Create an SSL communication environment as preparation for setting up Interstage Single Sign-On.
Use the following procedure to create an SSL communication environment.

1. Set up access permissions for the Interstage certificate environment.
2. Create an Interstage certificate environment and an application form for acquiring the certificates used for SSL communications.
3. Register the certificates used for SSL communications.
4. Enter settings for SSL communications.
Information
Refer to "Setting and Use of the Interstage Certificate Environment" in the Interstage Application Server Security System Guide for details on how to create an SSL environment.
Creating an Interstage certificate environment and an application form for acquiring the certificates used for SSL communications
Use the scsmakeenv command (the certificate signing request (CSR) creation command) to create an Interstage certificate environment and to create a CSR for applying to acquire the certificates used for SSL communications.
The creation procedure and an execution example are shown below.
Creation procedure:

1. Specify the installation path to the JDK or JRE in the JAVA_HOME environment variable.
   This step is only required for Linux. There is no need to set the JAVA_HOME environment variable for Windows.
2. Execute the scsmakeenv command.

   ```
   scsmakeenv -n <Nickname of the private key> -f <Name of the file where the CSR is output>
   scsmakeenv -n <Nickname of the private key> -f <Name of the file where the CSR is output> -g <Group that allows access to the Interstage certificate environment>
   ```

   If necessary, change the name of the file where the CSR is output.
   Note
   The nickname of the private key that is specified with the scsmakeenv command is required when the site certificate that is acquired from the certificate authority is registered.
   Information
   Refer to "SSL Environment Setting Commands" in the "Interstage Application Server Reference Manual (Command Edition)" for details on the scsmakeenv command.
3. Enter the password for accessing the Interstage certificate environment.
   This password is required to access the Interstage certificate environment.
4. Enter an identifier.
   At the "What is your first and last name?" prompt, specify the FQDN of the server for which the certificate is being requested, that is, the host name of the Web server.
5. Enter the following items, in the same way as with Step 4.
   - Organizational unit
   - Organization
   - City or Locality
   - State or Province
   - Country code
6. Check the values that have been entered.
   To create a CSR using the values that have been entered, enter "yes". To enter the values all over again, enter "no".
7. Send the CSR to the certificate authority to request that a certificate be issued.
   If the scsmakeenv command terminates normally, a CSR is written to the output file that was specified with the "-f" option of the scsmakeenv command. Send this file to the certificate authority to request that a certificate be issued, following the request method used by that certificate authority.
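Before the CSR is sent to the certificate authority, it is worth confirming that the subject in the output file matches the values that were confirmed at the "Is <CN=...> correct?" prompt. The following Python script is an added example and not part of Interstage or this manual: it assumes the CSR output file is a Base64-encoded (PEM) PKCS#10 request, and the request it checks is a constructed skeleton, carrying the DN from the execution example, with an empty key and signature.

```python
import base64, re

OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU", b"\x55\x04\x0a": "O",   # DER-encoded X.520
        b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}    # OIDs (2.5.4.n)

def tlv(buf, pos=0):                               # one DER TLV -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def children(value):                               # elements of a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def csr_subject(pem):                              # subject DN of a PEM PKCS#10 request
    _, info, _ = tlv(tlv(base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem)))[1])
    atvs = [atv for _, rdn in children(children(info)[1][1])   # [1]: Name after version
            for _, atv in children(rdn)]
    return {OIDS.get(o, o.hex()): v.decode() for (_, o), (_, v) in map(children, atvs)}

def dn_mismatches(pem, expected):                  # {attr: (typed, in CSR)} where they differ
    got = csr_subject(pem)
    return {k: (expected.get(k), got.get(k)) for k in sorted(set(expected) | set(got))
            if expected.get(k) != got.get(k)}

# Constructed sample input: a PKCS#10 skeleton (empty key and signature) with a real subject.
def der(tag, body):                                # DER encode with minimal length octets
    n = len(body)
    lenb = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + lenb + body

def make_sample_csr(dn):                           # dn: {"CN": ..., "OU": ..., ...}
    atvs = [der(0x30, der(0x06, o) + der(0x0C, dn[a].encode())) for o, a in OIDS.items() if a in dn]
    name = der(0x30, b"".join(der(0x31, atv) for atv in atvs))   # SEQUENCE OF SET OF ATV
    info = der(0x30, der(0x02, b"\x00") + name + der(0x30, b"") + der(0xA0, b""))
    b64 = base64.encodebytes(der(0x30, info + der(0x30, b"") + der(0x03, b"\x00"))).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{b64}-----END NEW CERTIFICATE REQUEST-----\n"

EXPECTED = {"CN": "ssoserver.example.com", "OU": "FUJITSU TOKYO", "O": "FUJITSU",
            "L": "Shinjuku", "ST": "Tokyo", "C": "jp"}
SAMPLE_CSR = make_sample_csr(EXPECTED)
```

To check a real output file, read it into a string and pass it to dn_mismatches together with the values entered at the prompts; an empty result means the CSR carries exactly that DN.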
Example
The command execution example below uses the following settings:

- Nickname of the site certificate: SERVERCERT
- Output file name for the CSR: C:\temp\ssocert.txt
- First and last name: ssoserver.example.com
- Organizational unit: FUJITSU TOKYO
- Organization: FUJITSU
- City or locality: Shinjuku
- State or province: Tokyo
- Country code: jp

```
scsmakeenv -n SERVERCERT -f C:\temp\ssocert.txt
New Password:
Retype:
Input X.500 distinguished names.
What is your first and last name?
  [Unknown]: ssoserver.example.com
What is the name of your organizational unit?
  [Unknown]: FUJITSU TOKYO
What is the name of your organization?
  [Unknown]: FUJITSU
What is the name of your City or Locality?
  [Unknown]: Shinjuku
What is the name of your State or Province?
  [Unknown]: Tokyo
What is the two-letter country code for this unit?
  [Un]: jp
Is <CN=ssoserver.example.com, OU=FUJITSU TOKYO, O=FUJITSU, L=Shinjuku, ST=Tokyo,C=jp> correct?
  [no]: yes
SCS: INFO: scs0101: CSR was issued <C:\temp\ssocert.txt>
```
The command execution example below uses the following settings:

- Nickname of the site certificate: SERVERCERT
- Output file name for the CSR: /tmp/ssocert.txt
- Group that allows access to the Interstage certificate environment: iscertg
- First and last name: ssoserver.example.com
- Organizational unit: FUJITSU TOKYO
- Organization: FUJITSU
- City or locality: Shinjuku
- State or province: Tokyo
- Country code: jp

This example creates a new Interstage certificate environment whose access permissions are granted to the iscertg group, and also creates a CSR. If an Interstage certificate environment has already been created, set its access permissions as necessary.
The execution example below uses a Bourne shell.

```
# JAVA_HOME=/opt/FJSVawjbk/jdk5;export JAVA_HOME
# scsmakeenv -n SERVERCERT -f /tmp/ssocert.txt -g iscertg
New Password:
Retype:
Input X.500 distinguished names.
What is your first and last name?
  [Unknown]: ssoserver.example.com
What is the name of your organizational unit?
  [Unknown]: FUJITSU TOKYO
What is the name of your organization?
  [Unknown]: FUJITSU
What is the name of your City or Locality?
  [Unknown]: Shinjuku
What is the name of your State or Province?
  [Unknown]: Tokyo
What is the two-letter country code for this unit?
  [Un]: jp
Is <CN=ssoserver.example.com, OU=FUJITSU TOKYO, O=FUJITSU, L=Shinjuku, ST=Tokyo,C=jp> correct?
  [no]: yes
UX:SCS: INFO: scs0101: CSR was issued </tmp/ssocert.txt>
UX:SCS: INFO: scs0180: The owners group of Interstage certificate environment was set.
#
```
Note
If an Interstage certificate environment has already been created, there will be a prompt asking you to enter the password for the Interstage certificate environment, so enter the password that was specified when the Interstage certificate environment was created.
Information
Test site certificates can be used for test environments. Use test site certificates for test environments only and not for actual operations.
Refer to "Creating test site certificates" for information on how to create test site certificates.
Registering the certificates used for SSL communications
Obtain the site certificate issued by the certificate authority, as well as the CA certificate for the certificate issuer, and then register these certificates using the scsenter command (the certificate/CRL registration command).
Information
Depending on the certificate authority, it may be necessary to register an intermediate CA certificate as well. Refer to "Registering Certificates and CRL" in the "Interstage Application Server Security System Guide" for details.
This step is not required if a test site certificate has been created.
Registration procedure:

1. Use the scsenter command to register the CA certificate.

   ```
   scsenter -n <Nickname of the CA certificate> -f <CA certificate>
   ```

   Information
   Refer to "SSL Environment Setting Commands" in the "Interstage Application Server Reference Manual (Command Edition)" for details on the scsenter command.
2. Enter the password for accessing the Interstage certificate environment.
   Enter the password that was specified for the Interstage certificate environment in the scsmakeenv command.
3. Use the scsenter command to register the site certificate.

   ```
   scsenter -n <Nickname of the site certificate> -f <Site certificate> -o
   ```

   When registering the site certificate obtained from the certificate authority, specify the same nickname that was given to the private key with the scsmakeenv command.
   Be sure to specify the "-o" option when registering site certificates.
4. Enter the password for accessing the Interstage certificate environment.
   Enter the password that was specified for the Interstage certificate environment in the scsmakeenv command.
Example
The command execution example below uses the following settings:

- CA certificate: C:\temp\ca-cert.cer
- Nickname of the CA certificate: CACERT
- Site certificate: C:\temp\server-cert.cer
- Nickname of the site certificate: SERVERCERT

If necessary, change the file names of the CA certificate and the site certificate that have been obtained.

```
c:\>scsenter -n CACERT -f C:\temp\ca-cert.cer
Password:
Certificate was added to keystore
SCS: INFO: scs0104: Certificate was imported.
c:\>scsenter -n SERVERCERT -f C:\temp\server-cert.cer -o
Password:
Certificate reply was installed in keystore
SCS: INFO: scs0104: Certificate was imported.
c:\>
```
The command execution example below uses the following settings:

- CA certificate: /tmp/ca-cert.cer
- Nickname of the CA certificate: CACERT
- Site certificate: /tmp/server-cert.cer
- Nickname of the site certificate: SERVERCERT

If necessary, change the file names of the CA certificate and the site certificate that have been obtained. The execution example uses a Bourne shell.

```
# JAVA_HOME=/opt/FJSVawjbk/jdk5;export JAVA_HOME
# scsenter -n CACERT -f /tmp/ca-cert.cer
Password:
Certificate was added to keystore
UX:SCS: INFO: scs0104: Certificate was imported.
# scsenter -n SERVERCERT -f /tmp/server-cert.cer -o
Password:
Certificate reply was installed in keystore
UX:SCS: INFO: scs0104: Certificate was imported.
#
```
Setting up for SSL communications
Use the Interstage Management Console to create SSL definitions.

1. Start the Interstage Management Console, using one of the following methods.
   - Select [All Programs], [Interstage], [Application Server], and then [Interstage Management Console] from the [Start] menu.
   - Start a Web browser and specify the URL of the Interstage Management Console. The URL format is shown below.
     (For communications without SSL encryption)

     ```
     http://<Host name of the Admin Server>:<Port number of the Interstage Management Console (12000)>/IsAdmin/
     ```

     (For communications with SSL encryption)

     ```
     https://<Host name of the Admin Server>:<Port number of the Interstage Management Console (12000)>/IsAdmin/
     ```

2. Log in to the Interstage Management Console.
Create SSL definitions
Select the [System] - [Security] - [SSL] - [Create a new SSL Configuration] tabs to show [General Settings], select the nickname of the registered site certificate, and then create the SSL definition.
Specify the following items, then click the <Create> button.
| Item | Settings |
|---|---|
| Configuration name | Specify a name to identify the SSL definitions. The definition name specified here must be specified when Interstage Single Sign-On is set up. The definition name can be up to 32 characters long, consisting of alphanumeric characters and the following symbols. |
| Site Certificate Nickname | Select the nickname that was specified when the site certificate was registered with the Interstage certificate environment in "Registering the certificates used for SSL communications". The selected site certificate can be checked in the [System] - [Security] - [Certificates] - [Site Certificates] window of the Interstage Management Console. |
| Protocol Version | Select "SSL 3.0" and "TLS 1.0". |
| Verify Client Certificate? | Select "No". |
| Encryption Method | If necessary, change the encryption method by referring to the help for the Interstage Management Console. |
| CA Certificate Nickname | If necessary, change the nickname of the CA certificate by referring to the help for the Interstage Management Console. |