ServerView Resource Orchestrator Cloud Edition V3.0.0 Setup Guide

6.3.3 Getting and Registering a Certificate

Execute either one of the following procedures to suit the environment.

6.3.3.1 Getting a Certificate from the Certificate Authority

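This section explains how to get a certificate from the Certificate Authority. The following procedures are required:

- Creating the Interstage Certificate Environment and the Application to Obtain the Certificate that is used for SSL Communication
- Registering Certificates used in SSL Communication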

Creating the Interstage Certificate Environment and the Application to Obtain the Certificate that is used for SSL Communication

The CSR creation command (from now on, this is referred to as the "scsmakeenv command") is used to create the Interstage certificate environment and the CSR that is used to apply for the certificate for SSL communication.
The creation procedure and execution examples are shown below:

Creation procedure

  1. Set the JDK or JRE installation path in the JAVA_HOME environment variable. This procedure is only required for Linux. Setting of the environment variable JAVA_HOME is unnecessary for Windows.

  2. Execute the scsmakeenv command.

    [Windows]

    scsmakeenv -n <private key nickname> -f <output destination file name for the CSR>

    [Linux]

    scsmakeenv -n <private key nickname> -f <output destination file name for the CSR> -g <Group that has permissions to access the Interstage certificate environment>

    Change the CSR output destination file name if necessary.

    Note

    The private key nickname specified in the scsmakeenv command will be required when the site certificate obtained from the CA is registered.

    Information

    Refer to "Chapter 16 SSL Environment Setting Commands" in the Interstage Application Server Reference Manual (Command Edition) for information on the scsmakeenv command.

  3. Enter a password to access the Interstage certificate environment.

    The password will be required to access the Interstage certificate environment.

  4. Enter an identifier.

    When the "What is your first and last name?" enquiry is made, specify the FQDN of the server used to apply for the certificate as the Web server host name.

  5. As with step 4, enter the following items:

    • Name of organizational unit

    • Name of organization

    • Name of City or Locality

    • Name of State or Province

    • Two-letter country code

  6. Check the values that were entered.

    To create the CSR using the values that were entered, enter yes. To change the values that were entered, enter no.

  7. Send the CSR to the CA to request that a certificate be issued.

    If the scsmakeenv command has terminated normally, the CSR will be output to the output destination file that was specified in the -f option of the scsmakeenv command. Send that file to the CA and request that a certificate be issued. Follow the request method used by the CA.

Execution example [Windows]

The command execution examples shown below use the following values:

- Site certificate nickname: SERVERCERT
- CSR output destination file name: C:\temp\ssocert.txt
- First and last name: rormanager.example.com
- Name of organizational unit: FUJITSU TOKYO
- Name of organization: FUJITSU
- Name of City or Locality: Shinjuku
- Name of State or Province: Tokyo
- Two-letter country code for this unit: jp

C:\>scsmakeenv -n SERVERCERT -f C:\temp\ssocert.txt
New Password:
Retype:

Input X.500 distinguished names.
What is your first and last name?
  [Unknown]: rormanager.example.com
What is the name of your organizational unit?
  [Unknown]: FUJITSU TOKYO
What is the name of your organization?
  [Unknown]: FUJITSU
What is the name of your City or Locality?
  [Unknown]: Shinjuku
What is the name of your State or Province?
  [Unknown]: Tokyo
What is the two-letter country code for this unit?
  [Un]: jp

Is <CN=rormanager.example.com, OU=FUJITSU TOKYO, O=FUJITSU, L=Shinjuku, ST=Tokyo,C=jp> correct?
  [no]: yes
C:\>

Execution example [Linux]

The command execution examples shown below use the following values:

- Site certificate nickname: SERVERCERT
- CSR output destination file name: /tmp/ssocert.txt
- Group that has permissions to access the Interstage certificate environment: iscertg
- First and last name: rormanager.example.com
- Name of organizational unit: FUJITSU TOKYO
- Name of organization: FUJITSU
- Name of City or Locality: Shinjuku
- Name of State or Province: Tokyo
- Two-letter country code for this unit: jp

In the execution example, a new Interstage certificate environment is created for which "iscertg" access permissions are set, and the CSR is also created. If an Interstage certificate environment has already been created, then set access permissions to it if necessary.

The Bourne shell has been used in the execution example.

# JAVA_HOME=/opt/FJSVawjbk/jdk5;export JAVA_HOME
# scsmakeenv -n SERVERCERT -f /tmp/ssocert.txt -g iscertg
New Password:
Retype:

Input X.500 distinguished names.
What is your first and last name?
  [Unknown]: rormanager.example.com
What is the name of your organizational unit?
  [Unknown]: FUJITSU TOKYO
What is the name of your organization?
  [Unknown]: FUJITSU
What is the name of your City or Locality?
  [Unknown]: Shinjuku
What is the name of your State or Province?
  [Unknown]: Tokyo
What is the two-letter country code for this unit?
  [Un]: jp

Is <CN=rormanager.example.com, OU=FUJITSU TOKYO, O=FUJITSU, L=Shinjuku, ST=Tokyo,C=jp> correct?
  [no]: yes
UX:SCS: INFO: scs0180: The owners group of Interstage certificate environment was set.
#

Note

You will be prompted to input the password for the Interstage certificate environment if the Interstage certificate environment is already configured. In this case, input the password that was set when you configured the Interstage certificate environment.

Registering Certificates used in SSL Communication

Obtain the site certificate that was issued by the CA, and the CA certificate of the issuer of that certificate, and register them using the certificate/CRL registration command (from now on, this is referred to as the "scsenter command").

Information

Depending on the CA, it might be necessary to register an intermediate CA certificate. Refer to "Registering Certificates and CRL" in "Chapter 9 Setting and Use of the Interstage Certificate Environment" in the Interstage Application Server Security System Guide for details.
This work is unnecessary if you created a test site certificate.

Creation procedure

  1. Set the JDK or JRE installation path in the JAVA_HOME environment variable.

  2. Register the CA certificate using the scsenter command.

    scsenter -n <CA certificate nickname> -f <CA certificate>

    Information

    Refer to "SSL Environment Setting Commands" in the Interstage Application Server Reference Manual (Command Edition) for information on the scsenter command.

  3. Enter a password to access the Interstage certificate environment.

    Enter the password that was specified in the scsmakeenv command to access the Interstage certificate environment.

  4. Register the site certificate using the scsenter command.

    scsenter -n <Site certificate nickname> -f <Site certificate> -o

    To register the site certificate that was obtained from the CA, specify the nickname that was specified for the private key in the scsmakeenv command. Note that the -o option must be specified to register the site certificate.

  5. Enter a password to access the Interstage certificate environment.

    Enter the password that was specified in the scsmakeenv command to access the Interstage certificate environment.

Execution example [Windows]

The command execution examples shown below use the following values:

- CA certificate: C:\temp\ca-cert.cer
- CA certificate nickname: CACERT
- Site certificate: C:\temp\server-cert.cer
- Site certificate nickname: SERVERCERT

Change the file names of the CA and site certificates that were obtained if necessary.

C:\>scsenter -n CACERT -f C:\temp\ca-cert.cer
Password:
SCS: INFO: scs0104: Certificate was imported.
C:\>scsenter -n SERVERCERT -f C:\temp\server-cert.cer -o
Password:
SCS: INFO: scs0104: Certificate was imported.
C:\>

Execution example [Linux]

The command execution examples shown below use the following values:

- CA certificate: /tmp/ca-cert.cer
- CA certificate nickname: CACERT
- Site certificate: /tmp/server-cert.cer
- Site certificate nickname: SERVERCERT

Change the file names of the CA and site certificates that were obtained if necessary.
The Bourne shell has been used in the execution example.

# JAVA_HOME=/opt/FJSVawjbk/jdk5;export JAVA_HOME
# scsenter -n CACERT -f /tmp/ca-cert.cer
Password:
UX:SCS: INFO: scs0104: Certificate was imported.
# scsenter -n SERVERCERT -f /tmp/server-cert.cer -o
Password:
UX:SCS: INFO: scs0104: Certificate was imported.
#
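
A consistency check that can be run on the files before the scsenter steps above, as an added example that is not part of the guide. It assumes the CSR and both certificates are PEM-encoded and that the openssl CLI is installed; check_site_cert, make_fixture and the generated files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide. Assumes PEM files and the openssl CLI.

# check_site_cert <CSR> <site cert> <CA cert> <server FQDN>
# Returns 0 = consistent, 2 = CN mismatch, 3 = key mismatch, 4 = wrong issuer.
check_site_cert() {
    csr=$1; cert=$2; ca=$3; fqdn=$4
    # 1. The issued certificate must carry the FQDN entered at the CSR prompt.
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
           sed 's/^subject= *//')
    case ",$subj," in
        *",CN=$fqdn,"*) ;;
        *) echo "CN is not $fqdn: $subj" >&2; return 2 ;;
    esac
    # 2. Its public key must be the one in the CSR, so that it pairs with
    #    the private key created under the scsmakeenv nickname.
    want=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    got=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    [ "$want" = "$got" ] || { echo "key does not match CSR" >&2; return 3; }
    # 3. It must verify against the CA certificate that is registered first.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "not issued by $ca" >&2; return 4; }
}

# Constructed fixture: a throwaway CA plus two CSRs (different keys, same DN)
# and the certificate issued for each. All names and files are made up here.
make_fixture() {
    d=$1
    dn="/C=jp/ST=Tokyo/L=Shinjuku/O=FUJITSU/OU=FUJITSU TOKYO/CN=rormanager.example.com"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca-cert.cer" 2>/dev/null || return 1
    serial=1
    for n in server other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "$dn" \
            -keyout "$d/$n.key" -out "$d/$n-csr.txt" 2>/dev/null &&
        openssl x509 -req -in "$d/$n-csr.txt" -CA "$d/ca-cert.cer" -CAkey "$d/ca.key" \
            -set_serial "$serial" -days 1 -out "$d/$n-cert.cer" 2>/dev/null || return 1
        serial=$((serial + 1))
    done
}

tmp=$(mktemp -d) && make_fixture "$tmp" &&
    check_site_cert "$tmp/server-csr.txt" "$tmp/server-cert.cer" \
        "$tmp/ca-cert.cer" rormanager.example.com &&
    echo "consistent: register the CA certificate, then the site certificate"
rm -rf "$tmp"
```

A non-zero return identifies which file to query with the CA before anything is imported into the Interstage certificate environment.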

6.3.3.2 Creating Test Site Certificates

The test site certificate can only be used for testing before the site certificate issued by the CA is used. An example of creating a test site certificate when the server FQDN is "rormanager.example.com" is shown below.

Note

The test site certificate can only be used in a test environment.
Do not use the test site certificate in actual operations.

The command execution examples shown below use the following values:

- Test site certificate nickname: testCert
- First and last name: rormanager.example.com
- Name of organizational unit: FUJITSU TOKYO
- Name of organization: FUJITSU
- Name of City or Locality: Shinjuku
- Name of State or Province: Tokyo
- Two-letter country code for this unit: jp

The password that was entered will not be displayed. The password will be registered the first time it is entered. To create the certificate using the information displayed for the confirmation of the password that was entered, enter "yes". To enter a different password, enter "no".

[Windows]

scsmakeenv -n testCert
New Password: 
Retype:

Input X.500 distinguished names.
What is your first and last name?
  [Unknown]: rormanager.example.com
What is the name of your organizational unit?
  [Unknown]: FUJITSU TOKYO
What is the name of your organization?
  [Unknown]: FUJITSU
What is the name of your City or Locality?
  [Unknown]: Shinjuku
What is the name of your State or Province?
  [Unknown]: Tokyo
What is the two-letter country code for this unit?
  [Un]: jp

Is <CN=rormanager.example.com, OU=FUJITSU TOKYO, O=FUJITSU, L=Shinjuku, ST=Tokyo,C=jp> correct?
  [no]: yes
SCS: INFO: scs0102: Self-sign certificate was issued

[Linux]

The Bourne shell has been used in the execution example.

# JAVA_HOME=/opt/FJSVawjbk/jdk5;export JAVA_HOME
# scsmakeenv -n testCert
New Password:
Retype:

Input X.500 distinguished names.
What is your first and last name?
  [Unknown]: rormanager.example.com
What is the name of your organizational unit?
  [Unknown]: FUJITSU TOKYO
What is the name of your organization?
  [Unknown]: FUJITSU
What is the name of your City or Locality?
  [Unknown]: Shinjuku
What is the name of your State or Province?
  [Unknown]: Tokyo
What is the two-letter country code for this unit?
  [Un]: jp

Is <CN=rormanager.example.com, OU=FUJITSU TOKYO, O=FUJITSU, L=Shinjuku, ST=Tokyo,C=jp> correct?
  [no]: yes
UX:SCS: INFO: scs0102: Self-sign certificate was issued
#

Note

You will be prompted to input the password for the Interstage certificate environment if the Interstage certificate environment is already configured. In this case, input the password that was set when you configured the Interstage certificate environment.