In order to perform HTTPS communications, a certificate/key management environment must be created using the following procedure. Refer to the Systemwalker Operation Manage Reference Guide for details on the commands being used.
1. Create a certificate/key management environment
Create management directories
The following directories are required to manage certificates and private keys, so use the commands provided by the operating system to create these directories.
The following example shows how to create management directories.
[Windows]
mkdir d:\sslenv\slot Slot information directory mkdir d:\sslenv\sslcert Administration directory mkdir d:\sslenv\sslcert\cert Certificate management directory mkdir d:\sslenv\sslcert\crl CRL management directory
[Solaris/Linux]
# mkdir /export/home/slot Slot information directory # mkdir /export/home/sslcert Administration directory # mkdir /export/home/sslcert/cert Certificate management directory # mkdir /export/home/sslcert/crl CRL management directory
Create and set up a private key management environment
Create and set up a private key management environment, which is required to manage private keys. The following example shows how to create private key management environments.
[Windows]
makeslot -d d:\sslenv\slot Generate and initialize the slot information directory maketoken -d d:\sslenv\slot -s 1 -t Token01 Initialize token
[Solaris/Linux]
# makeslot -d /export/home/slot Generate and initialize the slot information directory # maketoken -d /export/home/slot -s 1 -t Token01 Initialize token
Create a certificate/CRL management environment
Create and set up a certificate/CRL management environment, which is required to manage certificates and CRLs.
To use certificates issued by VeriSign, Inc. or Cybertrust, Inc., register a VeriSign or Cybertrust root certificate (CA certificate).
The following example shows how to create management environments.
Using VeriSign or Cybertrust certificates (the built-in certificate list file)
Use the cmsetenv command to register the root certificates (CA certificates) for VeriSign and Cybertrust.
[Windows]
cmmkenv d:\sslenv\sslcert -todir d:\sslenv\sslcert\cert,d:\sslenv\sslcert\crl Create a certificate/CRL management environment cmsetenv d:\sslenv\sslcert -sd d:\sslenv\slot -jc 1 -rc %F4AN_INSTALL_PATH%\F4ANswnc\etc\l\tsilc Set up a certificate/CRL management environment
[Solaris/Linux]
# cmmkenv /export/home/sslcert -todir /export/home/sslcert/cert,/export/home/sslcert/crl Create a certificate/CRL management environment # cmsetenv /export/home/sslcert -sd /export/home/slot -jc 1 -rc /etc/opt/FJSVswnc/l/tsilc Set up a certificate/CRL management environment
Information
With this version of the product, the built-in certificate list file contains the CA certificates and intermediate CA certificates listed in "List of Built-in Certificates". Accordingly, when a certificate/key management environment is created, if the "-rc" option is specified with the cmsetenv command, these certificates will be registered with the certificate/key management environment.
Note that, depending on the certificate authority's operating policies, CA certificates and intermediate CA certificates may be updated or added earlier than the expiry date of normal certificates. In this case, check the websites for the appropriate certificate authorities, and obtain new CA certificates and intermediate CA certificates in accordance with the procedure indicated. These certificates must be registered by specifying the "-ca" option with the cmentcert command.
2. Create private keys and obtain certificates
Obtain certificates by requesting the certificate authority to issue a certificate.
Create a Certificate Signing Request (CSR) and private key at the same time
Create a CSR to request the certificate authority to issue a certificate.
When the following command (cmmakecsr) is executed, a private key is created at the same time.
Note
To protect the private key, back up the file for the certificate/key management environment until the certificate is actually received. Refer to "How to Back up and Restore the Certificate/Key Management Environment" for information on how to back up and restore this file.
If the file for the certificate/key management environment has not been backed up and the environment is damaged, the private key will be lost. In this case, both a certificate/key management environment and a CSR will have to be created again.
The following example shows how to create management environments and CSRs:
[Windows]
cmmakecsr -ed d:\sslenv\sslcert -sd d:\sslenv\slot -f TEXT -c jp -cn "www.infoproviderpro.com" -o fujitsu -ou 4-1f -l "Shizuoka-shi" -s "Shizuoka-ken" -kt RSA -kb 1024 -tl Token01 -of d:\sslenv\myCertRequest ENTER TOKEN PASSWORD=> * (*)
[Solaris/Linux]
# cmmakecsr -ed /export/home/sslcert -sd /export/home/slot -f TEXT -c jp -cn "www.infoproviderpro.com" -o fujitsu -ou 4-1f -l "Shizuoka-shi" -s "Shizuoka-ken" -kt RSA -kb 1024 -tl Token01 -of /export/home/myCertRequest ENTER TOKEN PASSWORD=> * (*)
*: Enter the user PIN if this string is displayed. Note that the text that is entered is not echoed back.
The user PIN entered with this command is also used with "4. Register the user PIN".
Make a request for a certificate to be issued
Send the CSR to the certificate authority to request that a site certificate be issued.
Follow the request method used by the certificate authority.
Obtain certificates
Obtain a certificate signed by the certificate authority. Follow the acquisition method specified by the certificate authority.
3. Register the certificate and the CRL
After obtaining the certificate and CRL, register them with the certificate/CRL management environment.
After registering the certificate and CRL, back up the certificate/key management environment. Refer to "How to Back up and Restore the Certificate/Key Management Environment" for information on how to back up and restore the environment.
Register the CA certificate
After obtaining the CA certificate, register it with the certificate/CRL management environment.
Register all of the certificates for the certificate authority to be used in the operation. Note that CA certificates issued by VeriSign and Cybertrust should be registered using the cmsetenv command.
Register certificates in order, starting with the root certificate. The following example shows how to register certificates:
[Windows]
In the following example, the CA certificate is stored in d:\sslenv\ca-cert.der.
cmentcert d:\sslenv\ca-cert.der -ed d:\sslenv\sslcert -ca -nn CACert
[Solaris/Linux]
In the following example, the CA certificate is stored in /export/home/ca-cert.der.
# cmentcert /export/home/ca-cert.der -ed /export/home/sslcert -ca -nn CACert
Register intermediate CA certificates
For some certificate authorities, intermediate CA certificates will be prepared, in addition to CA certificates and site certificates. In such cases, register the intermediate CA certificates that have been distributed by the certificate authority before registering the site certificates.
Note that the method for registering intermediate CA certificates is the same as for registering CA certificates. Refer to "Register the CA certificate".
Register the site certificate
Register the site certificate issued by the certificate authority in the certificate/key management environment.
After registering the site certificate issued, check the certificate's expiry date to confirm when the certificate will need to be updated. The expiry date can be checked using the cmdspcert command. Refer to the Systemwalker Operation Manager Reference Guide for details on the command. Refer to "2.5.7.1 Updating Certificates (When Certificates Expire)" for information on how to update certificates.
The following example shows how to register certificates:
[Windows]
In the following example, the site certificate is stored in d:\sslenv\my_site_cert.der.
cmentcert d:\sslenv\my_site_cert.der -ed d:\sslenv\sslcert -own -nn MySiteCert
[Solaris/Linux]
In the following example, the site certificate is stored in /export/home/my_site_cert.der.
# cmentcert /export/home/my_site_cert.der -ed /export/home/sslcert -own -nn MySiteCert
Register the CRL
There is no need to register the CRL if revocation checks using a CRL are not performed.
If revocation checks are performed using a CRL, regularly obtain and register the latest CRL.
The following example shows how to register CRL:
[Windows]
In the following example, the CRL is stored in d:\sslenv\crl.der.
cmentcrl d:\sslenv\crl.der -ed d:\sslenv\sslcert
[Solaris/Linux]
In the following example, the CRL is stored in /export/home/crl.der.
# cmentcrl /export/home/crl.der -ed /export/home/sslcert
4. Register the user PIN
Register the user PIN in the user PIN management file.
By specifying the user PIN and the user PIN management file with the ihsregistupin command, the user PIN will be encrypted and registered in the user PIN management file. Specify the user PIN that was used in "2. Create private keys and obtain certificates". The following example shows how to register the user PIN.
[Windows]
In this example, the user PIN is entered interactively, encrypted and registered in the d:\ssl\upinfile user PIN management file.
ihsregistupin -f d:\ssl\upinfile -d d:\sslenv\slot
[Solaris/Linux]
In this example, the user PIN is entered interactively, encrypted and registered in the /home/ssl/upinfile user PIN management file.
ihsregistupin -f /home/ssl/upinfile -d /home/sslenv/slot
5. Configure the environment definition file
Configure the Web server environment definition file "httpd.conf" to use SSL encryption.
The file "httpd.conf" is stored in the following directory:
[Windows]
<Systemwalker Operation Manager installation directory>\mpwalker.jm\mpahs\conf\httpd.conf |
[UNIX]
/opt/FJSVftlo/mpahs/conf/httpd.conf |
Definition examples of the environment definition file are shown below.
[Windows]
If performing SSL operations with the following settings:
SSL protocol version: "SSL3.0" or "SSL3.1" (TLS 1.0)
Client authentication: Yes
Slot information directory: "d:\ssl\slotdir"
Token label: "secret_key_tok"
User PIN management file: "d:\ssl\upinfile"
Administration directory: "d:\ssl\envdir"
Site certificate nickname: "server_cert"
Client CA certificate nickname: "client_cert"
[Example of how to edit httpd.conf]
ServerAdmin webmaster@main.example.com ServerName main.example.com SSLExec on SSLVersion 3-3.1 SSLVerifyClient require SSLSlotDir d:/ssl/slotdir SSLTokenLabel secret_key_tok SSLUserPINFile d:/ssl/upinfile SSLEnvDir d:/ssl/envdir SSLCertName server_cert SSLClCACertName client_cert SSLCipherSuite RSA-AES-256-SHA:RSA-AES-128-SHA:RSA-3DES-SHA:RSA-RC4-SHA:RSA-RC4-MD5:DES-CBC3-MD5:RC4-MD5:RC2-MD5
[Solaris] [Linux]
If performing SSL operations with the following settings:
SSL protocol version: "SSL3.0" or "SSL3.1" (TLS 1.0)
Client authentication: Yes
Slot information directory: "/export/home/slotdir"
Token label: "secret_key_tok"
User PIN management file: "/home/ssl/upinfile"
Administration directory: "/export/home/envdir"
Site certificate nickname: "server_cert"
Client CA certificate nickname: "client_cert"
[Example of how to edit httpd.conf]
ServerAdmin webmaster@main.example.com ServerName main.example.com SSLExec on SSLVersion 3-3.1 SSLVerifyClient require SSLSlotDir /export/home/slotdir SSLTokenLabel secret_key_tok SSLUserPINFile /home/ssl/upinfile SSLEnvDir /export/home/envdir SSLCertName server_cert SSLClCACertName client_cert SSLCipherSuite RSA-AES-256-SHA:RSA-AES-128-SHA:RSA-3DES-SHA:RSA-RC4-SHA:RSA-RC4-MD5:DES-CBC3-MD5:RC4-MD5:RC2-MD5
Note
Note that "httpd.conf" is excluded when backup and restoration are performed, or when migration assets are backed up and restored. Therefore, the same settings must be configured again if you restore the environment from the backup or restore the migration assets.
User certificates have expiry dates, and so the certificates need to be obtained and registered again.
To do this, use the following commands to manage certificates:
Command | Description |
|---|---|
cmlistcert | This command displays a list of the certificates that have been registered with the certificate/key management environment. |
cmdspcert | This command displays the content of the specified certificate. |
cmlistcrl | This command displays a list of the CRLs that have been registered with the certificate/key management environment. |
cmrmcert | This command deletes certificates that have been registered with the certificate/key management environment. |
When certificates expire, operations and functions may stop. Before a certificate expires, a new certificate must be obtained and registered.
When a new certificate has been obtained, it is normal practice to replace the current certificate with the new certificate. At this point, do not delete the old certificate that has been used up until this point, and leave it intact.
Perform the procedure again, starting from "2. Create private keys and obtain certificates". During this procedure, it is not possible to specify the same nickname as was used for the old certificate.
Note that, depending on the certificate authority's operating policies, CA certificates and intermediate CA certificates may be updated or added earlier than the expiry date of normal certificates. In this case, check the websites for the appropriate certificate authorities, and obtain new CA certificates and intermediate CA certificates in accordance with the procedure indicated. Register these certificates by specifying the cmentcert command with the "-ca" option before registering the new site certificate. At this point, arbitrary nicknames can be specified for the new CA certificate and intermediate CA certificate, so long as they do not coincide with the nicknames for certificates that have already been registered.
Using VeriSign's test secure server ID
The VeriSign root certificates that have been registered using the cmsetenv command do not include the "test root certificate" or the "test intermediate CA certificate". Therefore, to use the test secure server ID, obtain the test root certificate and the test intermediate CA certificate from VeriSign, and then register them using the cmentcert command. If the test root certificate and the test intermediate CA certificate have not been registered, certificate verification will fail, and so the registration of the test secure server ID will fail.
Note that these certificates are for test purposes, and so should not be used for actual operations.
To prevent test certificates from accidentally being used for actual operations, it is recommended that the test certificates be deleted as soon as the tests are complete. It is also recommended that the CA certificate for the test certificates also be deleted.
This section explains how to back up and restore the certificate/key management environment.
Back up existing resources (private keys and certificates)
Use the following command to back up existing resources (private keys and certificates). The backup will be created in the form of PKCS#12(PFX) data. When backing up these resources, specify the nickname of the site certificate. The CRL cannot be backed up using this command. Register the latest CRL when the resources are restored.
[Windows]
cmmkpfx d:\sslenv\my_site_pfx.pfx -ed d:\sslenv\sslcert -sn 1 -nn MySiteCert
[Solaris/Linux]
# cmmkpfx /export/home/my_site_pfx.pfx -ed /export/home/sslcert -sn 1 -nn MySiteCert
Restore private keys and certificates
Use the following command to restore the private key and certificate.
[Windows]
In this example, the certificate/key management environment to be restored is d:\sslnewenv\sslcert.
cmentpfx d:\sslenv\my_site_pfx.pfx -ed d:\sslnewenv\sslcert -sn 1 -nn MyNewSiteCert -entca
[Solaris/Linux]
In this example, the certificate/key management environment to be restored is /export/home/new/sslcert.
# cmentpfx /export/home/my_site_pfx.pfx -ed /export/home/new/sslcert -sn 1 -nn MyNewSiteCert -entca
This section lists the certificates that are included in this version of the product.
VeriSign
<Root certificate> |
Cybertrust
<Root certificate> |
If certificates that are not included in this version of the product are required, check the certificate authority's website, and obtain CA certificates or intermediate CA certificates in accordance with the procedure indicated.
To register a certificate in the certificate environment, perform the operations indicated below.
Refer to the Systemwalker Operation Manager Reference Guide for details on the commands being used.
If the certificate required is in the certificate list
Execute the cmsetenv command with the "-rc" option specified.
If the certificate required is not in the certificate list
Execute the cmentcert command with the "-ca" option specified.
