ServerView Resource Orchestrator Cloud Edition V3.2.0 NS Option Instruction
FUJITSU Software

C.3.1 Registering Server Certificates and CA Certificates

This section explains how to register the certificates necessary when using an SSL accelerator of the server load balancer function.

The tenant user prepares a certificate based on the business system to configure, and the infrastructure administrator registers this certificate in the NS Appliance.

Figure C.1 Flow of Registration of Server Certificates and CA Certificates


This section explains how to register a certificate in an NS appliance.

Registering CA Certificates

In general, registration of CA certificates (including intermediate CA certificates) is not necessary.
Registration of a CA certificate is necessary when a tenant administrator or tenant user requests it, and when the server certificate in use was issued by a CA whose CA certificate has not been registered on the client side.
The procedure for registering a CA certificate is as follows.

  1. Check if a CA certificate is already registered in the NS appliance.

    Log in to the NS appliance, and execute the following command:

    admin
    password: Administrator Password
    show cert ca-certificate all

    Administrator Password

    Enter the administrator password specified in the "2.2.3.3 Network Configuration Information Files" which was created during installation of NS Appliance.

    CA certificates registered in the NS Appliance are displayed. Confirm that valid CA certificates have been registered, based on the following items:

    Item       Description
    Issuer     The issuer information of the CA certificate
    Subject    The owner information of the CA certificate
    Validity   The expiration date of the CA certificate

    When no CA certificate is registered, register the CA certificate by following the procedure from step 2 onward.

    If one is already registered, registration is not required.

  2. Store the CA certificate in the NS appliance.

    Store the certificate in the NS appliance by transferring the file from an FTP server to the NS appliance.
    Place the certificate on the FTP server in advance.
    Execute the following command:

    copy src_uri [ username name [ password password ] ] [ dst_filename ]

    src_uri

    Specify the certificate on the FTP server as the copy source, in order to copy it to the NS appliance.

    ftp://IPv4 address of the FTP server/directory/filename

    name

    Specify the login ID for the FTP server using a character string containing between 1 and 64 characters.

    password

    Specify the password for the login ID for the FTP server using a character string containing between 1 and 64 characters.

    dst_filename

    Specify the file name as "ca-cert.incom.pem".

  3. Register the CA certificate in the NS appliance.
    Execute the following command:

    cert entry peer-ca-certificate ca-certificate-group-entry-num

    ca-certificate-group-entry-num

    Specify the CA certificate number. This number is the number of the peer and the certificate of its own device.
    A value between 1 and 2048 can be specified.
    0 has a specific meaning: it is allocated to the certificate created by Resource Orchestrator, so certificates from other certificate authorities cannot be registered under it. Also, the numbers between 1 and 18 are registered for the CA certificates of Symantec Website Security (formerly VeriSign), which are installed by default, so use another number.

Registering Server Certificates

  1. Store the server certificate in the NS appliance.

    Store the certificate in the NS appliance by transferring the file from an FTP server to the NS appliance.
    Place the certificate on the FTP server in advance.
    Execute the following command:

    copy src_uri [ username name [ password password ] ] [ dst_filename ]

    src_uri

    Specify the certificate on the FTP server as the copy source, in order to copy it to the NS appliance.

    ftp://IPv4 address of the FTP server/directory/filename

    name

    Specify the login ID for the FTP server using a character string containing between 1 and 64 characters.

    password

    Specify the password for the login ID for the FTP server using a character string containing between 1 and 64 characters.

    dst_filename

    Specify the file name as "certXXX.imp.pkcs12".

    XXX

    Entry number

  2. Register the server certificate in the NS appliance.
    Execute the following command:

    cert pkcs12-import certificate-entry-num password password

    certificate-entry-num

    Specify the registration number of the server certificate and secret key.
    A value between 1 and 256 can be specified.

    password

    Specify a password using a character string containing up to 20 characters with alphanumeric characters and the symbols "!"#$%&()=~|-^\@[;:]/.,{`}*+_?><" in order to use the PKCS#12 file.

  3. Execute the rcxnetworkservice certctl command.

    rcxnetworkservice crtctl -name name -sync

    name

    Specify the NS appliance device name.


    Execute this command when using simple configuration mode.

    For details on this command, refer to "A.1 rcxnetworkservice".

  4. Notify the tenant administrator and tenant users of the completion of registration.
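
A pre-flight check for the arguments of both procedures above, so that a wrong entry number, file name or PKCS#12 password is caught before anything is copied to the NS appliance. This is an added example, not part of the manual or the product; the function names are this example's own, and accepting a zero-padded XXX in the file name is an assumption.

```python
import re
import string

CA_DST = "ca-cert.incom.pem"     # limits below are quoted from the procedure
CA_DEFAULT = range(1, 19)        # numbers taken by the default CA certificates
PKCS12_SYMBOLS = "!\"#$%&()=~|-^\\@[;:]/.,{`}*+_?><"
PKCS12_CHARS = set(string.ascii_letters + string.digits + PKCS12_SYMBOLS)
# Assumption: XXX may be zero-padded; the page only says it is the entry number.
SERVER_DST = re.compile(r"cert([0-9]+)\.imp\.pkcs12")


def check_ftp_login(name, password):
    """Login ID and password for the FTP server: 1 to 64 characters each."""
    return [f"{label} must be 1 to 64 characters"
            for label, value in (("FTP login ID", name), ("FTP password", password))
            if not 1 <= len(value) <= 64]


def check_ca_registration(entry_num, dst_filename):
    """Problems with the arguments for copy + cert entry peer-ca-certificate."""
    problems = []
    if entry_num == 0:
        problems.append("0 is allocated to the Resource Orchestrator certificate")
    elif entry_num in CA_DEFAULT:
        problems.append("1 to 18 hold the default CA certificates")
    elif not 1 <= entry_num <= 2048:
        problems.append("CA certificate number must be between 1 and 2048")
    if dst_filename != CA_DST:
        problems.append(f"dst_filename must be {CA_DST}")
    return problems


def check_server_registration(entry_num, dst_filename, pkcs12_password):
    """Problems with the arguments for copy + cert pkcs12-import."""
    problems = []
    if not 1 <= entry_num <= 256:
        problems.append("certificate-entry-num must be between 1 and 256")
    match = SERVER_DST.fullmatch(dst_filename)
    if match is None:
        problems.append("dst_filename must have the form certXXX.imp.pkcs12")
    elif int(match.group(1)) != entry_num:
        problems.append("XXX in dst_filename differs from certificate-entry-num")
    if len(pkcs12_password) > 20:
        problems.append("PKCS#12 password is longer than 20 characters")
    # Report only a count so the password itself never reaches a log.
    bad = set(pkcs12_password) - PKCS12_CHARS
    if bad:
        problems.append(f"PKCS#12 password has {len(bad)} disallowed character(s)")
    return problems
```

Each function returns a list of problems; an empty list means the arguments fit the limits stated in the procedure.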