This section explains how to register the certificates necessary when using an SSL accelerator of the server load balancer function.
The tenant user prepares a certificate based on the business system to configure, and the infrastructure administrator registers this certificate in the NS Appliance.
Figure C.1 Flow of Registration of Server Certificates and CA Certificates
This section explains how to register a certificate in an NS appliance.
Registering CA Certificates
In general, registration of CA certificates (including intermediate CA certificates) is not necessary.
Registration of a CA certificate is necessary when a tenant administrator or tenant user requests it, or when the server certificate was issued by a CA whose certificate is not already registered on the client side; in that case the NS appliance needs the CA certificate so that clients can validate the server certificate's chain.
The procedure for registering a CA certificate is as follows.
Check if a CA certificate is already registered in the NS appliance.
Log in to the NS appliance, and execute the following command:
admin
password: Administrator Password
show cert ca-certificate all
The administrator password is the one specified in "2.2.3.3 Network Configuration Information Files", which was created during installation of the NS Appliance.
CA certificates registered in the NS Appliance are displayed. Confirm that valid CA certificates have been registered, based on the following items:
Item | Description |
---|---|
Issuer | The issuer information of the CA certificate |
Subject | The owner information of the CA certificate |
Validity | The expiration date of the CA certificate |
When no CA certificate is registered, register the CA certificate by following the procedure from step 2 onward.
If a valid one is already registered, registration is not required.
Store the CA certificate in the NS appliance.
The certificate is stored by transferring it from an FTP server to the NS appliance, so place the certificate on the FTP server in advance.
Execute the following command:
copy src_uri [ username name [ password password ] ] [ dst_filename ]
src_uri: the certificate on the FTP server, which is the copy source, in the form ftp://IPv4 address of the FTP server/directory/filename
name: the login ID for the FTP server, a character string of 1 to 64 characters
password: the password for that login ID, a character string of 1 to 64 characters
dst_filename: specify the file name "ca-cert.incom.pem"
Register the CA certificate in the NS appliance.
Execute the following command:
cert entry peer-ca-certificate ca-certificate-group-entry-num
ca-certificate-group-entry-num: the CA certificate entry number. This number is used for the CA certificate of the peer and for the device's own certificate.
A value between 1 and 2048 can be specified.
0 has a specific meaning: it is allocated to the certificate created by Resource Orchestrator, so certificates from other CAs cannot be registered under it. The numbers 1 to 18 are already used by the CA certificates of Symantec Website Security (formerly VeriSign) that are installed by default, so use another number.
Registering Server Certificates
Store the server certificate in the NS appliance.
The certificate is stored by transferring it from an FTP server to the NS appliance, so place the certificate on the FTP server in advance.
Note that the PKCS#12 file contains the server's private key, and that FTP sends both the login credentials and the file in cleartext. Perform the transfer only over the isolated management network, and delete the file from the FTP server once registration is complete.
Execute the following command:
copy src_uri [ username name [ password password ] ] [ dst_filename ]
src_uri: the certificate on the FTP server, which is the copy source, in the form ftp://IPv4 address of the FTP server/directory/filename
name: the login ID for the FTP server, a character string of 1 to 64 characters
password: the password for that login ID, a character string of 1 to 64 characters
dst_filename: specify the file name "certXXX.imp.pkcs12", where XXX is the entry number under which the certificate is registered in the next step
Register the server certificate in the NS appliance.
Execute the following command:
cert pkcs12-import certificate-entry-num password password
certificate-entry-num: the entry number under which the server certificate and its private key are registered.
A value between 1 and 256 can be specified.
password: the password protecting the PKCS#12 file, a character string of up to 20 characters consisting of alphanumeric characters and the symbols "!"#$%&()=~|-^\@[;:]/.,{`}*+_?><".
Execute the rcxnetworkservice certctl command.
rcxnetworkservice certctl -name name -sync
name: the NS appliance device name
Execute this command when using simple configuration mode.
For details on this command, refer to "A.1 rcxnetworkservice".
Notify the tenant administrator and tenant users that registration is complete.
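Before the files used in the two procedures above are placed on the FTP server, the administrator can check them locally. The following shell script is an added example and is not part of this manual or of the NS appliance software: it builds certXXX.imp.pkcs12 from a PEM key and certificate under the entry number and password rules given above, and checks a ca-cert.incom.pem and the PKCS#12 file (issuer, subject, validity, key/certificate match, chain to the CA) with the openssl command-line tool. The function names, the throwaway CA and server certificate built by the demo, the entry number 19 and the demo password are assumptions made for illustration only.

```shell
#!/bin/sh
# Added example (not from the Resource Orchestrator manual): prepare and
# pre-check ca-cert.incom.pem and certXXX.imp.pkcs12 with the openssl CLI
# before they go to the FTP server. Function names are assumptions.
set -eu

# PKCS#12 password rule from the manual: 1 to 20 characters, alphanumerics
# and the symbols !"#$%&()=~|-^\@[;:]/.,{`}*+_?>< only. Returns 0 if OK.
check_p12_password() {
  pw=$1
  [ "${#pw}" -ge 1 ] && [ "${#pw}" -le 20 ] || return 1
  # any character outside the allowed set makes the password invalid
  if printf '%s' "$pw" | LC_ALL=C grep -q '[^]A-Za-z0-9!"#$%&()=~|^\\@[;:/.,{`}*+_?><-]'; then
    return 1
  fi
  return 0
}

# Items the manual says to confirm for a CA certificate (Issuer, Subject,
# Validity), plus a check that the file really is a CA certificate.
check_ca_pem() {  # ca-cert.incom.pem
  openssl x509 -in "$1" -noout -issuer -subject -dates
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null \
    || { echo "CA certificate has expired" >&2; return 1; }
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' \
    || { echo "not a CA certificate (no CA:TRUE basicConstraints)" >&2; return 1; }
}

# Pack key and certificate into certXXX.imp.pkcs12, XXX being the entry
# number (1-256) later passed to "cert pkcs12-import". The password reaches
# openssl through the environment so it is not visible in the process list.
make_pkcs12() {  # entry_num key.pem cert.pem password outdir
  num=$1; key=$2; cert=$3; pw=$4; dir=$5
  [ "$num" -ge 1 ] && [ "$num" -le 256 ] \
    || { echo "entry number '$num' is not in 1-256" >&2; return 1; }
  check_p12_password "$pw" \
    || { echo "password violates the appliance's PKCS#12 password rule" >&2; return 1; }
  out="$dir/cert${num}.imp.pkcs12"
  P12_PW=$pw; export P12_PW
  openssl pkcs12 -export -inkey "$key" -in "$cert" -passout env:P12_PW -out "$out"
  unset P12_PW
  echo "$out"
}

# Pre-flight for the PKCS#12: it opens with the password, the private key
# matches the certificate, and the certificate is valid now and chains to
# the CA certificate that is (or will be) registered on the appliance.
check_pkcs12() {  # certXXX.imp.pkcs12 password ca-cert.incom.pem
  p12=$1; ca=$3
  P12_PW=$2; export P12_PW
  tmp=$(mktemp -d)
  openssl pkcs12 -in "$p12" -passin env:P12_PW -nokeys -clcerts -out "$tmp/cert.pem"
  openssl pkcs12 -in "$p12" -passin env:P12_PW -nocerts -nodes -out "$tmp/key.pem"
  unset P12_PW
  # compare SubjectPublicKeyInfo so the check works for RSA and EC keys alike
  cert_pub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; rm -rf "$tmp"; return 1; }
  openssl verify -CAfile "$ca" "$tmp/cert.pem" >/dev/null \
    || { echo "certificate does not chain to $ca or is outside its validity period" >&2; rm -rf "$tmp"; return 1; }
  openssl x509 -in "$tmp/cert.pem" -noout -subject -issuer -dates
  rm -rf "$tmp"
}

# Demo on a constructed throwaway CA and server certificate (not real tenant
# material), built in a temporary directory that is removed afterwards.
demo() {
  dir=$(mktemp -d)
  cat >"$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Tenant Issuing CA" -keyout "$dir/ca.key" -out "$dir/ca-cert.incom.pem" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.com" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca-cert.incom.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -out "$dir/server.pem" 2>/dev/null
  p12=$(make_pkcs12 19 "$dir/server.key" "$dir/server.pem" 'Imp0rt!Pass' "$dir")
  check_ca_pem "$dir/ca-cert.incom.pem"
  check_pkcs12 "$p12" 'Imp0rt!Pass' "$dir/ca-cert.incom.pem"
  rm -rf "$dir"
}

demo
```

In practice, call make_pkcs12 and check_pkcs12 on the tenant's real key and certificate and hand the resulting file to the copy command; the demo only exists so the script runs offline. A current openssl writes the PKCS#12 with AES and PBKDF2; if the appliance rejects the file, confirm the encoding it accepts in its own documentation before re-exporting with older algorithms.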