In Systemwalker Operation Manager, encrypted communication (SSL: Secure Socket Layer) is used for communication between the Web server and the Web Console. This section explains the certificate and key management environment required to use SSL.
Certificates and private keys
To use SSL, the Certificate Authority (CA) certificate (issuing authority certificate), the site certificate, and the corresponding private keys are required. A CRL (Certificate Revocation List) is also used to check certificate validity.
Certificates and CRLs that conform to X.509 or RFC 2459 and use the RSA cipher algorithm for key generation can be used.
CA certificates (issuing authority certificates)
This is the certificate of the CA itself. This certificate guarantees certificates issued by the CA.
A CA can issue a certificate to a subordinate CA. In this case, both the CA's certificate and the subordinate CA's certificate are called CA certificates; the subordinate CA's certificate is also called an intermediate CA certificate.
Site certificates
This is a certificate issued by the CA that guarantees the identity of a server. It contains information about the server and the CA. The site certificate must be used in combination with the CA's certificate. The validity period is contained in the certificate itself, and the certificate cannot be used once it has expired. The certificate must be updated and a new one obtained before it expires. Refer to "Updating Certificates (When Certificates Expire)" in the Systemwalker Operation Manager Installation Guide for more information.
The private key that corresponds to the site certificate
This is the key that is paired with the public key contained in the site certificate.
Note
If the private key is lost, the corresponding site certificate cannot be used. For this reason, it must always be backed up.
CRL (Certificate Revocation List)
The CA issues the CRL, which lists certificates issued by that CA that are no longer valid. Events that cause a certificate to be revoked include the theft of a private key or the loss of user credentials.
When a CRL is used in SSL communication, it is referenced when the destination server's certificate is checked for validity.
The CRL is issued periodically, and is released to each Web server or directory server that is managed by the CA. The release method is different depending on the CA system, so check with the CA. Note that the release location might be described in the certificate.
PKCS #12 data may be used when a certificate is issued by a certificate authority and for backup and migration. PKCS #12 data contains the certificate, its corresponding private key, and the certificates needed to validate it, encrypted with a password string.
In a certificate/key management environment, you can import (register) the following PKCS #12 data:
PKCS #12 data exported with the cmmkpfx command from a Systemwalker Operation Manager V13.8.0 or earlier certificate/key management environment
For how to import, refer to the "Migrating Certificate/Key Management Environment" in the "Systemwalker Operation Manager Upgrade Guide".
Certificate Authority (CA)
A CA is required to obtain a certificate.
In certificate/key management environments, certificates and CRLs are supported when they meet all of the following conditions:
Compliant with X.509 or RFC 5280
Use the RSA encryption algorithm with a key length of 4096 bits or less
Use one of the following hash algorithms:
SHA256
SHA384
SHA512
The information required for a certificate signing request (CSR) to a certificate authority, how to apply, how to obtain the issued certificate, and the information recorded in the certificate all depend on how the certificate authority operates. For this reason, we recommend using a test certificate published by the certificate authority to confirm that it can be registered in the certificate/key management environment before starting operation.
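The following Go program is an added example, not part of the Systemwalker Operation Manager documentation or product, showing how the acceptance conditions above (RSA key of at most 4096 bits, SHA256/SHA384/SHA512 signature, a chain to the CA certificate within the validity period) can be checked on a site certificate before it is registered. It uses only the Go standard library and builds a throwaway test CA and site certificate in memory; the names "Sample Test CA" and "web.example" are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckSiteCert applies the acceptance rules above to a site certificate: an RSA key of at
// most 4096 bits, an RSA signature with SHA256/SHA384/SHA512, and a chain to the CA
// certificate that is valid at time now (a certificate past its NotAfter fails here).
func CheckSiteCert(site, ca *x509.Certificate, now time.Time) error {
	pub, ok := site.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("site certificate key is %T, not RSA", site.PublicKey)
	}
	if pub.N.BitLen() > 4096 {
		return fmt.Errorf("RSA key length %d exceeds 4096 bits", pub.N.BitLen())
	}
	switch site.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA: // accepted hash algorithms
	default:
		return fmt.Errorf("unsupported signature algorithm %v", site.SignatureAlgorithm)
	}
	roots := x509.NewCertPool() // the CA certificate is the only trust anchor
	roots.AddCert(ca)
	_, err := site.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err // nil on success; x509.CertificateInvalidError once the site certificate has expired
}

// MakeSamplePair builds a constructed self-signed test CA and a site certificate issued by it,
// using throwaway in-memory keys (sample data, not real credentials; errors ignored for brevity).
func MakeSamplePair(bits int, sig x509.SignatureAlgorithm, siteNotAfter time.Time) (site, ca *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	siteKey, _ := rsa.GenerateKey(rand.Reader, bits)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: siteNotAfter.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	siteTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "web.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: siteNotAfter, SignatureAlgorithm: sig,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	siteDER, _ := x509.CreateCertificate(rand.Reader, siteTmpl, ca, &siteKey.PublicKey, caKey)
	site, _ = x509.ParseCertificate(siteDER)
	return site, ca
}
```

To check a certificate obtained from a real CA, load the PEM or DER file with x509.ParseCertificate and pass it to CheckSiteCert together with the CA certificate instead of the constructed pair.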