Systemwalker Operation Manager V17.0.1 Installation Guide

2.4.7 Definitions for Encrypted Communications (HTTPS Communications) for the Web Console/ Web API

In order to perform HTTPS communications, a certificate/key management environment must be created using the following procedure. Refer to the Systemwalker Operation Manager Reference Guide for details on the commands used.

1. Create a certificate/key management environment

Create the directories used to manage the certificate and private key when SSL is used.

Create the directories with the commands provided by the operating system.

The following example shows how to create them.

[Windows]

mkdir d:\mpahso\sslcert          Administration directory
mkdir d:\mpahso\sslcert\cert     Certificate management directory

[Solaris]

# mkdir /export/home/mpahso/sslcert            Administration directory
# mkdir /export/home/mpahso/sslcert/cert       Certificate management directory

2. Create private keys and obtain certificates

Obtain a certificate by requesting the certificate authority to issue one.

Create a CSR (Certificate Signing Request) and private key at the same time

Create a CSR to request that the certificate authority issue a certificate.

When the following commands are executed, a private key is created first and then the CSR (Certificate Signing Request) is created from it.

The following example shows how to create them. You must specify the -config option when the CSR (Certificate Signing Request) is created (openssl req subcommand).

[Windows]

c:\Systemwalker\MPWALKER.JM\mpahs\bin\openssl.exe genrsa -aes256 -out d:\mpahso\sslcert\server.key 2048
(The execution result is as below.) 
Generating RSA private key, 2048 bit long modulus
......+++ 
...........++ 
e is 65537 (0x10001) 
Enter pass phrase for server.key: (Note)
Verifying - Enter pass phrase for server.key: (Note)
c:\Systemwalker\MPWALKER.JM\mpahs\bin\openssl.exe req -new -key d:\mpahso\sslcert\server.key -out d:\mpahso\sslcert\server.csr -config c:\Systemwalker\MPWALKER.JM\mpahs\conf\openssl.cnf -subj "/C=JP/ST=Shizuoka/L=Shizuoka-shi/O=fujitsu/OU=4-1f/CN=www.example.com"
(The execution result is as below.)
Enter pass phrase for server.key: (Note)

[UNIX]

# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl genrsa -aes256 -out /export/home/mpahso/sslcert/server.key 2048
(The execution result is as below.)
Generating RSA private key, 2048 bit long modulus
......+++ 
...........++ 
e is 65537 (0x10001)
Enter pass phrase for server.key: (Note)
Verifying - Enter pass phrase for server.key: (Note)
# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl req -new -key /export/home/mpahso/sslcert/server.key -out /export/home/mpahso/sslcert/server.csr -config /opt/FJSVftlo/mpahs/oss/openssl/ssl/openssl.cnf -subj "/C=JP/ST=Shizuoka/L=Shizuoka-shi/O=fujitsu/OU=4-1f/CN=www.example.com"
(The execution result is as below.) 
Enter pass phrase for server.key: (Note)

Note: If this string is output, enter a passphrase consisting of single-byte alphanumeric characters, 128 bytes or less. Input characters are not echoed back. The passphrase entered here is also used in step "4. Register the passphrase".
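The directory creation and key/CSR generation of steps 1 and 2 as one runnable script, added here as an example; it is not taken from the manual or from the product. It assumes a stock openssl on PATH rather than the bundled binary, takes the passphrase as an argument instead of prompting for it, and writes a minimal stand-in openssl.cnf because the product's own configuration file is not available; the scratch directory stands in for /export/home/mpahso/sslcert. Beyond the manual's commands it adds the checks worth running before the CSR leaves the host: that the key on disk really is passphrase-encrypted, that the CSR signature verifies, that the CSR carries the expected CN, and that the CSR's public key belongs to server.key.

```shell
#!/bin/sh
# Added example, not the manual's own commands. Assumes a stock "openssl" on
# PATH (the product uses /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl) and a
# passphrase passed as an argument instead of the interactive prompt.
set -eu

# Step 1: administration directory plus the certificate management directory.
create_cert_env() {
    mkdir -p "$1/cert"
}

# Minimal stand-in for the product's openssl.cnf, so that "openssl req" can
# be run with -config on any host. (Assumption: real deployments use the
# bundled openssl.cnf shown in the manual.)
write_min_config() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1"
}

# Step 2: AES-256-encrypted 2048-bit RSA key, then a CSR signed with it.
#   $1 = administration directory, $2 = passphrase, $3 = subject DN
create_key_and_csr() {
    write_min_config "$1/openssl.cnf"
    openssl genrsa -aes256 -passout "pass:$2" -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -passin "pass:$2" \
        -out "$1/server.csr" -config "$1/openssl.cnf" -subj "$3"
}

# Checks before the CSR is sent to the certificate authority:
#   $1 = administration directory, $2 = passphrase, $3 = expected CN
verify_csr() {
    # the key file must be passphrase-protected (PKCS#8 or legacy PEM header)
    grep -q ENCRYPTED "$1/server.key" \
        || { echo "server.key is not encrypted"; return 1; }
    # the CSR's self-signature must verify
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify"; return 1; }
    # the CSR must carry the expected CN
    openssl req -in "$1/server.csr" -noout -subject | grep -q "CN *= *$3" \
        || { echo "CSR subject does not contain CN=$3"; return 1; }
    # the CSR's public key must be the one that belongs to server.key
    csr_pub=$(openssl req -in "$1/server.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/server.key" -passin "pass:$2" -pubout)
    [ "$csr_pub" = "$key_pub" ] \
        || { echo "CSR public key does not match server.key"; return 1; }
    echo "CSR checks passed"
}

# Demo run in a scratch directory standing in for /export/home/mpahso/sslcert.
DEMO_DIR=$(mktemp -d)
DEMO_PASS="demo-passphrase"   # constructed; single-byte alphanumerics, 128 bytes max
DEMO_SUBJ="/C=JP/ST=Shizuoka/L=Shizuoka-shi/O=fujitsu/OU=4-1f/CN=www.example.com"
create_cert_env "$DEMO_DIR"
create_key_and_csr "$DEMO_DIR" "$DEMO_PASS" "$DEMO_SUBJ"
verify_csr "$DEMO_DIR" "$DEMO_PASS" "www.example.com"
```

The public-key comparison is the one that catches a CSR generated against the wrong key file, which otherwise only surfaces later as a web server that refuses to start with the issued certificate.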

Make a request for a certificate to be issued

Send the created CSR to the certificate authority to request that a site certificate be issued.

Follow the request method used by the certificate authority.

Obtain certificates

Obtain the certificate signed by the certificate authority in PEM format (Base64-encoded data).

A certificate in PEM format has the following data format.

-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data)
-----END CERTIFICATE-----

Follow the method used by the certificate authority to obtain the certificate.

3. Deploy the certificate

After obtaining the certificates, place them in the certificate/key management environment.

Deploy the certificates to the directory created when the certificate/key management environment was built.

Also deploy the certificates of the certificate authority that issued the certificate (the site or client certificate) that are needed for operation.

Deploy the site certificate

Deploy the site certificate (server.pem) issued by the certificate authority to the certificate/key management environment.

[Windows]

move server.pem d:\mpahso\sslcert\cert

[UNIX]

# mv server.pem /export/home/mpahso/sslcert/cert

After deploying the issued site certificate, check its expiry date so that you know when it will need to be renewed. The expiry date can be checked with the openssl x509 command.

Note

Expiration dates of site and certificate authority certificates (issuing authority certificates)

The site certificate and the certificate authority certificates (issuing authority certificates) have expiration dates. If they expire and the Web Console/Web API continues to operate, warning messages are displayed on the client during SSL communication. Check the expiration dates of the certificates with the openssl x509 command, and obtain and register new certificates before they expire. After registering them, restart Systemwalker Operation Manager.

The following example shows how to check the expiration date of a certificate.

[Windows]

Systemwalker Operation Manager installation directory\MPWALKER.JM\mpahs\bin\openssl.exe x509 -noout -dates -in d:\mpahso\sslcert\cert\server.pem

[UNIX]

# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl x509 -noout -dates -in /export/home/mpahso/sslcert/cert/server.pem

Deploy the root CA certificate and Intermediate CA certificate

After obtaining the root CA certificate, check its fingerprint before registering it. The certificate authority provides the fingerprint information of the root CA certificate through a secure channel.

Check that the fingerprint matches the one output for the root CA certificate obtained from the certificate authority.

The fingerprint is a hash value computed over the certificate; if the certificate is fake or has been tampered with, the value will differ.

Because the value differs depending on the algorithm used to calculate it, compare fingerprints computed with the same algorithm.

The following example displays the fingerprint of the root CA certificate obtained from a certificate authority. Select the option (-sha1, -sha256 or -md5) that matches the fingerprint information provided by the certificate authority and compare the displayed value with it.

[Windows]

Execution example when the root CA certificate of the certificate authority is stored in d:\mpahso\sslcert\server-root-ca.pem.

c:\Systemwalker\MPWALKER.JM\mpahs\bin\openssl.exe x509 [-sha1|-sha256|-md5] -fingerprint -noout -in d:\mpahso\sslcert\server-root-ca.pem
-md5 option:       MD5 Fingerprint=40 79 98 2F 37 12 31 7C AE E7 B4 AB 78 C8 A2 28
-sha1 option:      SHA1 Fingerprint=07 28 BE 26 94 89 6D F9 ... << (20 bytes are displayed in hexadecimal.)
-sha256 option:    SHA256 Fingerprint=F7 16 00 6E A1 6E A2 14 ... << (32 bytes are displayed in hexadecimal.)

[UNIX]

Execution example when the root CA certificate of the certificate authority is stored in /export/home/mpahso/sslcert/server-root-ca.pem.

# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl x509 [-sha1|-sha256|-md5] -fingerprint -noout -in /export/home/mpahso/sslcert/server-root-ca.pem
-md5 option:       MD5 Fingerprint=40 79 98 2F 37 12 31 7C AE E7 B4 AB 78 C8 A2 28
-sha1 option:      SHA1 Fingerprint=07 28 BE 26 94 89 6D F9 ... << (20 bytes are displayed in hexadecimal.)
-sha256 option:    SHA256 Fingerprint=F7 16 00 6E A1 6E A2 14 ... << (32 bytes are displayed in hexadecimal.)
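The expiry and fingerprint checks described above, packaged as shell functions. This is an added example, not the manual's own commands: it assumes a stock openssl on PATH, and because no CA-issued certificate is available offline it generates a self-signed certificate as a constructed stand-in for server.pem or server-root-ca.pem. The fingerprint comparison normalizes both sides (a certificate authority typically publishes the value as space-separated bytes, while openssl prints colon-separated ones) and, as the text requires, compares only values produced by the same digest.

```shell
#!/bin/sh
# Added example, not the manual's commands. Assumes a stock "openssl" on PATH.
set -eu

# Returns 0 if certificate $1 is still valid $2 days from now, 1 if it expires
# within that window (the manual's "obtain a new certificate before it expires").
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# notBefore/notAfter, exactly what "openssl x509 -noout -dates" prints.
cert_dates() {
    openssl x509 -noout -dates -in "$1"
}

# Canonical form: uppercase hex, no separators. Makes "40 79 98 2F ...",
# "40:79:98:2F:..." and "4079982f..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF'
}

# Fingerprint of certificate $1 with digest $2 (sha256, sha1 or md5), canonical form.
cert_fingerprint() {
    normalize_fp "$(openssl x509 -noout -fingerprint "-$2" -in "$1" | sed 's/^.*=//')"
}

# The trust decision: the value published by the certificate authority ($3,
# in whatever spacing they use) must equal the locally computed one with the
# same digest ($2). A mismatch means a fake or tampered certificate.
fingerprint_matches() {
    [ "$(cert_fingerprint "$1" "$2")" = "$(normalize_fp "$3")" ]
}

# Constructed stand-in certificate (self-signed, 365 days) in place of the
# CA-issued server.pem / server-root-ca.pem.
DEMO_DIR=$(mktemp -d)
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$DEMO_DIR/openssl.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$DEMO_DIR/openssl.cnf" \
    -subj "/C=JP/O=example/CN=www.example.com" \
    -keyout "$DEMO_DIR/server.key" -out "$DEMO_DIR/server.pem" 2>/dev/null

cert_dates "$DEMO_DIR/server.pem"
if cert_valid_for_days "$DEMO_DIR/server.pem" 30; then
    echo "OK: certificate is valid for at least 30 more days"
else
    echo "RENEW: certificate expires within 30 days"
fi

# Pretend the CA published the SHA-256 fingerprint as space-separated bytes.
PUBLISHED=$(cert_fingerprint "$DEMO_DIR/server.pem" sha256 | sed 's/../& /g')
if fingerprint_matches "$DEMO_DIR/server.pem" sha256 "$PUBLISHED"; then
    echo "OK: SHA-256 fingerprint matches the published value"
fi
# Comparing against a different digest can never match (the manual's warning).
if ! fingerprint_matches "$DEMO_DIR/server.pem" sha1 "$PUBLISHED"; then
    echo "SHA-1 fingerprint does not equal the published SHA-256 value, as expected"
fi
```

cert_valid_for_days is the piece to schedule: run it against cert/server.pem with a renewal lead time (30 days here) so that the warning appears before clients see one.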

In addition to the root CA certificate and the site certificate, some certificate authorities also provide an intermediate CA certificate, so check with the certificate authority and obtain the intermediate CA certificate if one is provided.

The intermediate CA certificate is merged into the site certificate file and used from there.

Merging the root CA certificate is not required, but operating with a pem file that also contains the root CA certificate is recommended.

Example of merging the intermediate CA certificate (server-chain-ca.pem) and the root CA certificate (server-root-ca.pem) into the site certificate

[Windows]

type server-chain-ca.pem >> d:\mpahso\sslcert\cert\server.pem
type server-root-ca.pem >> d:\mpahso\sslcert\cert\server.pem
type d:\mpahso\sslcert\cert\server.pem
-----BEGIN CERTIFICATE-----
... (The site certificate data) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (The intermediate CA certificate data) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (The root CA certificate data) ...
-----END CERTIFICATE-----

[UNIX]

# cat server-chain-ca.pem >> /export/home/mpahso/sslcert/cert/server.pem
# cat server-root-ca.pem >> /export/home/mpahso/sslcert/cert/server.pem
# cat /export/home/mpahso/sslcert/cert/server.pem
-----BEGIN CERTIFICATE-----
... (The site certificate data) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (The intermediate CA certificate data) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (The root CA certificate data) ...
-----END CERTIFICATE-----

Set the key exchange parameters

When DHE is used for key exchange, the parameter length must be 2048 bits or more as a security measure.

Merge the recommended 2048-bit parameters from RFC 3526 into the site certificate file.

Merge the following PEM-format parameters, including the hyphen lines.

-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
-----END DH PARAMETERS-----
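The merge of step 3 and the DH parameter step carried through end to end, with the checks a practitioner wants before the file is referenced from httpd.conf. This is an added example, not the manual's commands or the product's code: it assumes a stock openssl on PATH and, because no CA-issued certificates are available offline, generates a throwaway root CA, intermediate CA and site certificate as constructed stand-ins for server-root-ca.pem, server-chain-ca.pem and server.pem. The order check catches the common mistake of running the append commands in the wrong order (the web server expects the site certificate first, followed by its issuers), the verify step proves the merged file forms a valid chain, and the last check confirms the DH block that was appended is the 2048-bit group and not something shorter.

```shell
#!/bin/sh
# Added example, not the manual's commands. Assumes a stock "openssl" on PATH.
set -eu

WORK=$(mktemp -d)            # stands in for /export/home/mpahso/sslcert
mkdir -p "$WORK/cert"
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/openssl.cnf"

# Throwaway certificate issuance: $1 = file name, $2 = subject, $3 = issuer
# name ("" = self-signed), $4 = basicConstraints. Keys are unencrypted only
# because this chain is a constructed stand-in that is discarded afterwards.
issue_cert() {
    if [ -z "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/openssl.cnf" \
            -subj "$2" -addext "basicConstraints=critical,$4" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
            -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
        printf 'basicConstraints=critical,%s\n' "$4" > "$WORK/$1.ext"
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
            -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

# Step 3: site certificate, then intermediate, then root, then the RFC 3526
# 2048-bit DH parameters (the block quoted in the manual), into cert/server.pem.
merge_chain() {
    cp "$WORK/server.pem" "$WORK/cert/server.pem"
    cat "$WORK/server-chain-ca.pem" >> "$WORK/cert/server.pem"
    cat "$WORK/server-root-ca.pem"  >> "$WORK/cert/server.pem"
    cat >> "$WORK/cert/server.pem" <<'EOF'
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
-----END DH PARAMETERS-----
EOF
}

# Split the CERTIFICATE blocks of $1 into $2/cert-1.pem, cert-2.pem, ...; prints the count.
split_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# Order check: certificate i must be issued by certificate i+1 (site first,
# then its issuers). Catches the append commands being run in the wrong order.
check_chain_order() {
    d=$(mktemp -d); n=$(split_certs "$1" "$d"); i=1
    [ "$n" -ge 2 ] || { echo "no CA certificate merged into $1"; return 1; }
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$d/cert-$i.pem" | sed 's/^issuer=//')
        subject=$(openssl x509 -noout -subject -in "$d/cert-$((i + 1)).pem" | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] \
            || { echo "certificate $i is not issued by certificate $((i + 1))"; return 1; }
        i=$((i + 1))
    done
    echo "chain order ok ($n certificates)"
}

# Cryptographic check: the site certificate verifies up to the last (root)
# certificate of the merged file, with the others as untrusted intermediates.
verify_chain() {
    d=$(mktemp -d); n=$(split_certs "$1" "$d")
    cat "$d"/cert-*.pem > "$d/untrusted.pem"
    openssl verify -CAfile "$d/cert-$n.pem" -untrusted "$d/untrusted.pem" "$d/cert-1.pem" >/dev/null
}

# The DH block must be present and be the 2048-bit group, not something shorter.
check_dh_params() {
    d=$(mktemp -d)
    awk '/-----BEGIN DH PARAMETERS-----/,/-----END DH PARAMETERS-----/' "$1" > "$d/dh.pem"
    [ -s "$d/dh.pem" ] || { echo "no DH parameters merged into $1"; return 1; }
    openssl dhparam -in "$d/dh.pem" -noout -text | grep -q '2048 bit'
}

issue_cert server-root-ca  "/C=JP/O=Example CA/CN=Example Root CA" "" "CA:TRUE"
issue_cert server-chain-ca "/C=JP/O=Example CA/CN=Example Issuing CA" server-root-ca "CA:TRUE,pathlen:0"
issue_cert server "/C=JP/ST=Shizuoka/O=fujitsu/CN=www.example.com" server-chain-ca "CA:FALSE"
merge_chain
check_chain_order "$WORK/cert/server.pem"
verify_chain "$WORK/cert/server.pem"
echo "chain verifies up to the root CA"
check_dh_params "$WORK/cert/server.pem"
echo "2048-bit DH parameters present"
```

Against a real deployment, run only check_chain_order, verify_chain and check_dh_params on the merged cert/server.pem; the issue_cert and merge_chain parts exist solely to fabricate input for the demonstration.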

4. Register the passphrase

Register the passphrase in the passphrase management file.

By specifying the passphrase and the passphrase management file with the ahsregistupin command, the passphrase will be encrypted and registered in the passphrase management file.

Example of registering the passphrase

[Windows]

In this example, the passphrase (entered interactively) is encrypted and registered in the passphrase management file d:\mpahso\sslcert\upinfile.

c:\systemwalker\MPWALKER.JM\mpahs\bin\ahsregistupin.exe -f d:\mpahso\sslcert\upinfile

[UNIX]

In this example, the passphrase (entered interactively) is encrypted and registered in the passphrase management file /export/home/mpahso/sslcert/upinfile.

# /opt/FJSVftlo/mpahs/bin/ahsregistupin -f /export/home/mpahso/sslcert/upinfile

5. Configure the environment definition file (httpd.conf)

Configure the Web server environment definition file "httpd.conf" to use SSL encryption.

The file "httpd.conf" is stored in the following directory:

[Windows]

<Systemwalker Operation Manager installation directory>\mpwalker.jm\mpahs\conf\httpd.conf

[UNIX]

/opt/FJSVftlo/mpahs/conf/httpd.conf

Definition examples for the environment definition file are shown below.

[Windows]

If performing SSL operations with the following settings:

[Example of how to edit httpd.conf]

ServerAdmin webmaster@main.example.com
ServerName  main.example.com
SSLEngine      On
SSLHonorCipherOrder On
SSLProtocol    TLSv1.2 +TLSv1.3
SSLCertificateFile     d:\mpahso\sslcert\cert\server.pem
SSLCertificateKeyFile  d:\mpahso\sslcert\server.key

SSLUserPINFile  d:\mpahso\sslcert\upinfile
SSLCipherSuite  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

[UNIX] [Linux]

If performing SSL operations with the following settings:

[Example of how to edit httpd.conf]

ServerAdmin webmaster@main.example.com
ServerName  main.example.com
SSLEngine      On
SSLHonorCipherOrder On
SSLProtocol    TLSv1.2 +TLSv1.3
SSLCertificateFile     /export/home/mpahso/sslcert/cert/server.pem
SSLCertificateKeyFile  /export/home/mpahso/sslcert/server.key

SSLUserPINFile  /export/home/mpahso/sslcert/upinfile
SSLCipherSuite  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

Note

Note that "httpd.conf" is excluded from backup and restoration, and from the backup and restoration of migration assets. Therefore, the same settings must be configured again after restoring the environment from a backup or restoring the migration assets.
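Because httpd.conf is not restored with the rest of the environment, the SSL settings above are exactly what drifts after a restore or migration. The following is an added example, not part of the manual or the product: a text-level audit of the mod_ssl directives in httpd.conf against the settings the manual's example uses. It inspects the file only, without contacting the server, and runs on two constructed inputs: a copy of the manual's [UNIX] example and a configuration that has drifted back to old protocol versions and a legacy cipher list.

```shell
#!/bin/sh
# Added example, not part of the manual: a text-level audit of the mod_ssl
# directives in httpd.conf against the settings used in the manual's example.
set -eu

# All values of directive $2 in file $1, one per line (comment lines do not match).
directive() {
    awk -v name="$2" '$1 == name { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# SSLProtocol may only enable TLSv1.2 and TLSv1.3, as the manual configures it.
protocol_ok() {
    proto=$(directive "$1" SSLProtocol | tail -n 1)
    [ -n "$proto" ] || { echo "SSLProtocol is missing"; return 1; }
    ok=1
    for tok in $proto; do
        case "$tok" in
            TLSv1.2|+TLSv1.2|TLSv1.3|+TLSv1.3|-all|-SSLv3|-TLSv1|-TLSv1.1) ;;
            *) echo "SSLProtocol enables '$tok'"; ok=0 ;;
        esac
    done
    [ "$ok" = 1 ]
}

# Full audit of file $1: returns 0 when every check passes, 1 otherwise.
audit_httpd_conf() {
    rc=0
    [ "$(directive "$1" SSLEngine | tail -n 1 | tr 'A-Z' 'a-z')" = "on" ] \
        || { echo "SSLEngine is not On"; rc=1; }
    protocol_ok "$1" || rc=1
    [ "$(directive "$1" SSLHonorCipherOrder | tail -n 1 | tr 'A-Z' 'a-z')" = "on" ] \
        || { echo "SSLHonorCipherOrder is not On"; rc=1; }
    for d in SSLCertificateFile SSLCertificateKeyFile SSLUserPINFile; do
        [ -n "$(directive "$1" "$d")" ] || { echo "$d is missing"; rc=1; }
    done
    # both SSLCipherSuite lines (TLSv1.2 and TLSv1.3) are inspected
    if directive "$1" SSLCipherSuite | grep -Eq 'RC4|DES|NULL|MD5|EXPORT'; then
        echo "SSLCipherSuite names a legacy cipher"; rc=1
    fi
    return "$rc"
}

WORK=$(mktemp -d)
# Constructed input 1: the manual's [UNIX] example.
cat > "$WORK/httpd-good.conf" <<'EOF'
ServerAdmin webmaster@main.example.com
ServerName  main.example.com
SSLEngine      On
SSLHonorCipherOrder On
SSLProtocol    TLSv1.2 +TLSv1.3
SSLCertificateFile     /export/home/mpahso/sslcert/cert/server.pem
SSLCertificateKeyFile  /export/home/mpahso/sslcert/server.key
SSLUserPINFile  /export/home/mpahso/sslcert/upinfile
SSLCipherSuite  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
EOF
# Constructed input 2: a configuration that drifted after a restore
# (old protocol versions, legacy cipher, passphrase file missing).
cat > "$WORK/httpd-weak.conf" <<'EOF'
ServerName  main.example.com
SSLEngine      On
SSLProtocol    all -SSLv3
SSLCertificateFile     /export/home/mpahso/sslcert/cert/server.pem
SSLCertificateKeyFile  /export/home/mpahso/sslcert/server.key
SSLCipherSuite  HIGH:MEDIUM:!aNULL:RC4-SHA
EOF

for name in good weak; do
    if audit_httpd_conf "$WORK/httpd-$name.conf"; then
        echo "httpd-$name.conf: PASS"
    else
        echo "httpd-$name.conf: FAIL"
    fi
done
```

For the product's own file, point audit_httpd_conf at /opt/FJSVftlo/mpahs/conf/httpd.conf (or the Windows path given above) right after a restore, before the Web Console is put back into service.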

2.4.7.1 How to Back up and Restore the Certificate/Key Management Environment

This section explains how to back up and restore the certificate/key management environment.

Back up existing resources (private keys and certificates)

Back up the resources specified in the target directive (Note) of the environment definition file (httpd.conf) to the backup directory.

Restore private keys and certificates

Restore the backed-up resources to the path specified in the target directive (Note) of the environment definition file (httpd.conf).

Note: the target directive