In order to perform HTTPS communications, a certificate/key management environment must be created using the following procedure. Refer to the Systemwalker Operation Manager Reference Guide for details on the commands used.
1. Create a certificate/key management environment
Create the directories used to manage certificates and private keys when SSL is used.
Create them with the commands provided by the operating system.
The following examples show how to create them.
[Windows]
mkdir d:\mpahso\sslcert            (Administration directory)
mkdir d:\mpahso\sslcert\cert       (Certificate management directory)
[Solaris]
# mkdir /export/home/mpahso/sslcert            (Administration directory)
# mkdir /export/home/mpahso/sslcert/cert       (Certificate management directory)
2. Create private keys and obtain certificates
Obtain a certificate by asking the certificate authority to issue one.
Create a private key and a CSR (Certificate Signing Request)
Create a CSR to request that the certificate authority issue a certificate.
When the following commands are executed, a private key is created first and then the CSR (Certificate Signing Request) is created from it.
The following examples show how. The -config option must be specified when the CSR is created (openssl req subcommand).
[Windows]
c:\Systemwalker\MPWALKER.JM\mpahs\bin\openssl.exe genrsa -aes256 -out d:\mpahso\sslcert\server.key 2048
(The execution result is as below.)
Generating RSA private key, 2048 bit long modulus
......+++
...........++
e is 65537 (0x10001)
Enter pass phrase for server.key: (Note)
Verifying - Enter pass phrase for server.key: (Note)

c:\Systemwalker\MPWALKER.JM\mpahs\bin\openssl.exe req -new -key d:\mpahso\sslcert\server.key -out d:\mpahso\sslcert\server.csr -config c:\Systemwalker\MPWALKER.JM\mpahs\conf\openssl.cnf -subj "/C=JP/ST=Shizuoka/L=Shizuoka-shi/O=fujitsu/OU=4-1f/CN=www.example.com"
(The execution result is as below.)
Enter pass phrase for server.key: (Note)
[UNIX]
# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl genrsa -aes256 -out /export/home/mpahso/sslcert/server.key 2048
(The execution result is as below.)
Generating RSA private key, 2048 bit long modulus
......+++
...........++
e is 65537 (0x10001)
Enter pass phrase for server.key: (Note)
Verifying - Enter pass phrase for server.key: (Note)

# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl req -new -key /export/home/mpahso/sslcert/server.key -out /export/home/mpahso/sslcert/server.csr -config /opt/FJSVftlo/mpahs/oss/openssl/ssl/openssl.cnf -subj "/C=JP/ST=Shizuoka/L=Shizuoka-shi/O=fujitsu/OU=4-1f/CN=www.example.com"
(The execution result is as below.)
Enter pass phrase for server.key: (Note)
Note: When this prompt is displayed, enter the passphrase as a single-byte alphanumeric string of 128 bytes or less. The characters typed are not echoed back. The same passphrase is used again in "4. Register the passphrase". The private key file (server.key) should be readable only by the administrator account that operates the Web server, even though it is encrypted with the passphrase.
Make a request for a certificate to be issued
Send the created CSR to the certificate authority to request that a site certificate be issued.
Follow the request method used by the certificate authority.
Obtain certificates
Obtain the certificate signed by the certificate authority in PEM format (Base64-encoded data).
A PEM format certificate has the following form.
-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data)
-----END CERTIFICATE-----
Follow the delivery method used by the certificate authority.
3. Deploy the certificate
After obtaining the certificates, place them in the certificate management environment.
Deploy them to the directory created when the certificate/key management environment was built.
Deploy every certificate needed for operation: the site (or client) certificate and the certificates of the certificate authority that issued it.
Deploy the site certificate
Deploy the site certificate (server.pem) issued by the certificate authority to the certificate/key management environment.
[Windows]
move server.pem d:\mpahso\sslcert\cert
[UNIX]
# mv server.pem /export/home/mpahso/sslcert/cert
After deploying the issued site certificate, check its expiry date to find out when it will need to be renewed. The expiry date can be checked with the openssl x509 command.
Note
Expiration dates of the site certificate and certificate authority certificates (issuing authority certificates)
The site certificate and the certificate authority certificates (issuing authority certificates) have expiration dates. If they expire and the Web console/Web API continues to operate, warning messages are displayed on the client during SSL communication. Check the expiration dates with the openssl x509 command, obtain a new certificate and register it before they expire. After registering it, restart Systemwalker Operation Manager.
The following examples show how to check the expiration date of a certificate. The openssl x509 command reads only the first certificate in a file, so check the intermediate and root CA certificates from their own files.
[Windows]
<Systemwalker Operation Manager installation directory>\MPWALKER.JM\mpahs\bin\openssl.exe x509 -noout -dates -in d:\mpahso\sslcert\cert\server.pem
[UNIX]
# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl x509 -noout -dates -in /export/home/mpahso/sslcert/cert/server.pem
Deploy the root CA certificate and Intermediate CA certificate
After obtaining the root CA certificate, check its fingerprint before registering it. The certificate authority publishes the fingerprint of its root CA certificate through a trusted channel.
Check that the published fingerprint matches the fingerprint computed from the root CA certificate you obtained.
The fingerprint is a hash value computed over the certificate; if the certificate is forged or has been tampered with, the value will differ.
Because the value depends on the hash algorithm, compare fingerprints computed with the same algorithm the certificate authority used. Prefer SHA-256 when the certificate authority publishes it; MD5 is no longer collision resistant and should be used only when nothing stronger is published.
The following examples display the fingerprint of the root CA certificate obtained from a certificate authority. Select the option (-sha1, -sha256 or -md5) that matches the fingerprint information provided by the certificate authority and compare the displayed value with the published one.
[Windows]
Execution example when the root CA certificate of the certificate authority is stored in d:\mpahso\sslcert\server-root-ca.pem.
c:\Systemwalker\MPWALKER.JM\mpahs\bin\openssl.exe x509 [-sha1|-sha256|-md5] -fingerprint -noout -in d:\mpahso\sslcert\server-root-ca.pem
-md5 option:    MD5 Fingerprint=40 79 98 2F 37 12 31 7C AE E7 B4 AB 78 C8 A2 28
-sha1 option:   SHA1 Fingerprint=07 28 BE 26 94 89 6D F9 ...      (20 bytes displayed in hexadecimal)
-sha256 option: SHA256 Fingerprint=F7 16 00 6E A1 6E A2 14 ...    (32 bytes displayed in hexadecimal)
[UNIX]
Execution example when the root CA certificate of the certificate authority is stored in /export/home/mpahso/sslcert/server-root-ca.pem.
# /opt/FJSVftlo/mpahs/oss/openssl/bin/openssl x509 [-sha1|-sha256|-md5] -fingerprint -noout -in /export/home/mpahso/sslcert/server-root-ca.pem
-md5 option:    MD5 Fingerprint=40 79 98 2F 37 12 31 7C AE E7 B4 AB 78 C8 A2 28
-sha1 option:   SHA1 Fingerprint=07 28 BE 26 94 89 6D F9 ...      (20 bytes displayed in hexadecimal)
-sha256 option: SHA256 Fingerprint=F7 16 00 6E A1 6E A2 14 ...    (32 bytes displayed in hexadecimal)
In addition to the root CA certificate and the site certificate, some certificate authorities issue an intermediate CA certificate; check with your certificate authority and obtain it if one is used.
The intermediate CA certificate is merged into the site certificate file and used from there.
Merging the root CA certificate is not required, but operating with a pem file that also contains the root CA certificate is recommended.
Keep the order site certificate, intermediate CA certificate, root CA certificate: the Web server takes the site certificate from the first block of the file, so the site certificate must come first.
Example of merging the intermediate CA certificate (server-chain-ca.pem) and the root CA certificate (server-root-ca.pem) into the site certificate
[Windows]
type server-chain-ca.pem >> d:\mpahso\sslcert\cert\server.pem
type server-root-ca.pem >> d:\mpahso\sslcert\cert\server.pem
type d:\mpahso\sslcert\cert\server.pem
-----BEGIN CERTIFICATE-----
... (The site certificate data) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (The intermediate CA certificate data) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (The root CA certificate data) ...
-----END CERTIFICATE-----
[UNIX]
# cat server-chain-ca.pem >> /export/home/mpahso/sslcert/cert/server.pem
# cat server-root-ca.pem >> /export/home/mpahso/sslcert/cert/server.pem
# cat /export/home/mpahso/sslcert/cert/server.pem
-----BEGIN CERTIFICATE-----
... (The site certificate data) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (The intermediate CA certificate data) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (The root CA certificate data) ...
-----END CERTIFICATE-----
Set the key exchange parameter
When DHE is used for key exchange, the parameter length must be 2048 bits or more as a security measure.
Append the recommended 2048-bit parameters from RFC 3526 (MODP group 14) to the site certificate file; the Web server reads the DH parameters from the file specified in SSLCertificateFile.
Append the following PEM format block exactly as shown, including the hyphen lines.
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
-----END DH PARAMETERS-----
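The whole procedure above (steps 1 to 3 plus the key exchange parameter) as one runnable script, added here as an example; it is not code from the Systemwalker manual or product. It uses the operating system's openssl rather than the product's bundled copy, and because there is no real certificate authority to send the CSR to, it builds a throwaway root and intermediate CA itself and signs the CSR with them. The directory layout under $BASE, the CA names, the minimal openssl.cnf and the command-line passphrase are all assumptions made for this example. After deployment it runs the checks a practitioner wants before restarting the Web server: the chain verifies up to the root, the private key matches the deployed certificate, the certificate is not within 30 days of expiry, and the DH block parses as 2048-bit parameters.

```shell
#!/bin/bash
# Added example, not code from the Systemwalker manual: runs steps 1 to 3 of the
# procedure end to end with the system openssl, then performs the checks wanted
# before restarting the Web server. A throwaway two-tier CA built here
# (root -> intermediate) stands in for the real certificate authority.
# Assumptions: openssl 1.1.1 or later on PATH; every path under $BASE, the
# CA names, the minimal openssl.cnf and the passphrase are hypothetical.
set -eu

BASE="${BASE:-$(mktemp -d)}"
SSLDIR="$BASE/sslcert"            # administration directory
CERTDIR="$SSLDIR/cert"            # certificate management directory
CA="$BASE/fakeca"                 # the constructed stand-in certificate authority
CNF="$BASE/openssl.cnf"           # minimal stand-in for the product's openssl.cnf
PASS="pass:demo-only-passphrase"  # the manual prompts interactively; never put a real passphrase on a command line

# 1. Create the certificate/key management environment
make_env() {
  mkdir -p "$CERTDIR" "$CA"
  chmod 700 "$SSLDIR"             # the private key lives here: owner-only access
  printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$CNF"
}

# 2. AES-256 encrypted private key, then the CSR, as the manual's two commands do
make_key_and_csr() {
  openssl genrsa -aes256 -passout "$PASS" -out "$SSLDIR/server.key" 2048 2>/dev/null
  chmod 600 "$SSLDIR/server.key"
  openssl req -new -config "$CNF" -key "$SSLDIR/server.key" -passin "$PASS" \
    -out "$SSLDIR/server.csr" \
    -subj "/C=JP/ST=Shizuoka/L=Shizuoka-shi/O=fujitsu/OU=4-1f/CN=www.example.com"
}

# Stand-in for "send the CSR to the certificate authority": a constructed root CA
# signs an intermediate CA, and the intermediate signs the site certificate from our CSR.
fake_ca_issue() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\nextendedKeyUsage=serverAuth\n' > "$CA/srv.ext"
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -keyout "$CA/root.key" \
    -out "$CA/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$CA/root.csr" -signkey "$CA/root.key" -days 3650 \
    -extfile "$CA/ca.ext" -out "$SSLDIR/server-root-ca.pem" 2>/dev/null
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -keyout "$CA/int.key" \
    -out "$CA/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$CA/int.csr" -CA "$SSLDIR/server-root-ca.pem" -CAkey "$CA/root.key" \
    -CAcreateserial -days 1825 -extfile "$CA/ca.ext" -out "$SSLDIR/server-chain-ca.pem" 2>/dev/null
  openssl x509 -req -in "$SSLDIR/server.csr" -CA "$SSLDIR/server-chain-ca.pem" -CAkey "$CA/int.key" \
    -CAcreateserial -days 398 -extfile "$CA/srv.ext" -out "$SSLDIR/server.pem" 2>/dev/null
}

# 3. Deploy: site certificate first, then intermediate, then root. The Web server
# takes the site certificate from the first block of the file, so the order matters.
deploy_chain() {
  mv "$SSLDIR/server.pem" "$CERTDIR/server.pem"
  cat "$SSLDIR/server-chain-ca.pem" "$SSLDIR/server-root-ca.pem" >> "$CERTDIR/server.pem"
}

# Root CA fingerprint (SHA-256, not MD5) to compare with the value the CA publishes
root_fingerprint() {
  openssl x509 -sha256 -fingerprint -noout -in "$SSLDIR/server-root-ca.pem" | sed 's/^.*=//'
}

# Checks before restarting the Web server: the deployed chain validates up to the
# root, the private key matches the deployed certificate, and it is not about to expire
verify_deployment() {
  openssl verify -CAfile "$SSLDIR/server-root-ca.pem" \
    -untrusted "$SSLDIR/server-chain-ca.pem" "$CERTDIR/server.pem" >/dev/null || return 1
  local cert_pub key_pub
  cert_pub=$(openssl x509 -noout -pubkey -in "$CERTDIR/server.pem" | openssl sha256)
  key_pub=$(openssl pkey -pubout -in "$SSLDIR/server.key" -passin "$PASS" | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -noout -dates -in "$CERTDIR/server.pem"
  openssl x509 -noout -checkend 2592000 -in "$CERTDIR/server.pem" >/dev/null   # 30 days
}

# Key exchange parameter: the RFC 3526 2048-bit MODP group (the PEM block the manual
# gives), checked on its own before it is appended to the site certificate file
append_dhparams() {
  cat > "$SSLDIR/dhparam.pem" <<'EOF'
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
-----END DH PARAMETERS-----
EOF
  openssl dhparam -in "$SSLDIR/dhparam.pem" -noout -text | grep -q '2048 bit'
  cat "$SSLDIR/dhparam.pem" >> "$CERTDIR/server.pem"
}

run_all() {
  make_env; make_key_and_csr; fake_ca_issue; deploy_chain
  echo "Root CA SHA-256 fingerprint: $(root_fingerprint)"
  verify_deployment; append_dhparams
  echo "Deployed $CERTDIR/server.pem: site + intermediate + root certificates + DH parameters"
}
run_all
```

Run it as is to watch the files appear under a temporary directory, or set BASE to the administration directory. Where the manual's commands prompt for the passphrase, the script passes it with -passout/-passin only so that it can run unattended; on a real server enter it interactively so that it does not end up in the shell history. The Windows equivalents use openssl.exe, type and move as shown in the manual.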
4. Register the passphrase
Register the passphrase in the passphrase management file.
By specifying the passphrase and the passphrase management file with the ahsregistupin command, the passphrase will be encrypted and registered in the passphrase management file.
Example of registering the passphrase
[Windows]
In this example, the passphrase (Interactive Input) is encrypted and registered in the d:\mpahso\sslcert\upinfile passphrase management file.
c:\systemwalker\MPWALKER.JM\mpahs\bin\ahsregistupin.exe -f d:\mpahso\sslcert\upinfile
[UNIX]
In this example, the passphrase (Interactive Input) is encrypted and registered in the /export/home/mpahso/sslcert/upinfile passphrase management file.
/opt/FJSVftlo/mpahs/bin/ahsregistupin -f /export/home/mpahso/sslcert/upinfile
5. Configure the environment definition file (httpd.conf)
Configure the Web server environment definition file "httpd.conf" to use SSL encryption.
The file "httpd.conf" is stored in the following directory:
[Windows]
<Systemwalker Operation Manager installation directory>\mpwalker.jm\mpahs\conf\httpd.conf
[UNIX]
/opt/FJSVftlo/mpahs/conf/httpd.conf
Definition examples of the environment definition file are shown below.
[Windows]
If performing SSL operations with the following settings:
SSL protocol version: "TLSv1.2 TLSv1.3"
Passphrase management file: "d:\mpahso\sslcert\upinfile"
Site certificate: "d:\mpahso\sslcert\cert\server.pem"
Site private key: "d:\mpahso\sslcert\server.key"
[Example of how to edit httpd.conf]
ServerAdmin webmaster@main.example.com
ServerName main.example.com
SSLEngine On
SSLHonorCipherOrder On
SSLProtocol TLSv1.2 +TLSv1.3
SSLCertificateFile d:\mpahso\sslcert\cert\server.pem
SSLCertificateKeyFile d:\mpahso\sslcert\server.key
SSLUserPINFile d:\mpahso\sslcert\upinfile
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
[UNIX] [Linux]
If performing SSL operations with the following settings:
SSL protocol version: "TLSv1.2 TLSv1.3"
Passphrase management file: "/export/home/mpahso/sslcert/upinfile"
Site certificate: "/export/home/mpahso/sslcert/cert/server.pem"
Site private key: "/export/home/mpahso/sslcert/server.key"
[Example of how to edit httpd.conf]
ServerAdmin webmaster@main.example.com
ServerName main.example.com
SSLEngine On
SSLHonorCipherOrder On
SSLProtocol TLSv1.2 +TLSv1.3
SSLCertificateFile /export/home/mpahso/sslcert/cert/server.pem
SSLCertificateKeyFile /export/home/mpahso/sslcert/server.key
SSLUserPINFile /export/home/mpahso/sslcert/upinfile
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
Note
Note that "httpd.conf" is excluded when backup and restoration are performed, or when migration assets are backed up and restored. Therefore, the same settings must be configured again if you restore the environment from the backup or restore the migration assets.
This section explains how to back up and restore the certificate/key management environment.
Back up existing resources (private keys and certificates)
Back up the resources specified in the target directives (Note) of the environment definition file (httpd.conf) to the backup directory. The backup contains the private key and the passphrase management file, so restrict access to it as tightly as to the originals.
Restore private keys and certificates
Restore the backed-up resources to the paths specified in the target directives (Note) of the environment definition file (httpd.conf).
Note: the target directive
Site certificate: (The file specified in the SSLCertificateFile directive)
Site private key: (The file specified in the SSLCertificateKeyFile directive)
Passphrase management file: (The file specified in the SSLUserPINFile directive)
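A script for these two steps, added here as an example; it is not code from the Systemwalker manual or product. It reads the three target directives out of httpd.conf, copies the files they name into an owner-only backup directory, and restores them to whatever paths the current httpd.conf names (re-reading the file, since httpd.conf itself is not restored by the product and may have been edited again). The httpd.conf fragment and the certificate, key and passphrase files it works on are constructed stand-ins, and every path under $WORK is an assumption for this example.

```shell
#!/bin/bash
# Added example, not code from the Systemwalker manual: backs up and restores the
# files named by the SSL directives of httpd.conf, following the two steps above.
# The httpd.conf fragment, the files it points at and all paths under $WORK are
# constructed for this example; the real file lives at the path the manual gives.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HTTPD_CONF="$WORK/httpd.conf"
BACKUP_DIR="$WORK/backup"
DIRECTIVES="SSLCertificateFile SSLCertificateKeyFile SSLUserPINFile"

# Constructed stand-in for the product's environment (certificate, private key, passphrase file)
setup_fixture() {
  mkdir -p "$WORK/sslcert/cert"
  echo "site certificate data" > "$WORK/sslcert/cert/server.pem"
  echo "private key data"      > "$WORK/sslcert/server.key"
  echo "passphrase file data"  > "$WORK/sslcert/upinfile"
  chmod 600 "$WORK/sslcert/server.key" "$WORK/sslcert/upinfile"
  cat > "$HTTPD_CONF" <<EOF
ServerName main.example.com
SSLEngine On
# SSLCertificateKeyFile /old/path/server.key
SSLCertificateFile "$WORK/sslcert/cert/server.pem"
SSLCertificateKeyFile $WORK/sslcert/server.key
SSLUserPINFile $WORK/sslcert/upinfile
EOF
}

# Path set by one directive: case-insensitive, comments ignored, quotes stripped,
# last occurrence wins (the way Apache resolves a repeated directive)
directive_path() {
  awk -v d="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
      '!/^[[:space:]]*#/ && tolower($1) == d { p = $2 } END { print p }' "$HTTPD_CONF" | tr -d '"'
}

# Copy each target file into an owner-only backup directory, named by its directive
backup_ssl_assets() {
  mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
  for d in $DIRECTIVES; do
    src=$(directive_path "$d")
    [ -n "$src" ] && [ -f "$src" ] || { echo "$d: file not found: '$src'" >&2; return 1; }
    cp -p "$src" "$BACKUP_DIR/$d"
  done
}

# Put each file back at the path httpd.conf names now
restore_ssl_assets() {
  for d in $DIRECTIVES; do
    dst=$(directive_path "$d")
    [ -n "$dst" ] || { echo "$d: not set in $HTTPD_CONF" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    cp -p "$BACKUP_DIR/$d" "$dst"
  done
}

# Returns 0 when every restored file is byte-identical to its backup copy
verify_restore() {
  for d in $DIRECTIVES; do
    cmp -s "$BACKUP_DIR/$d" "$(directive_path "$d")" || return 1
  done
}

setup_fixture
backup_ssl_assets
rm -rf "$WORK/sslcert"            # simulate the loss the backup protects against
restore_ssl_assets
verify_restore && echo "restored: $(for d in $DIRECTIVES; do directive_path "$d"; done | tr '\n' ' ')"
```

On the real system point HTTPD_CONF at the path given for your platform and BACKUP_DIR at a directory only the administrator can read; the same three directive names apply to both Windows and UNIX httpd.conf files.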