
Web-based System Manager Administration Guide

Avoiding Transfer of Private Keys

Use this scenario if you want a private key to be generated on the server it belongs to, preventing it from being transferred (by network or diskette) to other systems. In this scenario, you configure each server separately. The process must be repeated on each server.

Before you follow this scenario, configure your CA by following the steps in Using Ready-to-Go Key Ring Files.

This scenario involves the following tasks:

  1. Generate a Private Key and Certificate Request for Your Web-based System Manager Server.

    On the server, log in locally as root user and start Web-based System Manager. The security configuration applications of Web-based System Manager are not accessible if you are not logged in as root user or if you are running Web-based System Manager in remote application or applet mode.

    Select Management Environment --> hostname --> System Manager Security --> Server Security.

    On the task list for Server Security, select Generate private keys and certificate requests for this server and other servers. Fill in the following information:

    When you click OK, a private key ring file and a certificate request are created for this server.

    You can perform this task from the command line with the /usr/websm/bin/smgenkeycr command.

  2. Get the Certificates Signed by the CA.

    Transfer the certificate request file to your CA. The certificate request does not contain secret data. However, you must ensure its integrity and authenticity during transfer.

    Transfer a copy of the certificate request file from the server to a directory on the CA machine. To save time, you can transfer the certificate requests from all of your servers and have all of them signed by the CA in one step.

    Log in to your CA machine locally as root user and start Web-based System Manager. The security configuration applications of Web-based System Manager are not accessible if you are not logged in as root user or if you are running Web-based System Manager in remote application or applet mode.

    Select Management Environment --> hostname --> System Manager Security --> Certificate Authority.

    On the task list for Certificate Authority, select Sign Certificate Requests. Fill in the following information:

    When you click OK, a certificate file is created for each server that you selected. The certificate is written to the directory containing the certificate request.

    You can perform this task from the command line with the /usr/websm/bin/smsigncert command.

  3. Import the Certificates to the Private Key Files.

    Transfer the certificate from the CA back to the server. Copy it to the directory containing the certificate request and server private key file that you previously created in step 1.

    Then, on the server, from the task list for Server Security, select Import Signed Certificates.

    Fill in the following information:

    When you click OK, if the server private key file was encrypted in step 1, you are prompted for the password. Your server's certificate is imported into the private key file, and the private key ring file is created in the directory containing the certificate request and private key file.

    You can perform this task from the command line with the /usr/websm/bin/smimpservercert command.

  4. Install the Private Key on the Server.

    On the task list for Server Security, select Install the private key ring file for this server. Select the Directory button and enter the directory containing the server's private key ring file. If the key ring file was encrypted, you are asked for the password. The server's private key is installed in /var/websm/security/SM.privkr.

    You can perform this task from the command line with the /usr/websm/bin/sminstkey command.

  5. Distribute the Public Key Ring File (SM.pubkr) to All Servers and Clients.

    A copy of SM.pubkr from the directory you specified in step 1 must be placed in the /usr/websm/codebase directory of your Web-based System Manager servers and clients.

    Note: The content of this file is not secret. However, placing it on a client machine specifies which CA the client trusts. Thus, make sure that you limit access to this file on the client machine. In applet mode, the client can trust the server to send over this file along with the applet itself, provided the HTTPS protocol is used.
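The two checks a practitioner wants around this scenario are that nothing but the certificate request leaves the server in step 2, with its integrity confirmable on the CA machine, and that the SM.pubkr copy placed on each client in step 5 cannot be replaced by anyone but root. The following shell functions are an added example, not part of the Web-based System Manager tooling; they assume the certificate request is a PEM text file (an assumption about the file format) and that sha256sum or openssl is available on both the server and the CA machine.

```shell
#!/bin/sh
# Pre-transfer guard for a WebSM certificate request (added example, not
# part of the WebSM tooling). Assumes the request file is PEM text and that
# sha256sum or openssl is available on both the server and the CA machine.

# 0: file is a certificate request with no private-key material
# 1: file carries private-key material (it must never leave the server)
# 2: file is missing or is not a certificate request
csr_is_safe_to_transfer() {
    f="$1"
    [ -f "$f" ] || return 2
    if grep -q 'PRIVATE KEY' "$f"; then
        return 1
    fi
    grep -q 'BEGIN.*CERTIFICATE REQUEST' "$f" || return 2
    return 0
}

# SHA-256 of the request; record it out of band (phone, signed mail) so the
# CA operator can confirm integrity before signing the request.
csr_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# On the CA machine: 0 if the received file matches the recorded fingerprint.
csr_verify_fingerprint() {
    [ "$(csr_fingerprint "$1")" = "$2" ]
}

# For the distributed SM.pubkr: 0 if neither group nor others can write it,
# so only root can swap in a different CA's public key ring on the client.
pubkr_access_is_limited() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -002 -o -perm -020 \) 2>/dev/null)" ]
}

# Typical use on the server, before copying the request to the CA machine:
#   csr_is_safe_to_transfer /path/to/server.csr && csr_fingerprint /path/to/server.csr
```

The fingerprint is only useful when it travels by a channel separate from the request file itself; the permission check is meant to be run on each client after SM.pubkr is copied into /usr/websm/codebase.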
