Using the Ready-to-Go Key Ring Files is usually the fastest way to bring Web-based System Manager security into an operational state. In this scenario, you use a single machine to define an internal CA (Certificate Authority) and generate ready-to-go key ring files for all of your Web-based System Manager servers and clients. This produces one CA public key ring file, which you must copy to every server and client, and a unique private key ring file for each server.
The following steps describe how to use Ready-to-Go Key Ring Files:
You should use a well-protected system for the CA, because the CA private key is the most sensitive data in the Web-based System Manager security configuration: anyone who obtains it can issue certificates that every server and client you configure will trust.
Note: Do not use diskless or dataless workstations as Certificate Authorities, because the private key would be transferred over the network.
After the CA machine is chosen, log in locally as the root user and start Web-based System Manager. The security configuration applications of Web-based System Manager are not accessible if you are not logged in as the root user or if you are running Web-based System Manager in remote application or applet mode.
Select Management Environment --> hostname --> System Manager Security --> Certificate Authority.
On the task list for Certificate Authority, select Configure this system as a Web-based System Manager Certificate Authority. When the wizard opens, fill in the following information:
You can also define an internal CA from the command line with the /usr/websm/bin/smdefca command.
Provide the fully qualified TCP/IP host names of all of your Web-based System Manager servers.
On the task list for Certificate Authority, select Generate Servers' Private Key Ring Files. In the CA password dialog, enter the password that you specified when you defined the CA. Then fill in the following information:
When you click OK, a private key ring file is created for each server that you specified.
You can also generate the servers' private key ring files from the command line with the /usr/websm/bin/smgenprivkr command.
A copy of the CA public key ring file from the directory you specified in step 1 must be placed in the /usr/websm/codebase directory of your Web-based System Manager servers and clients.
Note: The content of this file is not secret. However, placing it on a client machine determines which CA the client trusts, so anyone who can replace it can make the client trust a different CA. Write access to this file on the client machine should therefore be restricted. In applet mode, the client can trust the server to send over this file along with the applet itself, provided the HTTPS protocol is used.
Each server's private key ring file must be installed on the server.
You can move the files to their targets in any secure way. Shared directory and diskette TAR methods are described here:
Note: For the shared directory method, you should have chosen to encrypt the server private key ring files on the Generate Servers' Private Key Ring Files dialog, because the files are transferred in the clear, that is, without any encryption on the network path. It is also recommended that you restrict the access rights on the shared directory to the administrator.
Next, install the server private key rings on each server. Log on to each server as the root user, start Web-based System Manager and select Management Environment --> hostname --> System Manager Security --> Server Security. From the task list, select Install the private key ring file for this server. Select the source for the server private key ring files. If using a diskette, select tar diskette, insert the diskette, and then click OK. If the key ring files are encrypted, you are asked for the password. The server's private key ring is installed as /var/websm/security/SM.privkr. Repeat this procedure on each server.
You can also distribute private key ring files to all servers from the command line with the /usr/websm/bin/sminstkey command.
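The documentation leaves the transport of the key ring files up to you ("any secure way"). The following script is an added example, not part of the AIX documentation and not a Web-based System Manager tool: it packages each server's private key ring together with the CA public key ring into a per-server tar archive on the CA machine, keeps every intermediate file owner-only, writes a SHA-256 manifest, and gives the receiving server a check to run before it installs the archive with sminstkey or the Server Security task. The staging directory, the file names SM.pubkr and <host>.privkr, and the demo hosts are assumptions for the example; the only paths taken from the documentation are the target locations /usr/websm/codebase and /var/websm/security/SM.privkr.

```shell
#!/bin/sh
# Added example: package, verify and permission-check key ring files.
# Staging layout (assumed, not documented):
#   $stage/SM.pubkr        CA public key ring (goes to /usr/websm/codebase)
#   $stage/<host>.privkr   that server's private key ring (becomes
#                          /var/websm/security/SM.privkr after install)
set -eu
umask 077   # everything created below is readable by the owner only

digest() {  # SHA-256 of a file, using whichever tool the host has
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
  fi
}

# CA side: one archive per server plus a manifest of archive digests.
package_keyrings() {
  stage=$1; out=$2
  mkdir -p "$out"
  for privkr in "$stage"/*.privkr; do
    host=$(basename "$privkr" .privkr)
    chmod 600 "$privkr"
    tar -cf "$out/$host.tar" -C "$stage" SM.pubkr "$host.privkr"
    chmod 600 "$out/$host.tar"
    printf '%s  %s\n' "$(digest "$out/$host.tar")" "$host.tar" \
      >> "$out/MANIFEST.sha256"
  done
}

# Server side: compare the received archive with the manifest entry the
# administrator obtained separately from the CA. Non-zero means do not
# install this archive.
verify_archive() {
  archive=$1; manifest=$2
  name=$(basename "$archive")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
  [ -n "$expected" ] || { echo "no manifest entry for $name" >&2; return 1; }
  [ "$expected" = "$(digest "$archive")" ] \
    || { echo "checksum mismatch for $name" >&2; return 1; }
}

# After installation: the private key ring must be readable by its owner
# only (mode 600). Run as root on the server and confirm the owner is root.
check_privkr_perms() {
  [ -f "$1" ] || return 1
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ]
}

# Demo with constructed placeholder key ring files (not real key rings):
# packaging succeeds, an intact archive verifies, a tampered one is refused.
demo() {
  work=$(mktemp -d); stage=$work/stage; out=$work/out
  mkdir -p "$stage"
  printf 'constructed placeholder public key ring\n' > "$stage/SM.pubkr"
  for h in wsmsrv1.example.com wsmsrv2.example.com; do   # assumed hosts
    printf 'constructed placeholder private key ring for %s\n' "$h" \
      > "$stage/$h.privkr"
  done
  package_keyrings "$stage" "$out"
  verify_archive "$out/wsmsrv1.example.com.tar" "$out/MANIFEST.sha256" || return 1
  check_privkr_perms "$out/wsmsrv1.example.com.tar" || return 1
  printf 'x' >> "$out/wsmsrv2.example.com.tar"            # simulate tampering
  if verify_archive "$out/wsmsrv2.example.com.tar" "$out/MANIFEST.sha256" 2>/dev/null; then
    return 1                                              # must have been refused
  fi
  rm -rf "$work"
}

demo && echo "packaging, verification and permission checks passed"
```

The manifest is only useful if it travels by a different route than the archives (for example, read out over the phone or sent from the administrator's own account), since an attacker who can alter an archive on the shared directory or diskette can also rewrite a manifest stored beside it. Integrity checking does not replace the encryption option on the Generate Servers' Private Key Ring Files dialog; the two address different threats, tampering and disclosure.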