Use this scenario if you do not want to use an internal Web-based System Manager CA, but instead you want to use another internal CA product that may already be functioning on your system. In this scenario, your certificate requests are signed by this other CA.
Provide full TCP/IP names of all your Web-based System Manager servers. You can enter them in the dialog one at a time, or you can provide a file containing a list of your servers, one per line.
On a server, log in locally as root user and start Web-based System Manager. The security configuration applications of Web-based System Manager are not accessible if you are not logged in as root user or if you are running Web-based System Manager in remote application or applet mode.
Select Management Environment --> hostname --> System Manager Security --> Server Security.
On the task list for Server Security, select Generate private keys and certificate requests for this server and other servers. Fill in the following information:
When you click OK, a private key file and a certificate request is created for each server that you specified.
You can perform this task from the command line with the /usr/websm/bin/smgenkeycr command.
Transfer the certificate request files to the CA. The certificate requests do not contain secret data. However, the integrity and authenticity during transfer must be ensured.
Transfer a copy of the certificate request files from the server to a directory on the CA machine.
Follow the instructions of your CA to generate the signed certificates out of the certificate requests.
Transfer the certificates from the CA back to the server. Copy them to the directory containing the certificate requests and server private key files that you created in step 1. This step requires that the certificate file of server S be named S.cert.
Then, on the server, from Server Security, select Import Signed Certificates.
Fill in the following information:
When you click OK, if the server private key files were encrypted in step 1, you are prompted for the password. Then, for each server that you selected, the certificate is imported into the private key file and the private key ring file is created.
You can perform the above task from the command line with the /usr/websm/bin/smimpservercert command.
Each server's private key ring file must be installed on the server.
You can move the files to their targets in any secure way. Shared directory and diskette TAR methods are described here:
Note: For this method, you should have chosen to encrypt the server private key ring files on the Generate private keys and certificate requests for this server and other servers dialog, because the files are transferred in the clear. It is also recommended that you restrict the access rights to the shared directory to the administrator.
Next, install the server private key rings on each server. Log in to each server as root user and start Web-based System Manager. Select Management Environment --> hostname --> System Manager Security --> Server Security. Select Install Private Key Ring, then select the source for the server private key ring files. If using a diskette TAR, insert the diskette before clicking OK. If the key ring files are encrypted, you are asked for the password. The server's private key is installed in /var/websm/security/SM.privkr. Repeat this procedure on each server.
You can perform this task from the command line with the /usr/websm/bin/sminstkey command.
Receive the self-signed CA certificate of your CA. Copy it to a directory on the server you are working on.
Then, on the server, from the task list for Server Security, select Import CA Certificate.
Fill in the following information:
When you click OK, the public key ring file SM.pubkr is written to the directory you specified.
You can perform the above task from the command line with the /usr/websm/bin/smimpcacert command.
A copy of the CA public key ring file must be placed in the /usr/websm/codebase directory of all Web-based System Manager servers and clients.
Note: The content of this file is not secret. However, placing it on a client machine specifies which CA the client trusts. Thus, make sure that you limit access to this file on the client machine. In applet mode, the client can trust the server to send over this file along with the applet itself, provided the HTTPS protocol is used.