Using the Ready-to-Go Key Ring Files is usually the fastest way to get
into security operational state. In this scenario, use a single machine to
define an internal CA (Certificate Authority) and generate ready-to-go key
ring files for all of your Web-based System Manager servers and clients. This generates
a public key ring file that you must copy to all of the servers and clients
as well as a unique private key ring file for each server.
- Define an Internal Web-based System Manager Certificate Authority.
You should use a safe system for the CA because its private
key is the most sensitive data in the Web-based System Manager security configuration.
Note
Do not use diskless or dataless workstations as Certificate
Authorities, because the private key would be transferred over the network.
After the CA machine is chosen, log in locally as
the root user and start Web-based System Manager. The security configuration applications
of Web-based System Manager are not accessible if you are not logged in as the root
user or if you are running Web-based System Manager in remote application or applet
mode.
Select Management Environment --> hostname --> System Manager Security --> Certificate
Authority.
On the task list for Certificate Authority, select Configure this system as a Web-based System Manager Certificate
Authority. When the wizard opens, fill in the following information:
- Certificate Authority distinguished name
Type a descriptive name that helps you identify the CA machine and the instance of the CA; for example, the machine's host name plus a sequence number. Blanks are permitted in the name. If you redefine the CA, use a different sequence number so you will be able to determine which instance of the CA a certificate is signed by. The name should not be exactly the same as the full TCP/IP name, as this will not work with the SMGate daemon.
- Organization name
Type a descriptive name that identifies your company or your organization.
- ISO country code or region code
Type your two-character ISO country code or region code or select it from the list.
- Expiration date
After the certificate expires, reconfigure Web-based System Manager security by redefining the CA and generating new private key ring files for all of your servers. You can change this date or accept the default value.
- Public key ring directory
The public key ring containing the CA's certificate is written to this directory. Copy this file to the Web-based System Manager codebase directory on all of the Web-based System Manager servers and clients.
- Password
The CA's private key ring file is encrypted with this password. You need to type this password each time you perform a task on this CA.
You can also define an internal CA from the command
line with the /usr/websm/bin/smdefca command.
- Generate Private Key Ring Files for Your Web-based System Manager Servers.
Provide the full TCP/IP names of all of your Web-based System Manager servers.
On the task list for Certificate Authority,
select Generate Servers' Private Key Ring Files. In
the CA password dialog, type the password that you specified when you defined
the CA. Then fill in the following information:
When you click OK, a private key ring file
is created for each server that you specified.
You can also generate the servers' private key ring files from the command line with the /usr/websm/bin/smgenprivkr command.
- Distribute the Public Key Ring File (SM.pubkr) to All Servers and Clients.
A copy of the CA public key ring file from
the directory you specified in Step 1 must be placed on your Web-based System Manager servers
and clients in the directory you chose during installation, similar to the
following:
- on an AIX client, use the /usr/websm/codebase directory
- on a Windows client, use the Program Files\websm\codebase directory
- on a Linux client, use the /opt/websm/codebase directory
Note
This file must be copied in a binary format.
Note
The content of this file is not
secret. However, placing it on a client machine specifies which CA the client
trusts. Thus, access to this file on the client machine should be limited.
In applet mode, the client can trust the server to send over this file along
with the applet itself, provided the HTTPS protocol
is used.
- Distribute the Private Key Ring Files to All Servers.
Each server's private key ring file must be installed
on the server.
You can move the files to their targets in any secure
way. Shared directory and diskette TAR methods are described here:
- Shared directory: Place all of the key ring files
on a shared directory (for example, NFS or DFS) accessible to each server.
Note
For this method, you should have chosen to encrypt the server private
key ring files on the Generate Servers Private Key Ring Files dialog, because the files are transferred without encryption. It is
also recommended that you restrict the access rights to the shared directory
to the administrator.
- Diskette TAR: Generate a diskette TAR containing
all of the server private key ring files. The TAR archive should contain only
the file names without the paths. To do this, change directories to the directory
containing the server private key ring files and run the command tar -cvf /dev/fd0 *.privkr.
Install the server private key rings on each server.
- Log on to each server as root user, start Web-based System Manager and select Management Environment --> hostname --> System Manager Security --> Server Security.
- From the task list, select Install the private key ring file for this server.
- Select the source for the server private key ring files. If using a diskette,
select tar diskette.
- Insert the diskette.
- Click OK.
If the key ring files are encrypted, you are asked for the password.
The server's private key is installed in /var/websm/security/SM.privkr.
Repeat this procedure on each server.
You can also distribute private key ring files to all servers from the command line with the /usr/websm/bin/sminstkey command.
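The following shell script is an added example, not part of the IBM documentation and not the code behind the Web-based System Manager tasks or the smgenprivkr and sminstkey commands. It walks through the file-level side of Steps 3 and 4: packing the server private key ring files into a tar archive that holds file names only, copying SM.pubkr byte-for-byte and confirming it with a checksum, and placing one server's private key ring as SM.privkr with owner-only permissions. It assumes the archive is written to a file rather than /dev/fd0, that the key ring contents are constructed placeholders, and that temporary directories stand in for the codebase directory and /var/websm/security.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: pack the server private
# key ring files into a tar archive that carries file names only, install the
# CA public key ring (SM.pubkr) byte-for-byte with a checksum comparison, and
# put one server's private key ring in place as SM.privkr with owner-only
# permissions.
# Assumptions: the archive goes to a file instead of /dev/fd0, the key ring
# contents are constructed placeholders, and temporary directories stand in
# for /usr/websm/codebase and /var/websm/security.
set -e

WORK="${TMPDIR:-/tmp}/websm-keyring-example.$$"
CA_OUT="$WORK/ca-output"      # directory where the CA wrote SM.pubkr and *.privkr
CODEBASE="$WORK/codebase"     # stands in for the client's /usr/websm/codebase
SECDIR="$WORK/srv1/security"  # stands in for /var/websm/security on one server
ARCHIVE="$WORK/privkr.tar"    # stands in for the diskette (/dev/fd0)
mkdir -p "$CA_OUT" "$CODEBASE" "$SECDIR"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the real key ring files (non-text bytes included,
# so a text-mode copy that altered them would be caught by the checksum).
printf '\001CA-PUBLIC-KEY-RING\377' > "$CA_OUT/SM.pubkr"
printf '\002srv1-PRIVATE-KEY-RING\377' > "$CA_OUT/srv1.example.com.privkr"
printf '\002srv2-PRIVATE-KEY-RING\377' > "$CA_OUT/srv2.example.com.privkr"

# Create the archive from inside the directory so that members are bare file
# names, which is what the tar -cvf /dev/fd0 *.privkr step relies on.
pack_privkr() {              # $1 = archive path (absolute), $2 = source directory
    ( cd "$2" && tar -cf "$1" *.privkr )
}

# Succeed only if every archive member is a path-free name ending in .privkr.
archive_members_ok() {       # $1 = archive path
    bad=$(tar -tf "$1" | grep -c -v '^[^/]*\.privkr$' || true)
    [ "$bad" -eq 0 ]
}

# Copy SM.pubkr and confirm the bytes match the CA's copy. The file is not
# secret, but it decides which CA the client trusts, so only the owner may
# replace it.
install_pubkr() {            # $1 = CA's SM.pubkr, $2 = client codebase directory
    cp "$1" "$2/SM.pubkr"
    src_sum=$(cksum < "$1" | cut -d' ' -f1)
    dst_sum=$(cksum < "$2/SM.pubkr" | cut -d' ' -f1)
    [ "$src_sum" = "$dst_sum" ] || return 1
    chmod 0644 "$2/SM.pubkr"
}

# Extract only this server's private key ring from the archive and install it
# as SM.privkr readable by the owner alone (the file-level result of the
# Install the private key ring file for this server task).
install_privkr() {           # $1 = archive, $2 = server's full TCP/IP name, $3 = security directory
    ( cd "$3" && tar -xf "$1" "$2.privkr" )
    mv "$3/$2.privkr" "$3/SM.privkr"
    chmod 0600 "$3/SM.privkr"
}

pack_privkr "$ARCHIVE" "$CA_OUT"
archive_members_ok "$ARCHIVE"
install_pubkr "$CA_OUT/SM.pubkr" "$CODEBASE"
install_privkr "$ARCHIVE" srv1.example.com "$SECDIR"

echo "archive members: $(tar -tf "$ARCHIVE" | tr '\n' ' ')"
ls -l "$CODEBASE/SM.pubkr" "$SECDIR/SM.privkr"
```

On a real system the archive target would be /dev/fd0 (or a restricted shared directory), the destination of install_pubkr would be the codebase directory chosen at installation, and the private key ring would be installed through the Server Security task or sminstkey rather than by hand; the checks here (members without paths, checksum match after a binary copy, owner-only mode on the private key ring) are the ones worth repeating whichever transfer method is used.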