Use this scenario if you have multiple sites and do not want to distribute
private key ring files between sites. Suppose you have site A and site B,
and you define your internal Web-based System Manager Certificate Authority (CA) on
a machine in site A. See Step 1 of Using Ready-to-Go Key Ring Files for directions
on configuring a CA.
For all clients and for site A servers, you can follow
the instructions in
Using Ready-to-Go Key Ring Files.
- Generate Private Keys and Certificate Requests for Your Web-based System Manager Servers.
Provide the full TCP/IP
names of all Web-based System Manager servers in site B. You can type them in the dialog
one at a time, or you can provide a file containing a list of your servers,
one per line.
On a server in site B, log in locally as root user and
start Web-based System Manager. The security configuration applications of Web-based System Manager are
not accessible if you are not logged in as root user or if you are running
the Web-based System Manager in remote application or applet mode.
Select Management Environment --> hostname --> System Manager Security --> Server Security.
On the task list for Server Security, select Generate Servers' Private Keys and Certificate Requests.
Fill in the following information:
- List of servers
Add the names
of your Web-based System Manager servers in site B to the list. You can type them in
the dialog one at a time or you can provide a file containing a list of your
servers, one per line. To get the server names from the file, type the file
name in the File containing list of servers entry field
and click the Browse file button. Use the Browse Server List File dialog to select some or all of the servers in
the list.
- Organization name
Type a
descriptive name that identifies your company or your organization.
- ISO country code or region code
Type
your two-character ISO country code or region code or select it from the list.
- Location for private key ring files
Type
the directory where you want the server private key ring files and certificate
requests written. In step 2, transfer the certificate request files to the
CA in site A for signing. In step 3, transfer the signed certificates from
the CA in site A back to this directory.
- Length in bits of server keys
Select
a key length (this field displays only if you have the sysmgt.websm.security-us fileset installed).
- Encrypt the server private key ring files
This
dialog creates a private key ring file for each server you specified. Each
private key ring file contains the private key of the server, and therefore,
must always be kept protected. You can protect the private key ring files
by encrypting them. If you select this option, you are prompted for a password,
which you need when you import the signed certificates and when you install
the private key rings on the servers.
When you click OK, a private key ring file
and a certificate request are created for each server you specified.
You can also generate private keys and certificate requests from the command
line with the /usr/websm/bin/smgenkeycr command.
- Get the Certificates Signed by the CA in Site A.
Transfer the certificate request files to the CA in site
A. The certificate requests do not contain secret data, but you must ensure
their integrity and authenticity during the transfer.
Transfer a copy of
the certificate request files from the server in site B to a directory on
the CA machine in site A.
Log in to the CA machine in site A locally
as root user and start the Web-based System Manager. The security configuration applications
of the Web-based System Manager are not accessible if you are not logged in as root
user or if you are running the Web-based System Manager in remote application or applet
mode.
Select Management Environment --> hostname --> System Manager Security --> Certificate
Authority.
On the task list for Certificate Authority, select Sign Certificate Requests. Fill in the
following information:
- Directory for certificate requests
Type
the directory containing the certificate requests. Then click the Update List button. The certificate request list displays.
- Select certificate requests to sign
To
select individual certificate requests, click their names in the list box.
To select all of the listed certificate requests, click the Select All button.
- Certificate expiration date
After
the certificate expires, you need to repeat this process to generate new private
key ring files for your servers. You can change this date or accept the default
date.
When you click OK, a certificate file is created
for each server you selected. The certificates are written to the directory
containing the certificate requests.
You can also sign the certificate requests from the command
line with the /usr/websm/bin/smsigncert command.
- Import the Signed Certificates to the Servers' Private Key Ring Files.
In this step, transfer the certificates
from the CA in site A back to the server in site B. Copy them to the directory
containing the certificate requests and server private key files you created
in step 1.
Then, on the server in site B from the Server Security task list, select Import Signed Certificates.
Fill in the following information:
- Directory for certificates and private keys
Type
the directory containing the signed certificates and server private key files.
Click Update List. The list of servers for which there
is a signed certificate and a private key file displays.
- Select one or more servers from the list
To
select individual servers, click their names in the list box. To select all
of the listed servers, click the Select All button.
When you click OK, you are prompted for the
password if the server private key files were encrypted in step 1. For each
server you selected, the certificate is imported into the private key file
and the private key ring file is created.
You can import signed certificates
from the command line with the /usr/websm/bin/smimpservercert command.
- Distribute the Private Key Ring Files to All Servers.
Each server's private key ring file must be installed
on the server.
You can move the files to their targets in any secure
way. Shared directory and diskette TAR methods are described here:
- Shared directory: Place all of the key ring files
on a shared directory (for example, NFS or DFS) accessible to each server.
Note
For this method, you should have chosen to encrypt the server private
key ring files on the Generate private keys and certificate
requests for this server or other servers dialog, because the files are
transferred without encryption. It is also recommended that you restrict the
access rights to the shared directory to the administrator.
- Diskette TAR: Generate a diskette TAR containing
all of the server private key ring files. The TAR archive should contain only
the file names without the paths. To do this, go to the directory containing
the server private key ring files and run the command tar -cvf /dev/fd0 *.privkr.
Install the server private key rings on each server.
- Log in to each server as root user and start Web-based System Manager.
- Select Management Environment --> hostname --> System Manager Security --> Server Security.
- Select Install the private key ring files for this server.
- Select the source for the server private key ring files. If using a diskette
TAR, insert the diskette.
- Click OK.
If the key ring files are encrypted, you are asked for the password.
The server's private key is installed in /var/websm/security/SM.privkr. Repeat this procedure on each server.
You can also distribute
the private key ring files from the command line with the /usr/websm/bin/sminstkey command.
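The packaging described in this step, together with the integrity requirement that step 2 places on the certificate request transfer, as an added shell example that is not part of the Web-based System Manager documentation or product: it builds a TAR that stores bare file names only and a SHA-256 manifest, then verifies the manifest on the receiving side so a modified key ring file is caught before installation. It assumes coreutils sha256sum (use csum -h SHA256 on AIX), uses an ordinary archive file path in place of /dev/fd0, and constructs placeholder .privkr files.

```shell
#!/bin/sh
# Added example; not part of the Web-based System Manager documentation or product.
# Packages server private key ring files (*.privkr) for transfer the way the
# diskette TAR step requires (bare file names, no paths) and adds a SHA-256
# manifest so the receiving side can detect files altered in transit.
# Assumptions: coreutils sha256sum (on AIX use "csum -h SHA256" instead); the
# archive path stands in for /dev/fd0; the sample *.privkr files are constructed.
set -eu

abspath() { case "$1" in /*) printf '%s\n' "$1" ;; *) printf '%s/%s\n' "$PWD" "$1" ;; esac; }

# pack_keyrings DIR ARCHIVE: archive every *.privkr in DIR plus a manifest.
# Running tar from inside DIR is what keeps path components out of the archive.
pack_keyrings() {
  out=$(abspath "$2")
  ( cd "$1" && sha256sum *.privkr > MANIFEST.sha256 \
            && tar -cf "$out" MANIFEST.sha256 *.privkr )
}

# archive_is_flat ARCHIVE: succeeds only if no member name contains a "/".
archive_is_flat() { ! tar -tf "$1" | grep -q /; }

# unpack_and_verify ARCHIVE DIR: extract into an administrator-only directory and
# check every file against the manifest; fails if any key ring file was modified,
# so a caller can stop before installing anything.
unpack_and_verify() {
  arc=$(abspath "$1")
  mkdir -p "$2" && chmod 700 "$2"
  ( cd "$2" && tar -xf "$arc" && sha256sum -c MANIFEST.sha256 >/dev/null )
}

# Demonstration with constructed sample key ring files (placeholder content, not keys).
work=$(mktemp -d)
mkdir "$work/keyrings"
printf 'constructed sample key ring for serverA\n' > "$work/keyrings/serverA.privkr"
printf 'constructed sample key ring for serverB\n' > "$work/keyrings/serverB.privkr"
pack_keyrings "$work/keyrings" "$work/keyrings.tar"
archive_is_flat "$work/keyrings.tar" && echo "archive stores bare file names only"
unpack_and_verify "$work/keyrings.tar" "$work/siteB" && echo "manifest verified: files unchanged"
rm -rf "$work"
```

On the receiving server, run unpack_and_verify first and only then hand the extracted files to the Install the private key ring files for this server dialog.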
- Distribute the CA Public Key Ring File to All Servers and Clients in Site B.
A copy of the CA public key ring
file from the directory you specified in Step 1 must be placed on your Web-based System Manager servers
and clients in the directory you chose during installation, similar to the
following:
- on an AIX client, use the /usr/websm/codebase directory
- on a Windows client, use the Program Files\websm\codebase directory
- on a Linux client, use the /opt/websm/codebase directory
Note
This file must be copied in a binary format.
Note
The content of this file is not
secret. However, placing it on a client machine specifies which CA the client
trusts. Make sure you limit access to this file on the client machine. In
applet mode, the client can trust the server to send over this file along
with the applet itself, provided the HTTPS protocol
is used.