Use this scenario if you do not want to use an internal Web-based System Manager CA,
but instead you want to use another internal CA product that may already be
functioning on your system. In this scenario, your certificate requests are
signed by this other CA.
1. Generate Private Keys and Certificate Requests for Your Web-based System Manager Servers.
   Provide the full TCP/IP names of all your Web-based System Manager servers. You can enter them in the dialog one at a time, or you can provide a file containing a list of your servers, one per line.
   On a server, log in locally as root user and start Web-based System Manager. The security configuration applications of Web-based System Manager are not accessible if you are not logged in as root user or if you are running Web-based System Manager in remote application or applet mode.
   Select Management Environment --> hostname --> System Manager Security --> Server Security. On the task list for Server Security, select Generate private keys and certificate requests for this server and other servers. Fill in the following information:
   - List of servers: Add the names of your Web-based System Manager servers to the list. You can enter them in the dialog one at a time, or you can provide a file containing a list of your servers, one per line. To get the server names from the file, enter the file name in the File containing list of servers entry field and click the Browse file button. Use the Browse Server List File dialog to select some or all of the servers in the list.
   - Organization name: Enter a descriptive name that identifies your company or your organization.
   - ISO country code or region code: Enter your two-character ISO country code or region code, or select it from the list.
   - Location for private key ring files: Enter the directory where you want the server private key ring files and certificate requests written. In step 2, you transfer the certificate request files to the CA for signing. In step 3, you transfer the signed certificates from the CA back to this directory.
   - Length in bits of server keys: Select a key length (this field displays only if you have the sysmgt.websm.security-us fileset installed).
   - Encrypt the server private key ring files: This dialog creates a private key ring file for each server that you specified. Each private key ring file contains the private key of a server and therefore must always be kept protected. You can protect the private key ring files by encrypting them. If you select this option, you are prompted for a password, which you need when you import the signed certificates and when you install the private key rings on the servers.
   When you click OK, a private key file and a certificate request are created for each server that you specified.
   You can perform this task from the command line with the /usr/websm/bin/smgenkeycr command.
2. Get the Certificates Signed by the CA.
   Transfer the certificate request files to the CA. The certificate requests do not contain secret data; however, their integrity and authenticity during transfer must be ensured.
   Transfer a copy of the certificate request files from the server to a directory on the CA machine. Follow the instructions of your CA to generate the signed certificates from the certificate requests.
3. Import the Signed Certificates to the Server's Private Key Ring Files.
   Transfer the certificates from the CA back to the server. Copy them to the directory containing the certificate requests and server private key files that you created in step 1. This step requires that the certificate file of server S be named S.cert.
   Then, on the server, from Server Security, select Import Signed Certificates. Fill in the following information:
   - Directory for certificates and private keys: Enter the directory containing the signed certificates and server private key files. Then click the Update List button. The list of servers for which there is both a signed certificate and a private key file is displayed.
   - Select one or more servers from the list: To select individual servers, click on them in the list box. To select all of the listed servers, click the Select All button.
   When you click OK, if the server private key files were encrypted in step 1, you are prompted for the password. Then, for each server that you selected, the certificate is imported into the private key file and the private key ring file is created.
   You can perform this task from the command line with the /usr/websm/bin/smimpservercert command.
4. Distribute the Private Key Ring Files to All Servers.
   Each server's private key ring file must be installed on that server. You can move the files to their targets in any secure way. The shared directory and diskette TAR methods are described here:
   - Shared directory: Place all of the key ring files on a shared directory (for example, NFS or DFS) accessible to each server.
     Note: For this method, you should have chosen to encrypt the server private key ring files on the Generate private keys and certificate requests for this server and other servers dialog, because the files are transferred in the clear. It is also recommended that you restrict the access rights to the shared directory to the administrator.
   - Diskette TAR: Generate a diskette TAR containing all of the server private key ring files. The TAR archive should contain only the file names without the paths. To do this, change to the directory containing the server private key ring files and run the command tar -cvf /dev/fd0 *.privkr.
   Install the server private key rings on each server:
   - Log in to each server as root user and start Web-based System Manager.
   - Select Management Environment --> hostname --> System Manager Security --> Server Security.
   - Select Install Private Key Ring.
   - Select the source for the server private key ring files. If using a diskette TAR, insert the diskette.
   - Click OK.
   If the key ring files are encrypted, you are asked for the password. The server's private key is installed in /var/websm/security/SM.privkr. Repeat this procedure on each server.
   You can perform this task from the command line with the /usr/websm/bin/sminstkey command.
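The following shell script is an added example; it is not part of the Web-based System Manager documentation and does not use its tools. It covers three points the procedure raises: the requirement in step 3 that the signed certificate of server S arrive as S.cert, the advice in step 4 to restrict the shared directory and the key ring files to the administrator, and the integrity of files moved between the server and the CA in step 2. The only file names it assumes are the ones the procedure fixes, <server>.cert and <server>.privkr; the directory layout, the server list and the placeholder file contents are constructed for the demonstration and are not real keys or certificates.

```shell
#!/bin/sh
# Added example, not from the AIX Web-based System Manager documentation.
# Pre-flight checks to run before importing signed certificates (step 3)
# and before distributing private key rings over a shared directory (step 4).
set -e

# check_signed_certs DIR LISTFILE
# Every server named in LISTFILE (one per line) must have DIR/<server>.cert,
# because the import step requires exactly that name. Returns non-zero and
# reports each missing or empty certificate on stderr.
check_signed_certs() {
    dir=$1; list=$2; missing=0
    while IFS= read -r server; do
        [ -z "$server" ] && continue          # skip blank lines
        if [ ! -s "$dir/$server.cert" ]; then
            echo "missing or empty: $dir/$server.cert" >&2
            missing=$((missing + 1))
        fi
    done < "$list"
    [ "$missing" -eq 0 ]
}

# check_restricted DIR
# For the shared-directory method the directory and every key ring file in
# it should be accessible to the administrator only, i.e. no group or other
# permission bits. Portable check: columns 5-10 of the ls mode string.
check_restricted() {
    dir=$1; bad=0
    for path in "$dir" "$dir"/*.privkr; do
        [ -e "$path" ] || continue            # unmatched glob stays literal
        mode=$(ls -ld "$path" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "too permissive (group/other: $mode): $path" >&2
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# write_manifest DIR OUT
# Record one cksum line per certificate so the copy that arrives can be
# compared with what was sent. cksum is a CRC, not a cryptographic hash:
# it catches transfer corruption only, and the manifest must travel by a
# separate trusted path for the comparison to say anything about authenticity.
write_manifest() {
    ( cd "$1" && cksum ./*.cert ) > "$2"
}

# verify_manifest DIR MANIFEST
# Returns 0 only if every recorded certificate still matches the manifest.
verify_manifest() {
    ( cd "$1" && cksum ./*.cert ) | cmp -s - "$2"
}

# --- constructed demonstration data (placeholder contents, not real PKI files) ---
DEMO=${TMPDIR:-/tmp}/websm-demo.$$
mkdir -p "$DEMO/keys" && chmod 700 "$DEMO/keys"
printf 'server1\nserver2\n' > "$DEMO/servers.txt"
for s in server1 server2; do
    echo "placeholder signed certificate for $s" > "$DEMO/keys/$s.cert"
    echo "placeholder private key ring for $s"  > "$DEMO/keys/$s.privkr"
    chmod 600 "$DEMO/keys/$s.privkr"
done
write_manifest "$DEMO/keys" "$DEMO/manifest"

if check_signed_certs "$DEMO/keys" "$DEMO/servers.txt" \
   && check_restricted "$DEMO/keys" \
   && verify_manifest "$DEMO/keys" "$DEMO/manifest"; then
    echo "pre-flight checks passed for $DEMO/keys"
fi
```

Point the three functions at the real directory from step 1 and the server list file used in the dialog; the demonstration directory is created under $TMPDIR and can be removed afterwards.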
5. Import the Certificate Authority's Certificate to the Public Key Ring File.
   Receive the self-signed CA certificate of your CA. Copy it to a directory on the server you are working on. Then, on the server, from the task list for Server Security, select Import CA Certificate. Fill in the following information:
   - Directory containing public key ring file: Enter a directory for the CA public key ring file. This file needs to be distributed to all of your servers and clients.
   - Full path name of CA Certificate file: Enter the directory containing the self-signed certificate of your CA.
   When you click OK, the public key ring file SM.pubkr is written to the directory you specified.
   You can perform this task from the command line with the /usr/websm/bin/smimpcacert command.
6. Distribute the Public Key Ring File to All Clients and Servers.
   A copy of the CA public key ring file from the directory you specified in step 1 must be placed on your Web-based System Manager servers and clients in the directory you chose during installation, similar to the following:
   - on an AIX client, use the /usr/websm/codebase directory
   - on a Windows client, use the Program Files\websm\codebase directory
   - on a Linux client, use the /opt/websm/codebase directory
   Note: This file must be copied in a binary format.
   Note: The content of this file is not secret. However, placing it on a client machine specifies which CA the client trusts. Thus, make sure that you limit access to this file on the client machine. In applet mode, the client can trust the server to send over this file along with the applet itself, provided the HTTPS protocol is used.