IMPORTANT: Because of Access Manager configuration conflicts, you need to use a netHSM client other than the Identity Server. The remote file system server is a netHSM client, or if you have configured another device as a client, you can use that device.
The following commands are specific to nCipher, which does not come with a tool to generate a key pair and CSR; the Java keytool is used with the nCipher provider instead. nCipher also uses a unique keystore of type nCipher.sworld.
nCipher supports both a Windows and a Linux netHSM client.
If you have a Windows netHSM client, the java command is located at the following path:
c:\Program Files\Java\jdk1.5.0_14\jre\bin\java
If you have a Linux netHSM client, the java command is located at the following path:
/opt/novell/java/bin/java
To create a new key pair for nCipher:
1 On a netHSM client, add the nCipher provider to the provider list of the java.security file:
1a In a text editor, open the C:\Program Files\Java\jdk1.5.0_14\jre\lib\security\java.security file.
1b Add the following lines to the top of the list of providers:
security.provider.1=com.ncipher.fixup.provider.nCipherRSAPrivateEncrypt
security.provider.2=com.ncipher.provider.km.nCipherKM
The provider section should look similar to the following:
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ncipher.fixup.provider.nCipherRSAPrivateEncrypt
security.provider.2=com.ncipher.provider.km.nCipherKM
security.provider.3=sun.security.provider.Sun
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
1c Save your changes.
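Step 1 is easy to get wrong by hand: the two nCipher lines must become providers 1 and 2 and every Sun provider must be renumbered after them without gaps, or Java silently skips the mis-numbered entries. The script below does that edit and also checks the result; it is an added example and is not part of the Access Manager documentation or of nCipher's tooling. The java.security path in the usage line and the sample file contents are assumptions modelled on the JDK 1.5 provider list shown above.

```python
"""Step 1 as a script: put the nCipher providers at the top of the provider list in
java.security and renumber the Sun providers that follow. Example code added here;
it is not part of the Access Manager documentation or of nCipher's tooling.
Usage (the path is an assumption; use the java.security of your netHSM client JRE):
    python add_ncipher_providers.py /opt/novell/java/jre/lib/security/java.security
"""
import re
import sys

# The two providers the documentation says to add, in the order given there.
NCIPHER_PROVIDERS = [
    "com.ncipher.fixup.provider.nCipherRSAPrivateEncrypt",
    "com.ncipher.provider.km.nCipherKM",
]

# Matches "security.provider.<n>=<class>", tolerating a trailing config argument.
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(.+?)\s*$")


def provider_order(text):
    """Return the provider class names in preference order.
    Raises ValueError if the numbering has gaps or duplicates, which Java does not accept."""
    numbered = sorted((int(m.group(1)), m.group(2))
                      for m in map(PROVIDER_RE.match, text.splitlines()) if m)
    numbers = [n for n, _ in numbered]
    if numbers != list(range(1, len(numbers) + 1)):
        raise ValueError("provider numbering is not contiguous: %s" % numbers)
    return [cls for _, cls in numbered]


def add_ncipher_providers(text, new_providers=NCIPHER_PROVIDERS):
    """Return the java.security text with new_providers placed first and every other
    provider renumbered after them. Running it twice leaves the file unchanged."""
    lines = text.splitlines()
    found = [(i, m.group(2)) for i, m in enumerate(map(PROVIDER_RE.match, lines)) if m]
    if not found:
        raise ValueError("no security.provider.N entries found")
    kept = [cls for _, cls in found if cls not in new_providers]
    ordered = list(new_providers) + kept
    first, last = found[0][0], found[-1][0]
    block = ["security.provider.%d=%s" % (n, cls) for n, cls in enumerate(ordered, 1)]
    # Preserve any non-provider lines that sat inside the original block (comments etc.).
    leftovers = [l for l in lines[first:last + 1] if not PROVIDER_RE.match(l)]
    return "\n".join(lines[:first] + block + leftovers + lines[last + 1:]) + "\n"


# Constructed sample modelled on the JDK 1.5 provider list shown in the documentation.
SAMPLE_JAVA_SECURITY = """\
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
#
# Select the source of seed data for SecureRandom.
securerandom.source=file:/dev/urandom
"""

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(add_ncipher_providers(SAMPLE_JAVA_SECURITY))
        sys.exit(0)
    path = sys.argv[1]
    with open(path) as f:
        original = f.read()
    with open(path + ".bak", "w") as f:      # keep a copy to roll back
        f.write(original)
    with open(path, "w") as f:
        f.write(add_ncipher_providers(original))
    print("providers now:", provider_order(add_ncipher_providers(original)))
```

Without an argument the script prints the edited sample so you can see the expected result; with a path it writes a `.bak` copy first and then rewrites the file. `provider_order` is the check to run afterwards on any java.security you edited by hand, since a duplicated or skipped number is the usual cause of the nCipher provider not being picked up.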
2 Add the nfast libraries to the CLASSPATH for Java:
For a Windows client, add the following paths:
c:\nfast\java\classes\keysafe.jar;c:\nfast\java\classes\nfjava.jar;c:\nfast\java\classes\kmjava.jar;c:\nfast\java\classes\kmcsp.jar;c:\nfast\java\classes\jutils.jar;c:\nfast\java\classes\jcetools.jar;c:\nfast\java\classes\spp.jar;c:\nfast\java\classes\rsaprivenc.jar;
For a Linux client, add the following paths and export them:
/opt/nfast/java/classes/nfjava.jar:/opt/nfast/java/classes/kmjava.jar:/opt/nfast/java/classes/kmcsp.jar:/opt/nfast/java/classes/spp.jar:/opt/nfast/java/classes/rsaprivenc.jar:/opt/nfast/java/classes/jutils.jar:/opt/nfast/java/classes/jcetools.jar:/opt/nfast/java/classes/keysafe.jar
3 Create a directory for the keystore and change to that directory.
4 On a Windows client, enter the following command to create a new key in a keystore:
"c:\Program Files\Java\jdk1.5.0_14\jre\bin\java" -Dprotect=module -DignorePassphrase=true sun.security.tools.KeyTool -genkey -v -alias od93 -keyalg RSA -keystore AMstore.jks -storetype nCipher.sworld -provider com.ncipher.provider.km.nCipherKM
Enter your values for the following parameters:
Parameter Description
-Dprotect=module Required if you want the keystore to be module protected.
-DignorePassphrase=true Required if you want the keystore to be module protected.
sun.security.tools.KeyTool The name of the keytool command.
-alias A name that helps you identify the key. In this sample configuration, the name is od93.
-keyalg The security algorithm.
-keystore A name for the keystore. In this sample configuration, the name is AMstore.jks.
-storetype The type of keystore. For nCipher, this must be set to nCipher.sworld.
-provider The name of the providerClass and providerName. This is the provider that you added to the java.security file in Step 1.
The tool prompts you for a password for the keypass and the storepass. They must be the same password if you are going to use card set protection rather than module protection.
The tool also prompts you for the certificate subject name (first name, last name, organization, organizational unit, locality, state or province, and country).
5 To generate a certificate request from a key in the keystore, enter the following command:
"c:\Program Files\Java\jdk1.5.0_14\jre\bin\java" -Dprotect=module -DignorePassphrase=true sun.security.tools.KeyTool -certreq -alias od93 -file cert.csr -keypass mypwd -keystore AMstore.jks -storepass mypwd -storetype nCipher.sworld -provider com.ncipher.provider.km.nCipherKM
Enter your values for the following parameters:
Parameter Description
-Dprotect=module Required if you want the keystore to be module protected.
-DignorePassphrase=true Required if you want the keystore to be module protected.
sun.security.tools.KeyTool The name of the keytool command.
-certreq The parameter that makes this a certificate request.
-alias A name that helps you identify the certificate request. In this sample configuration, the name is od93.
-file The name to be given to the certificate signing request file. In this sample configuration, the name is cert.csr.
-keypass The password for the key. In this sample configuration, the password is mypwd.
-keystore A name for the keystore. In this sample configuration, the name is AMstore.jks.
-storepass The password for the keystore. In this sample configuration, the password is mypwd.
-storetype The type of keystore. For nCipher, this must be set to nCipher.sworld.
-provider The name of the providerClass and providerName.
6 Take the CSR created in Step 5 to a certificate authority. The CA needs to send you a DER-encoded public certificate. The CA also needs to send you the public certificate that it used to create the certificate and the public certificates for any CAs in the chain.
7 Load the public certificate of the CA into the keystore by entering the following command:
"c:\Program Files\Java\jdk1.5.0_14\jre\bin\java" -Dprotect=module -DignorePassphrase=true sun.security.tools.KeyTool -import -alias publicca -file certca.cer -keystore AMstore.jks -storetype nCipher.sworld -provider com.ncipher.provider.km.nCipherKM
Enter your values for the following parameters:
Parameter Description
-Dprotect=module Required if you want the keystore to be module protected.
-DignorePassphrase=true Required if you want the keystore to be module protected.
sun.security.tools.KeyTool The name of the keytool command.
-import The parameter that makes this an import request.
-alias A name that helps you identify that this is the public certificate from the CA. In this sample configuration, the name is publicca.
-file The name of the CA certificate file. In this sample configuration, the name is certca.cer.
-keystore A name for the keystore. In this sample configuration, the name is AMstore.jks.
-storetype The type of keystore. For nCipher, this must be set to nCipher.sworld.
-provider The name of the providerClass and providerName.
The tool prompts you for the keystore password and asks whether you want to trust the certificate.
8 (Conditional) Repeat Step 7 for each CA in the chain, giving each CA a unique alias.
9 Import the signed certificate received from the CA by entering the following command:
"c:\Program Files\Java\jdk1.5.0_14\jre\bin\java" -Dprotect=module -DignorePassphrase=true sun.security.tools.KeyTool -import -alias od93 -file signcert.der -keystore AMstore.jks -storepass mypwd -storetype nCipher.sworld -provider com.ncipher.provider.km.nCipherKM
Enter your values for the following parameters:
Parameter Description
-Dprotect=module Required if you want the keystore to be module protected.
-DignorePassphrase=true Required if you want the keystore to be module protected.
sun.security.tools.KeyTool The name of the keytool command.
-import The parameter that makes this an import request.
-alias A name that helps you identify that this is the signing key pair from the CA. It needs to be the same alias you specified when you created the keystore in Step 4. In this sample configuration, the name is od93.
-file The name of the signing certificate file from the CA. In this sample configuration, the name is signcert.der.
-keystore A name for the keystore. In this sample configuration, the name is AMstore.jks.
-storepass The password for the keystore. In this sample configuration, the password is mypwd.
-storetype The type of keystore. For nCipher, this must be set to nCipher.sworld.
-provider The name of the providerClass and providerName.
10 (Optional) To verify that the certificates have been added to the keystore, enter the following command:
"c:\Program Files\Java\jdk1.5.0_14\jre\bin\java" -Dprotect=module -DignorePassphrase=true sun.security.tools.KeyTool -list -v -keystore AMstore.jks -storetype nCipher.sworld -provider com.ncipher.provider.km.nCipherKM
The keystore should contain at least two certificates. The certificate that you created should now be issued by the CA you used, and the public certificate of the CA should be there as the owner and the issuer.
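Reading the -list -v output by eye is error-prone when the chain has several CAs, so the following script automates the check described in Step 10: the key entry must no longer be self-signed, its issuer must be present as a trusted entry, and following issuers upward must end at a self-signed root. It is an added example, not part of the Access Manager documentation. The sample output is constructed in keytool's -list -v layout (it was not captured from a real netHSM keystore); the alias od93 and the pipe in the usage line are assumptions.

```python
"""Check the output of the step 10 command (keytool -list -v): the key entry must now
be issued by a CA whose certificate is in the keystore as a trusted entry, and that
chain must end in a self-signed root. Example code added here; it is not part of the
Access Manager documentation. Usage (alias od93 and the pipe are assumptions):
    java ... sun.security.tools.KeyTool -list -v -keystore AMstore.jks ... | python check_keystore.py od93
"""
import re
import sys

ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$")
TYPE_RE = re.compile(r"^Entry type:\s*(\S+)")
OWNER_RE = re.compile(r"^Owner:\s*(.+?)\s*$")
ISSUER_RE = re.compile(r"^Issuer:\s*(.+?)\s*$")
KEY_TYPES = {"keyEntry", "PrivateKeyEntry"}   # JDK 1.5 label and the newer one
TRUSTED_TYPES = {"trustedCertEntry"}


def norm_dn(dn):
    """Normalise spacing around the commas of a DN so equal names compare equal."""
    return ", ".join(part.strip() for part in dn.split(","))


def parse_keytool_list(text):
    """Return {alias: {"type", "owner", "issuer"}} for each entry in -list -v output.
    Only the entry's own certificate (the first Owner/Issuer pair) is recorded."""
    entries, cur = {}, None
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            cur = {"type": None, "owner": None, "issuer": None}
            entries[m.group(1)] = cur
            continue
        if cur is None:
            continue
        for key, rx in (("type", TYPE_RE), ("owner", OWNER_RE), ("issuer", ISSUER_RE)):
            m = rx.match(line)
            if m and cur[key] is None:
                cur[key] = m.group(1) if key == "type" else norm_dn(m.group(1))
    return entries


def verify_keystore(entries, key_alias):
    """Return a list of problems; an empty list means the keystore looks as Step 10 expects."""
    problems = []
    key = entries.get(key_alias)
    if key is None:
        return ["no entry with alias %r" % key_alias]
    if key["type"] not in KEY_TYPES:
        problems.append("%s is a %s, not a key entry" % (key_alias, key["type"]))
    if key["owner"] == key["issuer"]:
        problems.append("%s is still self-signed; the CA-signed certificate was not imported" % key_alias)
    trusted = {e["owner"]: e for e in entries.values() if e["type"] in TRUSTED_TYPES}
    if not trusted:
        problems.append("no trusted CA certificate in the keystore")
    # Walk from the key's issuer up the imported CA certificates until a self-signed root.
    issuer, seen = key["issuer"], set()
    while issuer not in seen:
        seen.add(issuer)
        ca = trusted.get(issuer)
        if ca is None:
            problems.append("issuer %r has no trusted entry in the keystore" % issuer)
            break
        if ca["owner"] == ca["issuer"]:
            break                       # reached the root CA
        issuer = ca["issuer"]
    return problems


# Constructed sample output in keytool's -list -v layout (not captured from a real HSM).
SAMPLE_AFTER_IMPORT = """\
Keystore type: nCipher.sworld
Keystore provider: nCipherKM

Your keystore contains 2 entries

Alias name: od93
Creation date: Jan 10, 2010
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=idp.example.com, OU=IT, O=Example Corp, L=Provo, ST=Utah, C=US
Issuer: CN=Example Corp Root CA, O=Example Corp, C=US
Serial number: 1001

*******************************************

Alias name: publicca
Creation date: Jan 10, 2010
Entry type: trustedCertEntry
Owner: CN=Example Corp Root CA,O=Example Corp,C=US
Issuer: CN=Example Corp Root CA, O=Example Corp, C=US
Serial number: 1
"""

# The same key entry as it looks before Steps 7 and 9: self-signed and no CA entry.
SAMPLE_BEFORE_IMPORT = SAMPLE_AFTER_IMPORT.split("\n****")[0].replace(
    "Issuer: CN=Example Corp Root CA, O=Example Corp, C=US",
    "Issuer: CN=idp.example.com, OU=IT, O=Example Corp, L=Provo, ST=Utah, C=US",
).replace("2 entries", "1 entry")

if __name__ == "__main__":
    alias = sys.argv[1] if len(sys.argv) > 1 else "od93"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AFTER_IMPORT
    found = verify_keystore(parse_keytool_list(text), alias)
    print("OK" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```

Run without piped input it checks the built-in sample and prints OK; with the real -list -v output piped in it exits non-zero and names the missing piece, which tells you whether it was Step 7 (CA certificate absent), Step 8 (an intermediate CA absent) or Step 9 (key still self-signed) that did not take.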
11 Copy the keystore to the idp directory on the Identity Server.
Linux: /opt/novell/devman/jcc/certs/idp
Windows Server 2008: \Program Files (x86)\Novell\devman\jcc\certs\idp
The keystore is found on the netHSM client in the directory specified by the -keystore parameter when you created the keystore. See Step 4.
12 Synchronize the Identity Server with the remote file system server.
Linux: Enter the following commands:
/opt/nfast/bin/rfs-sync --update
/opt/nfast/bin/rfs-sync --commit
Windows: Enter the following commands:
C:\nfast\bin>rfs-sync --update
C:\nfast\bin>rfs-sync --commit
13 (Conditional) If the cluster configuration contains more than one Identity Server, complete the following steps for each cluster member:
13a Copy the keystore to the cluster member. Copy it to the following directory:
Linux: /opt/novell/devman/jcc/certs/idp
Windows Server 2008: \Program Files (x86)\Novell\devman\jcc\certs\idp
13b Ensure that the novlwww user has at least read rights.
13c Use the netHSM client to synchronize the cluster member with the remote file system server.
Linux: Enter the following commands:
/opt/nfast/bin/rfs-sync --update
/opt/nfast/bin/rfs-sync --commit
Windows: Enter the following commands:
C:\nfast\bin>rfs-sync --update
C:\nfast\bin>rfs-sync --commit
14 Continue with “Configuring the Identity Server to Use the netHSM Certificate” on page 53.