
Preparations for SSL Communication

For SSL communication using each server, acquire the site certificates and register them in the Interstage certificate environment. For explanations of site certificate acquisition and registration in the Interstage certificate environment, refer to 'Setting and Use of the Interstage Certificate Environment' in the Security System Guide.

When the site certificate is already acquired and registered, the registered site certificate can be used. The following is an example of preparations for SSL communication.

Setting Access Permission of Interstage Certificate Environment

To set up the Interstage certificate environment, an owner group with permission to access the Interstage certificate environment must be created. The created owner group must be specified in the -g option of the scsmakeenv command when the Interstage certificate environment is set up.

The effective user who is to be registered in the owner group of the Interstage certificate environment must already be set in the User directive of the environment configuration file (httpd.conf) of the Interstage HTTP Server.

For an explanation of the access permission of the Interstage certificate environment, refer to 'Setting and Use of the Interstage Certificate Environment' of the Security System Guide.

Signing Request of a Certificate for SSL Communication

Specify the distinguished name components, such as the country code, alphanumeric first and last name, alphanumeric organization name, alphanumeric organizational unit name, prefecture name, and municipality name, to create a certificate signing request (CSR) for the certificate used in SSL communication.

Use the scsmakeenv command to create the CSR. Send the CSR to a certificate authority (VeriSign Inc.) to request issuance of the certificate.

Setup of Authentication Server

Refer to 'SSL Commands' in the Reference Manual (Command Edition) for details of the scsmakeenv command used for CSR creation.

Example

The following is an example in which the name of the CSR output destination file is 'C:\WINNT\temp\ssocert.txt'. Change the name of the CSR output destination file when necessary. When password entry is requested, enter the password for access to the Interstage certificate environment. The entered password is not displayed.

When you are requested to enter distinguished names, enter the values shown below.

Site Certificate Nickname: 'SERVERCERT'
CSR output destination file name: 'C:\WINNT\temp\ssocert.txt'
Country code: jp
Alphanumeric first and last name: authenticate_server.fujitsu.com
Alphanumeric organization name: FUJITSU
Alphanumeric organizational unit name: FUJITSU TOKYO
Prefecture name: Tokyo
Municipality name: Shinjuku

C:\>scsmakeenv -n SERVERCERT -f C:\WINNT\temp\ssocert.txt
New Password:
Retype:
Input X.500 distinguished names.
What is your first and last name?
[Unknown]: authenticate_server.fujitsu.com
What is the name of your organizational unit?
[Unknown]: FUJITSU TOKYO
What is the name of your organization?
[Unknown]: FUJITSU
What is the name of your City or Locality?
[Unknown]: Shinjuku
What is the name of your State or Province?
[Unknown]: Tokyo
What is the two-letter country code for this unit?
[Unknown]: jp
Is <CN=authenticate_server.fujitsu.com, OU=FUJITSU TOKYO, O=FUJITSU, L=Shinjuku, ST=Tokyo,C=jp> correct?
[no]: yes
SCS: INFO: scs0101: CSR was issued <C:\WINNT\temp\ssocert.txt>
C:\>

When the scsmakeenv command terminates normally, the CSR is written to the file specified with the -f option of the scsmakeenv command. Send the file to the certificate authority and request issuance of the certificate. The requesting method depends on the certificate authority.

The following is an example in which the Interstage certificate environment is newly created with access permission granted to the group 'nobody', and a CSR is then created. When the Interstage certificate environment already exists, set its access permission when necessary. In this example, the name of the CSR output destination file is '/tmp/ssocert.txt'. Change the CSR output destination file when necessary.

Before requesting the CSR, set the JDK or JRE installation path in the environment variable JAVA_HOME. The following example uses the Bourne shell. When password input is requested, enter the password for access to the Interstage certificate environment. The entered password is not displayed.

When you are requested to enter distinguished names, enter the values shown below.

Site Certificate Nickname: 'SERVERCERT'
CSR output destination file name: '/tmp/ssocert.txt'
Country code: jp
Alphanumeric first and last name: authenticate_server.fujitsu.com
Alphanumeric organization name: FUJITSU
Alphanumeric organizational unit name: FUJITSU TOKYO
Prefecture name: Tokyo
Municipality name: Shinjuku
Group which is permitted to access the Interstage certificate environment: nobody

# JAVA_HOME=/opt/FJSVawjbk/jdk14;export JAVA_HOME
# scsmakeenv -n SERVERCERT -f /tmp/ssocert.txt -g nobody
New Password:
Retype:
Input X.500 distinguished names.
What is your first and last name?
[Unknown]: authenticate_server.fujitsu.com
What is the name of your organizational unit?
[Unknown]: FUJITSU TOKYO
What is the name of your organization?
[Unknown]: FUJITSU
What is the name of your City or Locality?
[Unknown]: Shinjuku
What is the name of your State or Province?


When the scsmakeenv command terminates normally, the CSR is written to the file specified with the -f option of the scsmakeenv command. Send the file to the certificate authority and request issuance of the certificate. The requesting method depends on the certificate authority.

The following is an example in which the Interstage certificate environment is created with access permission granted to the owner group iscertg, and a CSR is then created.

In this example, iscertg is created as the owner group permitted to access the Interstage certificate environment, and the effective user 'nobody' is added to the owner group iscertg. 'nobody' is the initial value of the User directive in the environment configuration file (httpd.conf) of the Interstage HTTP Server. The name of the CSR output destination file is '/tmp/ssocert.txt'. Change the CSR output destination file when necessary.

Before requesting the CSR, set the JDK or JRE installation path in the environment variable JAVA_HOME. The following example uses the Bourne shell. When password input is requested, enter the password for access to the Interstage certificate environment. The entered password is not displayed.

When you are requested to enter distinguished names, enter the values shown below.

Site Certificate Nickname: 'SERVERCERT'
CSR output destination file name: '/tmp/ssocert.txt'
Country code: jp
Alphanumeric first and last name: authenticate_server.fujitsu.com
Alphanumeric organization name: FUJITSU
Alphanumeric organizational unit name: FUJITSU TOKYO
Prefecture name: Tokyo
Municipality name: Shinjuku
Group which is permitted to access the Interstage certificate environment: iscertg

# groupadd iscertg
# usermod -G iscertg nobody
# JAVA_HOME=/opt/FJSVawjbk/jdk14;export JAVA_HOME
# scsmakeenv -n SERVERCERT -f /tmp/ssocert.txt -g iscertg
New Password:
Retype:
Input X.500 distinguished names.
What is your first and last name?
[Unknown]: authenticate_server.fujitsu.com
What is the name of your organizational unit?
[Unknown]: FUJITSU TOKYO
What is the name of your organization?
[Unknown]: FUJITSU
What is the name of your City or Locality?
[Unknown]: Shinjuku
What is the name of your State or Province?
[Unknown]: Tokyo
What is the two-letter country code for this unit?
Is <CN=authenticate_server.fujitsu.com, OU=FUJITSU TOKYO, O=FUJITSU, L=Shinjuku, ST=Tokyo,C=jp> correct?
[no]: yes
UX:SCS: INFO: scs0101: CSR was issued </tmp/ssocert.txt>
UX:SCS: INFO: scs0180: The owners group of Interstage certificate
#

When the scsmakeenv command terminates normally, the CSR is written to the file specified with the -f option of the scsmakeenv command. Send the file to the certificate authority and request issuance of the certificate. The requesting method depends on the certificate authority.
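The access-permission requirement above (the user in the httpd.conf User directive must belong to the owner group passed to scsmakeenv -g) is easy to get wrong silently, because scsmakeenv itself only sees the group name. The following Bourne shell script is an added example, not part of the Interstage manual: it reads the User directive from an httpd.conf, then checks that the user is a member of the intended owner group either through the group file's member list or through the user's primary GID in the passwd file, which is the state the groupadd/usermod example above is meant to produce. The function names (httpd_user, user_in_group, check_cert_env_owner) and all sample files are constructed for this demonstration; a real run would point the functions at the server's httpd.conf, /etc/group and /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the Interstage manual): confirm, before running
# "scsmakeenv -g <group>", that the effective user named in the Interstage
# HTTP Server's httpd.conf User directive is a member of the intended owner
# group. Function names and sample files are constructed for the demonstration.

# Print the value of the User directive from an httpd.conf (comment lines
# start with '#', so their first field never equals "User").
httpd_user() {
    awk '$1 == "User" { print $2; exit }' "$1"
}

# Exit 0 when user $1 is in group $2, checking both the supplementary member
# list in the group file ($3) and the primary GID in the passwd file ($4).
user_in_group() {
    user=$1; group=$2; groupfile=$3; passwdfile=$4
    gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$groupfile")
    [ -n "$gid" ] || return 1                 # group does not exist at all
    # supplementary membership: field 4 of the group file is "u1,u2,..."
    if awk -F: -v g="$group" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$groupfile"; then
        return 0
    fi
    # primary membership: field 4 of the passwd file is the user's primary GID
    awk -F: -v u="$user" -v g="$gid" \
        '$1 == u && $4 == g { ok = 1 } END { exit ok ? 0 : 1 }' "$passwdfile"
}

# Exit 0 when the httpd.conf effective user belongs to the owner group $2.
check_cert_env_owner() {
    conf=$1; group=$2; groupfile=$3; passwdfile=$4
    u=$(httpd_user "$conf")
    if [ -z "$u" ]; then
        echo "no User directive found in $conf" >&2
        return 1
    fi
    if user_in_group "$u" "$group" "$groupfile" "$passwdfile"; then
        echo "ok: httpd user '$u' is a member of owner group '$group'"
        return 0
    fi
    echo "NOT ok: httpd user '$u' is not in owner group '$group'; fix membership before scsmakeenv -g $group" >&2
    return 1
}

# --- constructed sample data (not real system files) -------------------------
DEMO=$(mktemp -d)
printf '# Interstage HTTP Server sample (constructed)\nUser nobody\nGroup nobody\n' > "$DEMO/httpd.conf"
printf 'root:x:0:\nnobody:x:60001:\niscertg:x:1001:nobody\nother:x:1002:\n' > "$DEMO/group"
printf 'root:x:0:0::/:/bin/sh\nnobody:x:60001:60001::/:/bin/false\n' > "$DEMO/passwd"

check_cert_env_owner "$DEMO/httpd.conf" iscertg "$DEMO/group" "$DEMO/passwd"          # ok
check_cert_env_owner "$DEMO/httpd.conf" other   "$DEMO/group" "$DEMO/passwd" || true  # NOT ok
```

Run the check as the same root shell that will run scsmakeenv; a non-zero exit means the owner group needs fixing first, otherwise the HTTP server's effective user will not be able to read the certificate environment created with -g.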

Registering the Certificates for SSL Communication

The site certificate issued by a certificate authority and the CA certificate of the certificate authority that issued the site certificate must be acquired and registered.

Use the certificate and CRL registration command (scsenter) to register these certificates.

In the scsenter command, specify the password and the certificate nicknames that were specified in the scsmakeenv command for access to the Interstage certificate environment. To register the site certificate acquired from the certificate authority, specify the nickname that was given to the private key with the scsmakeenv command (-n), and be sure to specify the -o option. Refer to 'SSL Commands' in the Reference Manual (Command Edition) for details of the scsenter command.

Example

CA certificate: 'C:\WINNT\temp\ca-cert.cer'
CA Certificate Nickname: 'CACERT'
Site certificate: 'C:\WINNT\temp\server-cert.cer'
Site Certificate Nickname: 'SERVERCERT'

The following shows an example of the scsenter command in which C:\WINNT\temp\ca-cert.cer is specified as the CA certificate and C:\WINNT\temp\server-cert.cer is specified as the site certificate. Change the file path of each certificate when necessary.

When password entry is requested, enter the password for access to the Interstage certificate environment. The entered password is not displayed.


CA certificate: '/tmp/ca-cert.cer'
CA Certificate Nickname: 'CACERT'
Site certificate: '/tmp/server-cert.cer'
Site Certificate Nickname: 'SERVERCERT'

The following shows an example of the scsenter command in which /tmp/ca-cert.cer is specified as the CA certificate and /tmp/server-cert.cer is specified as the site certificate. Change the file path of each certificate when necessary.

Before registering the certificates, set the JDK or JRE installation path in the environment variable JAVA_HOME. The following example uses the Bourne shell. When password input is requested, enter the password for access to the Interstage certificate environment. The entered password is not displayed.

# JAVA_HOME=/opt/FJSVawjbk/jdk14;export JAVA_HOME
# scsenter -n CACERT -f /tmp/ca-cert.cer
Password:
Certificate was added to keystore
UX:SCS: INFO: scs0104: Certificate was imported
# scsenter -n SERVERCERT -f /tmp/server-cert.cer -o
Password:
Certificate reply was installed in keystore
UX:SCS: INFO: scs0104: Certificate was imported
#
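The registration step above hands two files to scsenter: the CA certificate first, then the site certificate with -o. A mistake a practitioner will want to catch before typing the password is passing the CSR that was sent to the CA (here /tmp/ssocert.txt) instead of the certificate that came back, or pointing both nicknames at the same file. The following Bourne shell script is an added example, not part of the Interstage manual: it classifies a file by its PEM header and rejects a signing request or a duplicated file before scsenter is run. The function names (pem_kind, check_register_inputs), the file names and the PEM bodies are constructed placeholders; a file with no PEM header is only reported, since a DER-encoded .cer cannot be classified this way.

```shell
#!/bin/sh
# Added example (not part of the Interstage manual): sanity-check the two
# files handed to scsenter. The manual registers the CA certificate first
# (scsenter -n CACERT -f ...) and then the site certificate with -o
# (scsenter -n SERVERCERT -f ... -o). Function names, file names and PEM
# bodies below are constructed placeholders, not real certificates.

# Print "certificate", "csr" or "unknown" according to the PEM header line.
pem_kind() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    elif grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1" \
      || grep -q -- '-----BEGIN NEW CERTIFICATE REQUEST-----' "$1"; then
        echo csr
    else
        echo unknown     # no PEM header: possibly DER-encoded, cannot classify
    fi
}

# Exit 0 when the CA certificate ($1) and site certificate ($2) look usable:
# both readable, not the same file, and neither is a signing request.
check_register_inputs() {
    ca=$1; site=$2; rc=0
    for f in "$ca" "$site"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            rc=1
            continue
        fi
        case $(pem_kind "$f") in
            csr)     echo "$f is a CSR, not a certificate; register the certificate the CA issued" >&2; rc=1 ;;
            unknown) echo "note: $f has no PEM header (DER?); not classified" >&2 ;;
        esac
    done
    if [ -r "$ca" ] && [ -r "$site" ] && cmp -s "$ca" "$site"; then
        echo "CA certificate and site certificate are the same file" >&2
        rc=1
    fi
    return $rc
}

# --- constructed sample files (placeholder bodies, not valid certificates) ----
DEMO=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=' \
    '-----END CERTIFICATE-----' > "$DEMO/ca-cert.cer"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgU0lURSBDRVJU' \
    '-----END CERTIFICATE-----' > "$DEMO/server-cert.cer"
printf '%s\n' '-----BEGIN NEW CERTIFICATE REQUEST-----' 'Q09OU1RSVUNURUQgQ1NS' \
    '-----END NEW CERTIFICATE REQUEST-----' > "$DEMO/ssocert.txt"

check_register_inputs "$DEMO/ca-cert.cer" "$DEMO/server-cert.cer" && echo "inputs look usable"
check_register_inputs "$DEMO/ca-cert.cer" "$DEMO/ssocert.txt" || echo "rejected: CSR given as site certificate"
```

A zero exit only means the files are the right kind of object; it does not prove that the site certificate was issued by the registered CA certificate, which scsenter checks when it installs the certificate reply with -o.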