
Setting up asymmetric

In document itm_admin (Page 59-63)

Setting up asymmetric encryption through the use of public-private key files involves creating a new key database, requesting a new public-private key pair, adding the CA-signed digital certificate to your key database, and enabling components to access the certificate.

For additional information on these procedures, see the IKeyMan user guide on IBM developerWorks®.

During installation, the key file names are specified with these parameters in the Tivoli Enterprise Portal Server environment file:

v KDEBE_KEYRING_FILE=C:\IBM\ITM\keyfiles\keyfile.kdb

v KDEBE_KEYRING_STASH=C:\IBM\ITM\keyfiles\keyfile.sth

v KDEBE_KEY_LABEL=IBM_Tivoli_Monitoring_Certificate

Setting the JRE for GSKit and starting Key Manager

You need to set the path to the Java Runtime Environment before starting GSKit.

Otherwise, you will get an error like "Failed to parse JAVA_HOME setting".

v On Windows:

1. From the command prompt, run this script to get the IBM Java location:

Install_dir\InstallITM\GetJavaHome.bat

2. Set the JAVA_HOME variable to point to the IBM Java location.

3. Get the GSKit location by running this script:

Install_dir\InstallITM\GetGSKitHome.bat

4. Change the directory to GSKit path\bin and run this command:

gsk7ikm.exe

5.

v On UNIX and Linux:

1. From the console, run this script to get the IBM Java location:

Install_dir/bin/CandleGetJavaHome.sh

2. Export the JAVA_HOME variable to point to the IBM Java path. For the 64-bit gsk7ikm, JAVA_HOME must point to a 64-bit Java.

3. Check the path for a local GSKit by looking in this file:

Install_dir/config/gsKit.config

GskitInstallDir points to a 32-bit GSKit and GskitInstallDir_64 points to a 64-bit GSKit.

4. Start GSKit Key Manager by running the command that corresponds to your system:

– HP 32-bit: GskitInstallDir/bin/gsk7ikm_32

– Linux, AIX, or Solaris 32-bit: GskitInstallDir/bin/gsk7ikm

– 64-bit: GskitInstallDir_64/bin/gsk7ikm_64

Creating a new key database

Create a new key database using iKeyman.

About this task

Use the following steps to create a new key database:

1. If you have not already done so, start iKeyman.

2. Click Key Database File → New.

3. Select CMS in the Key database type field.

4. Type keyfile.kdb in the File Name field.

5. Type the following location in the Location field: <itm_installdir>/keyfiles.

6. Click OK. The Password Prompt window is displayed.

7. Enter a password in the Password field, and confirm it again in the Confirm Password field. Click OK.

8. A confirmation window is displayed. Click OK.

The IBM Key Management window is displayed. This window reflects the new CMS key database file and your signer digital certificates.

Creating a new public-private key pair and certificate request

Create a new public-private key pair and certificate request in iKeyman.

About this task

Use the following steps to create a new public-private key pair and certificate request:

1. If you have not already done so, start iKeyman.

2. Click Key Database File → Open.

3. Select the keyfile.kdb key database and click Open.

4. Type the password for the key database and click OK.

5. Select Personal Certificate Requests from the pull-down list and click New.

6. Click New.

7. Type IBM_Tivoli_Monitoring_Certificate in the Key Label field.

8. Type a Common Name and Organization, and select a Country. For the remaining fields, either accept the default values, or type or select new values.

9. At the bottom of the window, type a name for the file.

10. Click OK. A confirmation window is displayed, verifying that you have created a request for a new digital certificate.

11. Click OK.

The IBM Key Management window is displayed.

Send the file to a CA to request a new digital certificate, or cut and paste the request into the request forms on the CA’s Web site.

Using a temporary self-signed certificate

It can take between two and three weeks to receive a CA-signed digital certificate.

If you want to use a digital certificate other than the one provided with IBM Tivoli Monitoring and you have not yet received the CA-signed digital certificate, you can create a self-signed certificate on the portal server. A self-signed digital certificate is not as secure as a CA-signed certificate; this is strictly a temporary measure until the CA-signed certificate arrives.

About this task

Creating and using a self-signed certificate involves the following steps:

1. Create a CA key database.

2. Create the self-signed certificate.

3. Export the self-signed certificate.

4. Receive the self-signed certificate into the key databases on the portal server.

When you receive the CA-signed certificate, you need to delete the self-signed certificate.

Receiving the CA-signed certificate

About this task

After the CA returns your new digital certificate, save it on the computer where the portal server is running. Repeat for the client. If the CA returns the certificate as part of an e-mail message, copy and paste it from the e-mail into a text file.

Use the following steps to receive the digital certificate from the CA into key database on each computer.

1. If you have not already done so, start iKeyman.

2. Click Key Database File → Open.

3. Select the keyfile.kdb database and click Open.

4. Type the password for the database and click OK.

5. Select Personal Certificates from the pull-down list.

6. Click Receive.

7. Click Data type and select the data type of the new digital certificate, such as Base64-encoded ASCII data.

8. Type keyfile.sth for the Certificate file name and <itm_installdir>/keyfiles as the Location for the new digital certificate.

9. Click OK.

10. Type IBM_Tivoli_Monitoring_Certificate for the new digital certificate and click OK.
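The three iKeyman procedures above (request a key pair and certificate request, bridge the wait with a temporary self-signed certificate, then receive the CA-signed certificate into the same key database) can be followed end to end in code. The example below is added here and is not part of the IBM Tivoli Monitoring documentation or of GSKit; it assumes the third-party Python `cryptography` package and models the CA side with a constructed test CA rather than a real one. It shows the check a practitioner most wants before the "Receive" step: the certificate the CA returns must carry the same public key as the request generated from keyfile.kdb, which is why the receive must go into that key database and not a fresh one. It also exports certificates as the Base64-encoded ASCII (PEM) data type named in step 7.

```python
# Added example, not from the IBM documentation. Requires the 'cryptography' package.
# Hypothetical names: teps.example.com, "Example Org", "Example CA" are constructed values.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def generate_key(bits=2048):
    """New public-private key pair (the 'Personal Certificate Requests -> New' step)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def build_name(common_name, organization, country):
    """Subject from the Common Name, Organization and Country fields in the request dialog."""
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])


def build_csr(key, name):
    """Certificate request: the file you send (or paste) to the CA."""
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(name)
            .sign(key, hashes.SHA256()))


def build_self_signed(key, name, days=30, ca=False):
    """Temporary self-signed certificate; kept short-lived because it is a stopgap."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name)              # issuer == subject marks it self-signed
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))


def ca_issue(csr, ca_key, ca_name, days=365):
    """Constructed stand-in for the CA: signs the request's public key with the CA key."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject)
            .issuer_name(ca_name)
            .public_key(csr.public_key())    # the CA never sees the private key
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))


def matches_private_key(cert, key):
    """The receive step only succeeds meaningfully if the certificate fits the local key."""
    return cert.public_key().public_numbers() == key.public_key().public_numbers()


def is_self_signed(cert):
    return cert.issuer == cert.subject


def issued_by(cert, issuer_cert):
    """Verify cert's signature with the issuer's public key (RSA PKCS#1 v1.5 here)."""
    try:
        issuer_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def to_pem(obj):
    """Base64-encoded ASCII data, the data type selected when receiving the certificate."""
    return obj.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    key = generate_key()
    name = build_name("teps.example.com", "Example Org", "US")
    csr = build_csr(key, name)
    temp_cert = build_self_signed(key, name)
    ca_key = generate_key()
    ca_name = build_name("Example CA", "Example Org", "US")
    ca_cert = build_self_signed(ca_key, ca_name, days=3650, ca=True)
    issued = ca_issue(csr, ca_key, ca_name)
    print("temporary cert self-signed:", is_self_signed(temp_cert))
    print("CA cert matches our key:", matches_private_key(issued, key))
    print("CA cert chains to CA:", issued_by(issued, ca_cert))
    print(to_pem(issued).decode().splitlines()[0])
```

When the real CA certificate arrives, run the `matches_private_key` check against the key that produced the request before receiving it; a mismatch means the request was generated from a different key database than the one the portal server is configured to use, and receiving would fail or leave an unusable entry. Once the CA-signed certificate is in place, the temporary self-signed one is deleted, as the text above says.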

Save the password to a stash file

Because many of the IBM Tivoli Monitoring components work without user intervention, you need to save the key database password to a stash file on your computer. This enables the components to use SSL without requiring any intervention from you.

About this task

Use the following steps to save the password to a stash file:

1. If you have not already done so, start iKeyman.

2. Select Key Database File → Stash File.

An information window is displayed telling you that the password was saved to a stash file.

3. Click OK.
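The stash file lets unattended components open the key database, so whoever can read keyfile.sth can effectively read the private key in keyfile.kdb. The check below is an added example, not part of the IBM documentation or of GSKit: it parses the KDEBE_KEYRING_FILE, KDEBE_KEYRING_STASH and KDEBE_KEY_LABEL settings from a portal server environment file (the three parameters listed at the top of this section), confirms that the key database and stash file exist and belong together, and flags either file being readable by group or others. The environment file contents and the key files are constructed in a temporary directory; the permission check uses POSIX modes and is meaningful on UNIX and Linux only.

```python
# Added example, not from the IBM documentation. Standard library only.
import os
import stat
import tempfile
from pathlib import Path

REQUIRED = ("KDEBE_KEYRING_FILE", "KDEBE_KEYRING_STASH", "KDEBE_KEY_LABEL")


def parse_env_file(text):
    """Read KEY=VALUE lines from an environment file; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_keyring_settings(settings, strict_perms=True):
    """Return a list of findings (empty list means the keyring configuration looks sound)."""
    findings = []
    for name in REQUIRED:
        if not settings.get(name):
            findings.append(f"{name} is not set")
    kdb = settings.get("KDEBE_KEYRING_FILE")
    sth = settings.get("KDEBE_KEYRING_STASH")
    if kdb and not os.path.isfile(kdb):
        findings.append(f"key database not found: {kdb}")
    if sth and not os.path.isfile(sth):
        findings.append(f"stash file not found: {sth}")
    # iKeyman writes the stash beside the key database with the same base name (keyfile.kdb / keyfile.sth).
    if kdb and sth and os.path.splitext(kdb)[0] != os.path.splitext(sth)[0]:
        findings.append("stash file base name does not match the key database")
    if strict_perms:
        for label, path in (("key database", kdb), ("stash file", sth)):
            if path and os.path.isfile(path):
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append(f"{label} is group- or world-accessible: {path} mode {mode:04o}")
    return findings


def demo():
    """Constructed scenario: correct kdb permissions, but a stash file left world-readable."""
    with tempfile.TemporaryDirectory() as tmp:
        keydir = Path(tmp) / "keyfiles"
        keydir.mkdir()
        kdb = keydir / "keyfile.kdb"
        sth = keydir / "keyfile.sth"
        kdb.write_bytes(b"constructed placeholder, not a real CMS database")
        sth.write_bytes(b"constructed placeholder, not a real stash file")
        os.chmod(kdb, 0o600)
        os.chmod(sth, 0o644)          # the misconfiguration the check should catch
        env_text = (
            f"KDEBE_KEYRING_FILE={kdb}\n"
            f"KDEBE_KEYRING_STASH={sth}\n"
            "KDEBE_KEY_LABEL=IBM_Tivoli_Monitoring_Certificate\n"
        )
        return check_keyring_settings(parse_env_file(env_text))


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Run it against the real environment file by reading it into `parse_env_file` and passing the result to `check_keyring_settings`; on Windows pass `strict_perms=False` and review the NTFS ACL on the keyfiles directory instead.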

