
Settings for SSL Communication

SSL configuration must be defined using the Interstage Management Console.

To define the SSL configuration, select the [Security] and then [SSL] from the System menu. Click the [Create a new SSL Configuration] tab, and then perform [General Settings]. Select the nickname of the confirmed site certificate, and define the SSL configuration.

Refer to the Operator's Guide for an explanation of how to start the Interstage Management Console, and for details of the items to be defined on the Interstage Management Console.

Set each item of the SSL environment configuration as follows:

Configuration Name

Set the name identifying the SSL configuration. The configuration name specified here is used when setting up the authentication server.

Site Certificate Nickname

Enter the nickname that was specified when the site certificate was registered in the Interstage certificate environment as described in Preparations for SSL Communication. The registered site certificate can be accessed on the Interstage Management Console by selecting [Security] and then [Certificate] from the System menu and then clicking [Site Certificate].

Protocol Version

Select 'SSL 2.0' and 'SSL 3.0'.

Verify Client Certificate?

Select 'Yes (Authenticate when client certificate is presented)'.

Encryption Method

When necessary, change the method. Refer to the Operator’s Guide.

CA Certificate Nickname

When necessary, change the nickname. Refer to the Operator’s Guide.

Preparations for Confirming Validity of Certificate Authentication

The validity of a certificate can be confirmed using the certificate revocation list (CRL) at certificate authentication. The following explains the preparations for certificate validity confirmation.

SSL Communication using Authentication Server

If using SSL communication on the authentication server, perform the following steps.

1. Registering the Certificate of the CRL-issuing Authority (*1)

2. Registering CRL

*1 Required when the CRL was issued by a certificate authority other than the one specified in the site certificate described in Preparations for SSL Communication.

SSL Communication using SSL Accelerator or Application Gateway

When the authentication infrastructure uses SSL Accelerator or Application Gateway, perform the following steps:

1. Creating Interstage certificate environment

2. Registering the Certificate of the CRL-issuing Authority

3. Registering CRL

Creating Interstage certificate environment

Set up the Interstage certificate environment using the scsmakeenv command if the Interstage certificate environment has not yet been set up.

For details about the scsmakeenv command, refer to 'SSL Commands' in the Reference Manual (Command Edition).

Setup of Authentication Server

Example

The following shows an example in which the Interstage certificate environment is created for the first time using the scsmakeenv command.

When password to input is requested, enter the password for access to the Interstage certificate environment. The entered password is not displayed.

C:\> scsmakeenv -e
New Password:
Retype:
SCS: INFO: scs0100: Interstage certificate environment was created
C:\>

The following shows an example in which the Interstage certificate environment access permission is granted to the user 'nobody' when it is created for the first time using the scsmakeenv command. Before requesting the certificates, set the JDK or JRE installation path in environment variable JAVA_HOME.

The following example uses the Bourne shell. When the password input is requested, enter the password for access to the Interstage certificate environment. The entered password is not displayed.

# JAVA_HOME=/opt/FJSVawjbk/jdk14;export JAVA_HOME
# scsmakeenv -e -g nobody
New Password:
Retype:
UX:SCS: INFO: scs0100: Interstage certificate environment was created
UX:SCS: INFO: scs0180: The owners group of Interstage certificate environment was set
#

The following shows an example in which the Interstage certificate environment is created for the first time using the scsmakeenv command, with access permission granted to the group iscertg.

In this example, iscertg is created as the owner group permitted access to the Interstage certificate environment. The effective user 'nobody' is added to the owner group iscertg. 'Nobody' is set as the initial value in the User directive of the environment configuration file (httpd.conf) for the Interstage HTTP server.

Before requesting the CSR, set the JDK or JRE installation path in environment variable JAVA_HOME. The following example uses the Bourne shell. When password input is requested, enter the password for access to the Interstage certificate environment. The entered password is not displayed.

# groupadd iscertg

# usermod -G iscertg nobody

# JAVA_HOME=/opt/FJSVawjbk/jdk14;export JAVA_HOME
# scsmakeenv -e -g iscertg
New Password:
Retype:
UX:SCS: INFO: scs0100: Interstage certificate environment was created
UX:SCS: INFO: scs0180: The owners group of Interstage certificate environment was set
#

Registering the Certificate of the CRL-issuing Authority

The certificate of the authority that issued the CRL must be acquired and registered before registering the CRL. If the certificate of the CRL-issuing authority has not been registered, register the certificate of the CRL-issuing authority.

To register the certificate of the CRL-issuing authority, use the certificate and CRL registration command (scsenter).

In the scsenter command, specify the password and certificate nickname that were specified in the scsmakeenv command for access to the security environment.

Refer to 'SSL Commands' in the Reference Manual (Command Edition) for details of the scsenter command.

Example

Certificate of CRL-issuing authority: 'C:\WINNT\temp\crlca-cert.cer'

Nickname of certificate of CRL-issuing authority: 'CRLCACERT'

The following shows an example of the scsenter command in which C:\WINNT\temp\crlca-cert.cer is specified as the certificate of the CRL-issuing authority. Change the file path of the certificate when necessary.

When password entry is requested, enter the password for access to the Interstage certificate environment. The entered password is not displayed.

C:\>scsenter -n CRLCACERT -f C:\WINNT\temp\crlca-cert.cer
Password:
Certificate was added to keystore
SCS: INFO: scs0104: Certificate was imported
C:\>


# JAVA_HOME=/opt/FJSVawjbk/jdk14;export JAVA_HOME
# scsenter -n CRLCACERT -f /tmp/crlca-cert.cer
Password:
Certificate was added to keystore
UX:SCS: INFO: scs0104: Certificate was imported
#

Registering CRL

To confirm the validity of a certificate, the CRL that was acquired from the certificate authority must be registered using the certificate and CRL registration command (scsenter).

In the scsenter command, specify the password that was specified in the scsmakeenv command to access the security environment.

The -o option must always be specified to register the CRL.

Refer to 'SSL Commands' in the Reference Manual (Command Edition) for details of the scsenter command.

After the CRL has been registered, the validity of a user's certificate can be confirmed by setting [Yes] in [Enable Certificate Revocation Check?] of [Certificate Authentication Settings] during setup of the authentication server environment.

Example

CRL that was acquired from certificate authority: 'C:\WINNT\temp\crl.crl'

The following is an example of the scsenter command in which C:\WINNT\temp\crl.crl is specified as the acquired CRL. Change the CRL file path when necessary.

When password input is requested, enter the password for access to the Interstage certificate environment. The entered password is not displayed.

C:\>scsenter -c -f C:\WINNT\temp\crl.crl
Password:
SCS: INFO: scs0105: CRL was imported
C:\>

CRL that was acquired from certificate authority: '/tmp/crl.crl'

The following shows an example of the scsenter command in which /tmp/crl.crl is specified as the acquired CRL. Change the CRL file path when necessary.

The following example uses the Bourne shell. When password input is requested, enter the password for access to the Interstage certificate environment. The entered password is not displayed.

# JAVA_HOME=/opt/FJSVawjbk/jdk14;export JAVA_HOME
# scsenter -c -f /tmp/crl.crl
Password:
UX:SCS: INFO: scs0105: CRL was imported
#
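The two registration steps above (the certificate of the CRL-issuing authority first, then the CRL itself) only work as a revocation check if the CRL really was signed by the certificate you registered and is still within its validity period. The following is an added pre-check script, not part of the Interstage manual and not Interstage code, that a practitioner can run against the CRL file and the CA certificate file before calling scsenter. It assumes the OpenSSL command-line tool is on PATH; the file names (crlca-cert.pem, crl.pem, the throwaway "Constructed CRL CA" and "Unrelated CA") and the helper functions are constructed for this example and are not the paths or commands used in the manual.

```python
"""Pre-check a CRL before registering it with scsenter (added example; not Interstage code).

Assumes the OpenSSL command-line tool is on PATH. All file names below are
constructed for this example, not the paths used by the Interstage manual.
"""
import datetime
import os
import subprocess
import tempfile

UTC = datetime.timezone.utc


def _openssl(*args):
    """Run an openssl subcommand and return (exit code, combined stdout+stderr)."""
    proc = subprocess.run(["openssl", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def _parse_crl_time(value):
    """Parse the 'Nov  5 12:00:00 2024 GMT' form printed by 'openssl crl'; None if absent."""
    value = value.strip()
    if value == "NONE":  # nextUpdate is optional in a CRL
        return None
    return datetime.datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=UTC)


def crl_precheck(crl_path, ca_cert_path, now=None):
    """Check that the CRL is signed by ca_cert_path and that 'now' lies inside its validity window.

    Mirrors the manual's ordering: the CRL-issuing authority's certificate must be at hand
    before the CRL itself is registered. 'ok' is True only when the signature verifies and
    the CRL is neither expired nor not yet valid.
    """
    now = now or datetime.datetime.now(UTC)
    _, verify_out = _openssl("crl", "-in", crl_path, "-noout", "-CAfile", ca_cert_path, "-verify")
    signature_ok = "verify OK" in verify_out  # openssl reports the result as text on stderr

    rc, dates_out = _openssl("crl", "-in", crl_path, "-noout", "-lastupdate", "-nextupdate")
    if rc != 0:
        raise RuntimeError("cannot read CRL %s: %s" % (crl_path, dates_out))
    fields = dict(line.split("=", 1) for line in dates_out.splitlines() if "=" in line)
    last_update = _parse_crl_time(fields["lastUpdate"])
    next_update = _parse_crl_time(fields["nextUpdate"])
    not_yet_valid = now < last_update
    expired = next_update is not None and now > next_update
    return {
        "signature_ok": signature_ok,
        "last_update": last_update,
        "next_update": next_update,
        "not_yet_valid": not_yet_valid,
        "expired": expired,
        "ok": signature_ok and not expired and not not_yet_valid,
    }


# Minimal 'openssl ca' configuration used only to issue the constructed test CRL.
CA_CONFIG = """[ ca ]
default_ca = constructed_ca
[ constructed_ca ]
database = {dir}/index.txt
certificate = {dir}/crlca-cert.pem
private_key = {dir}/crlca-key.pem
default_md = sha256
default_crl_days = 7
"""


def build_constructed_fixture(workdir):
    """Create a throwaway CRL-issuing CA, a CRL it signs, and an unrelated CA (constructed test data)."""
    def self_signed(name, key, cert):
        rc, out = _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
                           "-out", cert, "-subj", "/CN=" + name, "-days", "2")
        if rc != 0:
            raise RuntimeError(out)

    ca_key = os.path.join(workdir, "crlca-key.pem")
    ca_cert = os.path.join(workdir, "crlca-cert.pem")
    other_cert = os.path.join(workdir, "other-ca-cert.pem")
    crl_path = os.path.join(workdir, "crl.pem")
    self_signed("Constructed CRL CA", ca_key, ca_cert)
    self_signed("Unrelated CA", os.path.join(workdir, "other-key.pem"), other_cert)
    open(os.path.join(workdir, "index.txt"), "w").close()  # empty CA database: nothing revoked yet
    cfg = os.path.join(workdir, "ca.cnf")
    with open(cfg, "w") as f:
        f.write(CA_CONFIG.format(dir=workdir))
    rc, out = _openssl("ca", "-gencrl", "-config", cfg, "-out", crl_path)
    if rc != 0:
        raise RuntimeError(out)
    return ca_cert, other_cert, crl_path


def run_demo():
    """Run the pre-check three ways: correct CA, wrong CA, and a clock 30 days past nextUpdate."""
    with tempfile.TemporaryDirectory() as workdir:
        ca_cert, other_cert, crl_path = build_constructed_fixture(workdir)
        return {
            "right_ca": crl_precheck(crl_path, ca_cert),
            "wrong_ca": crl_precheck(crl_path, other_cert),  # registered CA cert is not the CRL issuer
            "stale": crl_precheck(crl_path, ca_cert,
                                  now=datetime.datetime.now(UTC) + datetime.timedelta(days=30)),
        }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, "OK" if result["ok"] else "REJECT", result)
```

In operation, point crl_precheck at the real CRL and the real CA certificate file (the files passed to scsenter with -f) and register the CRL only when 'ok' is True. A CRL that fails the signature check against the registered CA certificate, or whose nextUpdate has passed, will not give a working revocation check once [Enable Certificate Revocation Check?] is set to [Yes].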