ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatl_5.4.0.1/rzatlsslenable.htm

157 lines
11 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2005" />
<meta name="DC.rights.owner" content="(C) Copyright IBM Corporation 2005" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Create an SSL key and certificate for Pegasus" />
<meta name="abstract" content="For Pegasus to run in Secure Sockets Layer (SSL) mode, a private key and certificate are required. Pegasus checks for its private key and certificate during startup. If those files do not exist, Pegasus creates its private key and a self-signed 365-day certificate. You can also create a private key and certificate with this information." />
<meta name="description" content="For Pegasus to run in Secure Sockets Layer (SSL) mode, a private key and certificate are required. Pegasus checks for its private key and certificate during startup. If those files do not exist, Pegasus creates its private key and a self-signed 365-day certificate. You can also create a private key and certificate with this information." />
<meta name="DC.Relation" scheme="URI" content="rzatlsecure.htm" />
<meta name="DC.Relation" scheme="URI" content="rzatladvstartup.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurazhudigitalcertmngmnt.htm" />
<meta name="DC.Relation" scheme="URI" content="http://www.openssl.org" />
<meta name="DC.Relation" scheme="URI" content="rzatlbackupcert.htm" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzatlsslenable" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Create an SSL key and certificate for Pegasus</title>
</head>
<body id="rzatlsslenable"><a name="rzatlsslenable"><!-- --></a>
<img src="./delta.gif" alt="Start of change" /><!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Create an SSL key and certificate for Pegasus</h1>
<div><p>For Pegasus to run in Secure Sockets Layer (SSL) mode, a private
key and certificate are required. Pegasus checks for its private key and certificate
during startup. If those files do not exist, Pegasus creates its private key
and a self-signed 365-day certificate. You can also create a private key and
certificate with this information.</p>
<div class="p"><img src="./delta.gif" alt="Start of change" />Before you can do this procedure, you must install OpenSSL
on your system (LPO 5733-SC1). <img src="./deltaend.gif" alt="End of change" /></div>
<div class="section"><p>The private key and certificate are stored in paths that are defined
by the sslKeyFilePath and sslCertificateFilePath configuration properties
of the cimconfig command. You can create your own certificate and private
key in these paths. Otherwise, if either the certificate or private key does
not exist in these paths, then the CIM Server will create its own certificate
and private key. The CIM server creates its certificate with the following
attributes for the subject name:</p>
<div class="p"><pre>State or Province Name: Minnesota
Locality: Rochester
Organization Name: IBM
Organizational Unit: iSeries
Common Name: <var class="varname">hostname of system</var>
Email Address: </pre>
<div class="note"><span class="notetitle">Note:</span> <ul><li>The <samp class="codeph">Common Name</samp> field is replaced by the hostname of
this system.</li>
<li>The <samp class="codeph">Email Address</samp> field is left blank.</li>
<li>This certificate is self-signed. The expiration date of the certificate
is set to 365 days from its creation date.</li>
</ul>
</div>
</div>
After these files are created you must manage the renewal
and recovery of the certificate. You need to create an SSL key and certificate
whenever the certificate is not valid, expired, or its security has been compromised.
You can recreate the certificate by deleting the certificate file, and restarting
the CIM server. The CIM server creates a new certificate that expires in 365
days.<div class="note"><span class="notetitle">Note:</span> Pegasus only supports private key files without a pass-phrase.
For this reason it is important to keep the private key in a protected directory.
By default, the Pegasus private key is put in a directory owned by QSYS, with
PUBLIC *EXCLUDE, and no private authorities. If you change the sslKeyFilePath
property, it is recommended that this directory be protected.<p>Pegasus allows
the OpenSSL default for its initialization (seeding) of the pseudo random
number generator (PRNG). Pegasus calls the SSL_library_init application programming
interface (API) which calls the i5/OS™ Qc3GenPrns API (Generate Pseudorandom
Numbers). Pegasus on i5/OS will not support seeding the PRNG from a file.</p>
</div>
<p><img src="./delta.gif" alt="Start of change" />One method to create a certificate and private key for Pegasus
is to use the Digital Certificate Manager (DCM) on i5/OS. <img src="./deltaend.gif" alt="End of change" /></p>
<p>DCM allows you to create
a Pegasus server certificate that is issued by a local Certificate Authority
(CA) on the i5/OS system,
or by an external Certificate Authority. </p>
<p> Note that Pegasus is not
integrated with DCM. You must export all certificates that are created in
DCM to Pegasus. Pegasus only supports the PEM format for certificates.</p>
To
create a private key and certificate, do the following steps:</div>
<ol><li class="stepexpand"><span>Create an Application definition in DCM of type server for Pegasus.</span> Because Pegasus is not integrated with DCM, the details of the Application
definition are not important. However, the recommended Application ID is
QIBM_CIMOM. </li>
<li class="stepexpand"><span> Create a certificate for the Pegasus application that is issued
by a CA.</span> Make note of the subject name that you enter for Pegasus
in the certificate.</li>
<li class="stepexpand"><span>Export the certificate from DCM to Pegasus by doing the following
steps:</span><ol type="a"><li class="substepexpand"><span>In the navigation frame, select <span class="uicontrol">Manage Certificates</span> and <span class="uicontrol">Export
Certificates</span>.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">Server or client</span> as the type of
certificate.</span></li>
<li class="substepexpand"><span> Select the certificate that you created for Pegasus and click <span class="uicontrol">Export</span>.</span></li>
<li class="substepexpand"><span> Choose <span class="uicontrol">File</span> as the export destination.</span></li>
<li class="substepexpand"><span> For the export file name, use the directory defined by the
Pegasus <span class="parmname">sslCertificateFilePath</span> property, and name the
file <kbd class="userinput">pegasuscert.p12.</kbd></span> This file will be
in PKCS12 format.<div class="note"><span class="notetitle">Note:</span> Make sure to remember the password that you enter here.
This will be used to decrypt the exported certificate later.</div>
</li>
</ol>
</li>
<li class="stepexpand"><span>Run the OpenSSL commands to convert the certificate from PKCS12
format to Privacy Enhanced Mail (PEM) format by doing the following steps:</span><ol type="a"><li class="substepexpand"><span>At an i5/OS command line, start the PASE environment by typing <kbd class="userinput">CALL
QP2TERM</kbd>.</span></li>
<li class="substepexpand"><span>Change directory to the location of the exported certificate.</span></li>
<li class="substepexpand"><span>Extract the certificate from the PKCS12 file and convert to
PEM format by using the following OpenSSL command: <kbd class="userinput">openssl pkcs12
-in pegasuscert.p12 -out pegasuscert.pem -nokeys -clcerts</kbd> </span> This command will prompt for the password that you entered in the <span class="uicontrol">DCM
Export</span> page. <p>The PEM file that is created
might contain more than one certificate. It might contain both the Pegasus
certificate and the certificate of the CA that issued the Pegasus certificate.
Because Pegasus does not support this type of PEM file, the CA certificate
must be removed.</p>
</li>
<li class="substepexpand"><span>Remove the CA certificate by editing the PEM file; delete all
of the lines except the ones for the Pegasus certificate.</span> The Pegasus
certificate has the Pegasus <kbd class="userinput">subject</kbd> name that you used
when you created the certificate in DCM. Keep the lines of Pegasus certificate
starting with <kbd class="userinput">Bag Attributes</kbd> and ending with <kbd class="userinput">END
CERTIFICATE</kbd>. </li>
<li class="substepexpand"><span>Extract the private key from the PKCS12 file and convert to
PEM format by using the following OpenSSL command: <kbd class="userinput">openssl pkcs12
-in pegasuscert.p12 -out pegasuskey.pem -nocerts -nodes</kbd></span> This command will prompt for the password that you entered in the <span class="uicontrol">DCM
Export</span> page. <p>The certificate and private key are now converted
to PEM format,</p>
</li>
<li class="substepexpand"><span> Make the certificate available to Pegasus by placing it in
the path that is defined by the <span class="parmname">sslCertificateFilePath</span> property.</span></li>
<li class="substepexpand"><span>Make the private key available to Pegasus by placing it in the
path that is defined by the <span class="parmname">sslKeyFilePath</span> property.</span></li>
</ol>
</li>
</ol>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzatlsecure.htm" title="Use this topic to find out about the options that are available for ensuring that the CIM server is secure.">Secure Pegasus</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzatladvstartup.htm" title="You can change the advanced startup options for the CIM server with the cimconfig command.">Advanced startup options for the cimconfig command</a></div>
<div><a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">Digital Certificate Manager topic collection</a></div>
<div><a href="rzatlbackupcert.htm" title="Regularly back up the Pegasus repository as part of your existing backup plan. In most cases, you can recover a damaged repository by restoring the last backup copy.">Backup and recovery considerations</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="http://www.openssl.org" target="_blank">OpenSSL Web site</a></div>
</div>
</div>
<img src="./deltaend.gif" alt="End of change" /></body>
</html>