<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2005" />
<meta name="DC.rights.owner" content="(C) Copyright IBM Corporation 2005" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Configure the CIM server to verify client certificates" />
<meta name="abstract" content="You can configure the CIM server to use secure sockets layer (SSL) to verify client certificates and to check certificate revocation lists (CRLs) on the main SSL port and the export SSL port." />
<meta name="description" content="You can configure the CIM server to use secure sockets layer (SSL) to verify client certificates and to check certificate revocation lists (CRLs) on the main SSL port and the export SSL port." />
<meta name="DC.Relation" scheme="URI" content="rzatlsecure.htm" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzatlcertauth" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure the CIM server to verify client certificates</title>
</head>
<body id="rzatlcertauth"><a name="rzatlcertauth"><!-- --></a>
<img src="./delta.gif" alt="Start of change" /><!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure the CIM server to verify client certificates</h1>
<div><p><span><img src="./delta.gif" alt="Start of change" />You can configure the CIM server to use secure
sockets layer (SSL) to verify client certificates and to check certificate
revocation lists (CRLs) on the main SSL port and the export SSL port.<img src="./deltaend.gif" alt="End of change" /></span></p>
<p><img src="./delta.gif" alt="Start of change" />The CIM server uses the main SSL port for CIM operation requests,
such as <span class="parmname">GetInstance</span> requests and <span class="parmname">EnumerateInstance</span> requests.
The purpose of the export SSL port is to allow CIM export requests to use
automatic certificate-based authentication on a port that does not require
a user name and password. CIM export requests are used to deliver CIM Indications.
Because export requests do not have an associated user name,
the only way to deliver secure indications is to use SSL on the export SSL
port.<img src="./deltaend.gif" alt="End of change" /></p>
<p><img src="./delta.gif" alt="Start of change" />The CIM server can also check client certificates against
a CRL.<img src="./deltaend.gif" alt="End of change" /></p>
<div class="section"><h4 class="sectiontitle">Configure client certificate verification on the main SSL
port</h4><div class="p">To configure the CIM server to verify client certificates on
the main SSL port, use the <span class="parmname">sslClientVerificationMode</span> property
of the <span class="parmname">cimconfig</span> command. You can set this property to
do one of the following tasks:<ul><li>Disable client certificate verification</li>
<li>Require client certificate verification</li>
<li>Verify the client certificate if available and use the <span class="parmname">httpAuthType</span> property
if the certificate is not available</li>
</ul>
</div>
<p>With these choices, you can authenticate clients through certificate
verification, Basic authentication, or Kerberos authentication.</p>
<p><img src="./delta.gif" alt="Start of change" />You
can manage the certificates in the server's truststore for the main SSL port
by using the ssltrustmgr command. In this case, the truststore name is <span class="parmname">cim_trust</span>.<img src="./deltaend.gif" alt="End of change" /></p>
</div>
<div class="section"><h4 class="sectiontitle">Configure client certificate verification on the export SSL
port</h4><p><img src="./delta.gif" alt="Start of change" />To configure the CIM server to verify client certificates
on the export SSL port, use the <span class="parmname">enableSSLExportClientVerification</span> property
of the <span class="parmname">cimconfig</span> command. When set to true, this property
causes the CIM server to require that certificates are sent by export clients.
The <span class="parmname">exportSSLTrustStore</span> property gives the location
of the truststore. In most cases, you can use the default value of the <span class="parmname">exportSSLTrustStore</span> property.<img src="./deltaend.gif" alt="End of change" /></p>
<p><img src="./delta.gif" alt="Start of change" />You can manage the certificates in the server's truststore for
the export SSL port by using the ssltrustmgr command. In this case, the
truststore name is export_trust.<img src="./deltaend.gif" alt="End of change" /></p>
</div>
<div class="section"><h4 class="sectiontitle">Configure client certificate verification against a CRL</h4><p><img src="./delta.gif" alt="Start of change" />To
configure the CIM server to verify client certificates against a CRL, use
the <span class="parmname">crlStore</span> property. In most cases, the default value
of the <span class="parmname">crlStore</span> property can be used. The CIM server
checks a CRL file or directory on the local system. It does not contact a
remote CIM server for the CRL. The <span class="parmname">crlStore</span> property
gives the location of the CRL store. The <span class="parmname">crlStore</span> applies
to requests that are made on the main SSL port and the export SSL port. <img src="./deltaend.gif" alt="End of change" /></p>
</div>
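<p>Added example (not part of the original IBM topic or the CIM server code): a Python check that reads CIM server properties as name=value lines and reports the settings from this topic that leave either SSL port without client certificate verification. The name=value input format, the mode values disabled, optional and required, and the sample paths are assumptions.</p>

```python
# Added example: audit the CIM server properties described in this topic.
# Assumptions: properties arrive as name=value lines, and the three
# sslClientVerificationMode choices are named disabled, optional, required.

SAMPLE = """\
# constructed sample, not taken from a real system
sslClientVerificationMode=optional
httpAuthType=Basic
enableSSLExportClientVerification=false
exportSSLTrustStore=/example/export_trust
"""

def parse_properties(text):
    """Return {name: value}; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        props[name.strip()] = value.strip()
    return props

def audit(props):
    """Return (property, finding) pairs for weak or unconfirmed settings."""
    findings = []
    mode = (props.get("sslClientVerificationMode") or "").lower()
    if mode == "":
        findings.append(("sslClientVerificationMode", "not set here; confirm the effective value"))
    elif mode == "disabled":
        findings.append(("sslClientVerificationMode", "main SSL port does not verify client certificates"))
    elif mode == "optional":
        auth = props.get("httpAuthType", "(not set here)")
        findings.append(("sslClientVerificationMode", "clients without a certificate fall back to httpAuthType=" + auth))
    elif mode != "required":
        findings.append(("sslClientVerificationMode", "unrecognized value: " + mode))
    export_on = (props.get("enableSSLExportClientVerification") or "").lower() == "true"
    if not export_on:
        # Export requests carry no user name, so the certificate is the only check.
        findings.append(("enableSSLExportClientVerification", "export SSL port does not require client certificates"))
    verifying = mode in ("optional", "required") or export_on
    if verifying and not props.get("crlStore"):
        findings.append(("crlStore", "not set here; confirm the default CRL store holds current CRLs"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_properties(SAMPLE)):
        print(name + ": " + finding)
```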
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzatlsecure.htm" title="Use this topic to find out about the options that are available for ensuring that the CIM server is secure.">Secure Pegasus</a></div>
</div>
</div>
<img src="./deltaend.gif" alt="End of change" /></body>
</html>