157 lines
11 KiB
HTML
157 lines
11 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2005" />
|
||
|
<meta name="DC.rights.owner" content="(C) Copyright IBM Corporation 2005" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="task" />
|
||
|
<meta name="DC.Title" content="Create an SSL key and certificate for Pegasus" />
|
||
|
<meta name="abstract" content="For Pegasus to run in Secure Sockets Layer (SSL) mode, a private key and certificate are required. Pegasus checks for its private key and certificate during startup. If those files do not exist, Pegasus creates its private key and a self-signed 365-day certificate. You can also create a private key and certificate with this information." />
|
||
|
<meta name="description" content="For Pegasus to run in Secure Sockets Layer (SSL) mode, a private key and certificate are required. Pegasus checks for its private key and certificate during startup. If those files do not exist, Pegasus creates its private key and a self-signed 365-day certificate. You can also create a private key and certificate with this information." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzatlsecure.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzatladvstartup.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurazhudigitalcertmngmnt.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="http://www.openssl.org" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzatlbackupcert.htm" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzatlsslenable" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Create an SSL key and certificate for Pegasus</title>
|
||
|
</head>
|
||
|
<body id="rzatlsslenable"><a name="rzatlsslenable"><!-- --></a>
|
||
|
<img src="./delta.gif" alt="Start of change" /><!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Create an SSL key and certificate for Pegasus</h1>
|
||
|
<div><p>For Pegasus to run in Secure Sockets Layer (SSL) mode, a private
|
||
|
key and certificate are required. Pegasus checks for its private key and certificate
|
||
|
during startup. If those files do not exist, Pegasus creates its private key
|
||
|
and a self-signed 365-day certificate. You can also create a private key and
|
||
|
certificate with this information.</p>
|
||
|
<div class="p"><img src="./delta.gif" alt="Start of change" />Before you can do this procedure, you must install OpenSSL
|
||
|
on your system (LPO 5733-SC1). <img src="./deltaend.gif" alt="End of change" /></div>
|
||
|
<div class="section"><p>The private key and certificate are stored in paths that are defined
|
||
|
by the sslKeyFilePath and sslCertificateFilePath configuration properties
|
||
|
of the cimconfig command. You can create your own certificate and private
|
||
|
key in these paths. Otherwise, if either the certificate or private key does
|
||
|
not exist in these paths, then the CIM Server will create its own certificate
|
||
|
and private key. The CIM server creates its certificate with the following
|
||
|
attributes for the subject name:</p>
|
||
|
<div class="p"><pre>State or Province Name: Minnesota
|
||
|
Locality: Rochester
|
||
|
Organization Name: IBM
|
||
|
Organizational Unit: iSeries
|
||
|
Common Name: <var class="varname">hostname of system</var>
|
||
|
Email Address: </pre>
|
||
|
<div class="note"><span class="notetitle">Note:</span> <ul><li>The <samp class="codeph">Common Name</samp> field is replaced by the hostname of
|
||
|
this system.</li>
|
||
|
<li>The <samp class="codeph">Email Address</samp> field is left blank.</li>
|
||
|
<li>This certificate is self-signed. The expiration date of the certificate
|
||
|
is set to 365 days from its creation date.</li>
|
||
|
</ul>
|
||
|
</div>
|
||
|
</div>
|
||
|
After these files are created you must manage the renewal
|
||
|
and recovery of the certificate. You need to create an SSL key and certificate
|
||
|
whenever the certificate is not valid, expired, or its security has been compromised.
|
||
|
You can recreate the certificate by deleting the certificate file, and restarting
|
||
|
the CIM server. The CIM server creates a new certificate that expires in 365
|
||
|
days.<div class="note"><span class="notetitle">Note:</span> Pegasus only supports private key files without a pass-phrase.
|
||
|
For this reason it is important to keep the private key in a protected directory.
|
||
|
By default, the Pegasus private key is put in a directory owned by QSYS, with
|
||
|
PUBLIC *EXCLUDE, and no private authorities. If you change the sslKeyFilePath
|
||
|
property, it is recommended that this directory be protected.<p>Pegasus allows
|
||
|
the OpenSSL default for its initialization (seeding) of the pseudo random
|
||
|
number generator (PRNG). Pegasus calls the SSL_library_init application programming
|
||
|
interface (API) which calls the i5/OS™ Qc3GenPrns API (Generate Pseudorandom
|
||
|
Numbers). Pegasus on i5/OS will not support seeding the PRNG from a file.</p>
|
||
|
</div>
|
||
|
<p><img src="./delta.gif" alt="Start of change" />One method to create a certificate and private key for Pegasus
|
||
|
is to use the Digital Certificate Manager (DCM) on i5/OS. <img src="./deltaend.gif" alt="End of change" /></p>
|
||
|
<p>DCM allows you to create
|
||
|
a Pegasus server certificate that is issued by a local Certificate Authority
|
||
|
(CA) on the i5/OS system,
|
||
|
or by an external Certificate Authority. </p>
|
||
|
<p> Note that Pegasus is not
|
||
|
integrated with DCM. You must export all certificates that are created in
|
||
|
DCM to Pegasus. Pegasus only supports the PEM format for certificates.</p>
|
||
|
To
|
||
|
create a private key and certificate, do the following steps:</div>
|
||
|
<ol><li class="stepexpand"><span>Create an Application definition in DCM of type server for Pegasus.</span> Because Pegasus is not integrated with DCM, the details of the Application
|
||
|
definition are not important. However, the recommended Application ID is
|
||
|
QIBM_CIMOM. </li>
|
||
|
<li class="stepexpand"><span> Create a certificate for the Pegasus application that is issued
|
||
|
by a CA.</span> Make note of the subject name that you enter for Pegasus
|
||
|
in the certificate.</li>
|
||
|
<li class="stepexpand"><span>Export the certificate from DCM to Pegasus by doing the following
|
||
|
steps:</span><ol type="a"><li class="substepexpand"><span>In the navigation frame, select <span class="uicontrol">Manage Certificates</span> and <span class="uicontrol">Export
|
||
|
Certificates</span>.</span></li>
|
||
|
<li class="substepexpand"><span>Select <span class="uicontrol">Server or client</span> as the type of
|
||
|
certificate.</span></li>
|
||
|
<li class="substepexpand"><span> Select the certificate that you created for Pegasus and click <span class="uicontrol">Export</span>.</span></li>
|
||
|
<li class="substepexpand"><span> Choose <span class="uicontrol">File</span> as the export destination.</span></li>
|
||
|
<li class="substepexpand"><span> For the export file name, use the directory defined by the
|
||
|
Pegasus <span class="parmname">sslCertificateFilePath</span> property, and name the
|
||
|
file <kbd class="userinput">pegasuscert.p12.</kbd></span> This file will be
|
||
|
in PKCS12 format.<div class="note"><span class="notetitle">Note:</span> Make sure to remember the password that you enter here.
|
||
|
This will be used to decrypt the exported certificate later.</div>
|
||
|
</li>
|
||
|
</ol>
|
||
|
</li>
|
||
|
<li class="stepexpand"><span>Run the OpenSSL commands to convert the certificate from PKCS12
|
||
|
format to Privacy Enhanced Mail (PEM) format by doing the following steps:</span><ol type="a"><li class="substepexpand"><span>At an i5/OS command line, start the PASE environment by typing <kbd class="userinput">CALL
|
||
|
QP2TERM</kbd>.</span></li>
|
||
|
<li class="substepexpand"><span>Change directory to the location of the exported certificate.</span></li>
|
||
|
<li class="substepexpand"><span>Extract the certificate from the PKCS12 file and convert to
|
||
|
PEM format by using the following OpenSSL command: <kbd class="userinput">openssl pkcs12
|
||
|
-in pegasuscert.p12 -out pegasuscert.pem -nokeys -clcerts</kbd> </span> This command will prompt for the password that you entered in the <span class="uicontrol">DCM
|
||
|
Export</span> page. <p>The PEM file that is created
|
||
|
might contain more than one certificate. It might contain both the Pegasus
|
||
|
certificate and the certificate of the CA that issued the Pegasus certificate.
|
||
|
Because Pegasus does not support this type of PEM file, the CA certificate
|
||
|
must be removed.</p>
|
||
|
</li>
|
||
|
<li class="substepexpand"><span>Remove the CA certificate by editing the PEM file; delete all
|
||
|
of the lines except the ones for the Pegasus certificate.</span> The Pegasus
|
||
|
certificate has the Pegasus <kbd class="userinput">subject</kbd> name that you used
|
||
|
when you created the certificate in DCM. Keep the lines of Pegasus certificate
|
||
|
starting with <kbd class="userinput">Bag Attributes</kbd> and ending with <kbd class="userinput">END
|
||
|
CERTIFICATE</kbd>. </li>
|
||
|
<li class="substepexpand"><span>Extract the private key from the PKCS12 file and convert to
|
||
|
PEM format by using the following OpenSSL command: <kbd class="userinput">openssl pkcs12
|
||
|
-in pegasuscert.p12 -out pegasuskey.pem -nocerts -nodes</kbd></span> This command will prompt for the password that you entered in the <span class="uicontrol">DCM
|
||
|
Export</span> page. <p>The certificate and private key are now converted
|
||
|
to PEM format,</p>
|
||
|
</li>
|
||
|
<li class="substepexpand"><span> Make the certificate available to Pegasus by placing it in
|
||
|
the path that is defined by the <span class="parmname">sslCertificateFilePath</span> property.</span></li>
|
||
|
<li class="substepexpand"><span>Make the private key available to Pegasus by placing it in the
|
||
|
path that is defined by the <span class="parmname">sslKeyFilePath</span> property.</span></li>
|
||
|
</ol>
|
||
|
</li>
|
||
|
</ol>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzatlsecure.htm" title="Use this topic to find out about the options that are available for ensuring that the CIM server is secure.">Secure Pegasus</a></div>
|
||
|
</div>
|
||
|
<div class="relconcepts"><strong>Related concepts</strong><br />
|
||
|
<div><a href="rzatladvstartup.htm" title="You can change the advanced startup options for the CIM server with the cimconfig command.">Advanced startup options for the cimconfig command</a></div>
|
||
|
<div><a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">Digital Certificate Manager topic collection</a></div>
|
||
|
<div><a href="rzatlbackupcert.htm" title="Regularly back up the Pegasus repository as part of your existing backup plan. In most cases, you can recover a damaged repository by restoring the last backup copy.">Backup and recovery considerations</a></div>
|
||
|
</div>
|
||
|
<div class="relinfo"><strong>Related information</strong><br />
|
||
|
<div><a href="http://www.openssl.org" target="_blank">OpenSSL Web site</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
<img src="./deltaend.gif" alt="End of change" /></body>
|
||
|
</html>
|