Configuring SSL – Process Overview

The following process overview describes the tasks necessary to configure the Sun N1 Service Provisioning System 5.2 to use SSL.

1. Determine the SSL connectivity that you want to use.

   For more information, see Overview of SSL Support in the Sun N1 Service Provisioning System 5.2.

2. Use the crkeys command to create keystores.

   See How to Create Keystores.

3. Edit the config.properties file to configure SSL.

   See How to Edit the config.properties File to Configure SSL.

How to Create Keystores

The Sun N1 Service Provisioning System 5.2 uses the keytool utility provided with the JRE. The keytool utility is wrapped in a shell script, crkeys, to enable you to create keystores. The script ensures that the correct parameters are supplied to the keytool utility.

When you create a keystore, the X.509 Distinguished Name in the self-signed certificate is set to the following:

CN=application_name OU=Engineering O=Sun Microsystems Inc L=Menlo Park ST=CA C=US

Step

Generate the keys.

% crkeys -options

Use the following options to create keystores based on the type of SSL connectivity you want to use.

-alias application_hostname

Specifies an alias for the certificate or the key pair. Use the host name of the application as the alias. The alias names must be unique within a keystore.

-mode upstream|downstream

Specifies the location of the machine that is being authenticated in relationship to the machine that is performing the authentication. For example, you are generating certificates for a Remote Agent that is downstream form a Local Distributor. Specify downstream as the mode for the Remote Agent. Specify upstream as the mode for the Local Distributor.

-cpass

Changes the password of the keystore and all the keys within the keystore.

-delete

Specifies that the key pair or certificate for the specified entity should be deleted from keystore.

-epass

Converts and prints the encoded version of the plaintext password. Create an encoded version of a password if you plan to store the password in a file. For example, if you choose to store the keystore password in the config.properties file, you must supply an encoded version of the password.

-export

Exports a self-signed certificate of the specified entity to the specified file.

-file cert_file

Specifies the name of the file that the certificate is to be imported from or exported to.

-generate

Generates a new key pair for the specified alias.

-help

Lists all the options.

-import

Imports a self-signed certificate of an entity that is allowed to connect to this node. When importing the certificate, the host name of the node that this certificate represents should be used as the alias.

-keyalg keyalg

The key generation algorithm. Defaults to RSA. Can be either RSA or DSA.

-keysize keysize

The key size. Defaults to 1024. Can be any multiple of 64 in the range 512-1024 for DSA keys, and range 512-2048 for RSA keys.

-list

Lists all the entities contained in the keystore.

-new newpassword

Specifies the new password for the keystore and all the keys in the keystore. The password must contain at least six characters.

-password password

Specifies the password for the keystore. If a password is not specified, the user is prompted for a password. The password must contain at least six characters.

-private

Specifies the private keystore as the target of the operation.

-validity days_valid

Number of days the self-signed certificate is valid.

-trust

Specifies the trust keystore as the target of the operation.

Example 8–1 crkeys Command Syntax

The following examples show how to use the crkeys command.

To generate a public-private key pair:

crkeys -private –generate -mode {upstream|downstream} –alias application_hostname [-keyalg keyalg] 
[-keysize keysize] [-validity days_valid] [–password password]

To export the self signed public key for a key pair to a file:

crkeys -private –export –file cert_file
 –alias application_hostname [–password password]

To import an exported, as shown in the previous example, self signed public key into the trust store:

crkeys –trust –import –file cert_file
 –alias application_hostname [-password password] 

To delete a key or key pair:

crkeys {-private|–trust} -delete
 –alias application_hostname [-password password] 

To list all of the public keys:

crkeys {-private|–trust} –list [-password password]

To change the SSL keystore, both the trust and the private store, password:

crkeys –cpass -password oldpassword 
-new newpassword

To convert and print the encoded version of the plaintext pasword:

crkeys -epass -password password

To print instructions for using the crkeys command:

crkeys -help

How to Edit the config.properties File to Configure SSL

During the installation, each application is configured to do the following:

• Support cipher suites that require server authentication.

• Do not require client authentication.

• Find the private keystore in the N1SPS5.2-home/app/data/private.store file.

• Find the trust keystore in the N1SPS5.2-home/app/data/trust.store file.

• Supply empty passwords for each keystore.

You can change the SSL configuration of each application to perform the following security checks:

• Selectively enable cipher suites on each application

  You can explicitly specify which cipher suites to enable. If unspecified, the reference implementation uses the cipher suites that are enabled by default. The default cipher suites enabled by the reference implementation require server authentication. For the list of supported cipher suites, see SSL Cipher Suites.

• Specify that the application authenticates the SSL clients that are connecting to it

• Specify the location and password of the private and trust keystores

To enable authentication, you must initialize the keystores after installation of the application.

Step

(Optional) Manually edit the config.properties file to change the SSL configuration.

The following table lists the settings in the config.properties file that are related to SSL configurations. Change the parameters based on the type of SSL connectivity you want to use.

Parameter	Default Value	Description
net.ssl.cipher.suites	SSL_RSA_WITH_3DES_EDE_CBC_SHA	A comma separated list of SSL cipher suites to enable. For a list of supported SSL Cipher suite, see SSL Cipher Suites.
net.ssl.client.auth	false	Specifies whether the SSL server should authenticate clients that are connecting to it.
net.ssl.key.store.pass		The keystore password. Required in some instances. See the following for more information.

---

Note –

The net.ssl.key.store.pass parameter specifies the SSL keystore password for an Sun N1 Service Provisioning System 5.2 application. Use this parameter when you configure an application with SSL keystores and you do not want to be prompted for the passwords to the keystore when you start the application. You must specify this parameter in the following instances:

• When you setup the Sun N1 Service Provisioning System applications to start automatically when the system boots

• On Windows servers, Sun N1 Service Provisioning System applications do not prompt for keystore passwords, so this parameter must be specified for any applications configured to use SSL on Windows servers.

• The CLI application does not prompt for keystore passwords, so this parameter must be specified for any CLI Clients that you configure to use SSL.

• If a Local Distributor is connected to its parent through an SSH connection, the Local Distributor cannot prompt for passwords.

---