Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

5.5 Importing the Root CA Certificate into the Access Manager Web Servers

Use the following as your checklist for importing the root CA certificate into the Access Manager Web Servers:

  1. Import the root CA certificate into the Access Manager 1 Web Server.

  2. Modify the AMConfig.properties file.

  3. Import the root CA certificate into the Access Manager 2 Web Server.

  4. Modify the AMConfig.properties file.

Procedure: To Import the Root CA Certificate into the Access Manager 1 Web Server

  1. Go to the Web Server administration URL:


    http://AccessManager-1.example.com:8888/https-admserv/bin/index
  2. Log in to the Web Server console using the following information:

    User name:

    admin

    Password:

    web4d4min

  3. On the Servers tab, select the server AccessManager-1.example.com, and then click Manage.

  4. Click on the Security tab, and then initialize the Trust Database by providing the following information:

    Database Password:

    password

    Password (again):

    password

    Click OK.

  5. In the left frame, click Install Certificate. In the Install a Server Certificate page, provide the following information:

    Certificate for:

    Choose Trusted Certificate Authority (CA)

    Message text (with headers):

    Choose this option, and then paste into the text box the root certificate you received from the CA in To Request an SSL Certificate for the Distributed Authentication UI Load Balancer. The root certificate is a PEM-encoded block that begins with the line -----BEGIN CERTIFICATE----- and ends with the line -----END CERTIFICATE-----; paste the whole block, including both of those lines.


    -----BEGIN CERTIFICATE-----
    UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
    AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
    EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
    xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
    IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
    wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
    ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
    FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
    ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
    GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
    2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
    -----END CERTIFICATE REQUEST-----

    Click OK.

  6. On the “Add Trusted CA Certificate” page, click “Add Server Certificate.”

  7. In the left frame, click Manage Certificates.

    In the list of certificates, you will see the certificate you just added. In this deployment example, the certificate name OpenSSLTestCA-Sun is displayed in the list.

    Close the browser.

  8. As a root user, log into the Access Manager 1 host.

  9. To verify that the certificate was imported properly, go to the following directory:


    /opt/SUNWwbsvr/alias

    In the directory listing, notice that the certificate database filename is formed by joining the prefix https-AccessManager-1.example.com- and the database file name cert8.db.


    # ls
    https-AccessManager-1.example.com-AccessManager-1-cert8.db
    https-AccessManager-1.example.com-AccessManager-1-key3.db
    https-AccessManager-1.example.com-cert8.db
    https-AccessManager-1.example.com-key3.db
    secmod.db
  10. Run the certutil list command, specifying the prefix from the certificate filename:


    # cd /opt/SUNWwbsvr/bin/https/admin/bin
    # ./certutil -L -d /opt/SUNWwbsvr/alias/ -P "https-AccessManager-1.example.com-"
    OpenSSLTestCA - Sun

    The OpenSSLTestCA - Sun certificate you imported is displayed.

Procedure: To Modify the AMConfig.properties File

  1. As a root user, log in to the Access Manager 1 host.

  2. Go to the following directory:


    /etc/opt/SUNWam/config

    Make a backup of the AMConfig.properties file before making any changes to the file.

  3. In the AMConfig.properties file, verify that the certificate database directory is specified correctly as in this example:


    com.iplanet.am.admin.cli.certdb.dir=/opt/SUNWwbsvr/alias
  4. For the value of the following property, add the prefix from the certificate filename as in this example:


    com.iplanet.am.admin.cli.certdb.prefix=https-AccessManager-1.example.com-
  5. Notice that the following property points to a password file, .wtpass, which doesn't exist yet:


    com.iplanet.am.admin.cli.certdb.

    You will create this file in the next step.

    Save the file.

  6. Create the .wtpass file.

    In the file, enter the password you used when you initialized the Trust Database (the certificate database). Example:


    # cd /etc/opt/SUNWam/config
    # vi .wtpass
    password

    Save the file.

  7. Verify that the file was created properly.


    # cat .wtpass
    password
  8. Restart the Web Server.


    # cd /opt/SUNWwbsvr/https-AccessManager-1.example.com
    # ./stop; ./start

Procedure: To Import the Root CA Certificate into the Access Manager 2 Web Server

  1. Go to the Web Server administration URL:


    http://AccessManager-2.example.com:8888/https-admserv/bin/index
  2. Log in to the Web Server console using the following information:

    User name:

    admin

    Password:

    web4d4min

  3. On the Servers tab, select the server AccessManager-2.example.com, and then click Manage.

  4. Click on the Security tab, and then initialize the Trust Database by providing the following information:

    Database Password:

    password

    Password (again):

    password

    Click OK.

  5. In the left frame, click Install Certificate. In the Install a Server Certificate page, provide the following information:

    Certificate for:

    Choose Trusted Certificate Authority (CA)

    Message text (with headers):

    Choose this option, and then paste into the text box the root certificate you received from the CA in To Request an SSL Certificate for the Distributed Authentication UI Load Balancer. The root certificate is a PEM-encoded block that begins with the line -----BEGIN CERTIFICATE----- and ends with the line -----END CERTIFICATE-----; paste the whole block, including both of those lines.


    -----BEGIN CERTIFICATE-----
    UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
    AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
    EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
    xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
    IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
    wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
    ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
    FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
    ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
    GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
    2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
    -----END CERTIFICATE REQUEST-----

    Click OK.

  6. On the “Add Trusted CA Certificate” page, click “Add Server Certificate.”

  7. In the left frame, click Manage Certificates.

    In the list of certificates, you will see the certificate you just added. In this deployment example, the certificate name OpenSSLTestCA-Sun is displayed in the list.

    Close the browser.

  8. As a root user, log into the Access Manager 2 host.

  9. To verify that the certificate was imported properly, go to the following directory:


    /opt/SUNWwbsvr/alias

    In the directory listing, notice that the certificate database filename is formed by joining the prefix https-AccessManager-2.example.com- and the database file name cert8.db.


    # ls
    https-AccessManager-2.example.com-AccessManager-2-cert8.db
    https-AccessManager-2.example.com-AccessManager-2-key3.db
    https-AccessManager-2.example.com-cert8.db
    https-AccessManager-2.example.com-key3.db
    secmod.db
  10. Run the certutil list command, specifying the prefix from the certificate filename:


    # cd /opt/SUNWwbsvr/bin/https/admin/bin
    # ./certutil -L -d /opt/SUNWwbsvr/alias/ -P "https-AccessManager-2.example.com-"
    OpenSSLTestCA - Sun

    The OpenSSLTestCA - Sun certificate you imported is displayed.

Procedure: To Modify the AMConfig.properties File

  1. As a root user, log in to the Access Manager 2 host.

  2. Go to the following directory:


    /etc/opt/SUNWam/config

    Make a backup of the AMConfig.properties file before making any changes to the file.

  3. In the AMConfig.properties file, verify that the certificate database directory is specified correctly as in this example:


    com.iplanet.am.admin.cli.certdb.dir=/opt/SUNWwbsvr/alias
  4. For the value of the following property, add the prefix from the certificate filename as in this example:


    com.iplanet.am.admin.cli.certdb.prefix=https-AccessManager-2.example.com-
  5. Notice that the following property points to a password file, .wtpass, which doesn't exist yet:


    com.iplanet.am.admin.cli.certdb.

    You will create this file in the next step.

    Save the file.

  6. Create the .wtpass file.

    In the file, enter the password you used when you initialized the Trust Database (the certificate database). Example:


    # cd /etc/opt/SUNWam/config
    # vi .wtpass
    password

    Save the file.

  7. Verify that the file was created properly.


    # cat .wtpass
    password
  8. Restart the Web Server.


    # cd /opt/SUNWwbsvr/https-AccessManager-2.example.com
    # ./stop; ./start
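As an added check that is not part of the deployment guide, the following POSIX shell script verifies, for either Access Manager host, that the certdb.dir and certdb.prefix values in AMConfig.properties point at an existing cert8.db/key3.db pair, that the .wtpass file exists and is readable only by its owner, and (when the Web Server's certutil is present) that the imported CA nickname is listed. The property names, the certutil path and the file layout are taken from the two procedures above; the am_prop, check_certdb and make_fixture functions, the constructed fixture directory, and passing the password-file path as an explicit argument (the page truncates that property name) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the deployment guide: confirm that the certdb settings in
# AMConfig.properties agree with the NSS database files and the .wtpass file that
# the procedures above create. Property names come from the page; the page truncates
# the password-file property, so the password file path is passed in explicitly.
CERTUTIL=${CERTUTIL:-/opt/SUNWwbsvr/bin/https/admin/bin/certutil}   # path from the page

# am_prop FILE NAME: print the value of NAME=value (first match) from a properties file.
am_prop() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# check_certdb CONFIG PASSFILE: return 0 when consistent, 1 with a reason otherwise.
check_certdb() {
    dir=$(am_prop "$1" com.iplanet.am.admin.cli.certdb.dir)
    prefix=$(am_prop "$1" com.iplanet.am.admin.cli.certdb.prefix)
    [ -d "$dir" ] || { echo "certdb.dir '$dir' is not a directory"; return 1; }
    # The prefix must end in '-' so that prefix + cert8.db is the file certutil -P expects.
    case $prefix in *-) ;; *) echo "prefix '$prefix' must end with '-'"; return 1 ;; esac
    for db in cert8.db key3.db; do
        [ -f "$dir/$prefix$db" ] || { echo "missing $dir/$prefix$db"; return 1; }
    done
    [ -s "$2" ] || { echo "password file $2 missing or empty"; return 1; }
    # Added check: the file holds the database password in clear text, so the group and
    # other permission bits (columns 5-10 of ls -l) must all be '-'.
    case $(ls -l "$2" | cut -c5-10) in ------) ;; *) echo "$2 is readable by others"; return 1 ;; esac
    # When the Web Server's certutil is present, confirm the CA nickname is in the database.
    if [ -x "$CERTUTIL" ]; then
        "$CERTUTIL" -L -d "$dir" -P "$prefix" | grep -q "OpenSSLTestCA" || { echo "CA missing"; return 1; }
    fi
    return 0
}

# make_fixture: constructed stand-in for the Access Manager 1 layout (empty placeholder
# files, not real NSS databases), so the check can be exercised offline.
make_fixture() {
    root=$(mktemp -d); mkdir -p "$root/alias" "$root/config"
    p=https-AccessManager-1.example.com-
    : > "$root/alias/${p}cert8.db"; : > "$root/alias/${p}key3.db"
    printf 'com.iplanet.am.admin.cli.certdb.dir=%s\n' "$root/alias" > "$root/config/AMConfig.properties"
    printf 'com.iplanet.am.admin.cli.certdb.prefix=%s\n' "$p" >> "$root/config/AMConfig.properties"
    printf 'password\n' > "$root/config/.wtpass"; chmod 600 "$root/config/.wtpass"
    echo "$root"
}

root=$(make_fixture)
check_certdb "$root/config/AMConfig.properties" "$root/config/.wtpass" && echo "certdb settings consistent"
```

On a real host, run check_certdb against /etc/opt/SUNWam/config/AMConfig.properties and /etc/opt/SUNWam/config/.wtpass after step 8 of each Modify procedure.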