D.91. tarantella security enable

Makes an SGD server secure.

Syntax

tarantella security enable
tarantella security enable --certfile cfile
                         [ --keyfile kfile ]
                         [ --rootfile carootfile ]
                         [ --firewalltraversal on|off ]

Description

Use this command to secure an SGD server.

The following notes apply to this command:

Use the --certfile option to specify a server SSL certificate to install. Certificates must be in Base64-encoded PEM format, with a header line that includes "BEGIN CERTIFICATE", as used by OpenSSL.

If you omit the --certfile option, this command generates and installs a self-signed server SSL certificate. Only use self-signed server SSL certificates for test purposes.

If you use the --certfile option and the --keyfile option together, SGD creates symbolic links to the specified SSL certificate and key files.

Use the --rootfile option to install the CA certificate if the SSL certificate is signed by an unsupported CA. This option also imports the CA certificate into the CA certificate truststore for the SGD server. This is the /opt/tarantella/bin/jre/lib/security/cacerts file.

Use the --firewalltraversal option to enable or disable the SGD server for firewall traversal. SGD servers configured for firewall traversal cannot be used with the SGD Gateway.

The tarantella security enable command is used when you install SGD in secure mode. This is the default installation mode.

If you have attempted to configure security previously, the tarantella security enable command has no effect. The command exits with an error message, indicating that security settings have been modified previously.

Ensure that the SGD server is running before you use this command. You can use the tarantella status command to show the current status of an SGD server.

The following options are available for this command.

--certfile
    Specifies the location of a file containing the SSL certificate.

    You must specify the full path to the SSL certificate file. The path must be readable by the ttasys user.

--keyfile
    Specifies the location of a file containing the private key for the SSL certificate specified by --certfile.

    Use this option to tell SGD about a private key you already have. If you used the Section D.86, “tarantella security certrequest” command to generate a CSR and obtain an SSL certificate, you do not need to use this option.

    You must specify the full path to the key file. The path must be readable by the ttasys user.

--rootfile
    Specifies the location of a file containing the CA's root certificate. Details are copied to /opt/tarantella/var/tsp for use by SGD security services.

    You must specify the full path to the CA root certificate file. The path must be readable by the ttasys user.

--firewalltraversal
    Configures the SGD server for firewall traversal.

    If you do not specify this option, firewall traversal is enabled by default.

If you use this command to secure an SGD server, the tarantella security disable command can be used to restore the security settings to their previous state.

See Section 1.5.3, “Enabling Secure Connections (Automatic Configuration)” for more details about how to secure an SGD server using this command.

Examples

The following example secures the SGD server, installs the specified SSL certificate, and uses the private key generated when the Section D.86, “tarantella security certrequest” command was used to generate a CSR:

# tarantella security enable \
--certfile /opt/certs/cert

The following example secures the SGD server, and installs the specified SSL certificate and private key. A CA root certificate is also installed. The Section D.86, “tarantella security certrequest” command was not used to generate a CSR.

# tarantella security enable \
--certfile /opt/certs/cert \
--keyfile /opt/keys/key \
--rootfile /tmp/rootcert

The following example secures the SGD server and installs a self-signed SSL certificate. Firewall traversal is not enabled for the SGD server.

# tarantella security enable \
--firewalltraversal off
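The following pre-flight script is an added example, not part of SGD or this manual. It checks the conditions this page states for the --certfile and --keyfile options (PEM header, matching key, readability by ttasys) and warns about a self-signed certificate before you run the command. It assumes the openssl tool is installed and that sudo can switch to the ttasys user; it changes nothing on the server.

```shell
#!/bin/sh
# Pre-flight checks for "tarantella security enable --certfile CERT --keyfile KEY".
# Added example (not SGD code). Assumes: openssl is installed, sudo can run as ttasys.

# SGD requires a Base64 PEM certificate with a header line containing "BEGIN CERTIFICATE".
pem_has_cert_header() {
    grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null
}

# The certificate and key are installed as a pair, so their public keys must agree.
# Comparing the PEM-encoded public keys works for RSA and EC keys alike.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Issuer equal to subject means self-signed; the manual allows these for test use only.
cert_is_self_signed() {
    i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    [ "${i#issuer=}" = "${s#subject=}" ]
}

# Every path given to the command must be readable by the ttasys user (assumed: sudo -u works).
readable_by_ttasys() {
    sudo -u ttasys test -r "$1"
}

# Run all checks; print the command to run on success, a FAIL/WARN line per problem otherwise.
preflight() {
    cert=$1; key=$2; rc=0
    pem_has_cert_header "$cert" || { echo "FAIL: $cert lacks a BEGIN CERTIFICATE header" >&2; rc=1; }
    cert_matches_key "$cert" "$key" || { echo "FAIL: $key does not match $cert" >&2; rc=1; }
    if cert_is_self_signed "$cert"; then echo "WARN: $cert is self-signed (test use only)" >&2; fi
    for f in "$cert" "$key"; do
        readable_by_ttasys "$f" || { echo "FAIL: $f is not readable by ttasys" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: tarantella security enable --certfile $cert --keyfile $key"
    return "$rc"
}

# Usage: sh preflight.sh /opt/certs/cert /opt/keys/key   (does nothing without arguments)
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```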