Sun N1 Service Provisioning System 5.2 Installation Guide

Sample Configuration Scenarios


Example 8–2 How to Configure SSL Without Authentication Between the Master Server, Local Distributor, and Remote Agent

  1. Install the Master Server, Local Distributor, and Remote Agent and select SSL when the installation program prompts you to select a connection type. When prompted to select a cipher suite, select encryption with no authentication.

  2. Add the following property to the config.properties file for each application.


    net.ssl.cipher.suites=SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

    More than one cipher suite, or a different cipher suite, can be enabled. To enable multiple cipher suites, set the property to a comma-separated list of cipher suite names. Anonymous suites such as SSL_DH_anon_WITH_3DES_EDE_CBC_SHA encrypt the connection but authenticate neither peer, so an attacker who can intercept traffic between the components can sit between them undetected; use this configuration only on a network you trust, and see Example 8-3 and Example 8-4 for authenticated configurations.

  3. From the browser interface, create a new host.

  4. On the host that you just created, add a Local Distributor with the connection type SSL.

  5. Test the connection to the Local Distributor.

  6. Create a new host.

  7. On the host that you just created, add a Remote Agent with the connection type SSL.

  8. Test the connection to the Remote Agent.

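The following script is an added example, not part of the Sun N1 SPS documentation or product. It reads the net.ssl.cipher.suites property from a config.properties file the way the step above describes (a comma-separated list) and reports suites that give no peer authentication or rely on deprecated algorithms, so that a deployment meant for Example 8-3 or 8-4 is not silently left on an anonymous suite. The two config.properties texts embedded in it are constructed for the example, and the suite names other than SSL_DH_anon_WITH_3DES_EDE_CBC_SHA are standard JSSE names assumed for illustration.

```python
"""Audit net.ssl.cipher.suites in an N1 SPS config.properties.

Added example, not part of the Sun N1 SPS documentation or product.
The two sample config texts below are constructed for this example.
"""

PROPERTY = "net.ssl.cipher.suites"

# Constructed sample: Example 8-2 style setting, encryption only, no authentication.
NO_AUTH_CONFIG = """\
# encryption without authentication
net.ssl.cipher.suites=SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
"""

# Constructed sample: server-authenticated suites (names assumed for illustration).
AUTH_CONFIG = """\
net.ssl.cipher.suites=TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def cipher_suites(props):
    """Enabled suites as a list; an empty list means the product default applies."""
    return [s.strip() for s in props.get(PROPERTY, "").split(",") if s.strip()]


def classify(suite):
    """Findings for one JSSE cipher suite name, judged from its name components."""
    findings = []
    if "_anon_" in suite:
        findings.append("no peer authentication (anonymous key exchange)")
    if "_WITH_NULL_" in suite:
        findings.append("no encryption")
    if "_EXPORT" in suite:
        findings.append("export-grade key size")
    if "3DES" in suite or "_DES_" in suite or "RC4" in suite:
        findings.append("deprecated cipher")
    if suite.endswith("_MD5"):
        findings.append("MD5 integrity check")
    return findings


def audit(text, require_auth):
    """Return (ok, findings) for a config.properties text.

    ok is False when authentication is required but an anonymous suite is
    enabled, or when any suite offers no encryption or export-grade keys.
    """
    suites = cipher_suites(parse_properties(text))
    findings = []
    ok = True
    for suite in suites:
        for finding in classify(suite):
            findings.append(f"{suite}: {finding}")
            if require_auth and "authentication" in finding:
                ok = False
            if finding in ("no encryption", "export-grade key size"):
                ok = False
    return ok, findings


if __name__ == "__main__":
    for label, text in (("no-auth", NO_AUTH_CONFIG), ("auth", AUTH_CONFIG)):
        ok, findings = audit(text, require_auth=True)
        print(f"{label}: {'OK' if ok else 'FAIL'}")
        for f in findings:
            print("  " + f)
```

Run it against the config.properties of each component after installation; with require_auth=True the Example 8-2 setting fails because of the anonymous key exchange, while a server-authenticated list passes with no findings.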


Example 8–3 How to Configure SSL Server Authentication

By default, cipher suites that require server authentication are enabled, so no change to the config.properties file is required for this example.

  1. Generate a key pair for the Local Distributor and store it in the private keystore for the Local Distributor. Specify -mode downstream.


    % ld/bin/crkeys -private -generate -mode downstream -alias ldhostname-downstream.cr.com -validity 365
    
  2. Export the self-signed certificate from the private keystore on the Local Distributor into a file.


    % ld/bin/crkeys -private -export -file ld-downstream.cert -alias ldhostname-downstream.cr.com
    
  3. Copy the self-signed certificate for Local Distributor to the Master Server.

  4. Import the self-signed certificate into the Master Server trust keystore.


    % server/bin/crkeys -trust -import -file ld-downstream.cert -alias ldhostname-downstream.cr.com
    
  5. Create a new host.

  6. On the new host, add a Local Distributor with the connection type SSL.

  7. For the Local Distributor, use the CLI net.gencfg command to manually generate the transport.config file.

  8. Copy the transport.config file to the Local Distributor.

  9. If already running, stop the Master Server and the Local Distributor.

  10. Start the Master Server and the Local Distributor.

  11. Provide the keystore password for the Master Server and Local Distributor.

  12. Test the connection to the Local Distributor.

  13. Generate a key pair for the Remote Agent and store it in the private store for the Remote Agent. Specify -mode downstream.


    % agent/bin/crkeys -private -generate -mode downstream -alias rahostname-downstream.cr.com -validity 365
    
  14. Export the self-signed certificate from the private store on the Remote Agent into a file.


    % agent/bin/crkeys -private -export -file ra-downstream.cert -alias rahostname-downstream.cr.com
    
  15. Copy the self-signed certificate for the Remote Agent to the Local Distributor.

  16. Import the self-signed certificate into the Local Distributor trust store.


    % ld/bin/crkeys -trust -import -file ra-downstream.cert -alias rahostname-downstream.cr.com
    
  17. Create a new host.

  18. On the new host, add a Remote Agent with the connection type SSL.

  19. For the Remote Agent, use the CLI net.gencfg command to manually generate the transport.config file.

  20. Copy the transport.config file to the Remote Agent.

  21. If already running, stop the Local Distributor and Remote Agent.

  22. Start the Local Distributor and the Remote Agent.

  23. Provide the keystore password for the Local Distributor and Remote Agent.

  24. Test the connection to the Remote Agent.



Example 8–4 How to Configure SSL Server and Client Authentication

  1. Install the Master Server, Local Distributor, and Remote Agent and select SSL when the installation program prompts you to select a connection type. When prompted to select a cipher suite, select encryption with authentication.

  2. Edit the config.properties file to include the cipher suite you want to use and the encoded keystore password.

    You must use the same keystore password for all of the hosts.

  3. Generate a key pair for the Local Distributor and store it in the private store for the Local Distributor. Specify -mode downstream.


    % ld/bin/crkeys -private -generate -mode downstream -alias ldhostname-downstream.cr.com -validity 365
    
  4. Generate a key pair for the Master Server and store it in the private store for the Master Server. Specify -mode upstream.


    % server/bin/crkeys -private -generate -mode upstream -alias mshostname-upstream.cr.com -validity 365
    
  5. Export the self-signed certificate from the private store for the Local Distributor into a file.


    % ld/bin/crkeys -private -export -file ld-downstream.cert -alias ldhostname-downstream.cr.com
    
  6. Copy the self-signed certificate for the Local Distributor to the Master Server.

  7. Import the self-signed certificate into the Master Server trust store.


    % server/bin/crkeys -trust -import -file ld-downstream.cert -alias ldhostname-downstream.cr.com
    
  8. Export the self-signed certificate from the private store for the Master Server into a file.


    % server/bin/crkeys -private -export -file ms-upstream.cert -alias mshostname-upstream.cr.com
    
  9. Copy the self-signed certificate for the Master Server to the Local Distributor.

  10. Import the self-signed certificate into the Local Distributor trust store.


    % ld/bin/crkeys -trust -import -file ms-upstream.cert -alias mshostname-upstream.cr.com
    
  11. If already running, stop the Master Server and the Local Distributor.

  12. Start the Master Server and the Local Distributor.

  13. Provide the keystore password for the Master Server and Local Distributor.

  14. Create a new host.

  15. On the new host, add a Local Distributor with the connection type SSL.

  16. Test the connection to the Local Distributor.

  17. Generate a key pair for the Remote Agent and store it in the private store for the Remote Agent. Specify -mode downstream.


    % agent/bin/crkeys -private -generate -mode downstream -alias rahostname-downstream.cr.com -validity 365
    
  18. Export the self-signed certificate from the private store for the Remote Agent into a file.


    % agent/bin/crkeys -private -export -file ra-downstream.cert -alias rahostname-downstream.cr.com
    
  19. Copy the self-signed certificate for the Remote Agent to the Local Distributor.

  20. Import the self-signed certificate into the Local Distributor trust store.


    % ld/bin/crkeys -trust -import -file ra-downstream.cert -alias rahostname-downstream.cr.com
    
  21. Generate a key pair for the Local Distributor and store it in the private store for the Local Distributor. Specify -mode upstream.


    % ld/bin/crkeys -private -generate -mode upstream -alias ldhostname-upstream.cr.com -validity 365
    
  22. Export the self-signed certificate from the private store for the Local Distributor into a file.


    % ld/bin/crkeys -private -export -file ld-upstream.cert -alias ldhostname-upstream.cr.com
    
  23. Copy the self-signed certificate for the Local Distributor that you exported in Step 22 to the Remote Agent machine.

  24. Import the self-signed certificate into the Remote Agent trust store.


    % agent/bin/crkeys -trust -import -file ld-upstream.cert -alias ldhostname-upstream.cr.com
    
  25. If already running, stop the Local Distributor and Remote Agent.

  26. Start the Local Distributor and the Remote Agent.

  27. Provide the keystore password for the Local Distributor and Remote Agent.

  28. Create a new host.

  29. On the new host, add a Remote Agent with the connection type SSL.

  30. Test the connection to the Remote Agent.



Example 8–5 How to Configure SSL Authentication Between a CLI Client and Master Server

  1. Install the Master Server and the CLI Client and select SSL when the installation program prompts you to select a connection type. When prompted to select a cipher suite, select encryption with authentication.

  2. Generate a key pair for the Master Server and store it in the private store for the Master Server.


    % server/bin/crkeys -private -generate -alias mshostname.cr.com -validity 365
    
  3. Generate a key pair for the CLI Client and store it in the private store for the CLI Client.


    % cli/bin/crkeys -private -generate -alias clihostname.cr.com -validity 365
    
  4. Export the self-signed certificate from the private store for the Master Server into a file.


    % server/bin/crkeys -private -export -file ms.cert -alias mshostname.cr.com
    
  5. Copy the Master Server self-signed certificate to the CLI Client.

  6. Import the self-signed certificate into the CLI Client trust store.


    % cli/bin/crkeys -trust -import -file ms.cert -alias mshostname.cr.com
    
  7. Export the self-signed certificate from the private store for the CLI Client into a file.


    % cli/bin/crkeys -private -export -file cli.cert -alias clihostname.cr.com
    
  8. Copy the CLI Client self-signed certificate to the Master Server.

  9. Import the self-signed certificate into the Master Server trust store.


    % server/bin/crkeys -trust -import -file cli.cert -alias clihostname.cr.com
    
  10. If the Master Server is running, stop the Master Server.

  11. Start the Master Server.

  12. Provide the keystore password for the Master Server.

  13. On the CLI Client, edit the config.properties file to include the following line:


    net.ssl.key.store.pass=trust-store-password
    
  14. Run a CLI Client command to verify the connection.
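The following script is an added example, not part of the Sun N1 SPS documentation or product. It encodes the rule that Examples 8-3, 8-4 and 8-5 apply by hand: on every link the downstream component holds a -mode downstream key whose self-signed certificate the upstream component imports into its trust store; with client authentication (Example 8-4) the upstream component also holds a -mode upstream key that the downstream component must trust; the Master Server and a CLI Client (Example 8-5) exchange certificates the same way without -mode. It generates the crkeys sequence for an arbitrary Master Server, Local Distributor, Remote Agent chain and checks that every -trust -import names a file and alias that an earlier -private -export produced, which is the mistake easiest to make when typing the steps by hand. Host names, the cr.com domain, the install directories and the 365-day validity follow the guide; the Component records and the chain are constructed for the example.

```python
"""Generate and sanity-check the crkeys sequence that bootstraps SSL trust
between N1 SPS components.

Added example, not part of the Sun N1 SPS documentation or product. The
Component records below are constructed from the host and directory names
used in the guide's examples.
"""
from collections import namedtuple

# display name, install directory (prefix of bin/crkeys), host name, certificate file tag
Component = namedtuple("Component", "name install_dir host tag")

MS = Component("Master Server", "server", "mshostname", "ms")
LD = Component("Local Distributor", "ld", "ldhostname", "ld")
RA = Component("Remote Agent", "agent", "rahostname", "ra")
CLI = Component("CLI Client", "cli", "clihostname", "cli")

DOMAIN = "cr.com"
VALIDITY = "365"


def crkeys(comp, *args):
    """Render one crkeys invocation for a component."""
    return f"{comp.install_dir}/bin/crkeys " + " ".join(args)


def key_steps(owner, truster, mode=None):
    """Commands that give `owner` a fresh key pair and make `truster` trust it.

    mode is "downstream", "upstream" or None (CLI Client / Master Server case).
    """
    suffix = f"-{mode}" if mode else ""
    alias = f"{owner.host}{suffix}.{DOMAIN}"
    cert = f"{owner.tag}{suffix}.cert"
    mode_args = ("-mode", mode) if mode else ()
    return [
        crkeys(owner, "-private", "-generate", *mode_args, "-alias", alias, "-validity", VALIDITY),
        crkeys(owner, "-private", "-export", "-file", cert, "-alias", alias),
        f"# copy {cert} from the {owner.name} to the {truster.name}",
        crkeys(truster, "-trust", "-import", "-file", cert, "-alias", alias),
    ]


def chain_plan(chain, mutual):
    """Plan for a Master Server -> ... -> Remote Agent chain (Examples 8-3 and 8-4)."""
    plan = []
    for upstream, downstream in zip(chain, chain[1:]):
        plan.append(f"# --- {upstream.name} -> {downstream.name} ---")
        # server authentication: the upstream side must trust the downstream key
        plan += key_steps(downstream, upstream, "downstream")
        if mutual:
            # client authentication: the downstream side must trust the upstream key
            plan += key_steps(upstream, downstream, "upstream")
    return plan


def cli_plan(server, client):
    """Mutual trust between the Master Server and a CLI Client (Example 8-5)."""
    return key_steps(server, client) + key_steps(client, server)


def _opt(tokens, name):
    """Value following option `name` in a tokenised command, or None."""
    if name in tokens:
        i = tokens.index(name) + 1
        return tokens[i] if i < len(tokens) else None
    return None


def check_plan(plan):
    """Return the -trust -import commands whose (file, alias) was never exported.

    Such a command leaves the trust store without the peer's certificate
    (or with it under the wrong alias), so the SSL handshake fails later.
    """
    exported = set()
    problems = []
    for cmd in plan:
        tokens = cmd.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        pair = (_opt(tokens, "-file"), _opt(tokens, "-alias"))
        if "-export" in tokens:
            exported.add(pair)
        elif "-import" in tokens and pair not in exported:
            problems.append(cmd)
    return problems


if __name__ == "__main__":
    for line in chain_plan([MS, LD, RA], mutual=True) + cli_plan(MS, CLI):
        print(line)
    print("# problems:", check_plan(chain_plan([MS, LD, RA], mutual=True)))
```

Feeding a hand-written step list to check_plan catches an import whose file or alias does not match the export it is supposed to consume; adding a second Local Distributor to the chain list extends the plan with one more link without changing the rule.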