
Sun ONE Portal Server, Secure Remote Access 6.1 Administrator's Guide

Chapter 6
Working With Certificates

This chapter explains the certificate-based authentication mechanisms provided by Sun™ ONE Secure Remote Access, along with the configuration they require.

This chapter covers the following topics:

    Certificate Management
    Certificate Files
    Trust Attributes
    Certificate Authorities (CAs)
    The certadmin Script
    Generating a Self-signed SSL Certificate
    Obtaining and Installing an SSL Certificate From a CA
    Listing Root CA Certificates
    List All Certificates
    Modifying the Trust Attributes of a Certificate


Certificate Management

Secure Remote Access provides certificate-based authentication for remote users. It uses the Secure Sockets Layer (SSL) protocol, which enables secure communication between two machines.

Secure Remote Access also supports client authentication with Personal Digital Certificates (PDCs). A PDC is a mechanism for authenticating a user through SSL client authentication. With SSL client authentication, the SSL handshake ends at the gateway. The gateway extracts the user’s PDC and passes it to the authentication server, which uses the PDC to authenticate the user.

You can either use a certificate that is issued by a Certificate Authority (CA), or generate and use self-signed certificates.


Certificate Files

When Sun ONE Portal Server, Secure Remote Access is installed, a self-signed SSL certificate is created and installed if you chose that option during installation. If you chose not to install a self-signed certificate, only the certificate database is created. Certificate-related files are located in /etc/opt/SUNWps/cert/default. This directory contains 5 files by default. The files and their descriptions are listed in Table 6-1.

Table 6-1  Certificate Files

| Filename | Type | Description |
|---|---|---|
| cert7.db, key3.db, secmod.db | Binary | Contain the data for certificates, keys, and cryptographic modules. They can be manipulated with the certadmin script. They have the same format as the database files that the Sun™ ONE Web Server keeps in InstallDir/netscape/server4/alias. If necessary, these files can be shared between the portal server host and the gateway components or the gateway proxy. |
| .jsspass | Hidden text file | Contains the password for the encryption module that the portal server gateway currently uses. The default module is the internal software module. |
| .nickname | Hidden text file | Stores the names of the token and certificate that the gateway must use, in the format token_name:certificate_name. If you are using the default token (the token on the default internal software encryption module), omit the token name; in most cases the .nickname file stores only the certificate name. As an administrator, you can change the certificate name in this file, and the gateway then uses the certificate you specify. |


Trust Attributes

The trust attributes of a certificate provide information about:

There are three trust categories for each certificate, expressed in this order: “SSL, email, object signing”. For the gateway component, only the first category matters. Each category position holds zero or more trust attribute codes.

The attribute codes for the categories are separated by commas, and the entire set of attributes is enclosed in quotation marks. For example, the self-signed certificate generated and installed during the gateway installation is marked "u,u,u", which identifies it as a server (user) certificate rather than a root CA certificate.

The possible attribute values and the meaning of each value are listed in Table 6-2.

Table 6-2  Certificate Trust Attributes

| Attribute | Description |
|---|---|
| p | Valid peer |
| P | Trusted peer (implies p) |
| c | Valid CA |
| T | Trusted CA to issue client certificates (implies c) |
| C | Trusted CA to issue server certificates (SSL only) (implies c) |
| u | Certificate can be used for authentication or signing |
| w | Send warning (use with other attributes to include a warning when the certificate is used in that context) |


Certificate Authorities (CAs)

Most well-known public CAs are already included in the certificate database. Table 6-3 lists the public CAs included by default, together with their trust attributes. See "Modifying the Trust Attributes of a Certificate" for information on modifying the trust attributes of a public CA.

Table 6-3  Public Certificate Authorities

| Certificate Authority Name | Trust Attributes |
|---|---|
| ABAecom (sub., Am. Bankers Assn.) Root CA | CG,C,C |
| American Express CA | C,C, |
| American Express Global CA | C,C, |
| Baltimore CyberTrust Code Signing Root | ,,C |
| Baltimore CyberTrust Mobile Commerce Root | CG,C, |
| Baltimore CyberTrust Root | CG,C, |
| BelSign Object Publishing CA | ,,C |
| BelSign Secure Server CA | C,, |
| Deutsche Telekom AG Root CA | C,C,C |
| Digital Signature Trust Co. Global CA 1 | CG,C,C |
| Digital Signature Trust Co. Global CA 2 | CG,C,C |
| Digital Signature Trust Co. Global CA 3 | CG,C,C |
| Digital Signature Trust Co. Global CA 4 | CG,C,C |
| E-Certify Commerce ID | C,, |
| E-Certify Internet ID | ,C, |
| Entrust.net Premium 2048 Secure Server CA | C,C,C |
| Entrust.net Secure Personal CA | C,C,C |
| Entrust.net Secure Server CA | C,C,C |
| Equifax Premium CA | C,C,C |
| Equifax Secure CA | C,C,C |
| Equifax Secure Global eBusiness CA | C,C,C |
| Equifax Secure eBusiness CA 1 | C,C,C |
| Equifax Secure eBusiness CA 2 | C,C,C |
| GTE CyberTrust Global Root | CG,C,C |
| GTE CyberTrust Japan Root CA | CG,C,C |
| GTE CyberTrust Japan Secure Server CA | CG,C,C |
| GTE CyberTrust Root 2 | CG,C,C |
| GTE CyberTrust Root 3 | CG,C,C |
| GTE CyberTrust Root 4 | CG,C,C |
| GTE CyberTrust Root 5 | CG,C,C |
| GTE CyberTrust Root CA | CG,C,C |
| GlobalSign Partners CA | C,C,C |
| GlobalSign Primary Class 1 CA | C,C,C |
| GlobalSign Primary Class 2 CA | ,C, |
| GlobalSign Primary Class 3 CA | ,C, |
| GlobalSign Root CA | C,C,C |
| TC TrustCenter, Germany, Class 0 CA | Cw,C,C |
| TC TrustCenter, Germany, Class 1 CA | ,C, |
| TC TrustCenter, Germany, Class 2 CA | C,C,C |
| TC TrustCenter, Germany, Class 3 CA | C,C,C |
| TC TrustCenter, Germany, Class 4 CA | C,C,C |
| Thawte Personal Basic CA | ,C,C |
| Thawte Personal Freemail CA | ,C, |
| Thawte Personal Premium CA | ,C,C |
| Thawte Premium Server CA | CG,,C |
| Thawte Server CA | CG,,C |
| Thawte Universal CA Root | CG,C,C |
| ValiCert Class 1 VA | C,C,C |
| ValiCert Class 2 VA | C,C,C |
| ValiCert Class 3 VA | C,C,C |
| ValiCert OCSP Responder | C,C,C |
| VeriSign Class 4 Primary CA | CG,C,C |
| Verisign Class 1 Public Primary Certification Authority | ,C, |
| Verisign Class 1 Public Primary Certification Authority - G2 | ,C, |
| Verisign Class 1 Public Primary Certification Authority - G3 | ,C, |
| Verisign Class 2 Public Primary Certification Authority | ,C,C |
| Verisign Class 2 Public Primary Certification Authority - G2 | ,C,C |
| Verisign Class 2 Public Primary Certification Authority - G3 | ,C,C |
| Verisign Class 3 Public Primary Certification Authority | CG,C,C |
| Verisign Class 3 Public Primary Certification Authority - G2 | CG,C,C |
| Verisign Class 3 Public Primary Certification Authority - G3 | CG,C,C |
| Verisign Class 4 Public Primary Certification Authority - G2 | CG,C,C |
| Verisign Class 4 Public Primary Certification Authority - G3 | CG,C,C |
| Verisign/RSA Commercial CA | C,C, |
| Verisign/RSA Secure Server CA | C,C, |


The certadmin Script

When the Sun ONE Portal Server, Secure Remote Access is installed, a self-signed SSL certificate is created and installed.

You can use the certadmin script to do additional certificate administration such as:

gwcertutil

The certadmin script in InstallDir/SUNWps/bin/ is a convenience wrapper around the gwcertutil command. It covers the routine certificate administration tasks. For anything beyond those, use the gwcertutil command directly; for example, use gwcertutil to delete a certificate from the certificate database. The command gwcertutil -H lists its usage.


Generating a Self-signed SSL Certificate

See “Generating Self-Signed Certificates” in Chapter 4, “Installing SSL Certificates” in the Sun ONE Portal Server, Secure Remote Access Installation Guide for details.


Obtaining and Installing an SSL Certificate From a CA

During the installation of the gateway component of the Secure Remote Access, a self-signed certificate is created and installed by default. At any point after installation, you can install SSL certificates signed by vendors who provide official certificate authority (CA) services, or by your corporate CA.

The three steps involved in this task are:

  1. Generating a Certificate Signing Request (CSR)
  2. Ordering a Certificate from a CA
  3. Installing the Certificate from the CA

See “Installing Certificates from a Certificate Authority” in Chapter 4, “Installing SSL Certificates” in the Sun ONE Portal Server, Secure Remote Access Installation Guide for details.


Listing Root CA Certificates

    To View the List of Root CAs
  1. As root, run the certadmin script:

     InstallDir/SUNWps/bin/certadmin -n profilename

     where profilename is the name of the gateway instance.

     The Certificate Administration menu is displayed.

     1) Generate Self-Signed Certificate
     2) Generate Certificate Signing Request (CSR)
     3) Add Root CA Certificate
     4) Install Certificate From Certificate Authority (CA)
     5) Modify Trust Attributes of Certificate (e.g., for PDC)
     6) List Root CA Certificates
     7) List All Certificates
     8) Quit

     choice: [8] 6

  2. Choose option 6 on the certificate administration menu.


List All Certificates

All certificates and their corresponding trust attributes can be viewed by using the certificate administration script.

    To List All the Certificates
  1. As root, run the certadmin script:

     InstallDir/SUNWps/bin/certadmin -n profilename

     where profilename is the name of the gateway instance.

     The Certificate Administration menu is displayed.

     1) Generate Self-Signed Certificate
     2) Generate Certificate Signing Request (CSR)
     3) Add Root CA Certificate
     4) Install Certificate From Certificate Authority (CA)
     5) Modify Trust Attributes of Certificate (e.g., for PDC)
     6) List Root CA Certificates
     7) List All Certificates
     8) Quit

     choice: [8] 7

  2. Choose option 7 on the certificate administration menu.


Modifying the Trust Attributes of a Certificate

One case in which the trust attributes of a certificate need to be modified is when client authentication is used with the gateway. An example of client authentication is the PDC (Personal Digital Certificate). The CA that issues the PDCs must be trusted by the gateway; that is, the CA certificate should be marked "T" in the SSL category.

If the gateway component is set up to communicate with an HTTPS site that presents a self-signed certificate, allowing the gateway component to trust unknown CAs can be a convenient approach. For a production deployment, however, this approach should be used with caution, because it removes the check that the peer's certificate chains to a CA you have chosen to trust.
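Added example, not code from the Sun ONE documentation: a small Python checker for the "SSL, email, object signing" trust strings described under Trust Attributes and Table 6-2, applied to the PDC requirement above that the issuing CA carry T in its SSL category. The sample catalog is constructed from rows of Table 6-3; the function and variable names are this example's own.

```python
from typing import Dict, List, NamedTuple

# Attribute codes from Table 6-2 and the codes each one implies.
TRUST_CODES = {"p", "P", "c", "T", "C", "u", "w"}
IMPLIES = {"P": "p", "T": "c", "C": "c"}


class TrustAttributes(NamedTuple):
    ssl: str
    email: str
    object_signing: str


def parse_trust(attr_string: str) -> TrustAttributes:
    """Split a string such as "CG,C,C" or '"u,u,u"' into its three category slots."""
    parts = attr_string.strip().strip('"').split(",")
    if len(parts) != 3:
        raise ValueError(f"expected SSL,email,object-signing, got {attr_string!r}")
    return TrustAttributes(*(p.strip() for p in parts))


def effective_codes(slot: str) -> set:
    """A slot's codes plus those they imply (T and C imply c, P implies p)."""
    return set(slot) | {IMPLIES[c] for c in slot if c in IMPLIES}


def unknown_codes(attrs: TrustAttributes) -> set:
    """Codes that Table 6-2 does not list (the default database also uses "G")."""
    return {c for slot in attrs for c in slot} - TRUST_CODES


def is_valid_ca(attrs: TrustAttributes) -> bool:
    """True if the SSL slot marks the certificate as a CA (c, directly or implied)."""
    return "c" in effective_codes(attrs.ssl)


def trusted_for_pdc(attrs: TrustAttributes) -> bool:
    """The gateway accepts PDCs only from a CA whose SSL slot carries T."""
    return "T" in attrs.ssl


def cas_needing_update(catalog: Dict[str, str]) -> List[str]:
    """CAs whose trust must be changed (certadmin option 5) before they can issue PDCs."""
    return sorted(n for n, s in catalog.items() if not trusted_for_pdc(parse_trust(s)))


# Constructed sample: two rows copied from Table 6-3 and the first CA after the procedure.
SAMPLE_CATALOG = {
    "Thawte Personal Freemail CA": ",C,",
    "Verisign Class 3 Public Primary Certification Authority": "CG,C,C",
    "Thawte Personal Freemail CA (after certadmin)": "CT,CT,CT",
}
```

Running cas_needing_update(SAMPLE_CATALOG) names the two CAs whose SSL slot lacks T, which is exactly the case the procedure below corrects for Thawte Personal Freemail CA.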

    To Modify the Trust Attributes for a Certificate
  1. As root, run the certadmin script:

     InstallDir/SUNWps/bin/certadmin -n profilename

     where profilename is the name of the gateway instance.

     The Certificate Administration menu is displayed.

     1) Generate Self-Signed Certificate
     2) Generate Certificate Signing Request (CSR)
     3) Add Root CA Certificate
     4) Install Certificate From Certificate Authority (CA)
     5) Modify Trust Attributes of Certificate (e.g., for PDC)
     6) List Root CA Certificates
     7) List All Certificates
     8) Quit

     choice: [8] 5

  2. Choose option 5 on the certificate administration menu.
  3. Enter the name of the certificate at the prompt. For example, Thawte Personal Freemail CA.

     Please enter the name of the certificate:
     Thawte Personal Freemail CA

  4. Enter the trust attribute for the certificate at the prompt.

     Please enter the trust attribute you want the certificate to have [CT,CT,CT]

The certificate trust attribute will be changed.





Copyright 2003 Sun Microsystems, Inc. All rights reserved.