
Sun ONE Web Server 6.1 Administrator's Guide

The Security Tab


The Server Manager Security tab contains the following pages:


The Create Database Page

The Create Database page allows you to create a new trust database with the default CA settings and protect it with a password. The server can have only one trust database, so you can create a trust database only if one does not already exist. The trust database is created with the default CA entries which are configured so that they are not trusted CAs for client certificates. To configure the server to trust these CAs for use with client certificates, see The Manage Certificates Page. For more information about creating a trust database, see Creating a Trust Database.

The following elements are displayed:

Database Password. Specifies the certificate database password.


Note

The database password is sent in plain text from the client to the Administration Server. To minimize security risks, you should run the browser used for server administration on the same machine as the Administration Server or run your administration server with SSL.


Password (again). Confirms the password specified in the Database Password field. If what you enter is different from what you entered in the Database Password field, you will be prompted to try again.

OK. Saves your entries.

Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.

Help. Displays online help.


The Request a Certificate Page

The Request a Certificate page allows you to add or renew a server certificate. For more information, see Migrating Certificates When You Upgrade.

The following elements are displayed:

New certificate. Specifies that the certificate being requested is new.

Certificate renewal. Specifies that the certificate being requested is a renewal of an existing certificate.

Submit to Certificate Authority Via. Specifies the manner in which to submit the certificate request. Select from the following options:

Select the module to use with the certificate. Specifies the following:

Requestor name. Specifies the name under which the certificate will be issued.

Telephone number. Specifies the telephone number of the requestor.

Common name. Specifies the fully qualified hostname used in DNS lookups (for example, www.sun.com). This is the hostname in the URL that a browser uses to connect to your site. It is important that these two names are the same. Otherwise, a client is notified that the certificate name does not match the site name, which often makes users doubt the authenticity of your certificate.

Email address. Specifies the business email address used for correspondence between you and the CA.

Organization. Specifies the official, legal name of your company, educational institution, organization, and so on. Most CAs require that you verify this information with legal documents (such as a copy of a business license).

Organizational Unit. Specifies a description of an organizational unit within your company. This field is optional.

Locality. Specifies a description of the city, principality, or country for the organization. This field is optional.

State or Province. Specifies the state or province in which the business is located.

Country. Specifies the two-character abbreviation of your country name (in ISO format). The country code for the United States is US.

OK. Saves your entries. You must restart the server in order for your changes to take effect.

Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.

Help. Displays online help.
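A pre-submission check of the request fields described above, added here as an example (it is not part of the Sun ONE documentation or product). The dictionary keys, the set of fields treated as required, and the sample values are assumptions; the country check covers the two-letter format only. The example also builds the certificate subject string from the fields, which goes one step beyond the form itself.

```python
import re
from urllib.parse import urlsplit

# Hypothetical keys for the form elements listed above; treating every
# field not marked optional on the page as required is an assumption.
REQUIRED = ("requestor_name", "telephone", "common_name", "email",
            "organization", "state", "country")
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# (subject attribute, form field), most specific first
DN_ORDER = (("CN", "common_name"), ("OU", "organizational_unit"),
            ("O", "organization"), ("L", "locality"),
            ("ST", "state"), ("C", "country"))
SAMPLE = {  # constructed sample input
    "requestor_name": "Pat Admin", "telephone": "+1 555 0100",
    "common_name": "www.example.com", "email": "pat@example.com",
    "organization": "Example, Inc.", "state": "California",
    "country": "US"}

def check_request(fields, site_url):
    """Return a list of problems found in the request fields."""
    problems = [f"missing required field: {key}" for key in REQUIRED
                if not fields.get(key, "").strip()]
    # Compare names case-insensitively and ignore a trailing root dot.
    cn = fields.get("common_name", "").strip().rstrip(".").lower()
    host = (urlsplit(site_url).hostname or "").rstrip(".").lower()
    parts = cn.split(".")
    if cn and (len(parts) < 2 or not all(LABEL.match(p) for p in parts)):
        problems.append(f"common name is not fully qualified: {cn}")
    if cn and cn != host:
        problems.append(f"common name {cn} does not match URL host {host}")
    country = fields.get("country", "").strip()
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append(f"country is not a two-letter code: {country}")
    return problems

def escape_rdn(value):
    """Escape a stripped value for an RFC 4514 subject string."""
    out = re.sub(r'([",+;<>\\])', r"\\\1", value)
    return "\\" + out if out.startswith("#") else out

def subject_dn(fields):
    """Build the subject string, skipping optional fields left empty."""
    return ",".join(f"{attr}={escape_rdn(fields[key].strip())}"
                    for attr, key in DN_ORDER
                    if fields.get(key, "").strip())

if __name__ == "__main__":
    print(check_request(SAMPLE, "https://www.example.com/"))
    print(subject_dn(SAMPLE))
```

Note the comma in the organization name: it must be escaped in the subject string, or tools that parse the string will split the organization into two attributes.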


The Install Certificate Page

The Install Certificate page allows you to install a certificate for a server. You can install your own certificate to present to clients, or a CA’s certificate for use in a certificate chain.

When you receive a certificate from the CA, it will be encrypted with your public key so that only you can decrypt it. The server will use the key-pair file password you specify to decrypt the certificate when you install it. For more information, see Requesting and Installing Other Server Certificates.


Note

Install certificates for use in a certificate chain using the same process as installing your own certificate. Many CAs include their certificate in the same email that contains your certificate. If your CA does not automatically send you their certificate, you should request it. Your server installs both certificates at the same time.


The following elements are displayed:

Certificate For. Specifies where the certificate will be used. Select from the following options:

Cryptographic Module. Specifies the module to be used with the certificate. Choose internal unless you have installed an external encryption module.

Key Pair File Password. Specifies the password for the certificate database.

Certificate Name. Specifies the common name of the certificate. Enter the certificate name only if it differs from the fully qualified hostname of your server used in DNS lookups (for example, www.iplanet.com).

Message is in This File. Specifies the file that contains the CA certificate.

Message Text (with headers). Contains the content of the CA certificate. If you copy and paste the text, be sure to include the headers “Begin Certificate” and “End Certificate.”

OK. Takes you to The Add or Replace Certificate Page.

Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.

Help. Displays online help.


The Add or Replace Certificate Page

The Add or Replace Certificate Page displays the new certificate information you have just installed.

Add Server Certificate or Replace Server Certificate. Adds or replaces your previous certificate with the one displayed.

Back. Takes you back to The Install Certificate Page.

Help. Displays online help.


The Change Password Page

The Change Password page allows you to change the password used to access your trust database. For more information, see Changing Passwords or PINs.

The following elements are displayed:

Cryptographic Module. Specifies the module to be used with the certificate. Choose internal unless you have installed an external encryption module.

Old Password. Specifies the current key pair password.

New Password. Specifies the new key pair password.

Password (again). Confirms the password specified in the New Password field. If what you enter is different from what you entered in the New Password field, you will be prompted to try again.

OK. Saves your entries. You must restart the server in order for your changes to take effect.

Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.

Help. Displays online help.


The Manage Server Certificates Page

The Manage Certificates page displays all the installed certificates associated with the server and allows you to manage the certificates. For more information, see Changing Passwords or PINs.

If you have an external module installed, you will be warned to do this only on your local machine. You will need to enter the password for the external module and click OK for the external module to be made accessible for management.

The following elements are displayed:

Certificate Name. Specifies the name of the certificate authority.

Type. Specifies the type of certificate.

Expires (Time in UTC). Displays the date and time that the certificate expires. Once a certificate has expired, you must renew it to use it again.

Help. Displays online help.

When you double click on a certificate, information about the certificate is displayed. Internally issued certificates have the following options:

Certificates issued by a Certificate Authority have the following options:

You must restart the server for your changes to take effect.


The Request VeriSign Certificate Page

This page describes the process of requesting a VeriSign certificate, including the eight basic steps. For more information, see Requesting and Installing a VeriSign Certificate.

The following elements are displayed:

OK. Activates the VeriSign Enrollment Wizard.

Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.

Help. Displays online help.


The Install VeriSign Certificate Page

This page allows you to retrieve the server certificate requested from VeriSign for installation on your server. For more information, see Requesting and Installing a VeriSign Certificate.

The following elements are displayed:

Select the Module to Use with the Certificate. Specifies the following:

Cryptographic Module. Specifies the module to be used with the certificate. Choose internal unless you have installed an external encryption module.

Key Pair File Password. Specifies the trust database password.

Select the Transaction ID to Retrieve. Allows you to select the requested certificate from the drop-down list.

OK. Installs the selected certificate. You must restart the server in order for your changes to take effect.

Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.

Help. Displays online help.


The Install CRL/CKLs Page

The Install CRL/CKLs page allows you to add or replace Certificate Revocation Lists (CRLs) or Compromised Key Lists (CKLs). For more information, see Installing and Managing CRLs and CKLs.

The following elements are displayed:

File Contains. Allows you to select one of the following:

The CRL/CKL is in this file: Specifies the CRL/CKL location.

OK. Based on your selections, takes you to:

Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.

Help. Displays online help.

You must restart the server in order for your changes to take effect.


The Add Certificate Revocation List Page

The following elements are displayed:

Add CRL. Installs the specified CRL.

Back. Takes you to the previous page.

Help. Displays online help.


The Replace Certificate Revocation List Page

The following elements are displayed:

Replace CRL. Replaces the specified CRL.

Back. Takes you to the previous page.

Help. Displays online help.


The Add Compromised Key List Page

The following elements are displayed:

Add CKL. Installs the specified CKL.

Back. Takes you to the previous page.

Help. Displays online help.


The Replace Compromised Key List Page

The following elements are displayed:

Replace CKL. Replaces the specified CKL.

Back. Takes you to the previous page.

Help. Displays online help.


The Manage CRL/CKLs Page

The Manage Certificate Revocation Lists/Compromised Key Lists page displays the CRLs and CKLs you have installed by certificate name. The date of expiration is also shown. This page allows you to view and delete CRLs and CKLs. For more information, see Installing and Managing CRLs and CKLs.

The following elements are displayed:

Server CRLs. Displays more information and options about a CRL when selected.

Server CKLs. Displays more information and options about a CKL when selected.

Clicking on a CRL/CKL displays The Edit CKL/CRL Page.

Help. Displays online help.


The Edit CKL/CRL Page

Based on your selection, the Edit CKL/CRL Page displays information for the Compromised Key List or for the Certificate Revocation List.

The following elements are displayed:

Delete. Deletes the CKL or CRL displayed.

Quit. Takes you back to the previous page.





Copyright 2004 Sun Microsystems, Inc. All rights reserved.