Sun Java System Delegated Administrator 6.4 Administration Guide

Configuring Web Server to Run Delegated Administrator in SSL Mode

If you have deployed the Delegated Administrator console to Web Server 6 or Web Server 7.x, you can run the Delegated Administrator console in SSL mode, over a secure port.

If the Delegated Administrator server is deployed to Web Server 6 or Web Server 7.x, you can run the Delegated Administrator utility (commadmin) in SSL mode.

To enable the Delegated Administrator console and utility to use SSL access:

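For Web Server 6, follow this procedure: To Configure Web Server 6 to Enable Delegated Administrator to Run in SSL Mode

For Web Server 7.x, follow this procedure: To Configure Web Server 7.x to Enable Delegated Administrator to Run in SSL Mode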

Procedure: To Configure Web Server 6 to Enable Delegated Administrator to Run in SSL Mode

In this procedure, the certificate truststore is created in the Delegated Administrator configuration directory. For example: /var/opt/SUNWcomm/config

  1. Request and install a certificate.

    In a production environment, you must request a certificate from a Certificate Authority (CA), which issues the certificate to you. Next, you install the certificate.

    In a test environment, you can create and install a self-signed certificate.

    For information about requesting and installing certificates for Web Server 6, see “Using Certificates and Keys” in the Sun Java System Web Server 6.1 SP6 Administrator’s Guide.

    After you complete this step, you can run the Delegated Administrator utility in SSL mode.

  2. Export the specific certificate in ASCII encoding.

    For example:


    /opt/SUNWwbsvr/bin/https/admin/bin/certutil -L -n Server-Cert \
    -d /opt/SUNWwbsvr/alias -P https-host.domain-host- \
    -a > /tmp/host.cert

    where

    • Server-Cert is the default name created by the Administration interface.

    • host is the host name of the machine where Web Server 6 is running. For example: myhost.

    • host.domain is the host and domain name of the machine where Web Server 6 is running. For example: myhost.siroe.com.

  3. Use the java keytool utility to import the certificate into a truststore.

    This step assumes that you are creating a new truststore in the Delegated Administrator configuration directory.

    1. Import the certificate.

      For example:


      cd /var/opt/SUNWcomm/config
      
      keytool -import -alias Server-Cert -file /tmp/host.cert \
      -keystore truststore

    2. Enter a password when the keytool prompts you for one.

  4. Define the ssl.truststore property in the JVM Setting for the Web Server 6 instance configuration.

    For example:


    -Djavax.net.ssl.trustStore=/var/opt/SUNWcomm/config/truststore
    
    -Djavax.net.ssl.trustStorePassword=password
    

    where password is the password you entered at the keytool prompt.

  5. Modify the following property in the JVM Setting for the Web Server 6 instance configuration.

    Change


    -Djava.protocol.handler.pkgs=com.iplanet.services.comm

    to the following value:


    -Djava.protocol.handler.pkgs=com.sun.identity.protocol

  6. Change the following properties in the daconfig.properties file:

    1. Open the daconfig.properties file in a text editor.

      The daconfig.properties file is located by default in the Delegated Administrator configuration directory:


      da-base/data/da/WEB-INF/classes/com/sun/comm/da/resources

      (In a later step, you will deploy the daconfig.properties file to the Web Server 6 configuration directory.)

    2. Change the property values as follows:


      commadminserver.host=host.domain
      
      commadminserver.port=port
      
      commadminserver.usessl=true

      where host.domain is the host and domain name of the machine where Web Server 6 is running. For example: myhost.siroe.com.

      And where port is the SSL port. For example: 443.

  7. Deploy the Web Server 6 configuration and restart the instance:

    1. Run the Web Server 6 deploy script:


      /opt/SUNWcomm/sbin/config-wbsvr-da
      
    2. Restart the Web Server 6 instance.

Procedure: To Configure Web Server 7.x to Enable Delegated Administrator to Run in SSL Mode

In this procedure, the certificate truststore is created in the Delegated Administrator configuration directory. For example: /var/opt/SUNWcomm/config

  1. Request and install a certificate.

    In a production environment, you must request a certificate from a Certificate Authority (CA), which issues the certificate to you. Next, you install the certificate.

    In a test environment, you can create and install a self-signed certificate.

    For information about requesting and installing certificates for Web Server 7.x, see Managing Certificates in Sun Java System Web Server 7.0 Administrator’s Guide.

    After you complete this step, you can run the Delegated Administrator utility in SSL mode.

  2. Run the certutil utility to list all certificates in the certificate database.

    For example:


    cd /var/opt/SUNWcomm/config
    
    /usr/sfw/bin/certutil -L -d \
    /var/opt/SUNWwbsvr7/https-host.domain/config

    where host.domain is the host and domain name of the machine where Web Server 7.x is running. For example: myhost.siroe.com.

  3. Export the specific certificate in ASCII encoding.

    For example:


    /usr/sfw/bin/certutil -L -n cert-host.domain \
    -d /var/opt/SUNWwbsvr7/https-host.domain/config \
    -a > host.cert

    where host is the host name and host.domain is the host and domain name of the machine where Web Server 7.x is running.

  4. Use the java keytool utility to import the certificate into a truststore.

    This step assumes that you are creating a new truststore in the Delegated Administrator configuration directory.

    1. Import the certificate.

      For example:


      keytool -import -alias cert-host.domain -file host.cert \
      -keystore truststore

    2. Enter a password when the keytool prompts you for one.

  5. Define the ssl.truststore property in the JVM Setting for the Web Server 7.x instance configuration.

    For example:


    -Djavax.net.ssl.trustStore=/var/opt/SUNWcomm/config/truststore 
    
    -Djavax.net.ssl.trustStorePassword=password
    

    where password is the password you entered at the keytool prompt.

  6. Modify the following property in the JVM Setting for the Web Server 7.x instance configuration.

    Change


    -Djava.protocol.handler.pkgs=com.iplanet.services.comm

    to the following value:


    -Djava.protocol.handler.pkgs=com.sun.identity.protocol

  7. Change the following properties in the daconfig.properties file:

    1. Open the daconfig.properties file in a text editor.

      The daconfig.properties file is located by default in the Delegated Administrator configuration directory:


      da-base/data/da/WEB-INF/classes/com/sun/comm/da/resources

      (In a later step, you will deploy the daconfig.properties file to the Web Server 7.x configuration directory.)

    2. Change the property values as follows:


      commadminserver.port=port
      
      commadminserver.usessl=true

      where port is the SSL port. For example: 443.

  8. Deploy the Web Server 7.x configuration and restart the instance:

    1. Run the Web Server 7.x deploy script:


      /opt/SUNWcomm/sbin/config-wbsvr7x-da
      
    2. Restart the Web Server 7.x instance.
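
The JVM options and daconfig.properties values set in the two procedures above can be checked before the instance is restarted. The following script is an added example, not part of the original guide or of Delegated Administrator; it assumes the JVM options have been copied into a text file, one option per line, and its function names and sample file names are hypothetical.

```sh
#!/bin/sh
# Added example: check the SSL settings from the procedures before restarting.
# Assumption: the JVM options are available as a text file, one option per line.

prop() {    # prop FILE KEY: value of KEY in a properties file
    awk -F= -v k="$2" '{ key = $1; gsub(/[ \t]/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); v = $0 }
        END { print v }' "$1"
}

jvm_opt() { # jvm_opt FILE NAME: value of -DNAME=..., only if the -D is present
    awk -v k="-D$2=" 'index($1, k) == 1 { v = substr($1, length(k) + 1) }
        END { print v }' "$1"
}

fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

check_da_ssl() {    # check_da_ssl PROPS JVMOPTS: returns the number of problems
    bad=0
    [ "$(prop "$1" commadminserver.usessl)" = "true" ] ||
        fail "commadminserver.usessl is not true"
    port=$(prop "$1" commadminserver.port)
    case $port in
        ''|*[!0-9]*) fail "commadminserver.port is not numeric: '$port'" ;;
    esac
    [ -n "$(jvm_opt "$2" javax.net.ssl.trustStore)" ] ||
        fail "javax.net.ssl.trustStore is not set"
    [ -n "$(jvm_opt "$2" javax.net.ssl.trustStorePassword)" ] ||
        fail "javax.net.ssl.trustStorePassword is not set (leading -D missing?)"
    [ "$(jvm_opt "$2" java.protocol.handler.pkgs)" = "com.sun.identity.protocol" ] ||
        fail "java.protocol.handler.pkgs is not com.sun.identity.protocol"
    return "$bad"
}

# Constructed sample input (not taken from a real installation).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'commadminserver.host=myhost.siroe.com' \
    'commadminserver.port=443' 'commadminserver.usessl=true' > "$tmp/daconfig.properties"
printf '%s\n' '-Djavax.net.ssl.trustStore=/var/opt/SUNWcomm/config/truststore' \
    '-Djavax.net.ssl.trustStorePassword=password' \
    '-Djava.protocol.handler.pkgs=com.sun.identity.protocol' > "$tmp/jvm.good"
# Same options with the dash dropped from one line and the old handler package.
printf '%s\n' '-Djavax.net.ssl.trustStore=/var/opt/SUNWcomm/config/truststore' \
    'Djavax.net.ssl.trustStorePassword=password' \
    '-Djava.protocol.handler.pkgs=com.iplanet.services.comm' > "$tmp/jvm.bad"

check_da_ssl "$tmp/daconfig.properties" "$tmp/jvm.good" && echo "good sample: OK"
check_da_ssl "$tmp/daconfig.properties" "$tmp/jvm.bad" || echo "bad sample: $? problem(s)"
```

The exit status of check_da_ssl is the number of failed checks, so it can gate the deploy script and restart in the final step of either procedure.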