Sun Java System Access Manager 6 2005Q1 Administration Guide
Chapter 2
Configuring Access Manager in SSL Mode
Access Manager with Secure Sockets Layer (SSL) and simple authentication provides confidentiality and data integrity. To run Access Manager in SSL mode, you normally need to:
The following sections describe these steps:
Configuring Access Manager with a Secure Sun Java System Web Server
To configure Access Manager with Sun Java System Web Server in SSL mode, follow these steps:
Steps 2 through 25 describe the Sun Java System Web Server configuration.
- Log in to the Web Server console. The default port is 58888.
- Select the Web Server instance on which Access Manager is running, then click Manage.
The system displays a warning that the configuration has changed. Click OK.
- Click the Apply link in the upper right corner of the screen.
- Click Apply Settings.
Web Server restarts automatically. Click OK to continue.
- Return to the Web Server instance.
- Click the Security tab.
- Click Create Database.
- Enter a new database password and click OK.
Make a note of the database password; you will need it later.
- After the certificate database has been created, click Request a Certificate.
- Enter the data in the fields provided on the screen.
The Key Pair File Password is the password you entered in step 9. In the location field, spell out the full location; abbreviations (such as CA) are not accepted. All fields must be filled in. In the Common Name field, supply the host name of your Web Server.
- When you are finished, you will see a message similar to the following:
-----BEGIN CERTIFICATE REQUEST-----
afajsdllwqeroisdaoi234rlkqwelkasjlasnvdknbslajowijalsdkjfalsdflasdf
alsfjawoeirjoi2ejowdnlkswnvnwofijwoeijfwiepwerfoiqeroijeprwpfrwl
-----END CERTIFICATE REQUEST-----
- Copy this text and submit it to request the certificate.
Make sure that you also obtain the Root CA certificate.
- You will receive a response containing the certificate, for example:
-----BEGIN CERTIFICATE-----
afajsdllwqeroisdaoi234rlkqwelkasjlasnvdknbslajowijalsdkjfalsdflasdf
alsfjawoeirjoi2ejowdnlkswnvnwofijwoeijfwiepwerfoiqeroijeprwpfrwl
-----END CERTIFICATE-----
- Copy this text to the clipboard or save it in a file.
- Return to the Web Server console and click Install Certificate.
- Click This Server.
- In the Key Pair File Password field, enter the certificate database password.
- Paste the certificate into the text field provided, or select the radio button and enter the file name in the text field. Click OK.
The browser displays the certificate and provides a button to add it.
- Click Install Certificate.
- Click Trusted Certificate Authority certificate.
- After both certificates are installed, click the Preferences tab in the Web Server console.
- To enable SSL on a different port, select Add Listen Socket, then select Edit Listen Socket.
- Change Security from Off to On, then click OK to commit the change.
Steps 26 through 28 apply to Access Manager.
- Open the AMConfig.properties file. By default it is located in etc/opt/SUNWam/config.
- Change all occurrences of http:// to https://, except for the Web Server instance directory. AMConfig.properties also refers to that directory; leave it consistent with the actual directory name.
- Save the AMConfig.properties file.
- In the Web Server console, click the On/Off link next to the Access Manager web instance.
Web Server displays a text field on the Start/Stop page.
- Enter the certificate database password in the text field and select Start.
Configuring Access Manager with a Secure Sun Java System Application Server
Setting up Access Manager on an SSL-enabled Sun Java System Application Server is a two-part process. First, secure the Application Server instance on which Access Manager is installed, then configure Access Manager itself.
Setting Up Application Server 6.2 with SSL
To secure the Application Server instance:
- Log in to the Sun Java System Application Server console by entering the following address in your browser:
http://fullservername:port
The default port is 4848.
- Enter the user name and password you entered during installation.
- Select the Application Server instance on which Access Manager is (or will be) installed. The right frame shows that the configuration has changed.
- Click Apply Changes.
- Click Restart. Application Server restarts automatically.
- In the left frame, click Security.
- Click the Manage Database tab.
- Click Create Database (if necessary).
- Enter a new database password, confirm it, then click OK. Make a note of the database password; you will need it later.
- After the certificate database has been created, click the Certificate Management tab.
- Click the Request button (if necessary).
- Enter the following request information for the certificate:
- Specify whether this is a new certificate or a renewal. Many certificates expire after a set period of time, and some certificate authorities (CAs) automatically send you a renewal notice.
- Specify how you want to submit the certificate request.
If the CA accepts requests as e-mail messages, check CA Email and enter the CA's e-mail address. For a list of CAs, click List of Available Certificate Authorities.
If you are requesting the certificate from an internal CA that uses Sun Java System Certificate Server, click CA URL and enter the URL of the Certificate Server. This URL should point to the certificate server program that handles certificate requests.
- Enter the password for your key pair file (the password you specified in step 9).
- Enter the following identifying information:
Common Name. The full name of the server, including the port.
Requestor Name. The name of the requestor.
Telephone Number. The requestor's telephone number.
Common Name. The full name of the Sun Java System Application Server on which the digital certificate will be installed.
Email Address. Your e-mail address.
Organization Name. The name of your organization. The certificate authority may require that any host name entered in this attribute belong to a domain registered to this organization.
Organizational Unit Name. The name of a department, division, or other operating unit of the organization.
Locality Name (city). The name of your city or town.
State Name. If your organization is in the United States or Canada, the full name of the state or province where it is located. Do not abbreviate.
Country/Region Code. The two-character ISO code for your country or region. For example, the code for the United States is US.
- Click OK. A message similar to the following is displayed on the screen:
-----BEGIN NEW CERTIFICATE REQUEST-----
afajsdllwqeroisdaoi234rlkqwelkasjlasnvdknbslajowijalsdkjfalsdfla
alsfjawoeirjoi2ejowdnlkswnvnwofijwoeijfwiepwerfoiqeroijeprwpfrwl
-----END NEW CERTIFICATE REQUEST-----
- Copy all of this text to a file and click OK. Make sure that you also obtain the Root CA certificate.
- Select a CA and follow the instructions on the authority's web site to obtain a digital certificate. You can obtain certificates from CMS, Verisign, or Entrust.net.
- When you receive the digital certificate from the certificate authority, copy the text to the clipboard or save it in a file.
- Return to the Sun Java System Application Server console and click the Install link.
- Select Certificate For This Server.
- In the Key Pair File Password field, enter the certificate database password (the same password you entered in step 9).
- Paste the certificate text (with its header lines) into the Message text field provided, or enter the file name in the Message is in this file field. Then click the button to continue.
- Click OK. The browser displays the certificate and provides a button to add it.
- Click Add Server Certificate.
- After both certificates are installed, expand the HTTP Server node in the left frame.
- Select HTTP Listeners under HTTP Server.
- Select http-listener-1. The browser displays the socket information.
- Change the port used by http-listener-1 from the value entered when Application Server was installed to a secure port (such as 443).
- Select Enable SSL/TLS.
- Select the Certificate Nickname.
- Specify the Return Server Name. Each server name should match the Common Name specified in step 12.
- Click Save.
- Select the Application Server instance on which you want to install Sun Java System Access Manager software. The right frame shows that the configuration has changed.
- Click Apply Changes.
- Click Restart. Application Server restarts automatically.
Setting Up Application Server 8.1 with SSL
To secure the Application Server instance:
- Make sure the Application Server instance is stopped.
- Change the master password with the asadmin> change-master-password command.
- Start the Application Server console and choose Configuration > HTTP Service > HTTP Listeners.
- Click the listener you want to enable, then select Security: Enabled in the table that is displayed.
- Check that certutil is installed.
- Use certutil to check the certificates installed in the certdb:
- Generate a certificate request. The syntax is:
certutil -R -s subj -o cert-request-file [-d certdir] [-P dbprefix] [-p phone] [-a]
For example:
certutil -R -s "CN=test.company1.com, O=company1.com, C=US" -o cert.req -d . -a
- Install the certificate returned by the CA with the following command:
certutil -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]
- Save the server certificate to a file.
- Install the trusted CA certificate with the following command syntax:
certutil -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]
where the trusted CA certificate has been saved to a file, for example cacert.txt.
- List the certdb to make sure the installation succeeded. Enter the following command:
/var/opt/SUNWappserver/domains/domain1/config/% certutil -L -d
- Start the Application Server Admin Console and select the HTTP listener.
Under General Settings, configure the HTTP listener with the new server certificate.
- Restart Application Server.
Configuring Access Manager in SSL Mode
To configure Access Manager in SSL mode:
- In the Access Manager console, go to the Service Configuration module and select the Platform service. In the Server List attribute, add the same URL with the HTTPS string and an SSL-enabled port. Click Save.
Note
If a single instance of Access Manager is listening on two ports (one HTTP, one HTTPS) and you try to access Access Manager with a single cookie, Access Manager will not respond. This is not a supported configuration.
- Open the AMConfig.properties file from the following default location:
/etc/opt/SUNWam/config
- Change all occurrences of http:// to https://, and change the port to the SSL-enabled port.
- Save the AMConfig.properties file.
- Restart Application Server.
Configuring the AMSDK with a Secure BEA WebLogic Server
Before configuring the AMSDK with SSL, BEA WebLogic Server must be installed and configured as the web container. For installation instructions, see the BEA WebLogic Server documentation. To configure WebLogic as the web container for Access Manager, see Chapter 1, "Access Manager 2005Q1 Configuration Scripts".
To configure a secure WebLogic instance:
- Create a domain using the Quick Start feature.
- Go to the WebLogic installation directory and generate a certificate request.
- Submit the server certificate request (the vetri_csr.txt CSR) to the CA.
- Save the approved certificate to a text file, for example approvedcert.txt.
- Load the Root CA into cacerts with the following commands:
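The AMConfig.properties edit described in the steps above (switching every http:// URL to https:// on the SSL-enabled port) as an added Python example; this is not part of the Sun documentation. The properties text is a constructed sample whose key names follow the AMConfig.properties naming, and the rewrite deliberately touches only URL values so that file-system paths stay as they are.

```python
import re
from typing import List

# Constructed sample in the style of AMConfig.properties (placeholder host and
# values, not copied from a real installation).
SAMPLE_AMCONFIG = """\
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=am.example.com
com.iplanet.am.server.port=80
com.iplanet.am.naming.url=http://am.example.com:80/amserver/namingservice
com.iplanet.am.notification.url=http://am.example.com:80/amserver/notificationservice
com.iplanet.am.installdir=/opt/SUNWam
"""

# Matches a plain-HTTP URL prefix and captures its host and optional port.
URL_RE = re.compile(r"http://([^:/\s]+)(?::(\d+))?")


def rewrite_to_https(text: str, ssl_port: int) -> str:
    """Switch every http:// URL to https:// on ssl_port and update the
    protocol/port keys. Values without a URL (paths, hosts) are untouched."""
    out: List[str] = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.lstrip().startswith("#"):
            out.append(line)  # comments and blank lines pass through unchanged
            continue
        if key == "com.iplanet.am.server.protocol":
            value = "https"
        elif key == "com.iplanet.am.server.port":
            value = str(ssl_port)
        else:
            value = URL_RE.sub(lambda m: f"https://{m.group(1)}:{ssl_port}", value)
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def plain_http_entries(text: str) -> List[str]:
    """Keys whose value still points at plain HTTP; a non-empty list means
    clients would still be sent to the non-SSL port after the restart."""
    bad: List[str] = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if "http://" in value or (key == "com.iplanet.am.server.protocol"
                                  and value.strip() == "http"):
            bad.append(key)
    return bad
```

Run `plain_http_entries` on the rewritten text before restarting the container; an empty list is the expected result.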
cd jdk141_03/jre/lib/security/
jdk141_03/jre/bin/keytool -keystore cacerts -keyalg RSA -import -trustcacerts -alias "Greenday CA" -storepass changeit -file /opt/bea81/cacert.txt
- Load the server certificate with the following command:
jdk141_03/jre/bin/keytool -import -keystore keystore -keyalg RSA -trustcacerts -file approvedcert.txt -alias "mykey"
- Log in to the WebLogic console with your user name and password.
- Navigate to the following location:
yourdomain> Servers> myserver> Configure Keystores
- Select Custom Identity and Java Standard Trust.
- Enter the keystore location, for example /opt/bea81/keystore.
- Enter the keystore type and the keystore passphrase. For example:
Keystore: JKS/Java Standard Trust (for WL 8.1 this value is JKS)
Keystore passphrase: changeit
- Check the SSL private key settings: private key alias mykey, password secret12.
- In Access Manager, the following AMConfig.properties parameters are configured automatically during installation. If they were not, you can edit them manually:
com.sun.identity.jss.donotInstallAtHighestPriority=true [ this is not required for AM 6.3 and above]
com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.JSSESocketFactory
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption2
If your JDK path is as follows:
com.iplanet.am.jdk.path=/usr/jdk/entsys-j2se
then use the keytool utility to import the Root CA into the certificate database. For example:
/usr/jdk/entsys-j2se/jre/lib/security
/usr/jdk/entsys-j2se/jre/bin/keytool -keystore cacerts -keyalg RSA -import -trustcacerts -alias "machinename" -storepass changeit -file /opt/bea81/cacert.txt
The keytool utility is located in the following directory:
/usr/jdk/entsys-j2se/jre/bin/keytool
- Remove -D"java.protocol.handler.pkgs=com.iplanet.services.comm" from the Access Manager amadmin command-line utility.
- Configure Access Manager in SSL mode. For more information, see Configuring Access Manager in SSL Mode.
Configuring the AMSDK with a Secure IBM WebSphere Application Server
Before configuring the AMSDK with SSL, IBM WebSphere Server must be installed and configured as the web container. For installation instructions, see the WebSphere server documentation. To configure WebLogic as the web container for Access Manager, see Chapter 1, "Access Manager 2005Q1 Configuration Scripts".
To configure a secure WebSphere instance:
- Start ikeyman.sh (located in the Websphere/bin directory).
- Import the certificate authority (CA) certificate from the Signer Certificates menu.
- Create a CSR from the Personal Certificates menu.
- Receive the certificate created in the previous step.
- Select Personal Certificates and import the server certificate.
- From the WebSphere console, change the default SSL settings and set the password.
- Set the default IBMJSSE SSL provider.
- Enter the following command to import the Root CA certificate from the file you just created into the Application Server JVM keystore:
$ appserver_root-dir/java/bin/keytool -import -trustcacerts -alias cmscacert -keystore ../jre/lib/security/cacerts -file /full_path_cacert_filename.txt
appserver_root-dir is the root directory of the Application Server, and full_path_cacert_filename.txt is the full path of the file containing the certificate.
- In Access Manager, update the AMConfig.properties parameters to use JSSE:
com.sun.identity.jss.donotInstallAtHighestPriority=true
com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.JSSESocketFactory
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
- Configure Access Manager in SSL mode. For more information, see Configuring Access Manager in SSL Mode.
Configuring Access Manager and Directory Server in SSL Mode
To provide secure communication over the network, Access Manager includes the LDAPS communication protocol. LDAPS is the standard LDAP protocol running on top of the Secure Sockets Layer (SSL). To enable SSL communication, you must first configure Directory Server in SSL mode and then connect Access Manager to Directory Server. The steps are as follows:
Configuring Directory Server in SSL Mode
To configure Directory Server in SSL mode, you must obtain and install a server certificate, configure Directory Server to trust the CA certificate, and enable SSL. For detailed instructions on these tasks, see Chapter 11, "Managing Authentication and Encryption", in the Directory Server Administration Guide, which is available at the following location:
You can also download the PDF from the following locations:
http://docs.sun.com/coll/DirectoryServer_04q2 and http://docs.sun.com/coll/DirectoryServer_04q2_zh_TW
If your Directory Server already has SSL enabled, go to the next section for details on connecting Access Manager to Directory Server.
Connecting Access Manager to an SSL-Enabled Directory Server
After Directory Server has been configured in SSL mode, you must connect Access Manager securely to the Directory Server back end. To do so: