i-Planet Administration Guide

Using SSL Service for Encrypted Communication Between the i-Planet Server and the i-Planet Gateway

To use SSL service for encrypted communication between the i-Planet server and the i-Planet gateway, you must:

Self-Signed SSL Certificate on the i-Planet Server

You cannot use self-signed certificates for SSL service between the i-Planet server and the i-Planet gateway. You must use an SSL certificate from a certificate vendor.

You must generate a self-signed certificate in order to obtain an SSL certificate from a certificate vendor who provides certificate authority (CA) services.

To Generate a Self-Signed SSL Certificate for the i-Planet Server
  1. As root, run the certadmin script on the i-Planet server:


    /opt/SUNWsnrp/bin/certadmin
    

    The Certificate Administration menu is displayed:


    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate from Certificate Authority (CA)
    5) Quit
    choice: [5]

  2. Enter 1 on the Certificate Administration menu to generate a self-signed certificate.

    The Certificate Administration script prompts you to enter specific information about your organization and a passphrase for the self-signed certificate:


    What is the fully qualified DNS name of this host? [hostname.domainname]
    What is the name of your organization? []
    What is the name of your organizational unit? []
    What is the name of your City or Locality? []
    What is the name of your State or Province? []
    What is the two-letter country code for this unit? []
    ...
    Enter passphrase []

  3. Enter the information for your organization and a passphrase for the self-signed certificate.

    A self-signed certificate is generated and added to the file /etc/opt/SUNWstnr/rp.keystore on the i-Planet server. Your prompt returns.

  4. Make a backup copy of the rp.keystore file on the i-Planet server.

SSL Certificates for the i-Planet Server

Using SSL service between the i-Planet server and the i-Planet gateway provides greater security for the information that must flow between them. SSL service requires an SSL certificate. When you create a self-signed certificate as part of obtaining an SSL certificate for the i-Planet server, you enter specific information about your organization, such as company name and address, and a passphrase.

If you decide to enable SSL service so that you have secure communication between the i-Planet server and the i-Planet gateway after you have installed the i-Planet software, you must run the certadmin script to install an SSL certificate that is signed by a certificate vendor who provides certificate authority (CA) services.

SSL Certificates from Vendors

If you decide to enable SSL services between the i-Planet server and the i-Planet gateway after you have installed the i-Planet software, you must generate a self-signed certificate.

i-Planet software contains root certificates that can be used with SSL certificates from Verisign, Inc. If you decide to install an SSL certificate from a vendor other than Verisign, you must install a root certificate from that vendor first, and then install the web server certificate.

Certificates are stored in the rp.keystore file. Once you generate a certificate signing request (used to request a certificate from a third-party vendor), make sure you keep a backup copy of the rp.keystore file. This file contains your private key, which is associated with the certificate that you purchase; if you lose the file, you will not be able to use the certificate that you bought.
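
Because the keystore holds the private key, a backup copy needs the same protection as the original. The following is an added example, not part of the original guide or the i-Planet software: a POSIX shell function that makes an owner-only, verified copy. The function name backup_keystore and the backup directory are assumptions.

```sh
#!/bin/sh
# backup_keystore SRC DESTDIR   (hypothetical helper, not an i-Planet tool)
# Copies a keystore that contains a private key into DESTDIR as an
# owner-only file, verifies the copy, and prints the backup path.
# Example: backup_keystore /etc/opt/SUNWstnr/rp.keystore /var/backups/iplanet
backup_keystore() {
    src=$1
    destdir=$2
    [ -f "$src" ] || { echo "no such keystore: $src" >&2; return 2; }
    [ -d "$destdir" ] || { echo "no such directory: $destdir" >&2; return 3; }

    # Refuse a destination that group or other users can list or enter:
    # characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld "$destdir" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "$destdir is open to group/other ($perms)" >&2; return 4; }

    # Timestamped name so an older backup is never overwritten.
    dest="$destdir/$(basename "$src").$(date +%Y%m%d%H%M%S)"
    [ ! -e "$dest" ] || { echo "backup already exists: $dest" >&2; return 5; }

    # umask is set in a subshell so the caller's umask is left untouched.
    ( umask 077 && cp "$src" "$dest" ) || return 6
    chmod 600 "$dest" || return 6

    # A backup that differs from the source is useless: remove it and fail.
    cmp -s "$src" "$dest" || { rm -f "$dest"; echo "copy differs" >&2; return 7; }
    printf '%s\n' "$dest"
}
```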

To Install SSL Certificates From Verisign
  1. As root, run the certadmin script on the i-Planet server:


    /opt/SUNWsnrp/bin/certadmin
    

    The Certificate Administration menu is displayed:


    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate from Certificate Authority (CA)
    5) Quit
    choice: [5]

  2. Enter 2 on the Certificate Administration menu to generate a certificate signing request (CSR).

    • If no self-signed certificate exists on this machine, the Certificate Administration script notifies you that you must create one. Refer to the procedure "To Generate a Self-Signed SSL Certificate for the i-Planet Server" earlier in this chapter.

    • If a self-signed certificate exists on this machine, the information from the certificate is displayed. The Certificate Administration script asks the question:


      Is this information correct (y/n)? [n]

    1. Enter y if the information is correct, or enter n if it is not correct.

      • If you enter n, you are asked to enter information for a new self-signed certificate. See the procedure "To Generate a Self-Signed SSL Certificate for the i-Planet Server" in this chapter.

      • If you enter y, you are asked to enter some contact information for the webmaster of the machine for which the certificate is being generated:


        What is the name of the admin/webmaster for this server? []
        What is the email address of the admin/webmaster for this server? []
        What is the phone number of the admin/webmaster for this server? []

    2. Enter the name, the email address, and the telephone number of the administrator or webmaster for this server.

      The Certificate Administration script displays the values you enter and asks the question:


      Are these values correct (y/n)? [n]

    3. When prompted, enter y if the information is correct, or enter n if it is not correct.

      • If you enter y, the CSR is generated and added to the file /tmp/csr.hostname on the i-Planet server.

      • If you enter n, the Certificate Administration script asks you to enter the values again.

  3. Go to the Certificate Authority's website and order your web server certificate.

    1. Provide information from your CSR, as requested by the CA.

    2. Provide other information as requested by the CA, such as a passphrase.

    3. Specify your web server type as: Java Webserver.

      Specifying Java Webserver means that you want your certificate in Privacy Enhanced Mail (PEM) format.

  4. After you receive your certificate from the CA, save it in a file.

    The certificate begins with a line that reads:

    -----BEGIN CERTIFICATE-----

    continues with the certificate itself, and ends with a line that reads:

    -----END CERTIFICATE-----

    Make sure you include both of these lines with the certificate in the file.

  5. As root, run the certadmin script on the i-Planet server.


    # /opt/SUNWsnrp/bin/certadmin
    

  6. Enter 4 on the Certificate Administration menu to install your certificate from the CA.

    The Certificate Administration script asks the question:


    What is the name (including path) of the file that contains the certificate? []

  7. Enter the full path to the file containing the certificate from the CA.

    Your certificate is stored in the file /etc/opt/SUNWstnr/rp.keystore on the i-Planet server.

  8. Enable SSL service on the i-Planet server.

    See the procedure "To Enable SSL Service on the i-Planet Server" in this chapter.

  9. Make a backup copy of the rp.keystore file on the i-Planet server.

  10. Enable SSL service on the i-Planet gateway.

    See the procedure "To Enable SSL Service on the i-Planet Gateway" in this chapter.

To Install SSL Root Certificates and SSL Certificates From Other Vendors

You must have already generated a self-signed certificate to install a root certificate. See the procedure "To Generate a Self-Signed SSL Certificate for the i-Planet Server" in this chapter.

  1. Go to the Certificate Authority's website and download its root certificate.

    The website should contain instructions for downloading the certificate.

  2. As root, run the certadmin script on the i-Planet server:


    /opt/SUNWsnrp/bin/certadmin
    

    The Certificate Administration menu is displayed:


    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate from Certificate Authority (CA)
    5) Quit
    choice: [5]

  3. Enter 3 on the Certificate Administration menu to add a root certificate.

    The Certificate Administration script asks the question:


    What is the name (including path) of the file that contains the root certificate that you would like to add to your database? []

    1. Enter the full path to the file containing the root certificate from the CA.

      The file is displayed and the Certificate Administration script asks the question:


      Is this information correct (y/n)? [n]

    2. Enter y if the file is correct, or n if it is not.

      • If you enter y, the root certificate is stored in the /etc/opt/SUNWstnr/rp.CAstore file and your prompt returns.

      • If you enter n, the root certificate is not added and your prompt returns.

  4. As root, run the certadmin script on the i-Planet server.


    # /opt/SUNWsnrp/bin/certadmin
    

  5. Enter 2 on the Certificate Administration menu to generate a certificate signing request (CSR).

    • If no self-signed certificate exists on this machine, the Certificate Administration script notifies you that you must create one. Refer to the procedure "To Generate a Self-Signed SSL Certificate for the i-Planet Server" earlier in this chapter.

    • If a self-signed certificate exists on this machine, the information from the certificate is displayed. The Certificate Administration script asks the question:


      Is this information correct (y/n)? [n]

    1. Enter y if the information is correct or enter n if it is not correct.

      • If you enter n, you are asked to enter information for a new self-signed certificate. Refer to the procedure "To Generate a Self-Signed SSL Certificate for the i-Planet Server" earlier in this chapter.

      • If you enter y, the Certificate Administration script asks you to enter specific information about your organization:


        What is the name of the admin/webmaster for this server? []
        What is the email address of the admin/webmaster for this server? []
        What is the phone number of the admin/webmaster for this server? []

    2. Enter your specific information about your organization.

      The Certificate Administration script displays the values you enter and asks the question:


      Are these values correct (y/n)? [n]

    3. Enter y if the information is correct or enter n if it is not correct.

      • If you enter y, a CSR is generated and stored in the file /tmp/csr.hostname.

      • If you enter n, the Certificate Administration script asks you to enter the values again.

  6. Go to the Certificate Authority's website and order your web server certificate.

    1. Provide information from your CSR, as requested by the CA.

    2. Provide other information as requested by the CA, such as a passphrase.

    3. Specify your web server type as: Java Webserver.

      Specifying Java Webserver means that you want your certificate in PEM format.

  7. After you receive your certificate from the CA, save it in a file.

    The certificate begins with a line that reads:

    -----BEGIN CERTIFICATE-----

    continues with the certificate itself, and ends with a line that reads:

    -----END CERTIFICATE-----

    Make sure you include both of these lines with the certificate in the file.

  8. As root, run the certadmin script on the i-Planet server:


    /opt/SUNWsnrp/bin/certadmin
    

    The Certificate Administration menu is displayed:


    1) Generate Self-Signed Certificate
    2) Generate Certificate Signing Request (CSR)
    3) Add Root CA Certificate
    4) Install Certificate from Certificate Authority (CA)
    5) Quit
    choice: [5]

  9. Enter 4 on the Certificate Administration menu to install your certificate from the CA.

    The Certificate Administration script asks the question:


    What is the name (including path) of the file that contains the certificate? []

  10. Enter the full path to the file containing the certificate from the CA.

    Your certificate is added to the /etc/opt/SUNWstnr/rp.keystore file on the i-Planet server.

  11. Enable SSL service on the i-Planet server.

    See the procedure "To Enable SSL Service on the i-Planet Server" in this chapter.

  12. Stop and restart the web server on the i-Planet server for the certificate to take effect.

    See the procedure "To Stop and Restart the Web Server on the i-Planet Server" in Chapter 3, Other Administrative Tasks.

  13. Make a backup copy of the rp.keystore file on the i-Planet server.

  14. Enable SSL service on the i-Planet gateway.

    See the procedure "To Enable SSL Service on the i-Planet Gateway" in this chapter.
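
Both installation procedures have you save the CA's reply to a file with its BEGIN and END lines intact. The following is an added example, not part of the original guide or the i-Planet software: a POSIX shell pre-check that catches a truncated armor line, mail quoting, or more than one certificate in the file before the path is given to certadmin. The function name check_pem_cert and the sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# check_pem_cert FILE   (hypothetical helper, not an i-Planet tool)
# Structural pre-check of a certificate file saved from a CA reply.
# Returns 0 when the file holds exactly one well-formed PEM certificate block.
check_pem_cert() {
    f=$1
    [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }

    # Drop CRs so a file saved from a Windows mail client is judged on content.
    text=$(tr -d '\r' < "$f")

    # Armor lines must match exactly: five dashes on each side, nothing else.
    begin=$(printf '%s\n' "$text" | grep -c -x -F -e '-----BEGIN CERTIFICATE-----' || true)
    end=$(printf '%s\n' "$text" | grep -c -x -F -e '-----END CERTIFICATE-----' || true)
    [ "$begin" -eq 1 ] || { echo "BEGIN lines found: $begin (want 1)" >&2; return 3; }
    [ "$end" -eq 1 ] || { echo "END lines found: $end (want 1)" >&2; return 4; }

    # Everything between the armor lines is the base64 body.
    b64=$(printf '%s\n' "$text" | awk '
        $0 == "-----END CERTIFICATE-----"   { inside = 0 }
        inside                              { print }
        $0 == "-----BEGIN CERTIFICATE-----" { inside = 1 }')
    [ -n "$b64" ] || { echo "empty certificate body" >&2; return 5; }

    # Mail quoting ("> "), spaces or pasted headers show up as non-base64 bytes.
    if printf '%s\n' "$b64" | grep -q '[^A-Za-z0-9+/=]'; then
        echo "non-base64 characters in body" >&2; return 6
    fi

    # A DER certificate starts with SEQUENCE (0x30), which base64 encodes as "M".
    case $b64 in
        M*) return 0 ;;
        *)  echo "body does not start like a DER certificate" >&2; return 7 ;;
    esac
}

# Demo on a constructed file whose BEGIN line lost a dash in copy and paste.
demo=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE----' 'MIIBconstructedSAMPLEonly' \
    '-----END CERTIFICATE-----' > "$demo"
check_pem_cert "$demo" || echo "rejected with status $?"
rm -f "$demo"
```

The check is structural only; it does not validate the signature, the issuer, or the validity dates.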