test

Sun Java System Mobile Enterprise Platform 1.0 Installation Guide

Chapter 2 Establishing Trust

This chapter explains how to establish trust between tier 1, the Gateway tier, and tier 2, the Enterprise tier. The procedure included in this chapter uses self-signed certificates that are automatically generated by the Application Server. In a production environment, you would obtain certificates from a certificate authority (CA), a trusted third party that issues digital certificates for use by other parties. There are many commercial CAs, such as Verisign, that charge for their services. Some institutions and governments have their own CAs and there are even some CAs that issue certificates free of charge.

A CA issues digital certificates that contain a public key and the identity of the owner. The CA attests that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. The CA verifies an applicant's credentials, so other users and parties that rely on the veracity of the credentials can trust the information in the CA's certificates.

A self-signed certificate, on the other hand, is an identity certificate that is signed by its own creator. The person that created the certificate also signed off on its legitimacy. The Gateway and Enterprise tiers in a MEP environment can use either self-signed or CA-issued certificates.

    Trust is established in two phases:

  1. Configuring the Enterprise tier to trust the Gateway tier

  2. Configuring the Gateway tier to trust the Enterprise tier

The following sections explain these phases.

Configuring the Enterprise Tier to Trust the Gateway Tier

    There is a two-step process to configure trust between the Gateway tier and the Enterprise tier:

  1. On the Gateway tier, export the keystore then copy it to the Enterprise tier.

    1. Change to the config subdirectory in the Gateway tier MEP installation:


      $ cd as-install/domains/domain-dir/config

    2. Export the keystore to a file:


      $ keytool -export
-keystore keystore.jks
-alias s1as
-file tier1_sjsas.cer
-storepass adminpass

    3. Copy the exported keystore to the config subdirectory in the Enterprise tier MEP installation:


      $ cp tier1_sjsas.cer /net/tier2-hostname/as-install/domains/domain-dir/config

      In this case, as-install is the location where the Application Server has been installed and domain-dir is the name of the MEP domain, usually mep.

  2. On the Enterprise tier, import the keystore from the Gateway tier.

    1. Change to the config subdirectory in the Enterprise tier MEP installation:


      $ cd as-install/domains/domain-dir/config

    2. Import the keystore that was exported from the Gateway tier:


      $ keytool -import
-keystore cacerts.jks
-alias tier1_sjsas
-file tier1_sjsas.cer
-storepass adminpass
-trustcacerts
-noprompt

  3. Stop then restart the Application Server on the Enterprise tier to use the new security settings.

    1. Stop the Application Server:


      $ asadmin stop-domain domain-dir

    2. Restart the Application Server:


      $ asadmin start-domain domain-dir

Configuring the Gateway Tier to Trust the Enterprise Tier

    There is a two-step process to configure trust between Enterprise tier and the Gateway tier.

  1. On the Enterprise tier, export the keystore and copy it to the Gateway tier.

    1. Change to the config subdirectory in the Enterprise tier MEP installation:


      $ cd as-install/domains/domain-dir/config

    2. Export the keystore to a file:


      keytool -export
-keystore keystore.jks
-alias s1as
-file tier2_sjsas.cer
-storepass adminpass

    3. Copy the exported keystore to the config subdirectory in the Gateway tier MEP installation:


      $ cp tier2_sjsas.cer /net/tier1-hostname/as-install/domains/domain-dir/config

  2. On the Gateway tier, import the keystore from the Enterprise tier.

    1. Change to the config subdirectory in the Gateway tier MEP installation:


      $ cd as-install/domains/domain-dir/config

    2. Import the keystore that was exported from the Enterprise tier:


    $ keytool -import
-keystore cacerts.jks
-alias tier2_sjsas
-file tier2_sjsas.cer
-storepass adminpass
-trustcacerts
-noprompt

  3. Stop then restart the Application Server on the Gateway tier to use the new security settings.

    1. Stop the Application Server:


      $ asadmin stop-domain domain-dir

    2. Restart the Application Server:


      $ asadmin start-domain domain-dir