Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Migrating Certificates From Previous Versions

When migrating from Sun ONE Web Proxy Server 3.6 (also known as Sun iPlanet Web Proxy Server) to iPlanet Web Proxy Server 4, your files, including your trust and certificate databases, are updated automatically.

Make sure that the Proxy Server 4 Administration Server has read permissions on the old 3.x database files. The files are alias-cert.db and alias-key.db, located in the 3.x-server-root/alias directory.

Key-pair files and certificates are migrated only if security is enabled for your server. You can also migrate keys and certificates by themselves using the Migrate 3.x Certificates option under the Security tab in the Administration Server and the Server Manager. For information about specific settings, see the online Help.

In previous versions, a certificate and key-pair file were referred to by an alias that could be used by multiple server instances. The Administration Server managed all of the aliases and their constituent certificates. In Proxy Server 4, the Administration Server and each server instance have their own certificate and key-pair file, referred to as a trust database instead of an alias.

The trust database and its constituent certificates are managed from the Administration Server for the Administration Server itself, and from the Server Manager for server instances. The certificate and key-pair database files are named after the server instance that uses them. If multiple server instances shared the same alias in the previous version, the certificate and key-pair file are renamed for the new server instance when they are migrated.

The entire trust database associated with the server instance is migrated. All CAs listed in your previous database are migrated to the Proxy Server 4 database. If duplicate CAs occur, use the previous CA until it expires. Do not attempt to delete duplicate CAs.

Proxy Server 3.x certificates are migrated to the supported Network Security Services (NSS) format. The certificate is named according to the Proxy Server page from which it was accessed, that is, from the Administration Server Security tab or the Server Manager Security tab.

To Migrate a Certificate

  1. From your local computer, access either the Administration Server or the Server Manager and select the Security tab.

  2. Click the Migrate 3.x Certificates link.

  3. Specify the root directory where the 3.6 server is installed.

  4. Specify the alias for this computer.

  5. Type the administrator’s password and click OK.
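A pre-flight check for the read-permission requirement stated earlier, as an added example that is not part of the Oracle guide. It assumes that "alias" in alias-cert.db and alias-key.db stands for the alias name entered in step 4; the function name `check_3x_alias_dbs` and the world-readable warning are additions of this example.

```shell
#!/bin/sh
# Pre-migration check (added example). Run it as the account the Proxy
# Server 4 Administration Server runs under, because that account is the
# one that must be able to read the 3.x database files.
# Assumption: "alias" in alias-cert.db / alias-key.db is the alias name
# that is entered in the migration form.

# check_3x_alias_dbs SERVER_ROOT ALIAS
# Returns 0 if both databases exist and are readable, 1 otherwise.
check_3x_alias_dbs() {
    root=$1
    alias_name=$2
    rc=0

    if [ ! -d "$root/alias" ]; then
        echo "FAIL: no alias directory under $root" >&2
        return 1
    fi

    for suffix in cert key; do
        db="$root/alias/$alias_name-$suffix.db"
        if [ ! -f "$db" ]; then
            echo "FAIL: $db not found" >&2
            rc=1
        elif [ ! -r "$db" ]; then
            echo "FAIL: $db is not readable by $(id -un)" >&2
            rc=1
        else
            echo "OK:   $db"
        fi
    done

    # Not a requirement stated by the guide: the key database holds private
    # keys, so flag it when every local account can read it.
    key_db="$root/alias/$alias_name-key.db"
    if [ -f "$key_db" ] && [ -n "$(find "$key_db" -prune -perm -004 -print)" ]; then
        echo "WARN: $key_db is world-readable" >&2
    fi

    return $rc
}

# Usage: sh check_alias.sh /path/to/3.x-server-root alias-name
if [ $# -eq 2 ]; then
    check_3x_alias_dbs "$1" "$2"
fi
```

If the check fails on readability, grant read access to the Administration Server account only rather than loosening the mode for all users.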

Using the Built-in Root Certificate Module

The dynamically loadable root certificate module included with Proxy Server contains the root certificates for many CAs, including VeriSign. The root certificate module makes upgrading your root certificates to newer versions much easier. In the past, you were required to delete the old root certificates one at a time and then install the new ones one at a time. To install well-known CA certificates, you can now simply update the root certificate module file to a newer version as it becomes available through future versions of the Proxy Server.

Because the root certificate is implemented as a PKCS #11 cryptographic module, you can never delete the root certificates it contains. The option to delete will not be offered when managing these certificates. To remove the root certificates from your server instances, disable the root certificate module by deleting the following entry in the server’s alias directory:

If you want to restore the root certificate module, you can copy the extension from server-root/bin/proxy/lib (UNIX) or server-root\bin\proxy\bin (Windows) into the alias subdirectory.

You can modify the trust information of the root certificates. The trust information is written to the certificate database for the server instance being edited, not back to the root certificate module itself.