Each SGD server has three certificate stores. These include a CA certificate truststore and a client certificate store used by the SGD server, and a certificate truststore used with the SGD Gateway.
Each SGD server has its own CA certificate truststore. This is the /opt/tarantella/bin/jre/lib/security/cacerts file.
The CA certificate truststore contains the CA certificates that the SGD server trusts.
The /opt/tarantella/etc/data/cacerts.txt file contains the X.500 Distinguished Names (DNs) and MD5 signatures of all the CA certificates that are in the CA certificate truststore when SGD is first installed. These are the CAs that SGD supports by default. To add support for additional CAs, you can import CA certificates into the truststore.
You might need to import CA certificates in the following circumstances:
Active Directory authentication – If SSL connections to Active Directory are used, and the SSL certificate for an Active Directory server is signed by an unsupported CA, or by an Intermediate CA.
LDAP authentication – If SSL connections to LDAP directories are used, and the SSL certificate for an LDAP directory server is signed by an unsupported CA, or by an Intermediate CA.
See Section 2.4.3.2, “Network Requirements for LDAP Authentication”.
Hypervisor hosts – If SSL connections to a hypervisor host are used, and the SSL certificate for the host is signed by an unsupported CA, or by an Intermediate CA.
See Section 4.8.12, “Integrating SGD With Oracle Hypervisor Hosts”.
The certificates that must be imported are as follows:
Unsupported CA – Import the CA or root certificate
Intermediate CA – Import the CA certificate chain
If the tarantella security customca command is used to install a CA certificate, or CA certificate chain, this command also imports the CA certificates into the CA certificate truststore. It only does this on the SGD server on which the command is run.
To manually import CA certificates, use the keytool application. See the JDK Tools and Utilities documentation for details on how to use the keytool application. The /opt/tarantella/var/tsp/ca.pem file on the SGD host contains the CA certificate or certificate chain.
If you need to import a CA certificate chain, import each certificate in the chain separately.
The password for the CA certificate truststore is changeit.
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
Repeat the following procedure on each SGD server in the array.
Log in as superuser (root) on the SGD host.
Import the CA certificate.
To import a CA certificate chain, you must import each certificate in the chain separately.
Use the following command:
# /opt/tarantella/bin/jre/bin/keytool -importcert \
    -keystore /opt/tarantella/bin/jre/lib/security/cacerts \
    -storepass changeit -file CA-certificate-path \
    -alias alias
Use the -alias option to uniquely identify the certificate.
Restart the SGD server.
You must restart the SGD server for the CA certificate to become effective.
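The manual import above, as an added example that is not part of the original guide: a POSIX shell script that splits a PEM chain file such as /opt/tarantella/var/tsp/ca.pem into its individual certificates and imports each one into the CA certificate truststore under its own alias, which is what the guide requires for Intermediate CA chains. The truststore path and the changeit password are those the guide gives; the alias numbering scheme and the skip-if-already-present check are assumptions.

```shell
#!/bin/sh
# Added example, not from the SGD documentation. Imports every certificate in a
# PEM chain file into the SGD CA truststore as a separate entry.

KEYTOOL=/opt/tarantella/bin/jre/bin/keytool
TRUSTSTORE=/opt/tarantella/bin/jre/lib/security/cacerts
STOREPASS=changeit   # default truststore password stated in the guide

# Number of certificates in a PEM file (one BEGIN/END block each).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print the Nth certificate (1-based) of a PEM chain file to stdout.
extract_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Import each certificate of the chain under alias prefix-1, prefix-2, ...
# (alias scheme is an assumption). Entries whose alias already exists are
# skipped so the script can be re-run on each array member without error.
import_chain() {
    chain=$1; prefix=$2
    total=$(count_certs "$chain")
    i=1
    while [ "$i" -le "$total" ]; do
        alias="${prefix}-${i}"
        tmp=$(mktemp)
        extract_cert "$chain" "$i" > "$tmp"
        if "$KEYTOOL" -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
                -alias "$alias" >/dev/null 2>&1; then
            echo "alias $alias already present in truststore, skipping"
        else
            "$KEYTOOL" -importcert -noprompt -keystore "$TRUSTSTORE" \
                -storepass "$STOREPASS" -file "$tmp" -alias "$alias"
        fi
        rm -f "$tmp"
        i=$((i + 1))
    done
}

# Usage (run as root, then restart the SGD server as the guide requires):
#   import_chain /opt/tarantella/var/tsp/ca.pem example-ca
```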
Each SGD server has its own client certificate store. This is the /opt/tarantella/var/info/certs/sslkeystore file.
The client certificate store contains the client certificates that an SGD server uses to identify itself when connecting to another server.
You create and install server client certificates with the keytool application. See the JDK Tools and Utilities documentation for details on how to use the keytool application.
You must provide a password when adding or removing certificates from the client certificate store. The password for the client certificate store is unique to each SGD server and can be found in the /opt/tarantella/var/info/key file. Use this password for both the -storepass and -keypass options.
Log in as superuser (root) on the SGD host.
Generate the key pair for the client certificate.
# /opt/tarantella/bin/jre/bin/keytool -genkeypair \
    -keyalg rsa \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -storepass "$(cat /opt/tarantella/var/info/key)" \
    -alias alias \
    -keypass "$(cat /opt/tarantella/var/info/key)"
Use the -alias option to uniquely identify the key pair.
Generate a Certificate Signing Request (CSR) for the client certificate.
# /opt/tarantella/bin/jre/bin/keytool -certreq \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -storepass "$(cat /opt/tarantella/var/info/key)" \
    -alias alias \
    -keypass "$(cat /opt/tarantella/var/info/key)" \
    -file CSR-path
The alias must be the same as the alias used when generating the key pair. Aliases are case-insensitive.
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
Repeat the following procedure on each SGD server in the array.
Log in as superuser (root) on the SGD host.
Install the client certificate.
# /opt/tarantella/bin/jre/bin/keytool -importcert \
    -file certificate-path \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -storepass "$(cat /opt/tarantella/var/info/key)" \
    -alias alias \
    -keypass "$(cat /opt/tarantella/var/info/key)"
The alias must be the same as the alias used when generating the CSR for the client certificate. Aliases are case-insensitive.
Restart the SGD server.
You must restart the SGD server for the client certificate to become effective.
Each SGD server has its own gateway certificate store. This is the /opt/tarantella/var/info/gatewaykeys file.
The gateway certificate store contains certificates for all SGD Gateways used with the SGD server. The SGD server uses these certificates to encrypt routing tokens used for communications with an SGD Gateway.
See the Oracle Secure Global Desktop Gateway Administration Guide for more details of certificates used with the SGD Gateway.