Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 Configuration Guide


21.4.2 SSL communication setup procedure (in a manager/agent configuration)

This subsection describes the SSL communication setup procedure to be performed when a manager/agent configuration is used.

The following figure shows an overview of setup operations on individual hosts.

Figure 21‒3: Overview of how to set up SSL communication in a manager/agent configuration

[Figure]

The setup operation on a host involves not only the setup of the JP1/AJS3 components installed in the host but also the setup of communication-destination components.

Perform this operation on all the hosts constituting the JP1/AJS3 system. However, when the AJS3SSL environment setting parameter is set to INETD, do not set up SSL communication for JP1/AJS3 - Agent; set it up only for JP1/AJS3 - View and JP1/AJS3 - Manager. If SSL communication is set up for the wrong component, communication between hosts will fail with an error.


(1) Setup to enable JP1/AJS3 - Manager to communicate in SSL

The following describes the setup operation to enable JP1/AJS3 - Manager to communicate in SSL:

  1. Create a private key and CSR by using JP1/Base.

    For details about how to create a private key and a CSR, see the JP1/Base User's Guide.

  2. Send the CSR to a CA.

    When the CA receives the CSR, it issues a server certificate and a root certificate for verifying the server certificate.

  3. Obtain the server certificate and root certificate from the CA.

  4. If the server certificate was issued by an intermediate CA and does not include the intermediate certificate, obtain the intermediate certificate from the intermediate CA and combine the server certificate and the intermediate certificate into a single file.

    Without the intermediate certificate, the validity of the server certificate cannot be verified. Obtain the intermediate certificate so that the server certificate can be verified.

    After obtaining the intermediate certificate, open the server certificate and the intermediate certificate in a text editor, copy the content of the intermediate certificate, and paste it at the end of the server certificate.

    If there are multiple intermediate certificates, combine all of them into the file according to their hierarchical structure.

  5. Stop the JP1/AJS3 and JP1/Base services.

  6. Place the private key and server certificate in a folder, and specify the path to the folder in the common definition information CERTIFICATEFILE of JP1/Base.

    For details about the common definition information CERTIFICATEFILE of JP1/Base, see the JP1/Base User's Guide.

  7. Deploy a PEM-format root certificate to communication-destination hosts.

    So that the communication destination (the client) can verify the manager host's server certificate, deploy the root certificate of the CA that issued that server certificate to the communication-destination hosts.

    The following lists the hosts to which to deploy the root certificate:

    • Working manager host (local host)

    • All manager hosts for which communication is to be established

    • All agent hosts for which communication is to be established (when the value of the AJS3SSL environment parameter is ALL)

    • All JP1/AJS3 - View hosts for which communication is to be established

    The following table describes the paths to the storage folders.

    Table 21‒10: Storage folders for root certificate

    No. | Host type            | Path to storage folder (in Windows)                    | Path to storage folder (in Linux)
    1   | Manager host         | Root certificates are stored in a folder of JP1/Base (Windows and Linux). For details, see the JP1/Base User's Guide.
    2   | Agent host           | Same as No. 1: a folder of JP1/Base. For details, see the JP1/Base User's Guide.
    3   | JP1/AJS3 - View host | JP1/AJS3 - View-installation-folder\conf\ssl\rootcer   | Not applicable

    When a root certificate has already been deployed to a communication-destination host, check whether the CA that issued the deployed root certificate is the same as the CA from which the server certificate was obtained as described in step 3.

    When the CA is the same:

    You can use the root certificate deployed already. You do not need to overwrite the root certificate.

    When the CA is different:

    Bind the already deployed root certificate and the newly obtained root certificate together in a single file. When doing so, bind them in a way that lets you tell which part of the bound file corresponds to which root certificate, so that a part that is about to expire can be replaced appropriately. Because root certificates are Base64-encoded, the bound file alone does not show which parts belong to which individual root certificate.

    For details, see the JP1/Base User's Guide.

  8. Check that the root certificates for the agent hosts are placed on the manager hosts.

    The root certificates for the agent hosts are deployed as part of the setup operation that enables JP1/AJS3 - Agent to communicate in SSL. See the setup procedure for JP1/AJS3 - Agent.

  9. Enable SSL communication.

    For details about how to enable SSL communication, see the description of the communication encryption function in the JP1/Base User's Guide.

(2) Setup to enable JP1/AJS3 - Agent to communicate in SSL

The following describes the setup operation to enable JP1/AJS3 - Agent to communicate in SSL:

  1. Create a private key and CSR by using JP1/Base.

    For details about how to create a private key and a CSR, see the JP1/Base User's Guide.

  2. Send the CSR to a CA.

    When the CA receives the CSR, it issues a server certificate and a root certificate for verifying the server certificate.

  3. Obtain the server certificate and root certificate from the CA.

  4. If the server certificate was issued by an intermediate CA and does not include the intermediate certificate, obtain the intermediate certificate from the intermediate CA and combine the server certificate and the intermediate certificate into a single file.

    Without the intermediate certificate, the validity of the server certificate cannot be verified. Obtain the intermediate certificate so that the server certificate can be verified.

    After obtaining the intermediate certificate, open the server certificate and the intermediate certificate in a text editor, copy the content of the intermediate certificate, and paste it at the end of the server certificate.

    If there are multiple intermediate certificates, combine all of them into the file according to their hierarchical structure.

  5. Stop the JP1/AJS3 and JP1/Base services.

  6. Place the private key and server certificate in a folder, and specify the path to the folder in the common definition information CERTIFICATEFILE of JP1/Base.

    For details about the common definition information CERTIFICATEFILE of JP1/Base, see the JP1/Base User's Guide.

  7. Deploy a PEM-format root certificate to all the manager hosts for which communication is to be established.

    So that the communication destinations (the manager hosts) can verify the agent host's server certificate, deploy the root certificate of the CA that issued that server certificate to the communication-destination hosts. For details about the path to the certificate storage folder, see the JP1/Base User's Guide.

    When a root certificate has already been deployed to a communication-destination manager host, check whether the CA that issued the deployed root certificate is the same as the CA from which the server certificate was obtained as described in step 3.

    When the CA is the same:

    You can use the root certificate deployed already. You do not need to overwrite the root certificate.

    When the CA is different:

    Bind the already deployed root certificate and the newly obtained root certificate together in a single file. When doing so, bind them in a way that lets you tell which part of the bound file corresponds to which root certificate, so that a part that is about to expire can be replaced appropriately. Because root certificates are Base64-encoded, the bound file alone does not show which parts belong to which individual root certificate.

    For details, see the JP1/Base User's Guide.

  8. Check that the root certificates for the manager hosts are placed on the agent hosts.

    The root certificates for the manager hosts are deployed as part of the setup operation that enables JP1/AJS3 - Manager to communicate in SSL. See the setup procedure for JP1/AJS3 - Manager.

  9. Enable SSL communication.

    For details about how to enable SSL communication, see the description of the communication encryption function in the JP1/Base User's Guide.
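The following script is an added example, not JP1/Base code, covering the file handling in step 4 (combining the server certificate with its intermediate certificates) and step 7 (binding root certificates from different CAs into one file so that each part can still be identified) of both the JP1/AJS3 - Manager and JP1/AJS3 - Agent procedures. It uses only the Python standard library. The certificate bodies it produces are constructed placeholders (base64 of a short tag), not real X.509 data, so it runs offline; the label-line convention and the assumption that JP1/Base, like OpenSSL, ignores text outside the BEGIN/END markers are this example's, not the manual's.

```python
"""Assemble a server-certificate chain file and a labelled root-certificate bundle.

Added example for steps 4 and 7 of the JP1/AJS3 - Manager and JP1/AJS3 - Agent
procedures; this is not JP1/Base code.  Only the standard library is used.
The certificate bodies produced by make_placeholder_cert() are constructed
placeholders (base64 of a short tag), not real X.509 data.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def make_placeholder_cert(tag: str) -> str:
    """Return a PEM-shaped block whose body is base64 of `tag` (constructed, not a real certificate)."""
    body = base64.b64encode(tag.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def split_pem(text: str) -> list:
    """Return the base64 body of every CERTIFICATE block in `text`, in file order."""
    return [re.sub(r"\s+", "", body) for body in PEM_BLOCK.findall(text)]


def fingerprint(body_b64: str) -> str:
    """SHA-256 of the DER bytes (the decoded PEM body), hex-encoded."""
    return hashlib.sha256(base64.b64decode(body_b64)).hexdigest()


def build_chain(server_pem: str, intermediates: list) -> str:
    """Step 4: server certificate first, then the intermediate certificates.

    The caller passes the intermediates in hierarchical order (the CA that
    issued the server certificate first, its issuer next, and so on).  This
    function only concatenates; it does not verify signatures.
    """
    parts = [server_pem] + list(intermediates)
    for part in parts:
        if len(split_pem(part)) != 1:
            raise ValueError("each input must contain exactly one certificate block")
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def add_root_with_label(bundle: str, root_pem: str, label: str) -> str:
    """Step 7, different CA: append `root_pem` to `bundle` behind a label line.

    If a certificate with the same DER fingerprint is already in the bundle
    (same CA, same certificate), the bundle is returned unchanged, matching the
    "you do not need to overwrite" rule.  The label line sits outside the
    BEGIN/END markers; OpenSSL's PEM reader skips such lines, and this example
    assumes JP1/Base tolerates them too.
    """
    new_fp = fingerprint(split_pem(root_pem)[0])
    if new_fp in {fingerprint(b) for b in split_pem(bundle)}:
        return bundle
    sep = "" if not bundle or bundle.endswith("\n") else "\n"
    return f"{bundle}{sep}# {label} (sha256 {new_fp[:16]}...)\n{root_pem}"


def list_bundle(bundle: str) -> list:
    """Return (label, fingerprint) per block so every part of a bound file can be identified."""
    entries, label, body = [], "(unlabelled)", None
    for line in bundle.splitlines():
        line = line.strip()
        if line.startswith("# "):
            label = line[2:].split(" (sha256")[0]
        elif line == "-----BEGIN CERTIFICATE-----":
            body = []
        elif line == "-----END CERTIFICATE-----":
            entries.append((label, fingerprint("".join(body))))
            label, body = "(unlabelled)", None
        elif body is not None:
            body.append(line)
    return entries


if __name__ == "__main__":
    chain = build_chain(make_placeholder_cert("server"), [make_placeholder_cert("intermediate")])
    print(chain)
    roots = add_root_with_label("", make_placeholder_cert("root A"), "Root CA A, constructed")
    roots = add_root_with_label(roots, make_placeholder_cert("root B"), "Root CA B, constructed")
    for lbl, fp in list_bundle(roots):
        print(f"{fp[:16]}  {lbl}")
```

With real certificates, the chain file produced by build_chain can be checked against the root bundle with a standard OpenSSL command such as `openssl verify -CAfile roots.pem -untrusted chain.pem server.pem` before the services are restarted; that check is a general practice, not a step the manual prescribes.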

(3) Setup to enable JP1/AJS3 - View to communicate in SSL

The following describes the setup operation to enable JP1/AJS3 - View to communicate in SSL:

  1. If you have logged in from JP1/AJS3 - View to JP1/AJS3 - Manager, log out of JP1/AJS3 - Manager.

  2. Open the unencrypted-communication host settings file (nosslhost.conf) by using a text editor.

    The unencrypted-communication host settings file (nosslhost.conf) of JP1/AJS3 - View defines the manager hosts that do not encrypt messages in the communication with JP1/AJS3 - View.

    For details about the nosslhost.conf file, see 21.4.6 Details on the settings in the unencrypted-communication host settings file (nosslhost.conf).

  3. In the nosslhost.conf file, define the manager host that does not perform SSL communication with JP1/AJS3 - View.

    By default, the nosslhost.conf file specifies an asterisk (*), which stands for all manager hosts, so that communication with any manager host is left unencrypted. Edit the file as shown below so that it lists only the manager hosts that do not communicate in SSL; manager hosts that communicate in SSL must not be listed.

    [NO_SSL_HOST]
    host-name-or-IP-address-of-a-manager-host-that-does-not-communicate-in-SSL
    host-name-or-IP-address-of-a-manager-host-that-does-not-communicate-in-SSL
    ...
    host-name-or-IP-address-of-a-manager-host-that-does-not-communicate-in-SSL

    When communications with all manager hosts are to be encrypted, write only [NO_SSL_HOST].

  4. Save and close the nosslhost.conf file.

  5. Check that the root certificates for the manager hosts are placed on the View hosts.

    The root certificates for the manager hosts are deployed as part of the setup operation that enables JP1/AJS3 - Manager to communicate in SSL. See the setup procedure for JP1/AJS3 - Manager.
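The following script is an added example, not JP1 code, that evaluates a nosslhost.conf file the way step 3 describes it: an asterisk under [NO_SSL_HOST] leaves every manager host unencrypted, a header with no entries means every manager host is contacted in SSL, and otherwise only the listed hosts are unencrypted. Running it over the file before logging in shows which manager connections will still be in clear text. Case-insensitive matching of host names and the skipping of blank lines and lines starting with # are assumptions of this example, not documented behaviour of JP1/AJS3 - View; the sample file contents are constructed.

```python
"""Evaluate the JP1/AJS3 - View nosslhost.conf decision for a manager host.

Added example for step 3 of the JP1/AJS3 - View setup; this is not JP1 code.
The file format follows the procedure text: a [NO_SSL_HOST] section followed
by one host name or IP address per line, '*' meaning every manager host, and
an empty section meaning every manager host is contacted in SSL.
"""


def parse_nosslhost(text: str) -> list:
    """Return the entries under [NO_SSL_HOST]; lines before the section header are ignored."""
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: blank and # lines are skipped
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.upper() == "[NO_SSL_HOST]"
            continue
        if in_section:
            entries.append(line)
    return entries


def uses_ssl(text: str, manager_host: str) -> bool:
    """True if JP1/AJS3 - View would encrypt its connection to `manager_host`."""
    entries = parse_nosslhost(text)
    if "*" in entries:
        return False  # default file as shipped: nothing is encrypted
    # assumption: host names compare case-insensitively; IP addresses compare literally
    return manager_host.lower() not in {e.lower() for e in entries}


def audit(text: str, manager_hosts: list) -> dict:
    """Map each known manager host to whether JP1/AJS3 - View will reach it in SSL."""
    return {host: uses_ssl(text, host) for host in manager_hosts}


def clear_text_hosts(text: str, manager_hosts: list) -> list:
    """Manager hosts that would still be contacted without encryption."""
    return [host for host, ssl in audit(text, manager_hosts).items() if not ssl]


# Constructed sample files (the host names and address are placeholders).
DEFAULT_CONF = "[NO_SSL_HOST]\n*\n"            # as shipped: every manager host unencrypted
ALL_SSL_CONF = "[NO_SSL_HOST]\n"               # header only: every manager host in SSL
MIXED_CONF = "[NO_SSL_HOST]\nlegacy-mgr01\n192.0.2.10\n"


if __name__ == "__main__":
    managers = ["legacy-mgr01", "mgr02", "192.0.2.10"]
    for name, conf in (("default", DEFAULT_CONF), ("all-ssl", ALL_SSL_CONF), ("mixed", MIXED_CONF)):
        print(name, "clear text:", clear_text_hosts(conf, managers))
```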

(4) Checking the connection of SSL communication

The following describes the procedure for checking that the communication between components is encrypted:

(a) Checking the connection of SSL communication between the manager host and JP1/AJS3 - View host

  1. From JP1/AJS3 - View, log in to JP1/AJS3 - Manager.

  2. Check the integrated trace log of the manager host to confirm that the KNAD3995-I and KAVS0532-I messages have been output.

    The KNAD3995-I message indicates that SSL communication is enabled.

    The KAVS0532-I message indicates that the user has successfully logged in to JP1/AJS3 - Manager from JP1/AJS3 - View.
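The following script is an added example, not JP1 code, that automates check (a): it scans integrated trace log lines for the two message IDs the procedure names and reports whether both were seen, or whether a login (KAVS0532-I) appeared without the SSL confirmation (KNAD3995-I), which is the case worth investigating. The sample lines are constructed; they reproduce neither the real record format nor the real message text, only the message IDs.

```python
"""Confirm an SSL-protected JP1/AJS3 - View login from integrated trace log lines.

Added example for check (4)(a); this is not JP1 code.  It looks only for the
two message IDs the procedure names: KNAD3995-I (SSL communication is enabled)
and KAVS0532-I (login from JP1/AJS3 - View succeeded).
"""
import re

SSL_ENABLED = "KNAD3995-I"
VIEW_LOGIN = "KAVS0532-I"
# JP1 message IDs have the shape K + three letters + four digits + severity letter.
MSG_ID = re.compile(r"\bK[A-Z]{3}\d{4}-[IWE]\b")

# Constructed sample excerpts: timestamps, process tag and message text are placeholders.
SAMPLE_SSL_LOGIN = [
    "2024/01/15 10:00:01 [constructed] KNAD3995-I (message text omitted)",
    "2024/01/15 10:00:02 [constructed] KAVS0532-I (message text omitted)",
]
SAMPLE_PLAIN_LOGIN = [
    "2024/01/15 10:05:00 [constructed] KAVS0532-I (message text omitted)",
]


def message_ids(lines) -> set:
    """Return the set of message IDs that occur in `lines`."""
    found = set()
    for line in lines:
        found.update(MSG_ID.findall(line))
    return found


def check_ssl_login(lines) -> dict:
    """Classify a log excerpt by which of the two expected messages were seen."""
    ids = message_ids(lines)
    ssl_on, login = SSL_ENABLED in ids, VIEW_LOGIN in ids
    if ssl_on and login:
        verdict = "ssl-login-confirmed"
    elif login:
        # A login without the SSL message: recheck nosslhost.conf on the View
        # host and the CERTIFICATEFILE / SSL settings of JP1/Base on the manager.
        verdict = "login-seen-but-ssl-not-confirmed"
    elif ssl_on:
        verdict = "ssl-enabled-but-no-login-seen"
    else:
        verdict = "neither-message-seen"
    return {"ssl_enabled": ssl_on, "view_login": login, "verdict": verdict}


def check_ssl_login_file(path: str) -> dict:
    """Run the same check over a log file on disk (path is supplied by the caller)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_ssl_login(fh)


if __name__ == "__main__":
    print("ssl login  :", check_ssl_login(SAMPLE_SSL_LOGIN)["verdict"])
    print("plain login:", check_ssl_login(SAMPLE_PLAIN_LOGIN)["verdict"])
```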

(b) Checking the connection of SSL communication between the manager host and agent host

  1. From JP1/AJS3 - View, log in to JP1/AJS3 - Manager.

  2. Create a jobnet by using JP1/AJS3 - View, define PC or Unix jobs under the jobnet, and specify the agent host to be connected by SSL communication in the Exec-agent field.

  3. Register the defined jobnet for immediate execution.

  4. Check that the jobnet ends normally.

    When the jobnet ends normally, the SSL communication between the manager and agent hosts is operating normally.