13.11.3 Placing certificates

This subsection explains the placement of certificates that are used by the communication encryption function.

Organization of this subsection

(1) Encryption between a manager host and a viewer host
(2) Encryption between a manager host and an authentication server
(3) Using IM Configuration Management on a higher manager
(4) Details about placing root certificates

(1) Encryption between a manager host and a viewer host

The following figure shows the certificates required for encrypting communication between a manager host and a viewer host.

Figure 13‒29: Certificates required for encrypting communication between a manager and a viewer

Certificates needed for a manager host
- Server certificate for the manager host
- Root certificate that corresponds to the manager host's server certificate
- If there is an intermediate certificate authority, an intermediate certificate from the intermediate certificate authority that issued the manager host's server certificate
Certificates needed for a viewer host
- Root certificate that corresponds to the manager host's server certificate

In addition to Figure 13-29 Certificates required for encrypting communication between a manager and a viewer, the following figure shows the certificates required for changing the manager support status on another host by using the -h option in the jcochstat command.

Figure 13‒30: Certificates required for specifying the -h option in the jcochstat command

Certificates needed for a manager host
- Server certificate for the manager host
- Root certificate that corresponds to the manager host's server certificate
- If there is an intermediate certificate authority, an intermediate certificate from the intermediate certificate authority that issued the manager host's server certificate
- Root certificate that corresponds to another manager host's server certificate
Certificates needed for another manager host
- Server certificate for the other manager host
- Root certificate that corresponds to the other manager host's server certificate
- An intermediate certificate from the intermediate certificate authority that issued the other manager host's server certificate (if there is an intermediate certificate authority)

To Page Top

(2) Encryption between a manager host and an authentication server

The figure below shows the certificates required for encrypting communication between a manager host and an authentication server. For details about encryption of communication with authentication servers (SSL communication), see the JP1/Base User's Guide.

Figure 13‒31: Certificates required for encrypting communication between a manager and an authentication server

Certificates needed for a manager host
- Server certificate for the manager host^#
- Root certificate that corresponds to the manager host's server certificate^#
- If there is an intermediate certificate authority, an intermediate certificate from the intermediate certificate authority that issued the manager host's server certificate^#
- Root certificate for the server certificate of JP1/Base (authentication server) that the manager host uses
#: This certificate is not needed if communication between the manager host and the viewer host is not encrypted. For details about encrypting communication between a manager host and a viewer host, see 13.11.3(1) Encryption between a manager host and a viewer host.
Certificates needed for an authentication server
- Server certificate for the authentication server
- Root certificate for the server certificate of the authentication server
- If there is an intermediate certificate authority, the intermediate certificate from the intermediate certificate authority that issued the authentication server's server certificate

To Page Top

(3) Using IM Configuration Management on a higher manager

In a hierarchical configuration (IM configuration), if the IM Configuration Management function is used on a higher manager and the communication encryption function is used on a lower manager, place a root certificate for the lower manager host on the higher manager host.

For details about the IM Configuration Management function, see Chapter 7. System Hierarchy Management Using IM Configuration Management.

Figure 13‒32: Certificates needed when a higher manager uses the IM Configuration Management function

Certificates needed for a higher manager host
- Server certificate for the higher manager host
- Root certificate that corresponds to the higher manager host's server certificate^#
- If there is an intermediate certificate authority, the intermediate certificate from the intermediate certificate authority that issued the higher manager host's server's server certificate^#
- Root certificate that corresponds to the lower manager host's server certificate
#: This certificate is not needed if communication between the higher manager host and the viewer host is not encrypted. For details about encrypting communication between a manager host and a viewer host, see 13.11.3(1) Encryption between a manager host and a viewer host.
Certificates needed for a lower manager host
- Server certificate for the lower manager host
- Root certificate that corresponds to the lower manager host's server certificate
- If there is an intermediate certificate authority, the intermediate certificate from the intermediate certificate authority that issued the lower manager host's server's server certificate

To Page Top

(4) Details about placing root certificates

The communication encryption function updates and deletes the root certificates placed on clients. Therefore, you need to place the correct root certificates for servers on clients.

Client hosts for encrypted communication include viewer hosts and manager hosts.

If you are placing multiple root certificates on a manager host, combine all root certificates into one file.

If you are placing multiple root certificates on a viewer host, there is no need to combine the root certificates into one file.

A root certificate is updated and deleted mainly at the following times:

When the root certificate is changed by the certificate authority
When no more servers correspond to the root certificate because, for example, the hosts using the server certificates that correspond to the root certificate have stopped using the communication encryption function.

The following examples using viewer hosts (clients) and manager hosts (servers) provide details about the placement of root certificates.

Connection is established from one viewer host to one manager host.

This example places one root certificate on the viewer host because there is only one manager host.

Communication between the viewer host and the integrated manager host is encrypted.

The following figure shows a configuration in which the communication encryption function is enabled on the integrated manager, and the base manager and the relay manager are configured as a hierarchy.

Figure 13‒33: Placement of the root certificate for the viewer host (example 1)

Connection is established from one viewer host to multiple manager hosts and the root certificate corresponding to the server certificates differs from one manager host to another.

This example places the root certificate corresponding to each manager host on the viewer host. Therefore, as many root certificates as there are manager hosts must be placed on the viewer host.

Communication is encrypted between the viewer host and the integrated manager and between the viewer host and the base manager host.

The figure below shows a configuration in which the communication encryption function is enabled on the integrated manager and the base manager, the root certificate corresponding to the server certificate for the integrated manager differs from that for the base manager, and multiple manager hosts are monitored by one viewer host. The integrated manager has a hierarchical configuration with the base manager and the relay manager.

Figure 13‒34: Placement of the root certificates for the viewer host (example 2)

Connection is established from one viewer host to multiple manager hosts and the root certificate corresponding to the server certificates is the same for all manager hosts.

This example places one root certificate on the viewer host because the root certificates for all manager hosts are the same. If the same root certificate is placed under different file names, a one-to-one correspondence can be maintained between manager host and root certificate. This helps to identify the correct root certificate for each manager host when root certificates are to be deleted. To delete a root certificate that corresponds to multiple manager hosts, you must verify that the root certificate has no corresponding manager hosts.

Communication is encrypted between the viewer host and the integrated manager host and between the viewer host and the base manager host.

The same root certificate is placed on JP1/IM - View for both the integrated manager and the base manager because the root certificates corresponding to server certificates for these managers are the same.

The figure below shows a configuration in which the communication encryption function is enabled on the integrated manager and the base manager, the root certificates corresponding to the server certificates for the integrated manager and the base manager are the same, and multiple manager hosts are monitored by one viewer host. The integrated manager has a hierarchical configuration with the base manager and the relay manager.

Figure 13‒35: Placement of the root certificate for the viewer host (example 3)

To Page Top