Hitachi

JP1 Version 12 JP1/Integrated Management 2 - Manager Overview and System Design Guide


13.11.4 Verifying server certificates

This subsection explains the verification of server certificates that is performed by clients (connection sources) when encrypted communication begins.

When encrypted communication begins, a client receives a server certificate from the server (connection target). The client then checks the validity of the received server certificate.

The subsections below explain the contents of server certificates that clients verify by using the communication encryption function.

For details about the communication to be verified, see Table 13-20 Contents of certificates verified for Central Console, Table 13-21 Contents of certificates verified for Central Scope, or Table 13-22 Contents of certificates verified for IM Configuration Management.

(1) Verifying signatures

A client receives a server certificate and verifies the signature in the server certificate by using the root certificate that has been placed on the client.

(2) Verifying host names (CN and SAN) in server certificates

The client verifies that the host name (CN and SAN) in the server certificate matches the host name of the client's connection target. This is done by comparing the host name specified for CN or SAN (dNSName) in the server certificate with the host name at the connection target that the client recognizes.#

If the host name specified for CN or SAN (dNSName) in the server certificate is not a host name for the connection target that the client recognizes, communication is closed.

#: If the server certificate contains SAN (dNSName), only SAN (dNSName) is compared, in which case CN is not compared.

Figure 13‒36: Processing when the host name specified for the connection target differs from CN

[Figure]

For details about connection-target host names that are used for verifying host names (CN and SAN) in server certificates, see 13.11.4(3) Host names used for verifying host names (CN and SAN) in server certificates.

(3) Host names used for verifying host names (CN and SAN) in server certificates

The host names listed below are used to verify host names (CN and SAN) in server certificates. If the communication encryption function is used, IP addresses cannot be used for the following host names:

For details about communication for which host names (CN and SAN) in server certificates are to be verified by JP1/IM - Manager, see Table 13-20 Contents of certificates verified for Central Console, Table 13-21 Contents of certificates verified for Central Scope, or Table 13-22 Contents of certificates verified for IM Configuration Management.

(4) Expiration date of server certificates

A client checks the expiration date of the server certificate.

Because an expiration date is set for server certificates to maintain security, the client closes communication with the server if the server certificate has expired.

If you want to receive advance notice of server certificate expiration, use a public certificate authority service.

For details about renewing certificates, see 13.11.2(3) Maintaining certificates.
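The host-name rule of (2) and (3) and the expiration check of (4), as an added example that is not code from the JP1 manual or product: a client-side check over a received certificate in the dict layout Python's ssl module returns, with constructed sample certificates. Signature verification (1) is assumed to be done by the TLS library beforehand; host names such as manager01.example.com are assumptions.

```python
import ipaddress
import ssl
import time

# Constructed sample certificates in the dict layout of ssl.SSLSocket.getpeercert().
CERT_WITH_SAN = {
    "subject": ((("commonName", "legacy-name.example.com"),),),
    "subjectAltName": (("DNS", "manager01.example.com"), ("DNS", "im-manager.example.com")),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}
CERT_CN_ONLY = {  # no SAN present, so CN is what gets compared
    "subject": ((("commonName", "manager02.example.com"),),),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}
CERT_EXPIRED = {
    "subject": ((("commonName", "manager01.example.com"),),),
    "subjectAltName": (("DNS", "manager01.example.com"),),
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}

def host_name_matches(cert, target_host):
    """CN/SAN rule of 13.11.4(2): if SAN dNSName entries exist, only they are
    compared and CN is ignored; otherwise CN is compared (exact match only)."""
    try:  # an IP address is never a valid connection-target host name (13.11.4(3))
        ipaddress.ip_address(target_host)
        return False
    except ValueError:
        pass
    target = target_host.lower().rstrip(".")
    san_dns = [v.lower().rstrip(".") for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        return target in san_dns
    cns = [v.lower().rstrip(".") for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return target in cns

def verify_server_certificate(cert, target_host, now=None):
    """Return (ok, reason); any failure means the client closes the connection.
    Signature checking against the placed root certificate is assumed to have
    been done by the TLS library before this point (13.11.4(1))."""
    if not host_name_matches(cert, target_host):
        return False, "host name (CN/SAN) mismatch"
    now = time.time() if now is None else now  # 'now' is a UTC epoch second
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return False, "server certificate has expired"
    return True, "ok"
```

Note that CERT_WITH_SAN is rejected for its own CN value, because the presence of SAN dNSName entries makes CN irrelevant.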

(5) Contents of certificates that are verified for Central Console

The following figure shows the range of Central Console communication that can be encrypted and the contents of certificates that are verified.

Figure 13‒37: Range of Central Console communication that can be encrypted

[Figure]

The parenthesized numbers in the figure correspond to the numbers in the following table.

Table 13‒20: Contents of certificates verified for Central Console

Columns: No.; Location of communication#1 (connection source and connection target); Verification of server certificate by the connection source (verification of signature; host name used for verifying the host name (CN and SAN) in the server certificate; expiration date); Verification of root certificate by the connection source#2 (expiration date).

No. 1
  Connection source: Central Console viewer
  Connection target: Event console service
  Verification of signature: Y
  Host name (CN and SAN) in server certificate: Y (host to connect in the Login window)
  Expiration date of server certificate: Y
  Expiration date of root certificate: Y (verifies the root certificate that is placed in JP1/IM - View)

No. 2
  Connection source: Central Console viewer
  Connection target: Command execution
  Verification of signature: Y
  Host name (CN and SAN) in server certificate: Y (same as No. 1)
  Expiration date of server certificate: Y
  Expiration date of root certificate: Y (same as No. 1)

No. 3
  Connection source: jcochstat command
  Connection target: Event console service (another host)
  Verification of signature: Y
  Host name (CN and SAN) in server certificate: Y (manager host name specified in the -h option)
  Expiration date of server certificate: Y
  Expiration date of root certificate: Y (verifies the root certificate that is placed on the manager host)

No. 4
  Connection source: Event console service
  Connection target: Authentication server
  The communication encryption function of JP1/Base is used for communication. For details about the communication encryption function of JP1/Base, see the JP1/Base User's Guide.

No. 5
  Connection source: Event console service
  Connection target: Event service (agent host)
  Verification of signature: Y
  Host name (CN and SAN) in server certificate: Y (search host name in the Event Search Conditions window)
  Expiration date of server certificate: Y
  Expiration date of root certificate: Y (verifies the root certificate that is placed on the manager host)

Legend:

Y: Verified

#1

For details, see 13.11.1 Range of communication that can be encrypted by the communication encryption function.

#2

For details about verifying root certificates, see 13.11.5 Verifying root certificates.

(6) Contents of certificates that are verified for Central Scope

The following figure shows the range of Central Scope communication that can be encrypted and the contents of certificates that are verified.

Figure 13‒38: Range of Central Scope communication that can be encrypted

[Figure]

The parenthesized numbers in the figure correspond to the numbers in the following table.

Table 13‒21: Contents of certificates verified for Central Scope

Columns: No.; Location of communication#1 (connection source and connection target); Verification of server certificate by the connection source (verification of signature; host name used for verifying the host name (CN and SAN) in the server certificate; expiration date); Verification of root certificate by the connection source#2 (expiration date).

No. 1
  Connection source: Central Scope viewer
  Connection target: Central Scope service
  Verification of signature: Y
  Host name (CN and SAN) in server certificate: Y (host to connect in the Login window)
  Expiration date of server certificate: Y
  Expiration date of root certificate: Y (verifies the root certificate that is placed in JP1/IM - View)

No. 2
  Connection source: Central Scope service
  Connection target: Authentication server
  The communication encryption function of JP1/Base is used for communication. For details about the communication encryption function of JP1/Base, see the JP1/Base User's Guide.

Legend:

Y: Verified

#1

For details, see 13.11.1 Range of communication that can be encrypted by the communication encryption function.

#2

For details about verifying root certificates, see 13.11.5 Verifying root certificates.

(7) Contents of certificates that are verified for IM Configuration Management

The following figure shows the range of IM Configuration Management communication that can be encrypted and the contents of certificates that are verified.

Figure 13‒39: Range of IM Configuration Management communication that can be encrypted

[Figure]

The parenthesized numbers in the figure correspond to the numbers in the following table.

Table 13‒22: Contents of certificates verified for IM Configuration Management

Columns: No.; Location of communication#1 (connection source and connection target); Verification of server certificate by the connection source (verification of signature; host name used for verifying the host name (CN and SAN) in the server certificate; expiration date); Verification of root certificate by the connection source#2 (expiration date).

No. 1
  Connection source: IM Configuration Management viewer
  Connection target: IM Configuration Management service
  Verification of signature: Y
  Host name (CN and SAN) in server certificate: Y (host to connect in the Login window)
  Expiration date of server certificate: Y
  Expiration date of root certificate: Y (verifies the root certificate that is placed in JP1/IM - View)

No. 1 (when Base View is running)
  Connection source: IM Configuration Management viewer
  Connection target: IM Configuration Management service
  Verification of signature: Y
  Host name (CN and SAN) in server certificate: Y (host registered in IM Configuration Management)
  Expiration date of server certificate: Y
  Expiration date of root certificate: Y (verifies the root certificate that is placed in JP1/IM - View)

No. 2
  Connection source: IM Configuration Management service (integrated manager)
  Connection target: IM Configuration Management service (base manager)
  Verification of signature: Y
  Host name (CN and SAN) in server certificate: Y (host registered in IM Configuration Management)
  Expiration date of server certificate: Y
  Expiration date of root certificate: Y (verifies the root certificate that is placed on the manager host)

No. 3
  Connection source: IM Configuration Management service
  Connection target: Authentication server
  The communication encryption function of JP1/Base is used for communication. For details about the communication encryption function of JP1/Base, see the JP1/Base User's Guide.

Legend:

Y: Verified

#1

For details, see 13.11.1 Range of communication that can be encrypted by the communication encryption function.

#2

For details about verifying root certificates, see 13.11.5 Verifying root certificates.