Hitachi

JP1 Version 12 JP1/Integrated Management 2 - Manager Configuration Guide


9.4.1 Newly using the communication encryption function

This subsection explains how a first-time user of the communication encryption function specifies the settings on the manager host and the viewer host. No settings are made in JP1/IM - Manager itself. If there are multiple manager hosts, specify the settings on each host. For details about the system configuration, see 13.11.6 System configuration in the JP1/Integrated Management 2 - Manager Overview and System Design Guide.

The communication encryption functions of JP1/IM - Manager, JP1/AJS3, and JP1/Base all use the common definition information, which is set from the private key, CSR, individual certificates, and SSL communication definition file (jp1bs_ssl.conf) used on the manager host.

The following figures show the procedure for newly using the communication encryption function.

Figure 9‒8: Procedure for newly using the communication encryption function

[Figure]

Figure 9‒9: Overview of files that are edited by the user

[Figure]

The following provides a detailed explanation (the numbers below correspond to the numbers in the figures).

  1. Creating a private key in JP1/Base#1

    Do not set a passphrase for a private key. A private key with a passphrase cannot be used.

  2. Creating a certificate signing request (CSR)#1

    Create a CSR by specifying the private key created in step 1. Specify the manager host name for CN (common name). This manager host name is used to verify the host name (CN and SAN) in server certificates.

    For details about the verification of host names in server certificates (verification of CN and SAN), see 13.11.4(2) Verifying host names (CN and SAN) in server certificates in the JP1/Integrated Management 2 - Manager Overview and System Design Guide.

  3. Send the CSR created in step 2 to the certificate authority to obtain certificates.#1

    Send the CSR created in step 2 to the certificate authority to obtain a server certificate and a root certificate.

    If there is any intermediate CA certificate, obtain it.

    If you will be using self-signed certificates, not the certificates signed by the certificate authority, do not send the CSR to the certificate authority.

  4. Place the private key and the certificates in JP1/Base.#1, #2

    Place the private key created in step 1 and the server certificate and root certificate issued in step 3 in any folder on the server.

    If there are any intermediate CA certificates, use a text editor (for example) to combine the intermediate CA certificates with the server certificate according to the certificate hierarchy.

    The following shows combined server certificates:

    -----BEGIN CERTIFICATE-----
    contents-of-server-certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    contents-of-intermediate-CA-certificate
    -----END CERTIFICATE-----

  5. In JP1/Base, enable the communication encryption function.#1

    The following explains how to configure the communication encryption function:

    1. Define the SSL communication definition file (jp1bs_ssl.conf).

    Define in the SSL communication definition file the SSL communication settings, such as whether SSL communication is to be enabled, the file names of server certificates, and the storage locations of root certificates.

    For details about the SSL communication definition file, see the chapter on SSL communication definition files in the JP1/Base User's Guide.

    2. Execute the jbssetcnf command with the SSL communication definition file name specified in an argument.

    When the jbssetcnf command is executed, the specified settings are applied to the common definition information. These settings are used to run the communication encryption function in JP1/IM - Manager, JP1/AJS3, and JP1/Base.

    For details about the jbssetcnf command, see the JP1/Base User's Guide.

  6. Place the root certificate issued in step 3 in JP1/IM - View.#2

    • Storage location for the root certificate

      View-path\conf\ssl\rootcer

    JP1/IM - View enables you to place multiple root certificate files.

    When you place a root certificate in JP1/IM - View, you have to know the manager host to which the root certificate being placed corresponds. For details, see 13.11.3(1) Encryption between a manager host and a viewer host in the JP1/Integrated Management 2 - Manager Overview and System Design Guide.

  7. Edit the file used to specify the hosts that will be able to establish non-encrypted communication.

    A non-encryption communication host configuration file is used to specify the hosts that will be able to establish non-encrypted communication. With the initial settings, all hosts are set to establish non-encrypted communication. For details, see Non-encryption communication host configuration file (nosslhost.conf) in Chapter 2. Definition Files in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.

  8. Place the root certificate on the remote manager host in the following cases:#2

    • The handling procedure is changed from the remote manager host by executing the jcochstat command with the -j option specified

      If the remote manager host is not using the communication encryption function, enable the communication encryption function and add the root certificate issued in step 3 to the remote manager host's root certificate file.

    • The IM Configuration Management function is being used by the higher manager.

      Place the root certificate issued in step 3 in JP1/Base of the remote manager host that is the higher manager. In this case, you will have to specify the storage location of the root certificate (CACERTIFICATEFILE in the common definition information) in the remote manager host's JP1/Base, but you need not enable the communication encryption function.

    If the remote manager host is using the communication encryption function, add the root certificate issued in step 3 to the remote manager host's root certificate file.

    To add root certificates to the remote manager host, use a text editor (for example) to combine the root certificates.

    The following shows combined root certificates:

    -----BEGIN CERTIFICATE-----
    contents-of-root-certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    contents-of-root-certificate
    -----END CERTIFICATE-----

#1: For details, see the JP1/Base User's Guide.

#2: To combine multiple certificates, open the certificates with a text editor, and then combine them.
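The following is an added example, not part of this manual or of JP1/Base, that demonstrates the certificate handling of steps 2, 4, 6 and 8 with Go's standard crypto/x509 package: it creates a passphrase-less private key and a server certificate whose CN and SAN carry the manager host name, builds the combined server certificate file (server certificate followed by the intermediate CA certificate), and verifies that file against a placed root certificate and the expected host name, which is the check the viewer side performs. The host name jp1mgr01.example.com and the CA names are constructed, and JP1/Base's own key and CSR tools are not used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Issue creates a certificate whose CN and DNS SAN are cn, signed by parent (self-signed when parent is nil).
func Issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // private key without a passphrase, as step 1 requires
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true} // only the server certificate's SAN is checked by the verifier
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// CombinedPEM concatenates certificates in hierarchy order: server certificate first, then intermediate CAs (step 4).
func CombinedPEM(certs ...*x509.Certificate) (out []byte) {
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// VerifyChain checks a combined file the way the viewer side does: first block is the server certificate, later blocks are intermediates, trust comes only from rootPEM, and managerHost must match the SAN.
func VerifyChain(combined, rootPEM []byte, managerHost string) error {
	block, rest := pem.Decode(combined)
	if block == nil {
		return errors.New("combined file contains no server certificate")
	}
	server, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		inter, roots := x509.NewCertPool(), x509.NewCertPool()
		inter.AppendCertsFromPEM(rest)
		roots.AppendCertsFromPEM(rootPEM)
		_, err = server.Verify(x509.VerifyOptions{DNSName: managerHost, Roots: roots, Intermediates: inter})
	}
	return err
}
```

Reversing the order in the combined file, omitting the intermediate certificate, or verifying against a host name other than the one in CN/SAN all make VerifyChain return an error, which is the failure a mis-assembled file produces in practice.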

Important

Communication encryption function settings cannot be changed while JP1/IM - Manager and JP1/Base are running. If you need to change communication encryption function settings for a reason such as to replace expired server or root certificates, you must first stop JP1/IM - Manager and JP1/Base.

After you have configured the communication encryption function, check that the function has been configured correctly. For details about the checking procedure, see 9.4.5 Checking whether the communication encryption function has been configured correctly.