3.4.7 Settings for using a certificate issued by a CA
The setting procedure for using a certificate issued by a CA (Certificate Authority) is described below.
-
Creating a private key file for the Web server.
Use the openssl.bat genrsa or openssl.sh genrsa command to create a private key file for the Web server. The locations of these files are as follows:
In Windows:
$SSO_JRE\httpsd\sbin\openssl.bat
In Linux:
$SSO_JRE/httpsd/sbin/openssl.sh
Note that the name of the private key file for the Web server must be ssoconsole.key.
-
Creating a password file.
If the encryption type is specified in the file created in step 1, use the sslpasswd.bat or sslpasswd.sh command to create a password file. The locations of these commands are as follows:
In Windows:
$SSO_JRE\httpsd\sbin\sslpasswd.bat
In Linux:
$SSO_JRE/httpsd/sbin/sslpasswd.sh
Note that the name of the password file must be certpass.key.
-
Creating a CSR (Certificate Signing Request).
Use the openssl.bat req or openssl.sh req command to create a CSR (certificate signing request). The locations of these commands are as follows:
In Windows:
$SSO_JRE\httpsd\sbin\openssl.bat
In Linux:
$SSO_JRE/httpsd/sbin/openssl.sh
-
Check the contents of the CSR.
If necessary, use the openssl.bat req or openssl.sh req command to check the contents of the CSR. The locations of these commands are as follows:
In Windows:
$SSO_JRE\httpsd\sbin\openssl.bat
In Linux:
$SSO_JRE/httpsd/sbin/openssl.sh
-
Acquiring a certificate.
Send the CSR to the CA, and then receive a signed certificate encoded in PEM format.
-
Check the contents of the certificate issued by the CA.
If necessary, use the openssl.bat x509 or openssl.sh x509 command to check the contents of the certificate issued by the CA. The locations of these commands are as follows:
In Windows:
$SSO_JRE\httpsd\sbin\openssl.bat
In Linux:
$SSO_JRE/httpsd/sbin/openssl.sh
-
Edit the certificate issued by the CA.
In the certificate issued by the CA, copy the text from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, and then save that text in a file named ssoconsole.crt.
-
Place the certificate issued by the CA and the private key file for the Web server in the appropriate directory.
Place the ssoconsole.crt file (certificate issued by the CA) and ssoconsole.key file (private key file) in the directory shown below. When you do so, overwrite the default files that already exist in the directory. If you have created a password file (certpass.key), also place it in this directory.
In Windows:
$SSO_JRE\httpsd\conf\ssl\server
In Linux
$SSO_JRE/httpsd/conf/ssl/server
-
Place the intermediate CA certificate in the appropriate directory.
To use an SSL server certificate issued by a chained CA, place the intermediate CA certificate (chained CA certificate) file named chain-ca.crt in the following directory:
In Windows:
$SSO_JRE\httpsd\conf\ssl\cacert
In Linux:
$SSO_JRE/httpsd/conf/ssl/cacert
-
Edit the ssoconsoled action definition file.
To use an SSL server certificate issued by a chained CA, set on for the ssl-ca-cert key in the ssoconsoled action definition file.
-
Customize the URL action definition.
If you have registered a URL action in item #3 or #4 of Table 3-2, you must modify the URL action definition.#
- #:
-
You can modify the definition by using Menu Items in the NNMi console. For details about Menu Items, see the Help of the NNMi console.
In the full URL of Launch Action in the URL action definition, change the entry shown below to the host name (in FQDN format) of the server certificated by the CA certificate.
For the URL action definition of the map cooperation function (action cooperation):
${customAttributes[name=jp.co.hitachi.jp1.sso.address].value}For the URL action definition of the incident cooperation function (action cooperation):
${cias[name=event-issuer-ip-address].value}Note that you must not customize the URL action definition if there are multiple instances of SSO in a distributed configuration. In such an environment, you can use action cooperation although a security prompt is displayed by the Web browser and Java.
-
Restart SSO.