A.5 Building an environment for using HTTPS with the external system linkage configuration
This section describes how to build an environment for using an HTTPS connection with the external system linkage configuration, and presents the commands used for this purpose.
(1) Building an environment
Take the following steps to use an HTTPS connection with the external system linkage configuration.
Obtaining certificates for SSL communication for the management server
From a Certificate Authority, obtain certificates (root certificate and SSL server certificate) for SSL communication for the management server.
The flow of obtaining certificates for SSL communication for the management server is as follows:
1. Create a private key for the Web server (openssl.bat genrsa command).
2. Create a Certificate Signing Request (CSR) (openssl.bat req command).
3. Display the contents of a Certificate Signing Request (CSR) (openssl.bat req command).
   If necessary, check the contents of the Certificate Signing Request (CSR).
4. Send the CSR to the CA.
5. Acquire a certificate from the CA.
Tip: You can use the openssl.bat x509 command to check the contents of the certificate you obtained.
Tip: In the certificate you obtained, save the part from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- in another file (httpsd.pem file defined in httpsd.conf provided as standard).
Related Topics:
- (a) Creating a private key for the Web server (openssl.bat genrsa command)
- (b) Creating a Certificate Signing Request (CSR) (openssl.bat req command)
- (c) Displaying the contents of a Certificate Signing Request (CSR) (openssl.bat req command)
- (d) Displaying certificate contents (openssl.bat x509 command)
- (e) Converting the certificate format (openssl.bat x509 command)
Setting up the management server
1. Log on to the OS as a member of the Administrators group.
2. Stop the JP1/IT Desktop Management 2 services on the management server.
   Execute the following command:
   stopservice
   For details about the commands, see the JP1/IT Desktop Management 2 Administration Guide.
3. Store an SSL server certificate and a private key in the following folder on the management server:
   JP1/IT Desktop Management 2 - Manager-installation-folder\mgr\uCPSB\httpsd\conf\ssl\server
   You have to store the following files in the above folder:
   - The SSL server certificate file: httpsd.pem
   - The private key file: httpsdkey.pem
   Note: When you change the connection setting from HTTPS to HTTP, delete the SSL server certificate and private key.
4. Edit the configuration file to include a statement.
   The configuration file (jdn_manager_config.conf) exists in the following location:
   JP1/IT Desktop Management 2 - Manager-installation-folder\mgr\conf
   Edit the configuration file to include the following statement: RestAPIProtocol=1
   Note: When you change the connection setting from HTTPS to HTTP, change the statement RestAPIProtocol=1 in the configuration file to RestAPIProtocol=0. Do not delete the RestAPIProtocol row that you added.
5. From the Windows Start menu, select All Programs, JP1_IT Desktop Management 2 - Manager, Tools, and then Setup.
6. In the Setup window, click the Next button.
7. In the Select a Setup view, select Settings Modification, and then click the Next button.
8. Click the Next button until the API settings view appears.
9. Select the Use the API check box.
10. Click the Next button.
11. Click the Next button until the Confirm Setup Settings view appears.
12. In the Confirm Setup Settings view, confirm that the specified settings are correct, and then click the Next button.
    A dialog to confirm that Remote Install Manager and JP1/IT Desktop Management 2 - Asset Console have been stopped is displayed. After confirming, click the OK button. In a cluster system, take the cluster resources associated with the services displayed in the dialog offline, and then click the OK button.
13. In the Setup for Distribution by Using Remote Install Manager view, click the OK button.
    The setup process begins, and a dialog box appears indicating that setup is in progress. When setup has finished, the Setup Complete view appears.
    Important: If a dialog box with the message "Could not start the service. Service name=JP1_ITDM2_Web Server." appears, click the OK button to close the dialog box and complete the setup. Then review the SSL server certificate file and the private key file from step 3, and start the JP1_ITDM2_Web Server service directly. If a dialog box with the message "An error occurred during Setup." appears, check that the RestAPIProtocol value set in step 4 is correct.
14. In the Setup Complete view, click the OK button.
Note: In a cluster system, set up both the primary server and the standby server.
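The two failure dialogs described above point back to the certificate and key files and to the RestAPIProtocol row, so those can be checked before Setup is run. The following is an added example, not part of the original manual or the product: the function names `pem_blocks` and `preflight` are hypothetical, the two paths are passed in by the caller, and only the file names and the RestAPIProtocol=1 value come from this page.

```python
import base64
import re
from pathlib import Path

# Added example, not product code. File names are the ones used on this page.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, decoded bytes) for each well-formed PEM block."""
    found = []
    for label, body in PEM_RE.findall(text):
        # Password-protected keys carry "Proc-Type:"/"DEK-Info:" header lines.
        b64 = "".join(s.strip() for s in body.splitlines() if ":" not in s)
        try:
            found.append((label, base64.b64decode(b64, validate=True)))
        except ValueError:
            pass  # delimiters are present but the payload is not base64
    return found


def preflight(ssl_dir, conf_file):
    """Return a list of problems; an empty list means the files look sane."""
    problems = []
    checks = (
        # A certificate is DER, so its first byte is the SEQUENCE tag 0x30.
        ("httpsd.pem", lambda lb, d: lb == "CERTIFICATE" and d[:1] == b"\x30"),
        ("httpsdkey.pem", lambda lb, d: lb in KEY_LABELS and len(d) > 0),
    )
    for name, ok in checks:
        path = Path(ssl_dir) / name
        if not path.is_file():
            problems.append(f"{name}: file is missing")
            continue
        blocks = pem_blocks(path.read_text(errors="replace"))
        good = sum(1 for lb, d in blocks if ok(lb, d))
        if good != 1:
            problems.append(f"{name}: expected 1 valid PEM block, found {good}")
    values = []
    if Path(conf_file).is_file():
        for line in Path(conf_file).read_text(errors="replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "RestAPIProtocol":
                values.append(value.strip())
    if values != ["1"]:
        problems.append(f"RestAPIProtocol: expected one '=1' row, found {values}")
    return problems
```

The check covers file presence, PEM delimiters and payload, and the configuration row; it does not confirm that the private key belongs to the certificate or that the certificate chains to the CA.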
(2) Commands used to acquire certificates for SSL communication
The following describes the commands used to acquire certificates for SSL communication.
The commands are stored in the following folder:
JP1/IT Desktop Management 2 - Manager-installation-folder\mgr\uCPSB\httpsd\bin
(a) Creating a private key for the Web server (openssl.bat genrsa command)
Functionality
This section describes the openssl.bat genrsa command, which creates a private key for the Web server.
Format
openssl.bat∆genrsa∆-rand∆file-name[:file-name...]∆-out∆key-file∆[512|1024|2048|4096]
Operand
- -rand∆file-name[:file-name...]
  Specify any file to be used for random number generation.
- -out∆key-file
  Specify the file to which the Web server private key is output.
- 512|1024|2048|4096
  Specify the bit length of the Web server private key. If this operand is omitted, 2048 is assumed.
Notes
If you enter a password that is 3 characters long or less, a message prompts you to enter at least 4 characters and no more than 1,023 characters. In this version, enter a password of 4 to 64 characters. Note that entering a password of 65 characters or longer does not result in an error.
Example
To create the httpsdkey.pem Web server private key:
openssl.bat genrsa -rand C:\WINNT\NOTEPAD.EXE -out httpsdkey.pem 2048
(b) Creating a Certificate Signing Request (CSR) (openssl.bat req command)
Functionality
This section describes the openssl.bat req command, which creates a Certificate Signing Request (CSR). The created CSR file is submitted to the CA, which then issues the signed certificate. The CSR is created in the format conforming to PKCS #10.
Format
openssl.bat∆req∆-new∆-sha256∆-key∆key-file∆-out∆CSR-file
Operand
- -sha256
  Specifies that the signature algorithm sha256WithRSAEncryption is used when the CSR is created.
- -key∆key-file
  Specify the Web server private key file.
- -out∆CSR-file
  Specify the file to which the created CSR is output.
Example
To create a Certificate Signing Request (CSR) by using the Web server private key file httpsdkey.pem, specify as follows:
openssl.bat req -new -sha256 -key httpsdkey.pem -out httpsd.csr
If you have set a password when creating the private key for the Web server, you are prompted to enter the password. For the items to be set, follow the instructions from the CA to which you submit the Certificate Signing Request (CSR).
(c) Displaying the contents of a Certificate Signing Request (CSR) (openssl.bat req command)
Functionality
This section describes the openssl.bat req command, which displays the contents of a Certificate Signing Request (CSR).
Format
openssl.bat∆req∆-in∆CSR-file∆-text
Operand
- -in∆CSR-file
  Specify the CSR file to be displayed.
Example
To display the CSR file httpsd.csr, specify as follows:
openssl.bat req -in httpsd.csr -text
(d) Displaying certificate contents (openssl.bat x509 command)
Functionality
This section describes the openssl.bat x509 command, which displays the contents of a certificate file. The following command displays the part of the certificate file that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
Format
openssl.bat∆x509∆-in∆certificate-file∆-text
Operand
- -in∆certificate-file
  Specify the certificate file to be displayed.
Example
To display the certificate file httpsd.pem, specify as follows:
openssl.bat x509 -in httpsd.pem -text
(e) Converting the certificate format (openssl.bat x509 command)
Functionality
This section describes the openssl.bat x509 command, which converts the certificate format. Use this functionality as necessary.
Format
openssl.bat∆x509∆-inform∆input-format∆-outform∆output-format∆-in∆input-file∆-out∆output-file
Operand
- -inform∆input-format
  Specify the input format of the certificate file before conversion. The following input formats can be specified:
  - DER
  - PEM
- -outform∆output-format
  Specify the output format of the certificate file after conversion. The following output formats can be specified:
  - DER
  - PEM
- -in∆input-file
  Specify the certificate file before conversion.
- -out∆output-file
  Specify the certificate file after conversion.