Figure 316. AS/400 Tasks Page
3. Click Digital Certificate Manager.
iSeries Wired Network Security
Figure 317. Create a Certificate Authority
4. Click Create a Certificate Authority (CA).
If you have a 4758 Cryptographic Coprocessor installed and configured,
you will be presented first with a selection window to specify where to store
the Certificate Authority’s private key. An example is shown in Figure 318.
Otherwise the window in Figure 319 on page 432 is shown.
Figure 318. Select a Key Storage Location window
Appendix D. Creating a local Certificate Authority
Figure 319. Create Certificate Authority Form
5. Complete the Create a Certificate Authority (CA) window and click
Continue.
Table 20 shows the fields in the Create a Certificate Authority (CA) window
and the values used in this setup.
Table 20. Create a Certificate Authority (CA) window fields
Field                                        Value
Key size                                     512
Certificate store password                   password
Confirm password                             password
Certificate Authority name                   ITSO Certificate Authority
Organization unit                            iSeries ITSORaleigh
Organization name                            IBM
Locality or city                             Research Triangle Park
State or province                            North Carolina
Country                                      US
Validity period of Certificate Authority     2000
Digital Certificate Manager processes the form and creates the following
files in the directory /QIBM/UserData/ICSS/Cert/CertAuth:
- CA.TXT: Contains the CA certificate in Base64 encoded form
- DEFAULT.KDB: Contains the private key and the CA certificate
- DEFAULT.POL: Is the CA policy file
- DEFAULT.RDB: Is the CA’s request database.
Note
Note that this directory in releases prior to V5R1 also contained a
stashed password file (DEFAULT.STH). This file contains the CA
certificate store password in stashed form and was used by system
functions to access the database. In V5R1 and through PTFs in V4R5,
the stashed password file no longer exists. Instead the stashed password
is stored in an internal system object not accessible by any user
program.
In the /QIBM/UserData/ICSS/Cert/Download/CertAuth directory is the
CA.CACRT file, the binary form of the CA certificate.
Figure 320. Install Local CA Certificate window
The Install Certificate link allows you to install the CA certificate on your
browser.
6. Click the Install certificate link to receive the CA certificate and then click
Continue. Or you may just click Continue if you do not need the CA
certificate on the PC you are performing the configuration with.
The Certificate Authority (CA) Policy Data window is displayed.
Figure 321. Certificate Authority (CA) Policy Data window
7. Select Yes to Allow creation of user certificates and click Continue.
You have now created a local CA on your system and can use it to issue
certificates for server and client applications, object signing, and users.
Note
When you create a Certificate Authority (CA) with Digital Certificate
Manager, you can specify the policy data for the CA. The policy data for
a CA describes the signing privileges that it has. The policy data
determines whether the CA can issue and sign user certificates and
how long certificates that the CA issues are valid.
You see a confirmation message that the policy data has been accepted
(see Figure 322 on page 436).
Figure 322. Policy Data Accepted window
8. Click Continue.
The next step is to create a server certificate that secure server and client
applications can use during the SSL handshake.
9. Complete the Create a Server or Client Certificate form (Figure 323).
Table 21 shows the values you have to enter in each field in the window.
Figure 323. Create a Server or Client Certificate window
Table 21 shows the fields in the Create a Server or Client Certificate
window and the values used in this setup.
Table 21. Create a Server or Client Certificate window fields
Field                                Value
Key size                             512
Certificate label                    Server cert for SSL (local CA)
Certificate store password           password
Confirm password                     password
Server name                          as4b
Organization unit                    ITSO
Organization name                    IBM
Locality or city                     Research Triangle Park
State or province                    North Carolina
Country                              US
Subject Alternative Name fields      blank
10. Click Continue.
DCM creates the system certificate in the *SYSTEM certificate store. The
*SYSTEM certificate store consists of the following files in the
/QIBM/UserData/ICSS/Cert/Server directory:
- DEFAULT.KDB: Contains server and client certificates with their private keys
- DEFAULT.RDB: Is the certificate request database
DCM displays the next window to select applications that will use this
server certificate. At the top of the window a confirmation message is
displayed that the server certificate has been created.
Figure 324. Select applications that will use this certificate
11. Select the server applications that will use the new server certificate.
12. Click Continue at the bottom of the window.
A confirmation message is displayed saying that the selected applications
will use the new server certificate. See Figure 325 on page 440.
Figure 325. Application Status window
The next steps are new in V5R1 and will create the object signing
certificate store.
13. Click Continue.
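As an added example (not code from the Redbook or from DCM), the CA step of Table 20 and the server-certificate step of Table 21 carried out with OpenSSL on a workstation, so that the Base64 (CA.TXT) and binary (CA.CACRT) forms of the CA certificate and the certificate issued to as4b can be checked against each other. It assumes openssl 1.1.1 or later on the PATH and uses 2048-bit keys instead of the 512-bit size in the tables, because current OpenSSL refuses 512-bit RSA during chain verification at its default security level.

```shell
#!/bin/sh
# Added example, not DCM's own code. File names CA.TXT and CA.CACRT mirror
# the names DCM writes; the demo private keys are left unencrypted.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Distinguished-name values from Table 20 (CA) and Table 21 (server).
CA_SUBJ="/C=US/ST=North Carolina/L=Research Triangle Park/O=IBM/OU=iSeries ITSORaleigh/CN=ITSO Certificate Authority"
SRV_SUBJ="/C=US/ST=North Carolina/L=Research Triangle Park/O=IBM/OU=ITSO/CN=as4b"
CA_DAYS=2000   # "Validity period of Certificate Authority" in Table 20

create_ca() {
  # Step 5: self-signed CA certificate plus private key (DCM keeps both in
  # DEFAULT.KDB). CA.TXT is the Base64 (PEM) form of the certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
    -subj "$CA_SUBJ" -keyout "$WORK/ca.key" -out "$WORK/CA.TXT" 2>/dev/null
  # CA.CACRT is the same certificate in binary (DER) form.
  openssl x509 -in "$WORK/CA.TXT" -outform DER -out "$WORK/CA.CACRT"
}

issue_server_cert() {
  # Step 9: a request for server "as4b", then the local CA signs it.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SRV_SUBJ" \
    -keyout "$WORK/as4b.key" -out "$WORK/as4b.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/as4b.csr" -CA "$WORK/CA.TXT" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/as4b.crt" 2>/dev/null
}

# The check a client performs during the SSL handshake: does the server
# certificate chain to the trusted CA certificate? Exit status 0 means yes.
verify_chain() {
  openssl verify -CAfile "$WORK/CA.TXT" "$WORK/as4b.crt" >/dev/null 2>&1
}

# CA.CACRT must be byte-for-byte the DER decoding of CA.TXT.
der_matches_pem() {
  openssl x509 -in "$WORK/CA.TXT" -outform DER | cmp -s - "$WORK/CA.CACRT"
}

# Subject of the issued server certificate, for inspection.
server_subject() {
  openssl x509 -in "$WORK/as4b.crt" -noout -subject
}

create_ca
issue_server_cert
verify_chain && echo "as4b.crt chains to the local CA; files are in $WORK"
```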