System Configuration

The system configuration procedures are:

  • "Following the Midframe Article"

  • "Creating the wcappKeyStore"

  • "Installing the FM Public Key In the wcappKeyStore"

  • "Installing the wcapp Public Key In the fmKeystore"

  • "Configuring wcapp To Use SSL"

Following the Midframe Article

To build a secure Sun Fire Link network, follow the recommendations of the "Building Secure Sun Fire Link Interconnect Networks Using Midframe Servers" article at: http://www.sun.com/solutions/blueprints/0203/817-1656.pdf.

If you are building a direct-connect topology, an MSP is not required. However, you must still set up the FM's proxy on each domain to use SSL for the communication between it and the FM. If you do not deploy an MSP, choose the machine on which the FM resides with care, because that machine holds the FM's private key and its trust store (the fmKeyStore).

Creating the wcappKeyStore

"Building Secure Sun Fire Link Interconnect Networks Using Midframe Servers" discusses the motivation and technology behind SSL. For an overview of SSL and public key cryptography, refer to that article.

In the midframe article, two keystores were created: the FM proxy keystore and the FM keystore. This article creates an additional keystore (the wcappKeyStore) and adds another trusted key to the FM keystore. FIGURE 4 shows where the certificates (public keys) and private keys are distributed.

FIGURE 4 Public and Private Key Locations

To Create the wcappKeyStore

  1. Create the keystore and generate the key pair by typing the following command in a safe private directory on the MSP.

    NOTE

    You must type this command as a single line. Multiple lines are used in the examples for legibility purposes only. Press Return at the wcappKey password prompt so that the key password is the same as the keystore password.

    # /usr/bin/keytool -genkey -dname "cn=CommonName, ou=OrganizationUnit,
     o=CompanyName, st=StateName, c=US" -alias wcappKey -keystore
     wcappKeyStore -validity 180
    Enter keystore password: YourPassword
    Enter key password for wcappKey:
        (RETURN if same as keystore password):

    The preceding command creates the keystore named wcappKeyStore in the working directory and assigns it the password YourPassword. Substitute your own password for YourPassword. This password must be known only to the administrators; it is referred to as the keystore password. You must remember this password because it is used in other steps, and it is later written into the ssl.info file on each SC.

    The placeholder items in the preceding command (CommonName, OrganizationUnit, CompanyName, StateName) represent values, and the keywords are abbreviations for the following:

TABLE 1 X.500 Distinguished Names

  Keyword   X.500 Distinguished Name         Example
  -------   -------------------------------  -----------------
  cn        CommonName (name of person)      John Smith
  ou        OrganizationUnit (department)    Purchasing
  o         OrganizationName (company)       ABC Systems, Inc.
  l         LocalityName (city name)         Burlington
  st        StateName (state)                MA
  c         Country                          US


The distinguished names are used to identify entities, such as those named by the subject and issuer.

CAUTION

Keytool generates a public and private key pair for the wcappKey entry. The generated certificate expires in 180 days. Every 180 days you must generate a new key pair, replace the wcappKeyStore (which holds the private key) on each SC, and replace the wcappKey certificate (public key) in the fmKeyStore on the FM. Whenever you re-import a certificate, compare the fingerprint that keytool prints with the fingerprint of the certificate you exported; do not answer "yes" to "Trust this certificate?" for a certificate whose fingerprint you have not verified.

  2. Verify that the keystore was correctly created and that the key entry is contained in the keystore.

    Substitute the keystore password you specified in the previous command for YourPassword.

    # keytool -list -keystore wcappKeyStore
    Enter keystore password: YourPassword

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry:

    wcappkey, Fri Apr 11 12:11:44 EDT 2003, keyEntry,
    Certificate fingerprint (MD5):
    F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36

    The MD5 fingerprint and date will be different from those shown. Keytool treats aliases case-insensitively and lists them in lower case, so wcappKey appears as wcappkey.

  3. Generate a file that contains the certificate (public key) for the wcapp key.

    This certificate will be installed in the fmKeyStore.

    # /usr/bin/keytool -export -alias wcappKey
     -keystore wcappKeyStore > wcappCert
    Enter keystore password: YourPassword

  4. Verify that the certificate file was created:

    # /usr/bin/keytool -printcert -file wcappCert
    Owner: CN=CommonName, OU=OrganizationUnit,
     O=CompanyName, ST=StateName, C=US
    Issuer: CN=CommonName, OU=OrganizationUnit,
     O=CompanyName, ST=StateName, C=US
    Serial number: 3cb70740
    Valid from: Fri Apr 11 12:11:44 EDT 2003
    until: Thu Oct 09 12:11:44 EDT 2003
    Certificate fingerprints:
         MD5: F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
         SHA1: 6C:76:5D:E9:64:84:08:E2:95:0B:64:95:70:6D:3F:E9:
         F5:D5:87:7E

    The strings for CommonName and the other keywords are what you entered in the keytool -genkey command in Step 1. The certificate fingerprint and date must be the same as those displayed when the wcappKeyStore was listed in Step 2. The certificate is self-signed, so Owner and Issuer are identical.

Installing the FM Public Key In the wcappKeyStore

For the wcapp program to authenticate the FM over the SSL connection between them, the FM certificate (public key) must be placed in the wcappKeyStore. First you must export the certificate from the FM keystore. For the following command to work, you must have followed the instructions in the article "Building Secure Sun Fire Link Interconnect Networks Using Midframe Servers."

To Install the FM Public Key in the wcappKeyStore

  1. Generate a file that contains the certificate (public key) for the fmKey.

    This certificate will be installed in the wcappKeyStore.

    # /usr/bin/keytool -export -alias fmKey -keystore
     /opt/SUNWwcfm/classes/fmKeyStore > fmCert
    Enter keystore password: YourPassword

  2. Verify that the certificate file was created.

    # /usr/bin/keytool -printcert -file fmCert
    Owner: CN=CommonName, OU=OrganizationUnit,
     O=CompanyName, ST=StateName, C=US
    Issuer: CN=CommonName, OU=OrganizationUnit,
     O=CompanyName, ST=StateName, C=US
    Serial number: 84848484
    Valid from: Fri Apr 11 12:15:44 EDT 2003 until:
     Thu Oct 09 12:15:44 EDT 2003
    Certificate fingerprints:
         MD5: F2:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
         SHA1: 6D:76:5D:E9:64:84:08:E2:95:0B:64:95:70:6D:3F:
         E9:F5:D5:87:7E

    The strings for CommonName and the other keywords are what you entered when the fmKeyStore was created by following the midframe article. The fingerprint must match the one shown when the fmKeyStore is listed on the FM; a certificate whose fingerprint you cannot confirm that way should not be imported.

  3. Import the FM certificate into the wcappKeyStore. Name the entry with -alias; without it, keytool stores the certificate under the default alias mykey.

    # /usr/bin/keytool -import -alias fmKey -file fmCert
     -keystore wcappKeyStore
    Enter keystore password: YourPassword
    Owner: CN=CommonName, OU=OrganizationUnit,
     O=CompanyName, ST=StateName, C=US
    Issuer: CN=CommonName, OU=OrganizationUnit,
     O=CompanyName, ST=StateName, C=US
    Serial number: 84848484
    Valid from: Fri Apr 11 12:15:44 EDT 2003 until:
     Thu Oct 09 12:15:44 EDT 2003
    Certificate fingerprints:
         MD5: F2:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
         SHA1: 6D:76:5D:E9:64:84:08:E2:95:0B:64:95:70:6D:3F:
         E9:F5:D5:87:7E
    Trust this certificate? [no]: yes
    Certificate was added to keystore

  4. Validate that the wcappKeyStore contains the private key for wcapp and the certificate (public key) for the FM:

    # /usr/bin/keytool -list -keystore wcappKeyStore
    Enter keystore password: YourPassword
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 2 entries:
    wcappkey, Fri Apr 11 12:11:44 EDT 2003, keyEntry,
    Certificate fingerprint (MD5):
    F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
    fmkey, Fri Apr 11 12:15:44 EDT 2003, trustedCertEntry,
    Certificate fingerprint (MD5):
    F2:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36

Installing the wcapp Public Key In the fmKeystore

To Install the wcapp Public Key in the fmKeyStore

  1. Type the following command to import the wcapp certificate into the fmKeyStore.

    The fmKeyStore needs the certificate (public key) of the wcapp key pair so that the FM can authenticate wcapp. As before, name the entry with -alias, and compare the fingerprint shown with the one printed for wcappCert in "Creating the wcappKeyStore" before answering yes.

    # /usr/bin/keytool -import -alias wcappKey -file wcappCert
     -keystore /opt/SUNWwcfm/classes/fmKeyStore
    Enter keystore password: YourPassword
    Owner: CN=CommonName, OU=OrganizationUnit,
     O=CompanyName, ST=StateName, C=US
    Issuer: CN=CommonName, OU=OrganizationUnit,
     O=CompanyName, ST=StateName, C=US
    Serial number: 3cb70740
    Valid from: Fri Apr 11 12:11:44 EDT 2003 until:
     Thu Oct 09 12:11:44 EDT 2003
    Certificate fingerprints:
         MD5: F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
         SHA1: 6C:76:5D:E9:64:84:08:E2:95:0B:64:95:70:6D:3F:
         E9:F5:D5:87:7E
    Trust this certificate? [no]: yes
    Certificate was added to keystore

  2. Validate that the fmKeyStore contains the private key for the FM and the certificate (public key) for wcapp:

    # /usr/bin/keytool -list -keystore
     /opt/SUNWwcfm/classes/fmKeyStore
    Enter keystore password: YourPassword
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 2 entries:
    fmkey, Fri Apr 11 12:15:44 EDT 2003, keyEntry,
    Certificate fingerprint (MD5):
    F2:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
    wcappkey, Fri Apr 11 12:11:44 EDT 2003, trustedCertEntry,
    Certificate fingerprint (MD5):
    F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
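The three keystore procedures above ("Creating the wcappKeyStore", "Installing the FM Public Key In the wcappKeyStore" and "Installing the wcapp Public Key In the fmKeystore") as one non-interactive script. This is an added example, not code from the Sun article. It assumes that keytool is on the PATH, that it runs in a private scratch directory on the host that holds the FM keystore (the MSP, as on this page), that FM_KEYSTORE is the fmKeyStore path the article uses, and that the placeholder YourPassword is replaced with the real keystore password. What it adds to the manual steps is the check the article leaves to the eye: every imported trusted entry is compared by SHA1 fingerprint with the certificate file that was handed over, and the run stops if they differ. Every entry is named with -alias, because keytool otherwise files an imported certificate under mykey.

```shell
#!/bin/sh
# Added example (not from the Sun article): non-interactive version of the
# keystore exchange with fingerprint verification on every import.
# Assumptions (hypothetical): keytool is on PATH; the working directory is a
# private scratch directory; FM_KEYSTORE is the FM keystore created by the
# midframe article; STOREPASS is replaced with the real keystore password.
# Passing the password with -storepass makes it visible in ps on a shared
# host; where that is unacceptable, use keytool's interactive prompts.
set -u

FM_KEYSTORE=${FM_KEYSTORE:-/opt/SUNWwcfm/classes/fmKeyStore}
WCAPP_KEYSTORE=${WCAPP_KEYSTORE:-wcappKeyStore}
STOREPASS=${STOREPASS:-YourPassword}
DNAME='cn=CommonName, ou=OrganizationUnit, o=CompanyName, st=StateName, c=US'

# Read keytool -printcert / -list -v output on stdin and print the
# fingerprint for ALGO ("MD5" or "SHA1") as bare upper-case hex, so two
# renderings of the same digest compare equal as strings.
extract_fingerprint() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1 |
        tr -d ' :\r' | tr 'a-f' 'A-F'
}

# SHA1 fingerprint of a certificate file, i.e. what keytool -printcert shows.
cert_fingerprint() {
    keytool -printcert -file "$1" | extract_fingerprint SHA1
}

# SHA1 fingerprint of the entry stored under ALIAS in KEYSTORE.
entry_fingerprint() {
    keytool -list -v -alias "$2" -keystore "$1" -storepass "$STOREPASS" |
        extract_fingerprint SHA1
}

# Import CERT into KEYSTORE under ALIAS, then prove that the stored entry has
# the same SHA1 fingerprint as the file verified out of band. Returns non-zero
# if the import failed or the fingerprints differ.
import_trusted_cert() {
    ks=$1; alias=$2; cert=$3
    expected=$(cert_fingerprint "$cert")
    [ -n "$expected" ] || return 1
    keytool -import -noprompt -alias "$alias" -file "$cert" \
        -keystore "$ks" -storepass "$STOREPASS" >/dev/null || return 1
    [ "$(entry_fingerprint "$ks" "$alias")" = "$expected" ]
}

main() {
    # Step 1: wcapp key pair; the private key never leaves wcappKeyStore.
    keytool -genkey -dname "$DNAME" -alias wcappKey -validity 180 \
        -keystore "$WCAPP_KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"

    # Export each side's certificate (public key only).
    keytool -export -alias wcappKey -keystore "$WCAPP_KEYSTORE" \
        -storepass "$STOREPASS" -file wcappCert
    keytool -export -alias fmKey -keystore "$FM_KEYSTORE" \
        -storepass "$STOREPASS" -file fmCert

    # Cross-import with explicit aliases and verify each trusted entry.
    import_trusted_cert "$WCAPP_KEYSTORE" fmKey fmCert ||
        { echo "fmKey import into $WCAPP_KEYSTORE failed verification" >&2; exit 1; }
    import_trusted_cert "$FM_KEYSTORE" wcappKey wcappCert ||
        { echo "wcappKey import into $FM_KEYSTORE failed verification" >&2; exit 1; }

    # Final state: each keystore holds its own keyEntry plus the peer's
    # trustedCertEntry; wcappKeyStore is then distributed to the SCs.
    keytool -list -keystore "$WCAPP_KEYSTORE" -storepass "$STOREPASS"
    keytool -list -keystore "$FM_KEYSTORE" -storepass "$STOREPASS"
}

# Run the procedure only when asked for: sh exchange.sh run
case "${1:-}" in run) main ;; esac
```

Run it as `sh exchange.sh run` in the scratch directory; without the argument it only defines the functions, so extract_fingerprint can be reused to compare fingerprints that were read out to you over the phone or pasted into a ticket, whatever their case or separators.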

Configuring wcapp To Use SSL

These steps must be performed on every SC (both the primary and the backup) in your configuration. For example, if you have two Sun Fire 15K or Sun Fire 12K systems you must repeat the following installation steps on all four SCs:

  • "To Configure wcapp Java Virtual Machine to use SSL"

  • "To Install the wcappKeyStore"

  • "To Create the ssl.info File"

  • "To Stop and Restart wcapp"

To Configure wcapp Java Virtual Machine to use SSL

  1. Download the Java™ Secure Socket Extension (JSSE) 1.0.3 program.

    You can download the file to any location on your local disk. Note that JSSE 1.0.3 requires that you have Java 1.2.1 or greater already installed. You can download the file from:

    http://java.sun.com/products.
    The file name is jsse-1_0_3-do.zip.

  2. Uncompress and extract the downloaded file.

    This creates a directory named jsse1.0.3, with two subdirectories named doc and lib. The following command unzips the download:

    # unzip jsse-1_0_3-do.zip
    Archive: jsse-1_0_3-do.zip
     inflating: jsse1.0.3/BUGS.html
     inflating: jsse1.0.3/CHANGES.txt
     inflating: jsse1.0.3/COPYRIGHT.ht
    ... Many more files are listed

  3. Copy the extension files into the installed-extension directory of the JRE that runs wcapp.

    The JSSE lib subdirectory contains the extension files jsse.jar, jcert.jar and jnet.jar. In the following commands, $JRE stands for the directory of that JRE (this article uses /usr/java1.2, so the target directory is /usr/java1.2/lib/ext):

    # cp jsse1.0.3/lib/jsse.jar $JRE/lib/ext/jsse.jar
    # cp jsse1.0.3/lib/jcert.jar $JRE/lib/ext/jcert.jar
    # cp jsse1.0.3/lib/jnet.jar $JRE/lib/ext/jnet.jar

  4. Verify that the files exist and that they are owned by root.

    # ls -l $JRE/lib/ext
    -rw-r--r--  1 root   root 7637 Feb 20 10:17 jcert.jar
    -rw-r--r--  1 root   root 3098 Feb 20 10:17 jnet.jar
    -rw-r--r--  1 root   root 463471 Feb 20 10:17 jsse.jar

    Installed extensions are loaded by every JVM that uses this JRE, so they must not be writable by anyone other than root.

  5. Register the SunJSSE provider.

    The standard JSSE comes with a cryptographic service provider (provider for short) named SunJSSE. It is not registered by default. A provider can be registered dynamically by an application, but for wcapp it is registered statically, by editing the security properties file, which is located at:

    $JRE/lib/security/java.security

    One of the types of properties contained in the java.security file is of the following form:

    security.provider.n=providerClassName

    This line declares a security provider and its preference order n; providers with lower numbers are consulted first.

  6. Add a new line for the SunJSSE provider after the standard provider shipped with the Java run-time environment (JRE), using the next unused number.

    The entries should now look like:

    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.sun.net.ssl.internal.ssl.Provider

To Install the wcappKeyStore

The previously created keystore (wcappKeyStore) must be distributed to each SC. Because the file contains the wcapp private key, copy it over an encrypted channel such as scp rather than with ftp or rcp.

  1. Execute the following command.

    Substitute the host name of the server that is acting as your MSP for MSP.

    # scp MSP:/privatedir/wcappKeyStore
     /opt/SUNWSMS/SMS1.3/classes/wcappKeyStore

  2. Verify that this file is readable by root only.

    It is important to protect the private key. The mode must be -rw------- and the owner root; if it is not, correct it with chmod 600 and chown root before continuing.

    # ls -l /opt/SUNWSMS/SMS1.3/classes/wcappKeyStore
    -rw-------  1 root   root 7637 Feb 20 10:17
     /opt/SUNWSMS/SMS1.3/classes/wcappKeyStore

  3. Edit the wcapp policy file so that wcapp has read access to the wcappKeyStore and ssl.info files.

    The wcapp policy file is located at /opt/SUNWSMS/SMS1.3/classes/com/sun/wildcat/common/server.policy. Add the following lines above the closing }; of the grant block. The quoted path must match the file name exactly; a stray space inside the quotes grants read access to a nonexistent path and wcapp will still be unable to open the file.

    permission java.io.FilePermission
    "/opt/SUNWSMS/SMS1.3/classes/wcappKeyStore", "read";
    permission java.io.FilePermission
    "/opt/SUNWSMS/SMS1.3/classes/ssl.info", "read";

To Create the ssl.info File

The ssl.info file contains the information that wcapp needs to use SSL, including the keystore password in clear text, so it must be protected as carefully as the keystore itself.

  1. Create a file named /opt/SUNWSMS/SMS1.3/classes/ssl.info containing the following lines.

    Substitute the keystore password for YourPassword.

    KEY_STORE_PASSPHRASE=YourPassword
    KEY_STORE_LOCATION=/opt/SUNWSMS/SMS1.3/classes/wcappKeyStore

  2. Verify that the file is readable by root only.

    This information is sensitive. Access to the file must be restricted to root; create it with a restrictive umask, or chmod 600 it immediately after creating it. The following command verifies the access to the file:

    # ls -l /opt/SUNWSMS/SMS1.3/classes/ssl.info
    -rw-------  1 root   root 7637 Feb 20 10:17
    /opt/SUNWSMS/SMS1.3/classes/ssl.info
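The SC-side steps of "To Configure wcapp Java Virtual Machine to use SSL", "To Install the wcappKeyStore" and "To Create the ssl.info File" as one idempotent script. This is an added example and not the article's own code. It uses the file paths this page gives; the JRE directory ($JRE, default /usr/java1.2), the MSP host name ($MSP), the unpacked jsse1.0.3/lib directory and the placeholder password are assumptions to be replaced. Beyond the manual steps it registers the provider at the next free security.provider number rather than assuming that 2 is free, creates ssl.info under umask 077 so the password is never even briefly world-readable, inserts each FilePermission line only once and without stray spaces, and refuses to finish unless both secret files are root-owned and mode 0600.

```shell
#!/bin/sh
# Added example (not from the Sun article): SC-side setup for wcapp SSL.
# Assumptions (hypothetical placeholders): JRE is the JRE that runs wcapp,
# MSP is the MSP host name, JSSE_LIB is the unpacked jsse1.0.3/lib directory
# and STOREPASS is the real keystore password. File paths are the article's.
set -u

JRE=${JRE:-/usr/java1.2}
MSP=${MSP:-msp}
JSSE_LIB=${JSSE_LIB:-jsse1.0.3/lib}
STOREPASS=${STOREPASS:-YourPassword}
CLASSES=/opt/SUNWSMS/SMS1.3/classes
POLICY=$CLASSES/com/sun/wildcat/common/server.policy
PROVIDER=com.sun.net.ssl.internal.ssl.Provider

# Highest security.provider.N already declared in a java.security file (0 if none).
max_provider_index() {
    n=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -n 1)
    echo "${n:-0}"
}

# Register CLASS at the next free index unless it is already listed.
# Prints the index the provider has afterwards.
register_provider() {
    file=$1; class=$2
    esc=$(printf '%s' "$class" | sed 's/\./\\./g')
    have=$(sed -n "s/^security\.provider\.\([0-9][0-9]*\)=${esc}\$/\1/p" "$file" | head -n 1)
    if [ -n "$have" ]; then echo "$have"; return 0; fi
    next=$(( $(max_provider_index "$file") + 1 ))
    printf 'security.provider.%s=%s\n' "$next" "$class" >>"$file"
    echo "$next"
}

# Mode column ("-rw-------") and numeric owner uid of a file, via ls -ln
# (works the same on Solaris and Linux, unlike stat).
file_mode() { set -- $(ls -ln "$1") && printf '%.10s\n' "$1"; }
file_uid()  { set -- $(ls -ln "$1") && echo "$3"; }

# True only for a regular file owned by root with mode 0600.
is_root_private() {
    [ -f "$1" ] && [ "$(file_mode "$1")" = "-rw-------" ] && [ "$(file_uid "$1")" = 0 ]
}

# Create ssl.info under a private umask so it is never world-readable, not
# even between creation and a later chmod.
write_ssl_info() {
    file=$1; passphrase=$2; keystore=$3
    old=$(umask); umask 077
    printf 'KEY_STORE_PASSPHRASE=%s\nKEY_STORE_LOCATION=%s\n' "$passphrase" "$keystore" >"$file"
    umask "$old"
}

# Add a read FilePermission for PATH above the closing "};" of the policy
# file, once; the path is written exactly, with no stray spaces.
grant_read() {
    policy=$1; path=$2
    grep -qF "\"$path\", \"read\"" "$policy" && return 0
    awk -v p="$path" '
        /^};/ && !done { printf "    permission java.io.FilePermission \"%s\", \"read\";\n", p; done = 1 }
        { print }' "$policy" >"$policy.tmp" && mv "$policy.tmp" "$policy"
}

main() {
    for jar in jsse.jar jcert.jar jnet.jar; do          # installed extensions
        cp "$JSSE_LIB/$jar" "$JRE/lib/ext/$jar" && chown root "$JRE/lib/ext/$jar"
    done
    register_provider "$JRE/lib/security/java.security" "$PROVIDER" >/dev/null

    scp "$MSP:/privatedir/wcappKeyStore" "$CLASSES/wcappKeyStore"   # encrypted copy
    chown root "$CLASSES/wcappKeyStore" && chmod 600 "$CLASSES/wcappKeyStore"
    write_ssl_info "$CLASSES/ssl.info" "$STOREPASS" "$CLASSES/wcappKeyStore"

    for f in wcappKeyStore ssl.info; do
        grant_read "$POLICY" "$CLASSES/$f"
        is_root_private "$CLASSES/$f" || { echo "$CLASSES/$f is not root-only" >&2; exit 1; }
    done
    echo "wcapp SSL files installed; restart SMS to activate"
}

# Run only when asked for: sh wcapp-ssl-setup.sh run
case "${1:-}" in run) main ;; esac
```

Run it as root on each SC with `sh wcapp-ssl-setup.sh run`, then stop and restart SMS as described in the next procedure. Running it a second time is harmless: the provider line and the policy permissions are only added if absent.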

To Stop and Restart wcapp

To make wcapp use SSL and the enhanced security settings, you must stop and restart wcapp, which means stopping and restarting the entire SMS. If failover is enabled, the SC fails over when SMS is stopped, so disable failover first, then modify and test one SC before you make the other SC the main SC. Modify and test that SC as well before you re-enable failover.

  1. Type the following command to stop SMS (and with it wcapp):

    # /etc/init.d/sms stop

  2. Type the following command to restart SMS:

    # /etc/init.d/sms start

  3. Verify that wcapp restarted with enhanced security.

    Only the critical lines of output are listed. The rest are omitted for readability.

    # tail /tmp/scapout.out
    .
    .
    .
    using SSL.
    .
    .
    .

  4. Repeat Steps 1 through 3 for each SC.
