System Configuration
The system configuration procedures are:
"Following the Midframe Article" on page 7
"Creating the wcappKeyStore" on page 8
"Installing the FM Public Key In the wcappKeyStore" on page 11
"Installing the wcapp Public Key In the fmKeystore" on page 14
"Configuring wcapp To Use SSL" on page 15
Following the Midframe Article
To build a secure Sun Fire Link network, follow the recommendations of the "Building Secure Sun Fire Link Interconnect Networks Using Midframe Servers" article at: http://www.sun.com/solutions/blueprints/0203/817-1656.pdf.
If you are building a direct-connect topology, an MSP is not required. However, you still must set up the FM's proxy on each domain to use SSL for communication between it and the FM. If you do not deploy an MSP, you must select the machine where the FM resides with caution.
Creating the wcappKeyStore
"Building Secure Sun Fire Link Interconnect Networks Using Midframe Servers" discusses the motivation and technology behind SSL. For an overview of SSL and public key cryptography, refer to that article.
In that article, two keystores were created: the FM Proxy keystore and the FM keystore. In this article, an additional keystore is created and another key is added to the FM keystore. FIGURE 4 shows where the certificates (public keys) and private keys are distributed.
FIGURE 4 Public and Private Key Locations
To Create the wcappKeyStore
1. Create the keystore and generate the key pair by typing the following command in a safe private directory on the MSP.
NOTE
You must type this command as a single line. Multiple lines are used in the examples for legibility purposes only. Press Return at the key password prompt so that the key password is the same as the keystore password.

# /usr/bin/keytool -genkey -dname "cn=CommonName, ou=OrganizationName, o=CompanyName, s=SN, c=US" -alias wcappKey -keystore wcappKeyStore -validity 180
Enter keystore password: YourPassword
Enter key password for <wcappKey>
        (RETURN if same as keystore password):

The preceding command creates the keystore named wcappKeyStore in the working directory and assigns it the password YourPassword. Substitute a password of your own for YourPassword. This password must be known only to the administrators. It is referred to as the keystore password. You must remember this password because it is used in other steps.
The placeholder items in the preceding command (CommonName, OrganizationName, and so on) represent values that you supply, and the keywords are abbreviations for the following:
TABLE 1 X.500 Distinguished Names

KeyWord | X.500 Distinguished Name       | Example
cn      | CommonName (name of person)    | John Smith
ou      | OrganizationUnit (department)  | Purchasing
o       | OrganizationName (company)     | ABC Systems, Inc.
l       | LocalityName (city name)       | Burlington
s       | StateName (state)              | MA
c       | Country                        | US
The distinguished names are used to identify entities, such as those named by the subject and issuer.
CAUTION
Keytool generates a public and private key pair for the wcappKey entry. The generated key expires in 180 days. Every 180 days you must generate a new private and public key pair and replace the private key in the wcappKeyStore on each SC and the public key in the fmKeyStore on the FM.
2. Verify that the keystore was correctly created and that the key entry is contained in the keystore. Substitute the keystore password you specified in the previous command for YourPassword.

# keytool -list -keystore wcappKeyStore
Enter keystore password: YourPassword
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry:

wcappkey, Fri Apr 11 12:11:44 EDT 2003, keyEntry,
Certificate fingerprint (MD5): F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36

The MD5 fingerprint and date will be different from those shown.

3. Generate a file that contains the certificate (public key) for the wcapp key. This public key will be installed in the fmKeyStore.

# /usr/bin/keytool -export -alias wcappKey -keystore wcappKeyStore > wcappCert
Enter keystore password: YourPassword

4. Verify that the public key was created:

# /usr/bin/keytool -printcert -file wcappCert
Owner: CN=CommonName, OU=OrganizationName, O=CompanyName, ST=SN, C=US
Issuer: CN=CommonName, OU=OrganizationName, O=CompanyName, ST=SN, C=US
Serial number: 3cb70740
Valid from: Fri Apr 11 12:11:44 EDT 2003 until: Thu Oct 09 12:11:44 EDT 2003
Certificate fingerprints:
     MD5:  F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
     SHA1: 6C:76:5D:E9:64:84:08:E2:95:0B:64:95:70:6D:3F:E9:F5:D5:87:7E

Assume that the strings for CommonName and the other keywords are what you entered in the keytool -genkey command in Step 1. The certificate fingerprint and date should be the same as those displayed when the wcappKeyStore was listed in Step 2.
Installing the FM Public Key In the wcappKeyStore
For the wcapp program to authenticate the SSL connection between the FM and wcapp, the FM public key must be placed in the wcappKeyStore. First you must extract the public key from the FM keystore. For the following command to work, you must have followed the instructions in the article "Building Secure Sun Fire Link Interconnect Networks Using Midframe Servers."
To Install the FM Public Key in the wcappKeyStore
1. Generate a file that contains the certificate (public key) for the fmKey. This public key will be installed in the wcappKeyStore.

# /usr/bin/keytool -export -alias fmKey -keystore /opt/SUNWwcfm/classes/fmKeyStore > fmCert
Enter keystore password: YourPassword

2. Verify that the public key was created. Assume that the strings for CommonName and the other keywords are what you entered in the keytool -genkey command (see Step 1 of "Creating the wcappKeyStore" on page 8).

# /usr/bin/keytool -printcert -file fmCert
Owner: CN=CommonName, OU=OrganizationName, O=CompanyName, ST=SN, C=US
Issuer: CN=CommonName, OU=OrganizationName, O=CompanyName, ST=SN, C=US
Serial number: 3cb70740
Valid from: Fri Apr 11 12:15:44 EDT 2003 until: Thu Oct 09 12:11:44 EDT 2003
Certificate fingerprints:
     MD5:  F2:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
     SHA1: 6C:76:5D:E9:64:84:08:E2:95:0B:64:95:70:6D:3F:E9:F5:D5:87:7E

3. Import the FM public key into the wcappKeyStore. Compare the fingerprints that keytool displays with those shown in Step 2 before you answer yes:

# /usr/bin/keytool -import -alias fmKey -file fmCert -keystore wcappKeyStore
Enter keystore password: YourPassword
Owner: CN=CommonName, OU=OrganizationName, O=CompanyName, ST=SN, C=US
Issuer: CN=CommonName, OU=OrganizationName, O=CompanyName, ST=SN, C=US
Valid from: Fri Apr 11 12:11:44 EDT 2003 until: Thu Oct 09 12:11:44 EDT 2003
Certificate fingerprints:
     MD5:  F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
     SHA1: 6C:76:5D:E9:64:84:08:E2:95:0B:64:95:70:6D:3F:E9:F5:D5:87:7E
Trust this certificate? [no]: yes
Certificate was added to keystore

4. Validate that the wcappKeyStore contains the private key for wcapp and the public key for the FM:

# /usr/bin/keytool -list -keystore wcappKeyStore
Enter keystore password: YourPassword
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries:

wcappkey, Fri Apr 11 12:15:44 EDT 2003, keyEntry,
Certificate fingerprint (MD5): F2:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
fmkey, Fri Apr 11 12:11:44 EDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
Installing the wcapp Public Key In the fmKeystore
To Install the wcapp Public Key in the fmKeyStore
1. Type the following command to import the wcapp certificate into the fmKeyStore. The fmKeyStore needs the public key for the wcapp key pair. Compare the fingerprints that keytool displays with those shown when wcappCert was printed before you answer yes:

# /usr/bin/keytool -import -alias wcappKey -file wcappCert -keystore /opt/SUNWwcfm/classes/fmKeyStore
Enter keystore password: YourPassword
Owner: CN=CommonName, OU=OrganizationName, O=CompanyName, ST=SN, C=US
Serial number: 84848484
Issuer: CN=CommonName, OU=OrganizationName, O=CompanyName, ST=SN, C=US
Valid from: Fri Apr 11 12:15:44 EDT 2003 until: Thu Oct 09 12:11:44 EDT 2003
Certificate fingerprints:
     MD5:  F2:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
     SHA1: 6C:76:5D:E9:64:84:08:E2:95:0B:64:95:70:6D:3F:E9:F5:D5:87:7E
Trust this certificate? [no]: yes
Certificate was added to keystore

2. Validate that the fmKeyStore contains the private key for the FM and the public key for wcapp:

# /usr/bin/keytool -list -keystore /opt/SUNWwcfm/classes/fmKeyStore
Enter keystore password: YourPassword
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries:

fmkey, Fri Apr 11 12:11:44 EDT 2003, keyEntry,
Certificate fingerprint (MD5): F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
wcappkey, Fri Apr 11 12:15:44 EDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): F2:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
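The two validation steps above (listing the wcappKeyStore and listing the fmKeyStore) rely on reading fingerprints by eye: the keyEntry in one keystore must carry the same MD5 fingerprint as the trustedCertEntry in the other, otherwise the SSL peers will not authenticate each other. The script below is an added example, not part of the Sun article, that automates that comparison from saved keytool -list output. It assumes you have redirected the listings to files first (keytool -list -keystore wcappKeyStore > wcapp.list, and likewise for the fmKeyStore); the listings embedded in the demo are constructed text in keytool's output format, not real keystores.

```shell
#!/bin/sh
# Added example (not from the Sun article): compare the MD5 fingerprint of an
# alias across two saved "keytool -list" outputs. Save the listings first:
#   keytool -list -keystore wcappKeyStore > wcapp.list
#   keytool -list -keystore /opt/SUNWwcfm/classes/fmKeyStore > fm.list
# The listings written by write_sample_listings below are constructed.

# fingerprint_of FILE ALIAS -> prints the MD5 fingerprint of entry ALIAS
# (aliases are compared case-insensitively, as keytool stores them lowercase);
# returns 1 if ALIAS does not appear in the listing.
fingerprint_of() {
    awk -v alias="$2" '
        # entry header line looks like: "alias, date, entryType,"
        tolower($0) ~ ("^" tolower(alias) ",") { want = 1 }
        # the fingerprint follows the header, on the same or the next line
        want && /MD5/ {
            line = $0
            sub(/.*MD5\)?:? */, "", line)            # drop the label before the hex
            if (match(line, /[0-9A-F][0-9A-F](:[0-9A-F][0-9A-F])+/)) {
                print substr(line, RSTART, RLENGTH); found = 1
            }
            exit
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# same_key LIST1 ALIAS1 LIST2 ALIAS2 -> 0 if both entries carry the same
# fingerprint, 1 if they differ or either alias is missing.
same_key() {
    a=$(fingerprint_of "$1" "$2") || { echo "$2 not found in $1"; return 1; }
    b=$(fingerprint_of "$3" "$4") || { echo "$4 not found in $3"; return 1; }
    if [ "$a" = "$b" ]; then echo "$2: $a (same in both keystores)"; return 0; fi
    echo "$2: MISMATCH $a in $1 vs $b in $3"
    return 1
}

# write_sample_listings DIR -> constructed listings of the wcappKeyStore, of the
# fmKeyStore after the exchange, and of an fmKeyStore trusting a stale wcapp cert
write_sample_listings() {
    cat > "$1/wcapp.list" <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries:

wcappkey, Fri Apr 11 12:11:44 EDT 2003, keyEntry,
Certificate fingerprint (MD5): F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
fmkey, Fri Apr 11 12:15:44 EDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): F2:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
EOF
    cat > "$1/fm.list" <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries:

fmkey, Fri Apr 11 12:15:44 EDT 2003, keyEntry,
Certificate fingerprint (MD5): F2:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
wcappkey, Fri Apr 11 12:11:44 EDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): F1:11:FF:90:B0:D8:C6:DE:23:CE:36:3F:81:B2:30:36
EOF
    # same FM keystore, but trusting a different (stale or wrong) wcapp certificate
    sed 's/F1:11:FF/AA:BB:CC/' "$1/fm.list" > "$1/fm-stale.list"
}

demo() {
    d=${TMPDIR:-/tmp}/kscheck.$$
    mkdir -p "$d"
    write_sample_listings "$d"
    same_key "$d/wcapp.list" wcappKey "$d/fm.list" wcappKey   # wcapp's own key vs what the FM trusts
    same_key "$d/wcapp.list" fmKey "$d/fm.list" fmKey         # FM's own key vs what wcapp trusts
    same_key "$d/wcapp.list" wcappKey "$d/fm-stale.list" wcappKey || echo "re-export wcappCert and re-import it into the fmKeyStore"
    rm -rf "$d"
}
demo
```

Run the same two same_key checks against your real listings after every 180-day key rotation; a mismatch on wcappKey means the FM still trusts the old certificate and the import step must be repeated.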
Configuring wcapp To Use SSL
These steps must be performed on every SC (both the primary and the backup) in your configuration. For example, if you have two Sun Fire 15K or Sun Fire 12K systems, you must repeat the following installation steps on all four SCs:
"To Configure wcapp Java Virtual Machine to use SSL" on page 15
"To Install the wcappKeyStore" on page 17
"To Create the ssl.info File" on page 18
"To Stop and Restart wcapp" on page 18
To Configure wcapp Java Virtual Machine to use SSL
1. Download the Java Secure Socket Extension (JSSE) 1.0.3 program.
You can download the file to any location on your local disk. Note that JSSE 1.0.3 requires that you have Java 1.2.1 or greater already installed. You can download the file from http://java.sun.com/products. The file name is jsse-1_0_3-do.zip.

2. Uncompress and extract the downloaded file by typing the following command to unzip the download.
This will create a directory named jsse1.0.3, with two subdirectories named doc and lib.

# unzip jsse-1_0_3-do.zip
Archive:  jsse-1_0_3-do.zip
  inflating: jsse1.0.3/BUGS.html
  inflating: jsse1.0.3/CHANGES.txt
  inflating: jsse1.0.3/COPYRIGHT.ht
... Many more files are listed

3. The JSSE lib subdirectory contains the extension files jsse.jar, jcert.jar and jnet.jar. Copy these files into the /usr/java1.2/lib/ext (installed extension) directory. In the following commands, run from the jsse1.0.3 directory, $JRE stands for the Java run-time environment directory (/usr/java1.2 in this example):

# cp lib/jsse.jar $JRE/lib/ext/jsse.jar
# cp lib/jcert.jar $JRE/lib/ext/jcert.jar
# cp lib/jnet.jar $JRE/lib/ext/jnet.jar

4. Verify that the files exist and that they are owned by root.

# ls -l $JRE/lib/ext
-rw-r--r--   1 root     root        7637 Feb 20 10:17 jcert.jar
-rw-r--r--   1 root     root        3098 Feb 20 10:17 jnet.jar
-rw-r--r--   1 root     root      463471 Feb 20 10:17 jsse.jar

5. Register the Sun JSSE provider.
The standard JSSE comes with a cryptographic service provider (provider for short) named SunJSSE. The SunJSSE provider is not registered by default; it must be configured explicitly, and the recommended way is to register it statically by editing the security properties file, which is located at $JRE/lib/security/java.security.
One of the types of properties contained in the java.security file is of the following form:

security.provider.n=providerClassName

This line declares a security provider and its preference order n (1 is consulted first).

6. Add a new line to that section, after the standard provider shipped with the Java run-time environment (JRE). The entries should now look like:

security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
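Editing java.security by hand on four SCs is where preference numbers get duplicated or skipped, and a provider line that does not match the class name exactly is silently ignored by the JVM. The following script is an added example, not part of the Sun article or of the JSSE distribution, that registers a provider class at the next free index and refuses to add a duplicate; the provider class name is the one from the page, and the java.security fragment it writes for the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the Sun article): idempotent registration of a
# security provider in a java.security file. Real use:
#   register_provider $JRE/lib/security/java.security com.sun.net.ssl.internal.ssl.Provider
# The file written by write_sample_security is a constructed fragment.

# provider_index FILE CLASS -> prints N from "security.provider.N=CLASS"
# if CLASS is already registered; returns 1 otherwise.
provider_index() {
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')     # escape dots so the class is a literal match
    sed -n "s/^security\.provider\.\([0-9][0-9]*\)=$esc\$/\1/p" "$1" | grep .
}

# register_provider FILE CLASS -> appends CLASS at (highest index + 1) unless it
# is already registered; prints the index CLASS now has.
register_provider() {
    idx=$(provider_index "$1" "$2") && { echo "$idx"; return 0; }
    last=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -1)
    idx=$(( ${last:-0} + 1 ))
    printf 'security.provider.%d=%s\n' "$idx" "$2" >> "$1"
    echo "$idx"
}

# provider_chain FILE -> the registered provider classes in preference order,
# one per line, for comparison against the expected list.
provider_chain() {
    sed -n 's/^security\.provider\.\([0-9][0-9]*\)=\(.*\)/\1 \2/p' "$1" | sort -n | cut -d' ' -f2
}

# write_sample_security FILE -> constructed java.security fragment in the state
# before JSSE is registered (only the standard Sun provider present).
write_sample_security() {
    cat > "$1" <<'EOF'
# constructed fragment of JRE/lib/security/java.security
securerandom.source=file:/dev/random
security.provider.1=sun.security.provider.Sun
EOF
}

demo() {
    f=${TMPDIR:-/tmp}/java.security.$$
    write_sample_security "$f"
    register_provider "$f" com.sun.net.ssl.internal.ssl.Provider   # prints 2
    register_provider "$f" com.sun.net.ssl.internal.ssl.Provider   # prints 2 again, no duplicate line
    provider_chain "$f"
    rm -f "$f"
}
demo
```

After running it on an SC, provider_chain should print sun.security.provider.Sun followed by com.sun.net.ssl.internal.ssl.Provider, matching the two lines shown above.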
To Install the wcappKeyStore
The previously created keystore (wcappKeyStore) must be distributed to each SC. To move the keystore, use an encrypted transfer such as scp to copy the file onto your system.
1. Execute the following command. Substitute the machine name of the server that is acting as your MSP for MSP.

# scp MSP:/privatedir/wcappKeyStore /opt/SUNWSMS/SMS1.3/classes/wcappKeyStore

2. Verify that this file is readable only by root. It is important to protect the private key.

# ls -l /opt/SUNWSMS/SMS1.3/classes/wcappKeyStore
-rw-------   1 root     root        7637 Feb 20 10:17 /opt/SUNWSMS/SMS1.3/classes/wcappKeyStore

3. Edit the policy file so that wcapp has read access to the wcappKeyStore and ssl.info files. Add the following lines above the closing }; in the policy file. The wcapp policy file is located at /opt/SUNWSMS/SMS1.3/classes/com/sun/wildcat/common/server.policy:

permission java.io.FilePermission "/opt/SUNWSMS/SMS1.3/classes/wcappKeyStore", "read";
permission java.io.FilePermission "/opt/SUNWSMS/SMS1.3/classes/ssl.info", "read";
To Create the ssl.info File
The ssl.info file contains the information that wcapp needs to use SSL.
1. Create a file called /opt/SUNWSMS/SMS1.3/classes/ssl.info containing the following lines. Substitute the keystore password for YourPassword.

KEY_STORE_PASSPHRASE=YourPassword
KEY_STORE_LOCATION=/opt/SUNWSMS/SMS1.3/classes/wcappKeyStore

2. Verify that the file is readable only by root. This information is sensitive: the file holds the keystore password in clear text, so access to it must be restricted to root. The following command will verify the access to the file:

# ls -l /opt/SUNWSMS/SMS1.3/classes/ssl.info
-rw-------   1 root     root          95 Feb 20 10:17 /opt/SUNWSMS/SMS1.3/classes/ssl.info
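Both ls checks above (for the copied wcappKeyStore and for ssl.info) come down to the same requirement: a regular file, owned by root, with no group or other permission bits. Because ssl.info names the keystore in KEY_STORE_LOCATION, the two can be checked together. The script below is an added example, not part of the Sun article, that does exactly that and can be run on each SC after the files are installed; the ssl.info and keystore it writes for its demo are constructed placeholders in a temporary directory, and the expected owner is passed as an argument (root, or 0, for the real files).

```shell
#!/bin/sh
# Added example (not from the Sun article): verify that ssl.info and the
# keystore it points to are private to the expected owner. Real use on an SC:
#   check_ssl_info /opt/SUNWSMS/SMS1.3/classes/ssl.info root
# The files written by write_sample_config are constructed placeholders.

# check_private_file FILE OWNER -> 0 if FILE is a regular file owned by OWNER
# (user name or numeric uid) with mode rw------- or r--------; otherwise prints
# the reason and returns 1.
check_private_file() {
    [ -f "$1" ] || { echo "$1: not a regular file"; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)             # ignore a trailing + or . (ACL/label marker)
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    uid=$(ls -ldn "$1" | awk '{ print $3 }')
    [ "$owner" = "$2" ] || [ "$uid" = "$2" ] || { echo "$1: owned by $owner, expected $2"; return 1; }
    case $mode in
        -rw-------|-r--------) return 0 ;;
        *) echo "$1: mode is $mode, expected -rw-------"; return 1 ;;
    esac
}

# ssl_info_value FILE KEY -> prints the value of the first KEY=value line in
# ssl.info; returns 1 if KEY is absent.
ssl_info_value() {
    sed -n "s/^$2=//p" "$1" | head -1 | grep .
}

# check_ssl_info FILE OWNER -> checks ssl.info itself, that both settings are
# present, and that the keystore named in KEY_STORE_LOCATION is equally private.
check_ssl_info() {
    check_private_file "$1" "$2" || return 1
    ssl_info_value "$1" KEY_STORE_PASSPHRASE >/dev/null || { echo "$1: KEY_STORE_PASSPHRASE missing"; return 1; }
    ks=$(ssl_info_value "$1" KEY_STORE_LOCATION) || { echo "$1: KEY_STORE_LOCATION missing"; return 1; }
    check_private_file "$ks" "$2"
}

# write_sample_config DIR -> constructed ssl.info plus a dummy keystore file,
# both mode 0600, mirroring the layout the article installs under classes/.
write_sample_config() {
    printf 'constructed placeholder, not a real JKS keystore\n' > "$1/wcappKeyStore"
    printf 'KEY_STORE_PASSPHRASE=YourPassword\nKEY_STORE_LOCATION=%s/wcappKeyStore\n' "$1" > "$1/ssl.info"
    chmod 600 "$1/wcappKeyStore" "$1/ssl.info"
}

demo() {
    d=${TMPDIR:-/tmp}/sslinfo.$$
    mkdir -p "$d"
    write_sample_config "$d"
    check_ssl_info "$d/ssl.info" "$(id -u)" && echo "ssl.info and keystore are private"
    chmod 644 "$d/wcappKeyStore"          # simulate a keystore copied with loose permissions
    check_ssl_info "$d/ssl.info" "$(id -u)" || echo "fix with: chmod 600 $d/wcappKeyStore"
    rm -rf "$d"
}
demo
```

The second check in the demo is the failure mode scp introduces when the source file on the MSP was group- or world-readable: the copy inherits those bits, and the keystore password in ssl.info then protects nothing.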
To Stop and Restart wcapp
To make wcapp use SSL and the enhanced security settings, you must stop and restart wcapp by stopping and restarting the entire SMS. If failover is enabled, the SC will fail over when SMS is stopped, so disable failover first, then modify and test one SC before you make the other SC the main SC. Modify and test that SC as well before you re-enable failover.
1. Type the following command to stop SMS, and with it wcapp:

# /etc/init.d/sms stop

2. Type the following command to restart wcapp:

# /etc/init.d/sms start

3. Verify that wcapp restarted with enhanced security. Only the critical lines of output are listed; the rest are omitted for readability.

# tail /tmp/scapout.out
. . .
using SSL.
. . .

Repeat Steps 1 through 3 for each SC.