You can set up Secure Sockets Layer (SSL) on Content Manager OnDemand.

To set up SSL on Content Manager OnDemand:

- Create the key database and store it in the config subdirectory of the Content Manager OnDemand server installation directory: /opt/IBM/ondemand/V10.1.
  To create the key database, run a command similar to the following command:

    gsk8capicmd_64 -keydb -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -stash -populate

  The following list describes why these parameters were chosen:
  - -keydb -create -db "ondemand.kdb"
    Indicates that you want to create a key database called ondemand.kdb.
  - -pw "myKeyDBpasswd" -stash
    Indicates that you want to create a stash file and store the password (myKeyDBpasswd) in that stash file. The GSKCapiCmd tool stores the stash file at the same path as the key database. You must remember this path because you must specify it in the ars.ini file. GSKCapiCmd creates the stash file with the same file name as the key database (ondemand), with the file extension .sth. When Content Manager OnDemand starts, GSKit retrieves the password to the key database from this stash file.
  - -populate
    Populates the key database with a set of predefined trusted certificate authority (CA) certificates. A trusted CA is a certificate authority whose root certificate is marked as trusted in the key database. For the list of default trusted root certificates, see Default GSKit trusted root certificates.
- Create a digital certificate. You can create a self-signed certificate, which is useful for testing. When you are ready to move to a production environment, create a CA-signed digital certificate. See Creating a self-signed certificate and Creating a CA-signed digital certificate.
- Configure the Content Manager OnDemand initialization file. Add the following lines to the ARS.INI file:

    SSL_PORT=port_number
    SSL_KEYRING_FILE=/opt/IBM/ondemand/V10.1/config/ondemand.kdb
    SSL_KEYRING_STASH=/opt/IBM/ondemand/V10.1/config/ondemand.sth
    SSL_KEYRING_LABEL=IBM Content Manager OnDemand
    SSL_CLNT_USE_SSL=0

  The following list describes these parameters:
  - SSL_PORT
    Specify one of the following values:
    - port_number
      The port number on the Content Manager OnDemand server dedicated to communicating with the SSL protocol. To set the Content Manager OnDemand server to only use the SSL protocol, also set the PORT parameter in the ARS.INI file to a value of -1 (PORT=-1).
    - 0
      No port on the Content Manager OnDemand server communicates with the SSL protocol.
  - SSL_KEYRING_FILE
    Specify the full path and file name of the key database that contains the digital certificates.
  - SSL_KEYRING_STASH
    Specify the full path and file name of the stash file for the key database.
  - SSL_KEYRING_LABEL
    Specify the name (label) of the certificate in the key database.
  - SSL_CLNT_USE_SSL
    Specify whether the server-side clients (for example, ARSDOC, ARSMAINT, or ARSLOAD) must communicate with the SSL protocol. Specify 0 to indicate that the clients do not communicate with the SSL protocol. Specify 1 to indicate that the clients must communicate with the SSL protocol.
- Restart the Content Manager OnDemand server.

Because a trusted certificate authority provided the digital certificate, the Content Manager OnDemand server accepts the certificate. Both the ondemand.kdb and ondemand.sth files need to be placed on the workstation where the Content Manager OnDemand clients are installed. Download both files to the config subdirectory under the client installation directory.
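The steps above leave several things that must agree with each other before the restart: the SSL_KEYRING_FILE and SSL_KEYRING_STASH paths must point at files that exist, the stash must be the .sth file that GSKCapiCmd wrote beside the key database, SSL_PORT must not be 0 if SSL is wanted, and PORT must be -1 if the server is meant to accept SSL only. The following POSIX shell script is an added example, not part of the IBM documentation or of Content Manager OnDemand itself; it reads those parameters from an ars.ini and reports each mismatch. The demo configuration it builds (the stanza header, the SSL port value, and the empty placeholder .kdb and .sth files) is constructed for the demonstration and does not contain real GSKit data.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): pre-restart check of the
# SSL parameters in an ars.ini. All paths and values used by the demo are
# constructed placeholders.

# Print the value of key $2 from the ini file $1 (first match, CR stripped).
ini_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '\r'
}

# Check the SSL parameters of the ars.ini given as $1 for an SSL-only server.
# Prints one line per finding; returns 0 only when nothing was found.
check_ssl_config() {
    ini="$1"
    problems=0
    port=$(ini_value "$ini" PORT)
    ssl_port=$(ini_value "$ini" SSL_PORT)
    kdb=$(ini_value "$ini" SSL_KEYRING_FILE)
    sth=$(ini_value "$ini" SSL_KEYRING_STASH)
    label=$(ini_value "$ini" SSL_KEYRING_LABEL)

    if [ -z "$ssl_port" ] || [ "$ssl_port" = "0" ]; then
        echo "SSL_PORT is missing or 0: no port accepts the SSL protocol"
        problems=$((problems + 1))
    fi
    if [ "$port" != "-1" ]; then
        echo "PORT is not -1: the server still accepts non-SSL connections"
        problems=$((problems + 1))
    fi
    if [ ! -r "$kdb" ]; then
        echo "SSL_KEYRING_FILE is missing or unreadable: $kdb"
        problems=$((problems + 1))
    fi
    if [ ! -r "$sth" ]; then
        echo "SSL_KEYRING_STASH is missing or unreadable: $sth"
        problems=$((problems + 1))
    fi
    # GSKCapiCmd writes the stash next to the key database as <name>.sth.
    if [ "${kdb%.kdb}.sth" != "$sth" ]; then
        echo "stash path does not match the key database: expected ${kdb%.kdb}.sth"
        problems=$((problems + 1))
    fi
    if [ -z "$label" ]; then
        echo "SSL_KEYRING_LABEL is empty"
        problems=$((problems + 1))
    fi
    # The stash holds the key database password, so it should not be
    # readable by everyone. Character 8 of 'ls -l' is the "other read" bit.
    if [ -r "$sth" ] && [ "$(ls -ld "$sth" | cut -c8)" = "r" ]; then
        echo "stash file is world-readable: $sth"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Build a throwaway config directory with placeholder key database and stash
# files plus a sample ars.ini. Everything here is constructed for the demo.
make_demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/config"
    : > "$dir/config/ondemand.kdb"
    : > "$dir/config/ondemand.sth"
    chmod 600 "$dir/config/ondemand.sth"
    cat > "$dir/ars.ini" <<EOF
[@SRV@_ARCHIVE]
HOST=ondemand.example.com
PORT=-1
SSL_PORT=1446
SSL_KEYRING_FILE=$dir/config/ondemand.kdb
SSL_KEYRING_STASH=$dir/config/ondemand.sth
SSL_KEYRING_LABEL=IBM Content Manager OnDemand
SSL_CLNT_USE_SSL=1
EOF
    echo "$dir"
}

# Usage: sh check_ssl.sh /opt/IBM/ondemand/V10.1/config/ars.ini
if [ "$#" -gt 0 ]; then
    check_ssl_config "$1"
fi
```

Run it against the real ars.ini before restarting the server; a non-zero exit status means at least one parameter disagrees with the files on disk. The PORT check assumes the SSL-only configuration described above (PORT=-1); drop that test if the server is meant to keep a non-SSL port as well.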