Setting up SSL for the Windows clients

You must complete tasks on the client workstation in order to use SSL.

The following tasks are required to set up and use SSL on the Content Manager OnDemand Windows clients:
  1. Confirm that you have completed the steps described in the following topics:
  2. Create a key database. Use the GSKCapiCmd tool to create the client key database.
    gsk8capicmd_64 -keydb -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -stash -populate
    Note: At GSKCapiCmd version 8.0.55.28 and later, the default when creating a keystore is the -pqc true parameter setting, which generates a PBES2-formatted keystore. That keystore type requires Content Manager OnDemand to run in non-FIPS mode, whereas Content Manager OnDemand runs in FIPS mode by default. Therefore, create the keystore with -pqc false so that Content Manager OnDemand can continue to run in FIPS mode. If the keystore was created with a version of GSKCapiCmd earlier than 8.0.55.28, no change is needed.
  3. Obtain, on the client, the signer certificate of the server's digital certificate. The server certificate can be either a self-signed certificate or a certificate signed by a certificate authority (CA). If it is signed by a well-known CA, your client key database (populated with the -populate option in the previous step) might already contain the CA certificate that signed it. If it does not, you must obtain the CA certificate, which is usually done by visiting the web site of the CA.
  4. If your server certificate is a self-signed certificate, you must extract its signer certificate to a file on the server computer and then distribute it to all computers running clients that will be establishing SSL connections to that server. For details regarding the creation of a self-signed certificate, see Setting up SSL on a Content Manager OnDemand AIX server, Setting up SSL on a Content Manager OnDemand Linux server, or Setting up SSL on a Content Manager OnDemand Windows server.
    Add the signer certificate into the client key database. For example, the following GSK8CapiCmd command adds the certificate from the file named ondemand.arm into the key database named ondemand.kdb:
    gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" 
    -label "myselfsigned" -file "ondemand.arm" -format ascii
  5. The Windows clients require that the SSL files be named ondemand.kdb and ondemand.sth. If they were created with different names, rename them to ondemand.kdb and ondemand.sth. Place the ondemand.kdb and ondemand.sth files in the config subdirectory that is located under the client installation directory on the workstation. Ensure that client users have read permissions to the files.
  6. After launching one of the clients, you can select the Use Secure Sockets Layer check box when defining or updating a Content Manager OnDemand server definition. Be sure to specify the SSL port number that is defined on the Content Manager OnDemand server. The client then uses the ondemand.kdb and ondemand.sth files to manage and validate any certificate that it receives from the Content Manager OnDemand server.
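The following PowerShell script is an added example and is not part of the original IBM procedure or of the product. It carries out steps 2 through 5 above on the workstation in one pass and verifies the result: it creates the key database with -pqc false (so the client stays in FIPS mode), adds the server's signer certificate, lists and inspects the entry before trusting it, copies the two files under their required names into the client config directory, and restricts the ACL so that client users can read them but not change them. It assumes that gsk8capicmd_64.exe is on the PATH, that the client is installed in C:\Program Files\IBM\OnDemand Client (an assumed path; substitute your own), that the signer certificate has already been copied from the server as ondemand.arm, and that the GSKit -stashed option and the Windows icacls tool behave as described in the comments. The stash file holds an obfuscated copy of the key database password, so it is treated as a secret.

```powershell
# Added example (not IBM documentation or product code): client-side SSL setup for the
# Content Manager OnDemand Windows client, run from an elevated PowerShell prompt.
# Assumptions (not from the page): gsk8capicmd_64.exe is on PATH, the client install
# directory is $ClientDir, and the signer certificate was copied from the server to $SignerFile.
$ErrorActionPreference = 'Stop'

$ClientDir  = 'C:\Program Files\IBM\OnDemand Client'   # assumed install path; adjust
$ConfigDir  = Join-Path $ClientDir 'config'             # the client reads the key files here
$WorkDir    = Join-Path $env:TEMP 'od-ssl'               # scratch area for key database creation
$SignerFile = Join-Path $WorkDir 'ondemand.arm'          # signer certificate exported on the server
$KeyDb      = Join-Path $WorkDir 'ondemand.kdb'          # required file name
$StashFile  = Join-Path $WorkDir 'ondemand.sth'          # required file name
$Label      = 'myselfsigned'                              # label used in the page's example

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
if (-not (Test-Path $SignerFile)) { throw "Signer certificate not found: $SignerFile" }

# Prompt for the key database password instead of hard-coding it in the script.
$secure = Read-Host -Prompt 'Key database password' -AsSecureString
$Pw = [System.Net.NetworkCredential]::new('', $secure).Password

function Invoke-Gsk {
    # Run gsk8capicmd_64 and fail loudly; the error message deliberately omits the
    # arguments so the password is never echoed into a log.
    param([string[]]$GskArgs)
    & gsk8capicmd_64 @GskArgs
    if ($LASTEXITCODE -ne 0) {
        throw "gsk8capicmd_64 $($GskArgs[0]) $($GskArgs[1]) failed (exit $LASTEXITCODE)"
    }
}

# Step 2: create the key database. -pqc false keeps the keystore in a format that lets the
# client run in FIPS mode; -stash writes ondemand.sth; -populate preloads well-known CA signers.
Invoke-Gsk @('-keydb','-create','-db',$KeyDb,'-pw',$Pw,'-stash','-populate','-pqc','false')
$Pw = $null   # the stash file now carries the password; drop the clear-text copy

# Steps 3-4: add the server's signer certificate (the self-signed server certificate itself,
# or the CA certificate that signed it). -stashed reads the password from ondemand.sth so it
# no longer has to appear on the command line.
Invoke-Gsk @('-cert','-add','-db',$KeyDb,'-stashed','-label',$Label,'-file',$SignerFile,'-format','ascii')

# Check the entry is present and inspect subject, issuer and validity before trusting it.
Invoke-Gsk @('-cert','-list','-db',$KeyDb,'-stashed')
Invoke-Gsk @('-cert','-details','-db',$KeyDb,'-stashed','-label',$Label)

# Step 5: the client requires exactly these file names in <install dir>\config.
New-Item -ItemType Directory -Force -Path $ConfigDir | Out-Null
Copy-Item $KeyDb, $StashFile -Destination $ConfigDir -Force

# Client users need read access only. Drop inherited ACEs, then grant read to Users and
# full control to Administrators and SYSTEM; nothing else should be able to modify the files.
foreach ($name in 'ondemand.kdb', 'ondemand.sth') {
    $path = Join-Path $ConfigDir $name
    icacls $path /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Users:(R)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path" }
    if (-not (Test-Path $path)) { throw "$path is missing after copy" }
}

# Remove the scratch copies of the key database and stash (the .arm signer is public and stays).
Get-ChildItem $WorkDir -Filter 'ondemand.*' | Where-Object { $_.Extension -ne '.arm' } | Remove-Item -Force

Write-Host "Installed ondemand.kdb and ondemand.sth in $ConfigDir."
Write-Host "In the client, select 'Use Secure Sockets Layer' and enter the server's SSL port number."
```

Run the script once per workstation, or package the resulting ondemand.kdb and ondemand.sth for distribution after the signer has been verified. Because -stashed lets later commands read the password from ondemand.sth, anyone who can read the stash file can open the key database; the icacls step limits that to client users, which is why the files should not be left in a world-writable or shared location.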