Setting up SSL on a Content Manager OnDemand Linux server
You can set up Secure Sockets Layer (SSL) for Content Manager OnDemand.
Procedure
To set up SSL on a Linux server:
- Create the key database and store it in the config subdirectory of the Content Manager OnDemand server installation directory, /opt/ibm/ondemand/V10.5. To create the key database, run a command similar to the following command:
gsk8capicmd_64 -keydb -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -stash -populate
The following list describes why these parameters were chosen:
- -keydb -create -db "ondemand.kdb"
- Indicates that you want to create a key database called ondemand.kdb.
- -pw "myKeyDBpasswd" -stash
- Indicates that you want to create a stash file and store the password (myKeyDBpasswd) in that stash file. The GSKCapiCmd tool stores the stash file at the same path as the key database. You must remember this path because you must specify it in the ARS.INI file. GSKCapiCmd creates the stash file with the same file name as the key database (ondemand), with the file extension .sth. When Content Manager OnDemand starts, IBM® Global Security Kit (GSKit) retrieves the password for the key database from this stash file.
- -populate
- Populates the key database with a set of predefined trusted certificate authority (CA) certificates. A trusted CA is a certificate authority whose root certificate is marked as trusted in the key database. For the list of default trusted root certificates, see Default IBM Global Security Kit (GSKit) trusted root certificates.
Note: At GSKCapiCmd version 8.0.55.28 and later, when you create a keystore, the default is to generate a PBES2-formatted keystore with the -pqc true parameter setting. However, this keystore type requires Content Manager OnDemand to run in non-FIPS mode, whereas Content Manager OnDemand runs in FIPS mode by default. Therefore, it is recommended that you create the keystore by specifying -pqc false, which allows Content Manager OnDemand to continue to run in FIPS mode. If the keystore was created with a version of GSKCapiCmd earlier than 8.0.55.28, no action is needed.
- Create a digital certificate. You can create a self-signed certificate, which is useful for testing. When you are ready to move to a production environment, create a CA-signed digital certificate. See Creating a self-signed certificate and Creating a CA-signed digital certificate.
- Configure the Content Manager OnDemand initialization file. Add the following lines to the ARS.INI file:
SSL_PORT=port_number
SSL_KEYRING_FILE=/opt/ibm/ondemand/V10.5/config/ondemand.kdb
SSL_KEYRING_STASH=/opt/ibm/ondemand/V10.5/config/ondemand.sth
SSL_KEYRING_LABEL=IBM Content Manager OnDemand
SSL_CLNT_USE_SSL=0
The following list describes these parameters:
- SSL_PORT
- Specify one of the following values:
- port_number
- The port number on the Content Manager OnDemand server dedicated to communicating with the SSL protocol. This port number must be different from the non-SSL port number. To set the Content Manager OnDemand server to use only the SSL protocol, also set the PORT parameter in the ARS.INI file to a value of -1 (PORT=-1).
- 0
- No port on the Content Manager OnDemand server communicates with the SSL protocol.
- SSL_KEYRING_FILE
- Specify the full path and file name of the key database that contains the digital certificates.
- SSL_KEYRING_STASH
- Specify the full path and file name of the stash file for the key database.
- SSL_KEYRING_LABEL
- Specify the name of the certificate in the key database. This value must match the value specified for the -label option used when creating the certificate.
- SSL_CLNT_USE_SSL
- Specify whether the server-side clients (for example, ARSDOC, ARSMAINT, or ARSLOAD) must communicate with the SSL protocol. Specify 0 to indicate that the clients do not communicate with the SSL protocol. Specify 1 to indicate that the clients must communicate with the SSL protocol.
- Restart the Content Manager OnDemand server to apply the changes.
- Complete the steps outlined in Setting up SSL for the Content Manager OnDemand clients.
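The ARS.INI settings in the configuration step above have consistency rules that are easy to get wrong before a restart (SSL_PORT must differ from PORT, the stash file sits beside the key database with a .sth extension, SSL_CLNT_USE_SSL is 0 or 1). The following added example, which is not IBM's code, encodes those rules as a pre-restart check; the port numbers in the sample fragment are constructed values, and file-existence checks are omitted so the sample runs offline.

```python
import os

# Constructed ARS.INI fragment; the ports are sample values, the paths match the page.
SAMPLE_ARS_INI = """\
PORT=1445
SSL_PORT=1446
SSL_KEYRING_FILE=/opt/ibm/ondemand/V10.5/config/ondemand.kdb
SSL_KEYRING_STASH=/opt/ibm/ondemand/V10.5/config/ondemand.sth
SSL_KEYRING_LABEL=IBM Content Manager OnDemand
SSL_CLNT_USE_SSL=0
"""


def parse_ars_ini(text):
    """Return KEY=VALUE pairs as a dict; blank, comment and section lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def check_ssl_settings(settings):
    """Return a list of problems; an empty list means the SSL settings are consistent."""
    problems = []
    port = settings.get("PORT")
    ssl_port = settings.get("SSL_PORT")
    if ssl_port is None:
        problems.append("SSL_PORT is missing")
    elif ssl_port != "0":  # 0 disables SSL, so the keyring settings are not needed
        if ssl_port == port:
            problems.append("SSL_PORT must differ from the non-SSL PORT")
        for key in ("SSL_KEYRING_FILE", "SSL_KEYRING_STASH", "SSL_KEYRING_LABEL"):
            if not settings.get(key):
                problems.append(f"{key} is required when SSL_PORT is enabled")
        kdb = settings.get("SSL_KEYRING_FILE", "")
        sth = settings.get("SSL_KEYRING_STASH", "")
        # GSKCapiCmd writes the stash next to the key database, same base name, .sth extension
        if kdb and sth and sth != os.path.splitext(kdb)[0] + ".sth":
            problems.append("SSL_KEYRING_STASH should be the key database path with a .sth extension")
    if settings.get("SSL_CLNT_USE_SSL") not in ("0", "1"):
        problems.append("SSL_CLNT_USE_SSL must be 0 or 1")
    if port == "-1" and ssl_port in (None, "0"):
        problems.append("PORT=-1 leaves only SSL access, so SSL_PORT must be enabled")
    return problems
```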