Starting certTool

To start the certificate configuration tool named certTool for the adapter, complete these steps:

Procedure

  1. Click Start > Programs > Accessories > Command Prompt.
  2. At a DOS command prompt, change to the bin directory for the adapter.
    If the directory is in the default location, type the following command:
    cd C:\Program Files\IBM\ISIM\Agents\adapter_name\bin\
  3. Type CertTool -agent agent_name at the prompt.

    For example, to display the main menu, type: CertTool -agent NotesAgent

    Main menu - Configuring agent: agentnameAgent 
     ------------------------------    
    A. Generate private key and certificate request   
    B. Install certificate from file   
    C. Install certificate and key from PKCS12 file   
    D. View current installed certificate    
    
    E. List CA certificates
    F. Install a CA certificate   
    G. Delete a CA certificate    
    
    H. List registered certificates   
    I. Register certificate   
    J. Unregister a certificate   
    
    K. Export certificate and key to PKCS12 file    
    
    X. Quit   
    
    Choice:

Results

From the Main menu, you can generate a private key and certificate request, install and delete certificates, register and unregister certificates, and list certificates. The following sections summarize the purpose of each group of options.

By using the first set of options (A through D), you can generate a CSR and install the returned signed certificate on the adapter.
A. Generate private key and certificate request
Generate a CSR and the associated private key that is sent to the certificate authority.
B. Install certificate from file
Install a certificate from a file. This file must be the signed certificate that is returned by the CA in response to the CSR that is generated by option A.
C. Install certificate and key from a PKCS12 file
Install a certificate from a PKCS12 format file that includes both the public certificate and a private key. If options A and B are not used to obtain a certificate, the certificate that you use must be in PKCS12 format.
D. View current installed certificate
View the certificate that is installed on the workstation where the adapter is installed.

With the second set of options, you can install root CA certificates on the adapter. A CA certificate validates the corresponding certificate that is presented by a client, such as the IBM® Security Identity server.
E. List CA certificates
Show the installed CA certificates. The adapter communicates only with IBM Security Identity servers whose certificates are validated by one of the installed CA certificates.
F. Install a CA certificate
Install a new CA certificate so that certificates generated by this CA can be validated. The CA certificate file can be in either X.509 or PEM encoded format.
G. Delete a CA certificate
Remove one of the installed CA certificates.

Options H through K apply to adapters that must authenticate the application to which the adapter is sending information. An example of an application is the IBM Security Identity server or the web server. Use these options to register certificates on the adapter. For IBM Security Identity Manager version 4.5 or earlier, register the signed certificate of the IBM Security Identity server with an adapter to enable client authentication on the adapter. If you do not upgrade an existing adapter to use CA certificates, you must register the signed certificate that is presented by the IBM Security Identity server with the adapter.

If you configure the adapter for event notification or enable client authentication in DAML, you must install the CA certificate. The CA certificate must correspond to the signed certificate of the IBM Security Identity server. Use option F, Install a CA certificate.
H. List registered certificates
List all registered certificates that are accepted for communication.
I. Register a certificate
Register a new certificate. The certificate for registration must be in Base 64 encoded X.509 format or PEM.
J. Unregister a certificate
Unregister (remove) a certificate from the registered list.
K. Export certificate and key to PKCS12 file
Export a previously installed certificate and private key. You are prompted for the file name and a password for encryption.
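
Options C, F, and I each name the file encodings they accept, so it helps to check a file's encoding before choosing a menu option. The following Python sketch is an added example, not part of certTool or the IBM documentation. It classifies a file's bytes and maps the result to the menu letters whose descriptions above name that encoding. The names ACCEPTED_BY, der_kind, classify and the two stubs are hypothetical, and the script assumes that "X.509" under option F means binary DER.

```python
import base64
import binascii
import re

# Menu letters whose descriptions on this page name each encoding.
# Assumption: "X.509" under option F means binary DER. Option B is omitted
# because the page does not state its file format.
ACCEPTED_BY = {"pem": ["F", "I"], "base64-x509": ["I"],
               "der-x509": ["F"], "pkcs12": ["C"], "unknown": []}

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stubs (not real certificates): minimal ASN.1 for the checks.
DER_STUB = bytes.fromhex("30073005a003020102")  # SEQ { SEQ { [0] version } }
PFX_STUB = bytes.fromhex("3003020103")          # SEQ { INTEGER 3 }

def der_kind(data):
    """Shape check on DER bytes; returns a kind or None. Not a validation."""
    if len(data) < 4 or data[0] != 0x30:        # outer tag must be SEQUENCE
        return None
    body, length = 2, data[1]
    if length & 0x80:                           # long-form length field
        n = length & 0x7F
        if n == 0 or n > 4:
            return None
        body, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if length < 3 or len(data) < body + length:  # empty or truncated file
        return None
    if data[body] == 0x30:                      # tbsCertificate SEQUENCE
        return "der-x509"
    if data[body:body + 3] == b"\x02\x01\x03":  # PKCS12 PFX version 3
        return "pkcs12"
    return None

def classify(data):
    """Return the encoding of a certificate file's bytes."""
    kind = der_kind(data)
    if kind:
        return kind
    m = PEM_RE.search(data)
    # PEM armor if present, otherwise treat the whole file as bare Base64.
    payload = b"".join((m.group(1) if m else data).split())
    try:
        inner = der_kind(base64.b64decode(payload, validate=True))
    except (binascii.Error, ValueError):
        return "unknown"
    if inner != "der-x509":
        return "unknown"
    return "pem" if m else "base64-x509"
```

For a real file, pass the result of open(path, "rb").read() to classify and look the result up in ACCEPTED_BY. The check covers encoding only and does not verify signatures, validity dates, or the issuing chain.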