GUI certificate and private-key pairs

This topic describes steps to create and configure private-key pairs and certificates.

VM Recovery Manager HA GUI has server and agent components. The GUI agents are enabled on all managed KSYS nodes. You can deploy the GUI server on a KSYS subsystem or on a separate AIX LPAR. The GUI server subsystem and the GUI agent subsystem communicate through the network by using the secure sockets layer (SSL) protocol. This communication requires both the GUI server subsystem and the GUI agent subsystem to have their own private-key pairs and certificates. The certificate-private key pairs are used to create secure communication between the GUI server and the web application and between the GUI server and the GUI agent. The server.key and server.cert files secure the communication between the GUI server and the web application. The agent.key and agent.cert files secure the communication between the GUI server and the GUI agent. By default, the GUI server and the GUI agent use self-signed certificate-private key pairs. These private-key pairs are exchanged automatically, so you do not need additional configuration for secure communication. However, if the GUI server and the GUI agent do not use the default self-signed certificate-private key pairs, you must configure the certificate-private key pairs.

Creating private-key pairs and certificates

The following procedure explains how to create one private-key pair and one certificate. You can decide whether to use one private-key pair and one certificate for the entire network, one for each domain, or one for each workstation. The following procedure assumes that you create a private-key pair and a certificate for each workstation; therefore, the names of the output files created during the process are generalized as workstationname.

On each workstation, perform the following steps to create a private-key pair and a certificate:
  1. Enter the following command from the SSL directory of your workstation to initialize the pseudorandom number generator (PRNG). If the PRNG is not initialized, subsequent commands might not work.
    • On Windows operating systems:
      $ openssl rand -out workstationname.rnd -rand ./openssl.exe 8192
    • On UNIX and Linux operating systems:
      $ openssl rand -out workstationname.rnd -rand ./openssl 8192
  2. Enter the following command to create a private-key pair (this example shows triple-DES encryption), and then save the password that was requested to encrypt the private-key pair in a file named workstationname.pwd:
    $ openssl genrsa -des3 -out workstationname.key 2048
    Note: Verify that the workstationname.pwd file contains only the characters in the password. For example, if you specified the word maestro as the password, the workstationname.pwd file must not contain any CR or LF characters at the end (it must be 7 bytes long).
  3. Enter the following command to save your password into the appropriate stash file after encoding the password by using base64 encoding:
    $ openssl base64 -in workstationname.pwd -out workstationname.sth
    You can then delete the workstationname.pwd file.
  4. Enter the following command to create a certificate signing request (CSR):
    $ openssl req -new -key workstationname.key -out workstationname.csr -config ./openssl.cnf
    Some values such as company name, personal name, and other details will be requested. For future compatibility, you can specify the workstation name as the distinguished name (DN).
  5. Send the workstationname.csr file to your Certificate Authority (CA) to get the matching certificate for this private-key pair. Using its private-key pair (ca.key) and certificate (ca.crt), the CA signs the certificate signing request (workstationname.csr) and creates a signed certificate (workstationname.crt) by using the following command:
    $ openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in workstationname.csr -out workstationname.crt -CAcreateserial
  6. Distribute the new workstationname.crt certificate and the ca.crt public CA certificate to the workstation and set the values for the workstation's local options.
The following table summarizes which of the files created during the process have to be set as values for the workstation's local options.
Table 1. Files for local options
  Local option        File
  ------------------  -------------------
  SSL key             workstationname.key
  SSL certificate     workstationname.crt
  SSL key pwd         workstationname.sth
  SSL ca certificate  ca.crt
  SSL random seed     workstationname.rnd
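The steps above as a single script, added here as an example and not part of the original topic: it creates the password file without a trailing CR/LF (the note in step 2), stashes it, builds the CSR, has a throwaway local CA stand in for your real CA in step 5, and then checks that the signed certificate chains to ca.crt and actually carries the public half of the generated key. The workstation name, password and working directory are constructed inputs.

```shell
#!/bin/sh
# Added example: automates steps 1 to 6 for one workstation in a subshell so the
# cd and 'set -eu' do not leak into the calling shell. The CA created in step 5 is a
# local stand-in (constructed), not a real certificate authority.
make_workstation_pair() (
    set -eu
    ws="$1"; pw="$2"; dir="$3"
    mkdir -p "$dir" && cd "$dir"

    # Minimal openssl.cnf so that 'req -config ./openssl.cnf' runs without prompting;
    # the workstation name becomes the CN of the distinguished name (step 4).
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = %s\n' "$ws" > openssl.cnf

    # Step 1: seed file for the PRNG.
    openssl rand -out "$ws.rnd" 8192

    # Step 2: password file written with printf so no trailing LF is stored; the
    # byte count must equal the password length (7 bytes for "maestro").
    printf '%s' "$pw" > "$ws.pwd"
    [ "$(wc -c < "$ws.pwd" | tr -d ' ')" -eq "${#pw}" ]
    openssl genrsa -des3 -passout "file:$ws.pwd" -out "$ws.key" 2048 2>/dev/null

    # Step 3: base64 stash of the password, then the clear-text .pwd file is deleted.
    openssl base64 -in "$ws.pwd" -out "$ws.sth"
    rm -f "$ws.pwd"
    [ "$(openssl base64 -d -in "$ws.sth")" = "$pw" ]   # the stash round-trips exactly

    # Step 4: certificate signing request for the encrypted key.
    openssl req -new -key "$ws.key" -passin "pass:$pw" -out "$ws.csr" -config ./openssl.cnf

    # Step 5: the CA signs the CSR. A local test CA is generated here as a stand-in.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
        -subj "/CN=Local test CA" -config ./openssl.cnf 2>/dev/null
    openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in "$ws.csr" -out "$ws.crt" \
        -CAcreateserial 2>/dev/null

    # Step 6 precheck before distributing: the certificate verifies against ca.crt and
    # its public key is the public half of workstationname.key.
    openssl verify -CAfile ca.crt "$ws.crt" >/dev/null
    key_pub=$(openssl rsa -in "$ws.key" -passin "pass:$pw" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$ws.crt" -noout -pubkey)
    [ "$key_pub" = "$crt_pub" ]
)
```

After the function returns successfully, the directory holds the five files from Table 1 plus the CSR; only the .pwd file is gone, as step 3 intends.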

Configuring private-key pairs and certificates

To configure the certificate-private key pairs and certificates, complete the following steps:
  1. In the GUI server, go to the security folder at the following location:
    /opt/IBM/ksys/ui/security/

    The security folder contains all SSL certificates, private-key pairs and certificate signing requests, which the secure sockets layer (SSL) protocol uses.

    The security folder contains the following files:
    Table 2. Files in the security folder
      File name    Description
      -----------  ----------------------------------------------------------------------
      ca.key       Certification authority key
      ca.cert      Certification authority certificate used to self-sign certificates
      server.key   Key generated for SSL connection between the GUI server and the web application
      server.csr   Certificate signing request for the GUI server
      server.cert  Certificate signed by the certification authority
      agent.key    Key generated for SSL connection between the GUI server and the GUI agent
      agent.csr    Certificate signing request for the GUI agent
      agent.cert   Certificate signed by the certification authority
  2. Stop the GUI server by running the following command:
    stopsrc -s vmruiserver
  3. Stop the GUI agent by running the following command:
    stopsrc -s vmruiagent
  4. Open the security folder, and replace the default certificates and default private-key pairs with the certificates and private-key pairs that you want to use.
  5. Restart the GUI server by running the following command:
    startsrc -s vmruiserver
  6. Restart the GUI agent by running the following command:
    startsrc -s vmruiagent