Setting up SSL on the Content Manager OnDemand for Linux server

You can set up SSL on the Content Manager OnDemand for Linux server and certify the key database file by using the GSKCapiCmd tool.

Procedure

To set up SSL on the Linux server:

  1. Create the key database and store it in the config subdirectory of the Content Manager OnDemand server installation directory: /opt/ondemand/config
    To create the key database, run a command similar to the following command:
    gsk8capicmd_64 -keydb -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -stash -populate
    The following list describes the purpose of these parameters:
    -keydb -create -db "ondemand.kdb"
    Indicates that you want to create a key database called ondemand.kdb.
    -pw "myKeyDBpasswd" -stash
    Indicates that you want to create a stash file and store the password (myKeyDBpasswd) in that stash file. The GSKCapiCmd tool stores the stash file at the same path as the key database. Remember this path, because you must specify it in the ars.ini file. GSKCapiCmd creates the stash file with the same base name as the key database (ondemand) and the file extension .sth. When Content Manager OnDemand starts, GSKit retrieves the key database password from this stash file.
    -populate
    Populates the key database with a set of predefined trusted certificate authority (CA) certificates. A trusted CA is a certificate authority whose root certificate is marked as trusted in the key database. For the list of default trusted root certificates, see Default GSKit trusted root certificates.
  2. Create a digital certificate. You can create a self-signed certificate, which is useful for testing. When you are ready to move to a production environment, create a CA-signed digital certificate.
  3. Configure the Content Manager OnDemand for Linux server. Add the following lines to the ARS.INI file:
    SSL_PORT=port_number
    SSL_KEYRING_FILE=/opt/ondemand/config/ondemand.kdb
    SSL_KEYRING_STASH=/opt/ondemand/config/ondemand.sth
    SSL_KEYRING_LABEL=IBM Content Manager OnDemand
    SSL_CLNT_USE_SSL=0
    The following list describes these parameters:
    SSL_PORT
    Specify one of the following values:
    port_number
    The port number on the Content Manager OnDemand server dedicated to communicating with the SSL protocol.
    0
    No port on the Content Manager OnDemand server communicates with the SSL protocol.
    -1
    All ports on the Content Manager OnDemand server communicate only with the SSL protocol.
    SSL_KEYRING_FILE
    Specify the full path and file name of the key database that contains the digital certificates.
    SSL_KEYRING_STASH
    Specify the full path and file name of the stash file for the key database.
    SSL_KEYRING_LABEL
    Specify the name of the certificate in the key database.
    SSL_CLNT_USE_SSL
    Specify whether the server-side clients (for example, ARSDOC, ARSMAINT, or ARSLOAD) must communicate with the SSL protocol. Specify 0 to indicate that the clients do not communicate with the SSL protocol. Specify 1 to indicate that the clients must communicate with the SSL protocol.
  4. Restart the Content Manager OnDemand server. Because a trusted certificate authority provided the digital certificate, the Content Manager OnDemand server accepts the certificate, and communication between server and client can begin without updating the key database on the Content Manager OnDemand client.
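As an added example (not part of the product or its documentation), the following shell script checks the ars.ini settings from step 3 and the key database files from step 1 before the restart in step 4. It assumes the plain KEY=VALUE layout shown above and a find command that supports -perm.

```shell
#!/bin/sh
# Sanity-check the SSL_* entries of an ars.ini before restarting the server.
# Added example, not part of Content Manager OnDemand or GSKit; it assumes the
# plain KEY=VALUE layout shown in step 3 and a find that supports -perm.

# get_ini_value FILE KEY: print the value of the first "KEY=value" line.
get_ini_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# check_ars_ssl ARS_INI: return 0 when the SSL settings are usable, 1 otherwise.
check_ars_ssl() {
    ini="$1"; rc=0
    port=$(get_ini_value "$ini" SSL_PORT)
    kdb=$(get_ini_value "$ini" SSL_KEYRING_FILE)
    sth=$(get_ini_value "$ini" SSL_KEYRING_STASH)
    label=$(get_ini_value "$ini" SSL_KEYRING_LABEL)
    clnt=$(get_ini_value "$ini" SSL_CLNT_USE_SSL)

    # SSL_PORT is a dedicated port number, 0 (no SSL port) or -1 (SSL only).
    case "$port" in
        0|-1) ;;
        ''|*[!0-9]*) echo "SSL_PORT '$port' is not a port number"; rc=1 ;;
        *) [ "$port" -le 65535 ] || { echo "SSL_PORT $port is out of range"; rc=1; } ;;
    esac

    # Both files must exist: GSKit reads the key database password from the stash.
    [ -f "$kdb" ] || { echo "key database not found: $kdb"; rc=1; }
    [ -f "$sth" ] || { echo "stash file not found: $sth"; rc=1; }

    # GSKCapiCmd writes the stash beside the key database with a .sth extension.
    [ "$sth" = "${kdb%.kdb}.sth" ] || echo "warning: stash name differs from ${kdb%.kdb}.sth"

    # The stash file effectively holds the password: refuse group or world read.
    if [ -f "$sth" ] && [ -n "$(find "$sth" \( -perm -040 -o -perm -004 \))" ]; then
        echo "stash file $sth is readable by group or others"; rc=1
    fi

    # The label must name a certificate; the client flag is 0 or 1.
    [ -n "$label" ] || { echo "SSL_KEYRING_LABEL is empty"; rc=1; }
    case "$clnt" in 0|1) ;; *) echo "SSL_CLNT_USE_SSL must be 0 or 1, got '$clnt'"; rc=1 ;; esac

    return $rc
}

# Usage: check_ars_ssl.sh /opt/ondemand/config/ars.ini
if [ $# -gt 0 ]; then check_ars_ssl "$1"; fi
```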