You can set up SSL on the Content Manager OnDemand for Linux server by using the GSKCapiCmd tool to create the key database and the digital certificate that the server presents to clients.
Procedure
To set up SSL on the Linux server:
- Create the key database and store it in the config subdirectory of the Content Manager OnDemand server installation directory: /opt/ondemand/config. To create the key database, run a command similar to the following command:
gsk8capicmd_64 -keydb -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -stash -populate
The following list describes why these parameters were chosen:
- -keydb -create -db "ondemand.kdb"
- Indicates that you want to create a key database called ondemand.kdb.
- -pw "myKeyDBpasswd" -stash
- Indicates that you want to create a stash file and store the password (myKeyDBpasswd) in that stash file. The GSKCapiCmd tool stores the stash file at the same path as the key database. You must remember this path because you must specify it in the ars.ini file. GSKCapiCmd creates the stash file with the same file name as the key database (ondemand), with the file extension of .sth. When Content Manager OnDemand starts, GSKit retrieves the password to the key database from this stash file.
- -populate
- Populates the key database with a set of predefined trusted certificate authority (CA) certificates. A trusted CA is a certificate authority whose root certificate is marked as trusted in the key database. For the list of default trusted root certificates, see Default GSKit trusted root certificates.
- Create a digital certificate. You can create a self-signed
certificate, which is useful for testing. When you are ready to move
to a production environment, create a CA-signed digital certificate.
- Configure the Content Manager OnDemand for Linux server. Add the
following lines to the ARS.INI file:
SSL_PORT=port_number
SSL_KEYRING_FILE=/opt/ondemand/config/ondemand.kdb
SSL_KEYRING_STASH=/opt/ondemand/config/ondemand.sth
SSL_KEYRING_LABEL=IBM Content Manager OnDemand
SSL_CLNT_USE_SSL=0
The following list describes these parameters:
- SSL_PORT
- Specify one of the following values:
- port_number
- The port number on the Content Manager OnDemand server
dedicated to communicating with the SSL protocol.
- 0
- No port on the Content Manager OnDemand server
to communicate with the SSL protocol.
- -1
- All ports on the Content Manager OnDemand server
to communicate only with the SSL protocol.
- SSL_KEYRING_FILE
- Specify the full path and file name of the key database that contains
the digital certificates.
- SSL_KEYRING_STASH
- Specify the full path and file name of the stash file for the
key database.
- SSL_KEYRING_LABEL
- Specify the name of the certificate in the key database.
- SSL_CLNT_USE_SSL
- Specify whether the server-side clients (for example, ARSDOC, ARSMAINT,
or ARSLOAD) must communicate with the SSL protocol.
Specify 0 to indicate that the clients do not communicate with the SSL protocol. Specify 1 to indicate that the clients must communicate with the SSL protocol.
- Restart the Content Manager OnDemand server.
Because a trusted certificate authority provided the digital certificate,
the Content Manager OnDemand server accepts
the certificate. Communication between server and client can commence
without updating the key database on Content Manager OnDemand client.
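The following POSIX shell script is an added example and is not part of the IBM documentation or the Content Manager OnDemand product. It checks the SSL settings from the configuration step above before the server is restarted: that SSL_PORT is one of the three documented forms (a port number, 0, or -1), that the key database and stash files named in ARS.INI exist and are readable, that the stash path matches the key database name the way GSKCapiCmd -stash creates it (same name, .sth extension), that a certificate label is set, and that SSL_CLNT_USE_SSL is 0 or 1. The function names, the treatment of ARS.INI as plain KEY=VALUE lines, and the sample files it writes (empty placeholders standing in for a real key database and stash file) are assumptions and constructed data, not real GSKit output.

```shell
#!/bin/sh
# Added example: sanity-check the SSL stanza in ARS.INI before restarting
# the Content Manager OnDemand server. Not IBM code; names are assumptions.

# ars_ini_get FILE KEY -> prints the value of the first KEY=VALUE line
ars_ini_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# check_ssl_port VALUE -> returns 0 when VALUE is -1, 0, or 1..65535
check_ssl_port() {
    case "$1" in
        -1|0) return 0 ;;                 # documented special values
        ''|*[!0-9]*) return 1 ;;          # empty or not a plain integer
        *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
    esac
}

# check_ssl_stanza FILE -> returns 0 when the SSL settings are consistent;
# prints one line per problem found
check_ssl_stanza() {
    ini="$1"; rc=0
    port=$(ars_ini_get "$ini" SSL_PORT)
    kdb=$(ars_ini_get "$ini" SSL_KEYRING_FILE)
    sth=$(ars_ini_get "$ini" SSL_KEYRING_STASH)
    label=$(ars_ini_get "$ini" SSL_KEYRING_LABEL)
    clnt=$(ars_ini_get "$ini" SSL_CLNT_USE_SSL)

    check_ssl_port "$port" || { echo "SSL_PORT '$port' is not -1, 0 or 1-65535"; rc=1; }
    [ -r "$kdb" ] || { echo "SSL_KEYRING_FILE '$kdb' is missing or unreadable"; rc=1; }
    [ -r "$sth" ] || { echo "SSL_KEYRING_STASH '$sth' is missing or unreadable"; rc=1; }
    # GSKCapiCmd -stash writes <keydb-name>.sth next to the .kdb file
    [ "$sth" = "${kdb%.kdb}.sth" ] || { echo "stash path does not match key database name"; rc=1; }
    [ -n "$label" ] || { echo "SSL_KEYRING_LABEL is empty"; rc=1; }
    case "$clnt" in
        0|1) ;;
        *) echo "SSL_CLNT_USE_SSL '$clnt' must be 0 or 1"; rc=1 ;;
    esac
    return $rc
}

# make_sample_config DIR -> writes constructed placeholder files under DIR:
# an empty ondemand.kdb and ondemand.sth (stand-ins for the real GSKit files)
# and an ars.ini carrying the SSL lines from the procedure. Port 1445 is a
# constructed sample value.
make_sample_config() {
    mkdir -p "$1"
    : > "$1/ondemand.kdb"
    : > "$1/ondemand.sth"
    cat > "$1/ars.ini" <<EOF
SSL_PORT=1445
SSL_KEYRING_FILE=$1/ondemand.kdb
SSL_KEYRING_STASH=$1/ondemand.sth
SSL_KEYRING_LABEL=IBM Content Manager OnDemand
SSL_CLNT_USE_SSL=0
EOF
}

# Usage: build the sample configuration in a temporary directory and check it
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir"
if check_ssl_stanza "$demo_dir/ars.ini"; then
    echo "SSL stanza in $demo_dir/ars.ini is consistent"
fi
rm -rf "$demo_dir"
```

Run it against the real file with `check_ssl_stanza /opt/ondemand/config/ars.ini` (path per the procedure above) after sourcing the script; a non-zero exit with a printed finding means the server should not be restarted until the stanza is corrected.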