Setting up SSL on the Content Manager OnDemand for Windows server

Procedure

To set up SSL on Content Manager OnDemand:

  1. Create the key database and store it in the config subdirectory of the Content Manager OnDemand server installation directory: C:\Program Files\IBM\OnDemand Server\V9.5\config. To create the key database, run a command similar to the following command:
    gsk8capicmd_64 -keydb -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -stash -populate
    The following list describes why these parameters were chosen:
    -keydb -create -db "ondemand.kdb"
    Indicates that you want to create a key database called ondemand.kdb.
    -pw "myKeyDBpasswd" -stash
    Indicates that you want to create a stash file and store the key database password (myKeyDBpasswd) in that stash file. GSKCapiCmd stores the stash file at the same path as the key database, with the same file name as the key database (ondemand) and the file extension .sth. You must remember this path because you must specify it in the ars.ini file. When Content Manager OnDemand starts, GSKit retrieves the password to the key database from this stash file. The stash file stores the password in obfuscated, not encrypted, form: anyone who can read it can open the key database and the private key it holds, so restrict the file permissions on both ondemand.kdb and ondemand.sth to the account that runs the server and to administrators.
    -populate
    Populates the key database with a set of predefined trusted certificate authority (CA) certificates. A trusted CA certificate is a certificate authority root certificate that is marked as trusted in the key database.
  2. Create a digital certificate. You can create a self-signed certificate, which is useful for testing. When you are ready to move to a production environment, obtain a CA-signed digital certificate.

    To create a self-signed certificate, do the following steps:

    1. Create a self-signed certificate by using GSKCapiCmd. The following example creates a self-signed certificate with the label myselfsigned:
      gsk8capicmd_64 -cert -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "myselfsigned" \
      -dn "CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit,L=Boulder,ST=CO,C=US"
    2. Extract the certificate to a file by using GSKCapiCmd. The extracted file contains only the public certificate, not the private key. The following example extracts the certificate created into a file called ondemand.arm:
      gsk8capicmd_64 -cert -extract -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "myselfsigned" \
      -target "ondemand.arm" -format ascii
    3. Distribute ondemand.arm to all computers running clients that will establish SSL connections to your Content Manager OnDemand server, so that the clients can add it to their trusted certificates.

    To create a CA-signed digital certificate, do the following steps:

    1. Create a Certificate Signing Request (CSR) by using GSKCapiCmd. Creating a CSR does the following:
      • Creates a new RSA public/private key pair and a PKCS #10 certificate request. GSKCapiCmd keeps the pending request in a request database next to the key database (ondemand.rdb); the private key never leaves the key database.
      • Writes the request to the file that you specify with the -file option, which is the file you send to the CA.
      The following example shows how to create a CSR for the key database ondemand.kdb.
      gsk8capicmd_64 -certreq -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert" \
      -dn "CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit,L=Boulder,ST=CO,C=US" \
      -file "mycertRequestNew"
    2. Verify the contents of the CSR by using GSKCapiCmd. The following example shows how to display the contents of the CSR created:
      gsk8capicmd_64 -certreq -details -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert"
      If you need to delete this CSR, run GSKCapiCmd similar to the following example:
      gsk8capicmd_64 -certreq -delete -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "mycert"
    3. Go to the web site of a well-known CA (for example, Verisign) and follow their instructions for registering and obtaining a signed digital certificate. The instructions include paying the CA for their services and providing them with the file you specified with the -file option. In the following example and for the rest of these instructions, a trial version of a digital certificate is used.
    4. The CA sends you an e-mail with the following information:
      • The MyCertificate.arm file, your trial signed digital certificate.
      • A link to download IntermediateCert.arm, the trial intermediate digital certificate.
      • A link to download RootCert.arm, the root digital certificate.
      Use a text editor (for example, Notepad) to save each certificate into a file. Check that each file contains a single certificate, including its BEGIN and END lines.
    5. Add the trial root digital certificate to the key database. The following example adds RootCert.arm to ondemand.kdb:
      gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "trialRootCACert" \
      -file RootCert.arm -format ascii
    6. Add the trial intermediate certificate to the key database. The following example adds IntermediateCert.arm to ondemand.kdb:
      gsk8capicmd_64 -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "trialIntermediateCACert" \
      -file IntermediateCert.arm -format ascii
    7. Receive your signed digital certificate into the key database. GSKCapiCmd matches the received certificate to the private key that was generated for the CSR, under the label mycert. The following example receives MyCertificate.arm into ondemand.kdb:
      gsk8capicmd_64 -cert -receive -file MyCertificate.arm -db "ondemand.kdb" -pw "myKeyDBpasswd" \
      -format ascii
    8. Verify that all the certificates were stored in the key database by using GSKCapiCmd. The following example lists the certificates stored in ondemand.kdb:
      gsk8capicmd_64 -cert -list all -db "ondemand.kdb" -pw "myKeyDBpasswd"
      GSKCapiCmd displays output similar to the following, where a leading hyphen marks a personal certificate (one with a private key in the key database) and an exclamation mark marks a trusted certificate:
      Certificates found
      * default, - personal, ! trusted
      -! mycert
      ! trialIntermediateCACert
      ! trialRootCACert
      -! myselfsigned
  3. Configure the server:
    1. Start the Content Manager OnDemand OnDemand Configurator V9.5 program.
    2. Open the Server window.
    3. Select the Enable check box in the SSL Port Number group. Then, specify the port number you want to use for SSL communications.
    4. Click Close.
  4. Restart the Content Manager OnDemand server. The server accepts the digital certificate because its issuer is trusted in the key database: the CA certificates you added in steps 2.5 and 2.6, or the certificate itself if it is self-signed. Both the ondemand.kdb and ondemand.sth files need to be placed on the workstation where the Content Manager OnDemand clients are installed. Download both files to the config subdirectory under the client installation directory. Note that ondemand.kdb as built in step 2 also holds the server's private key, and ondemand.sth unlocks it; a client only needs to trust the server's certificate, so where your client configuration allows it, give the client a separate key database that contains only the extracted certificate (ondemand.arm) or the CA certificates, and protect any copy of the server's key database and stash file as you would the server's own.
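
The procedure above, driven end to end for the self-signed path with exit-code checks, as an added example that is not part of the IBM documentation or of the product. It assumes gsk8capicmd_64 is on PATH, the V9.5 config directory from step 1, the host name and DN from step 2, that the server presents the key database's default personal certificate, and that the server runs as LocalSystem (adjust the icacls principal to your service account).

```powershell
# Added example (not IBM's code). Creates the key database, a self-signed
# certificate, and the extracted .arm file, then verifies the results.
$ErrorActionPreference = 'Stop'
$gsk      = 'gsk8capicmd_64'                                   # assumption: on PATH
$cfgDir   = 'C:\Program Files\IBM\OnDemand Server\V9.5\config' # from step 1
$kdb      = Join-Path $cfgDir 'ondemand.kdb'
$arm      = Join-Path $cfgDir 'ondemand.arm'
$label    = 'myselfsigned'
$hostName = 'myhost.mycompany.com'                             # assumption: server FQDN
$dn       = "CN=$hostName,O=myOrganization,OU=myOrganizationUnit,L=Boulder,ST=CO,C=US"

# Prompt for the key database password instead of hard-coding it in the script.
$secure = Read-Host -AsSecureString 'Key database password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$pw     = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Run one GSKCapiCmd invocation and stop on a non-zero exit code.
function Invoke-Gsk {
    param([string[]]$GskArgs)
    & $gsk @GskArgs
    if ($LASTEXITCODE -ne 0) {
        throw "gsk8capicmd_64 $($GskArgs[0]) $($GskArgs[1]) failed with exit code $LASTEXITCODE"
    }
}

# Step 1: key database with stash file and the predefined trusted CA roots.
Invoke-Gsk @('-keydb', '-create', '-db', $kdb, '-pw', $pw, '-stash', '-populate')

# Step 2 (self-signed): 2048-bit RSA key, SHA-256 signature, one-year validity.
Invoke-Gsk @('-cert', '-create', '-db', $kdb, '-pw', $pw, '-label', $label, '-dn', $dn,
             '-size', '2048', '-expire', '365', '-sigalg', 'SHA256WithRSA')

# Mark it as the default personal certificate (assumption: the server presents the default).
Invoke-Gsk @('-cert', '-setdefault', '-db', $kdb, '-pw', $pw, '-label', $label)

# Extract the public certificate only; this is the file to hand to clients.
Invoke-Gsk @('-cert', '-extract', '-db', $kdb, '-pw', $pw, '-label', $label,
             '-target', $arm, '-format', 'ascii')

# Check 1: the stash file exists, otherwise the server cannot open the key database.
$sth = [IO.Path]::ChangeExtension($kdb, '.sth')
if (-not (Test-Path $sth)) { throw "Stash file $sth was not created" }

# Check 2: the label is present in the key database listing (as in step 2.8).
$listing = & $gsk -cert -list all -db $kdb -pw $pw
if (-not ($listing | Select-String -SimpleMatch $label)) { throw "Label $label not found in $kdb" }

# Check 3: show subject, issuer and validity so they can be eyeballed before restart.
& $gsk -cert -details -db $kdb -pw $pw -label $label

# Check 4: the extracted file holds a PEM certificate and no private key material.
$armText = Get-Content $arm -Raw
if ($armText -notmatch 'BEGIN CERTIFICATE') { throw "$arm does not contain a certificate" }
if ($armText -match 'PRIVATE KEY')         { throw "$arm unexpectedly contains a private key" }

# Harden the stash file and key database: readable only by the server account and administrators.
foreach ($f in @($kdb, $sth)) {
    icacls $f /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
}
Write-Host "Key database ready: $kdb (default certificate '$label'); distribute $arm to clients."
```

For the CA-signed path, replace the `-cert -create` call with the `-certreq -create`, `-cert -add` and `-cert -receive` calls from steps 2.1 through 2.7, keeping the same Invoke-Gsk wrapper and the same checks; the label to verify is then mycert rather than myselfsigned.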