Setting up SSL on Content Manager OnDemand for AIX

You can set up Secure Sockets Layer (SSL) on Content Manager OnDemand.

To set up SSL on Content Manager OnDemand:

  1. Create the key database and store it in the config subdirectory of the Content Manager OnDemand server installation directory (/opt/IBM/ondemand/V10.1).
    To create the key database, run a command similar to the following command:
    gsk8capicmd_64 -keydb -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -stash -populate
    The following list describes why these parameters were chosen:
    -keydb -create -db "ondemand.kdb"
    Indicates that you want to create a key database called ondemand.kdb.
    -pw "myKeyDBpasswd" -stash
    Indicates that you want to create a stash file and store the password (myKeyDBpasswd) in that stash file. The GSKCapiCmd tool stores the stash file at the same path as the key database. You must remember this path because you must specify it in the ars.ini file. GSKCapiCmd creates the stash file with the same file name as the key database (ondemand), with the file extension of .sth. When Content Manager OnDemand starts, GSKit retrieves the password to the key database from this stash file.
    -populate
    Populates the key database with a set of predefined trusted certificate authority (CA) certificates. A trusted CA is a certificate authority whose root certificate is marked as trusted in the key database. For the list of default trusted root certificates, see Default GSKit trusted root certificates.
  2. Create a digital certificate. You can create a self-signed certificate, which is useful for testing. When you are ready to move to a production environment, create a CA-signed digital certificate. For instructions, see Creating a self-signed certificate and Creating a CA-signed digital certificate.
  3. Configure the Content Manager OnDemand initialization file. Add the following lines to the ARS.INI file:
    SSL_PORT=port_number
    SSL_KEYRING_FILE=/opt/IBM/ondemand/V10.1/config/ondemand.kdb
    SSL_KEYRING_STASH=/opt/IBM/ondemand/V10.1/config/ondemand.sth
    SSL_KEYRING_LABEL=IBM Content Manager OnDemand
    SSL_CLNT_USE_SSL=0
    The following list describes these parameters:
    SSL_PORT
    Specify one of the following values:
      port_number
        The port number on the Content Manager OnDemand server dedicated to communicating with the SSL protocol. To set the Content Manager OnDemand server to only use the SSL protocol, also set the PORT parameter in the ARS.INI file to a value of -1 (PORT=-1).
      0
        No port on the Content Manager OnDemand server communicates with the SSL protocol.
    SSL_KEYRING_FILE
    Specify the full path and file name of the key database that contains the digital certificates.
    SSL_KEYRING_STASH
    Specify the full path and file name of the stash file for the key database.
    SSL_KEYRING_LABEL
    Specify the name of the certificate in the key database.
    SSL_CLNT_USE_SSL
    Specify whether the server-side clients (for example, ARSDOC, ARSMAINT, or ARSLOAD) must communicate with the SSL protocol. Specify 0 to indicate that the clients do not communicate with the SSL protocol. Specify 1 to indicate that the clients must communicate with the SSL protocol.
  4. Restart the Content Manager OnDemand server.
    Because a trusted certificate authority provided the digital certificate, the Content Manager OnDemand server accepts the certificate. Both the ondemand.kdb and ondemand.sth files must also be placed on each workstation where the Content Manager OnDemand clients are installed: download both files to the config subdirectory under the client installation directory.
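The following shell script is an added example, not part of the IBM documentation: it writes the ARS.INI stanza for an SSL-only server (SSL_PORT set, PORT=-1, server-side clients on SSL) and checks an existing ARS.INI for the mistakes that stop the server from listening on SSL. The installation directory, port and certificate label passed to it are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: writes the ARS.INI SSL
# stanza for an SSL-only Content Manager OnDemand server and validates the
# SSL settings of an existing ARS.INI. Install directory, port and label
# are caller-supplied assumptions.

# Print the ARS.INI lines for an SSL-only server.
# $1 = install directory, $2 = SSL port, $3 = certificate label in the key database
ssl_stanza() {
  printf 'PORT=-1\n'                                   # -1: no non-SSL listener
  printf 'SSL_PORT=%s\n' "$2"
  printf 'SSL_KEYRING_FILE=%s/config/ondemand.kdb\n' "$1"
  printf 'SSL_KEYRING_STASH=%s/config/ondemand.sth\n' "$1"
  printf 'SSL_KEYRING_LABEL=%s\n' "$3"
  printf 'SSL_CLNT_USE_SSL=1\n'                        # ARSDOC/ARSMAINT/ARSLOAD use SSL too
}

# Read one KEY=value from an ini-style file; the last occurrence wins.
ini_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Return 0 when the SSL settings in $1 are usable, 1 otherwise; each problem is printed.
check_ssl_config() {
  rc=0
  port=$(ini_get "$1" SSL_PORT)
  kdb=$(ini_get "$1" SSL_KEYRING_FILE)
  sth=$(ini_get "$1" SSL_KEYRING_STASH)
  label=$(ini_get "$1" SSL_KEYRING_LABEL)
  case "$port" in
    ''|0) echo "SSL_PORT is unset or 0: the server will not accept SSL connections"; rc=1 ;;
  esac
  [ -n "$label" ] || { echo "SSL_KEYRING_LABEL is empty"; rc=1; }
  [ -f "$kdb" ] || { echo "key database not found: $kdb"; rc=1; }
  if [ -f "$sth" ]; then
    # The stash file holds the key database password; keep it readable by the owner only.
    perm=$(stat -c %a "$sth" 2>/dev/null || stat -f %Lp "$sth")
    [ "$perm" = 600 ] || { echo "stash file $sth has mode $perm, expected 600"; rc=1; }
  else
    echo "stash file not found: $sth"; rc=1
  fi
  return $rc
}
```

Run `ssl_stanza /opt/IBM/ondemand/V10.1 1445 "IBM Content Manager OnDemand" >> ars.ini` to append the stanza, then `check_ssl_config ars.ini` before restarting the server.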