EAServer Manager | Certificates folder allows you to manage keys and certificates used by EAServer.
This section describes the tasks involved in accessing and managing the server certificate database or the certificate database used by client applications. To manage the server certificate database, configure the top-level Certificates folder in EAServer Manager, while connected to the server. To manage the client certificate database, you must run the standalone Security Manager. Other than the tool used, the management tasks are identical for the client and server certificate database.
You can install and use the standalone Security Manager on a client machine to manage client keys, certificates, and trust information in a local database. The standalone Security Manager is completely independent of EAServer Manager and server installations. Except for the login screen, the standalone Security Manager is identical to EAServer Manager | Certificates folder used to manage server keys and certificates.
The Standalone Security Manager allows C++ CORBA clients and Java applications to access servers using SSL features over IIOPS connections. For more information, see these chapters:
Accessing the server certificate database in EAServer Manager
To begin managing the server certificate database:
Start EAServer Manager as described in “Using EAServer Manager” in the EAServer System Administration Guide.
Expand the top-level Certificates folder. The first time you select this folder in your session, you must enter the PIN for the PKCS #11 token. The default for new installations is “sybase”.
Starting the standalone Security Manager
Change to the EAServer bin subdirectory.
Run sasecmgr to start Sybase Central.
In Sybase Central, choose Tools | Connect.
Choose Security Manager.
Enter the PIN for the PKCS #11 token. The default for new installations is “sybase”. Make sure the Client Root setting matches the installation you want to configure; this field should match the value of the JAGUAR or JAGUAR_CLIENT_ROOT environment variable as set for the installation to be configured.
Changing the user PIN
The initial PIN for the PKCS #11 token is “sybase”. You can also use the same PIN to log in to EAServer Manager | Certificates folder and, if installed, the Sybase PKCS #11 token in Netscape. To change to a more secure PIN:
Select the Private Keys folder.
Select File | Change PIN.
Enter and verify the new PIN.
Restart Netscape for the new PIN to propagate to the Sybase PKCS #11 token.
Displaying PKCS #11 module information
Select the Private Keys folder.
To view information about the Sybase PKCS #11 module, including the library version and the Cryptoki version, select File | Module Information.
To view information about the Sybase PKCS #11 token that manages your key and certificate information, including status and version information, select File | Token Information.
Logging out of the PKCS #11 module
Select the Private Keys folder.
Select File | Logout.
You are still logged in to EAServer Manager but can no longer access keys or certificates.
The test CA is a signing authority that signs user certificate requests. These certificates can be used by clients and EAServer to test the security features of your applications. Certificates signed by the test CA are not intended for commercial applications. If you already have an in-house CA or other signing authority, you may not need to use the test CA.
The test CA must exist before you can access the Process Certificate Request and Generate User Test Certificate options.
Creating a test CA
To verify that the test CA is available, highlight the CA Certificates folder. You should see the Sybase Jaguar User Test CA on the right side of the window. If not, you must generate the test CA.
Select the CA Certificates folder.
Select File | Generate Test CA.
The Sybase Jaguar User Test CA displays on the right side of the window. You can now generate test certificates signed by the test CA and process certificate requests.
Generating a user certificate signed by the test CA
Select the CA Certificates folder.
Select File | Generate User Test Certificate. The Generate User Test Certificate wizard displays.
Supply the required information described in Table 14-1. Click Back and Next to review and modify information.
You can use any of the following characters for the label:
Letters A – Z and a – z
Numeric values 0 – 9
(space) ’ ( ) + , - . / : = ?
Click Finish to exit the wizard and generate the certificate.
Click OK in the Info dialog. The certificate displays when you highlight the User Certificates folder.
| Property | Description | Comments/example |
|---|---|---|
| Key Strength | Select the authentication key strength. The greater the number, the stronger the encryption. Your options are: | For international users, key strength is 512. |
| Key Label | The name that identifies the certificate. | Required field. The label must be unique among all labels used for all certificates. |
| Validity Period | From the drop-down list, select the length of time that the certificate is valid. | When a client (or server) presents a certificate for authentication, EAServer (or the browser) checks to see if the certificate has expired. |
| Cert Usage | Click the check box for either or both: | The same certificate can be used by a client and/or EAServer. |
| Common Name | Your first and last name. | Required field. |
| User ID | Any ID that would further identify you. | |
| Organization | The name of your company, university, or other organization. | Required field. |
| Organization Unit | The name of a department within your organization. | |
| Locality | The location of your organization. | You must supply at least one of: |
| State/Province | State or province name. | |
| Country | Your two-digit country code; for example, “U.S.” | |
| Requester Name | The person requesting the certificate. | |
| Server Admin | The name, if any, of the server administrator. | |
| | Your e-mail address. | |
| Mark Private Key Exportable | Checked by default, this property allows you to export this certificate along with its private key. | See “Installing and exporting certificates” for more information. |
Processing a certificate request
EAServer Manager | Certificates folder can process a certificate request generated from elsewhere. The test CA signs the request and generates the certificate.
Select the CA Certificates folder.
Select File | Process Certificate Request.
Paste the certificate request into the window as indicated. Here is an example of a base64 certificate request. You must include the entire contents, including the BEGIN and END lines:
```
-----BEGIN NEW CERTIFICATE REQUEST-----
MIH4MIGjAgEAMD4xCjAIBgNVBAMTAWExCjAIBgNVBAoTAWExCjAIBgNVBAcTAWEx
CzAJBgNVBAgTAmNhMQswCQYDVQQGEwJ1czBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
QQC9Yn9AOzflqIarPCC7eRdr3C0wrIG+3B2T+pEs9sdgEjnc/bw1GfxcZKYamWXg
G1KQycFqkdrFNP79fgRCOd3xAgMBAAGgADANBgkqhkiG9w0BAQQFAANBAIEljmCB
HbFdNj0MtFDa002f/Trl6FtGCh7Gs23pZlWIUzDlGFowiuJY6iMDzd/1bJz5yYB+
IvlM9Ath/zTF2eY=
-----END NEW CERTIFICATE REQUEST-----
```
Set the following certificate properties:
Click Next. The certificate is generated and displays in the dialog. Here is the signed base64 certificate:
```
-----BEGIN CERTIFICATE-----
MIICYTCCAcqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADCBgjEzMDEGA1UEAxMqU3li
YXNlIEphZ3VhciBVc2VyIFRlc3QgQ0EgKFRFU1QgVVNFIE9OTFkpMSAwHgYDVQQK
ExdTeWJhc2UgSmFndWFyIFVzZXIgVGVzdDEpMCcGA1UEBxMgU3liYXNlIEphZ3Vh
ciBVc2VyIFRlc3QgTG9jYWxpdHkwHhcNOTgwNzAyMDIzOTEzWhcNOTgwOTAyMDIz
OTEzWjBHMQ0wCwYDVQQDEwR0ZXN0MQ0wCwYDVQQKEwR0ZXN0MQ0wCwYDVQQHEwR0
ZXN0MQswCQYDVQQIEwJjYTELMAkGA1UEBhMCdXMwXDANBgkqhkiG9w0BAQEFAANL
ADBIAkEAvzvqs9yjW/PDCt/Rotp9x9PHrULLeGOLlVSubo9poY1f5OYwsrjfaOtT
bkhWDrakuwJJk8smDNSAl93tdP9r8wIDAQABo2UwYzAMBgNVHRMEBTADAQEAMB0G
A1UdDgQWBBTAT0n9qsvdfqc9NzGPA5oLKsMzJjAhBgNVHSMEGjAYoBYEFGLT8qZb
3LtGjw84nxna9YBHb7q6MBEGCWCGSAGG+EIBAQQEAwIAwDANBgkqhkiG9w0BAQQF
AAOBgQB3OStVqhoWT66yXNsrznCg9t8yNClobnKGOJTqt+VbhV7BUgBH+fVSjf7v
xJyV4twwlBvU08PsKYQGj4sJ1Ao3lsOXWrr6YZIHZZ6p9P8JXjY016Vg9g5SDmEV
jgGbwy6ZOZYx27npp4X31WXY27KDZrV/FrwvF6/Pv6mZY7ijUw==
-----END CERTIFICATE-----
```
Select Save to File and enter the full path name to save the generated certificate as a file. You can also select Browse to specify the location for the file.
If you want to use this certificate for authentication, you must install the certificate on the same machine that generated the certificate request, since this is where the private key is stored.
Certificates signed by the test CA are intended for testing only. In a real-life situation, the CA would verify user information to establish identity.
Exporting the test CA certificate
You can export certificates, including the test CA certificate. Exporting the test CA certificate allows you to load it into Netscape 4.0x browsers and mark it trusted. This prevents Netscape from displaying warnings about untrusted certificate authorities when you use listeners that use certificates signed by the test CA.
Select the CA Certificates folder.
Highlight the Sybase Jaguar User Test CA.
Select File | Export Certificate.
From the Export Certificate wizard, select the format type for the exported certificate. For the Test CA, select Binary Encode X509 Certificate. Click Next.
Select Save to File and enter the full path name to a file that will contain the test CA.
Do not add any extension to the file name. A .crt extension is automatically added to the exported certificate. Netscape 4.0x recognizes this extension as an X.509 certificate and handles it accordingly.
Click Finish to export the certificate to the file you specified.
For general information about the Export Certificate wizard and certificate types, see “Installing and exporting certificates”.
Loading the test CA’s certificate into Netscape 4.0x
You must be logged in to the Netscape token.
Enter the full path of the file that contains the exported test CA’s certificate in Netscape’s URL/Netsite field.
Select Open and click OK.
Click Install Certificate. Netscape recognizes the .crt extension as belonging to a certificate authority and displays a series of dialogs asking if you want to accept the CA.
If Netscape does not recognize the .crt file extension, perform these steps and restart Netscape before trying to load the test CA:
From Netscape, select Edit | Preferences.
Under Category, click Applications.
Under Description, scroll down and select “Internet Security Certificate.” Click Edit.
Verify that the Mime Type field contains:
application/x-x509-ca-cert
Click OK.
If you are using UNIX, make sure the following line is in your ~/.mime.types file before you start Netscape:
application/x-x509-ca-cert crt cer ber der
This line ensures that Netscape recognizes the .crt file extension.
Follow the instructions in the dialogs to accept this certificate.
Netscape now allows you to connect to EAServer ports that require authentication, and accepts the certificates signed by the test CA without displaying warnings.
This section describes the tasks involved in key management.
To view the private keys installed in the security module, select the Private Keys folder. The private keys display on the right side of the window.
EAServer Manager | Certificates folder displays any private key that does not have a certificate associated with it, including private keys that have an outstanding certificate request. For example, you may generate a key pair and request a certificate from a CA at the same time. It may take several days to receive your certificate. In the meantime, the private key displays when you highlight the Private Keys folder.
Sybase recommends that you delete any private key that does not have an outstanding certificate request associated with it.
Viewing information about a private key
Select the Private Keys folder.
Highlight the key whose information you want to view.
Select File | Key Information. The Key Information dialog box displays the length of the key.
Deleting a private key
Select the Private Keys folder. The private keys display on the right side of the window.
Select the key that you want to delete.
Select File | Delete Key.
EAServer Manager | Certificates folder comes with several preinstalled CA certificates. EAServer accepts client certificates only if they have been signed by a trusted CA. You can modify the trust attribute for any of the preinstalled certificates. See “Viewing certificate, trust, and export information” for more information.
Generating a key pair and requesting a certificate
You can generate a key pair and send the certificate request to a CA to be signed. Once the CA has signed and returned the request, you can install the certificate.
Select the Private Keys folder.
Select File | Key/Cert Wizard.
Supply the required information, described in Table 14-2. Use Back and Next to review or change any information.
You can use any of the following characters:
Letters A – Z and a – z
Numeric values 0 – 9
(space) ’ ( ) + , - . / : = ?
In Asian-language editions of EAServer, you can enter Asian-language data in the Certificate Signing Request wizard in Security Manager. Before generating requests that contain UTF-8 characters, check with your certificate authority (CA) whether UTF-8 data is supported.
Click Finish to exit the wizard. EAServer Manager | Certificates folder generates the key pair and saves the certificate request to a file that you specify, or installs a certificate if you have pasted one into the certificate dialog.
Send your certificate request to a CA for signing. Depending on the CA, this could be through e-mail or by attaching to the CA’s URL.
When you receive it, install the certificate. See “Installing and exporting certificates”.
The new private key appears on the right side of the window when you highlight the Private Keys folder. Once the certificate is received and installed, the private key is removed from the private key list.
| Property | Description | Comments/example |
|---|---|---|
| Key Strength | Select the authentication key strength. The greater the number, the stronger the encryption. Your options are: | For international users, key strength is 512. |
| Key Label | The name that identifies the private key/certificate. | Required field. The label must be unique among all labels used for certificates. |
| Mark Private Key Exportable | Check this box to allow the export of this certificate along with its private key. | See “Installing and exporting certificates” for more information. |
| UTF-8 Encoding | Check this box to allow entry of UTF-8 encoded characters. | Allows entry of Asian-language text. Before generating requests that contain UTF-8 characters, check with your certificate authority (CA) whether UTF-8 data is supported. |
| Common Name | This could be your first and last name, the name of a university, or the EAServer host name. | Required field. |
| User ID | Any user ID that would further identify you. | |
| Organization | The name of your company, university, or other organization. | Required field. |
| Organization Unit | The name of a department within your organization. | |
| Locality | The location of your organization. | You must supply at least one of: |
| State/Province | The name of your state or province. | |
| Country | Your two-digit country code; for example, “U.S.” | |
| Requester Name | The person requesting the certificate. | |
| Server Admin | The name, if any, of the server administrator. | |
| | Your e-mail address. | |
| Server Certificate Request | Displays the request information along with the generated public key. | Depending on the CA, you might be able to copy and paste the certificate request from this window into an e-mail and forward it for signing. |
| Save to File | Select this option and enter the full path name to save the generated certificate request as a text file. You can also use the browse feature to locate and save the file. | If you do not immediately send the certificate request to be signed, save the certificate request to a file and send it for signature later. |
| Cut and Paste the Certificate | If available, paste the signed certificate in this window for installation. | If you do not install the signed certificate now, you can use the Install Certificate option when you receive your signed certificate. |
| Format Type | Identifies the format of the certificate request. Your options are “base64” or “binary.” | For server certificates, you would normally use a base64 format. |
When installing or exporting a certificate, EAServer Manager | Certificates folder determines the type of certificate based on the file extension. The extensions and the type of certificates they represent are:
.crt Belongs to X.509 certificates, including CA certificates. In addition, Netscape certificate chains end with a .crt extension.
.p12 and .pfx Belong to transferred user certificates. Sybase’s PKCS #12 implementation generates PKCS #12 files with a .p12 file extension. This extension is recognized by both Netscape and Internet Explorer. The earlier PKCS #12 standard specified a .pfx file extension. You can install a PKCS #12 file that uses either extension into Sybase’s PKCS #11 token.
Binary and base64 Certificates can either be encoded/decoded using a binary or base64 scheme. Base64 is based on an ASCII format and certificates of this type can be installed from a file or pasted into the appropriate window. Binary certificates, on the other hand, must be read from a file. The encoding scheme has no effect on a certificate’s file extension.
Transferring versus importing and exporting: transferring user certificates and private keys allows you to use the certificate and private key in the target security environment. Exporting, installing, and marking a CA certificate trusted in the target security environment simply allows you to accept certificates that have been signed by that CA.
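The tool decides the certificate type from the file extension and accepts base64 input by paste but binary input only from a file. The Go program below is an added example written for this section, not Sybase's or EAServer's code: it applies the same extension rule and, as a defensive extra the page does not describe, inspects the bytes themselves so that a pasted PKCS #12 file or a mislabelled binary file is rejected rather than misread. The CertFile type and the classify, kindFromExtension, toBase64 and toBinary names are constructed; the 0x30 SEQUENCE-tag check is a heuristic for DER input; and the five-byte DER sample in main is constructed and is not a real certificate.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"fmt"
	"path/filepath"
	"strings"
)

// CertFile records what the extension announces and what the bytes actually are.
type CertFile struct {
	Kind     string // "x509", "pkcs12" or "unknown", from the extension
	Encoding string // "base64" or "binary", from the content
	PEMType  string // BEGIN/END label when base64 encoded, e.g. "CERTIFICATE"
	DER      []byte // the DER object itself, identical in either encoding
}

// kindFromExtension applies the extension-to-type rule described above.
func kindFromExtension(name string) string {
	switch strings.ToLower(filepath.Ext(name)) {
	case ".crt":
		return "x509"
	case ".p12", ".pfx":
		return "pkcs12"
	default:
		return "unknown"
	}
}

// classify pairs the extension rule with a look at the bytes: base64 (PEM) data
// carries BEGIN/END lines, while binary DER starts with an ASN.1 SEQUENCE tag
// (0x30). Content that contradicts the extension is rejected, not guessed.
func classify(name string, data []byte) (CertFile, error) {
	cf := CertFile{Kind: kindFromExtension(name)}
	switch {
	case bytes.Contains(data, []byte("-----BEGIN ")):
		block, _ := pem.Decode(data)
		if block == nil {
			return cf, fmt.Errorf("%s: has BEGIN/END lines but is not valid base64", name)
		}
		cf.Encoding, cf.PEMType, cf.DER = "base64", block.Type, block.Bytes
	case len(data) > 0 && data[0] == 0x30:
		cf.Encoding, cf.DER = "binary", data
	default:
		return cf, fmt.Errorf("%s: neither base64 (no BEGIN line) nor binary DER (no SEQUENCE tag)", name)
	}
	if cf.Kind == "pkcs12" && cf.Encoding == "base64" {
		return cf, fmt.Errorf("%s: PKCS #12 files are binary and must be read from a file, not pasted", name)
	}
	return cf, nil
}

// toBase64 re-encodes a DER object for pasting (the wizard's "base64" format type).
func toBase64(pemType string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: pemType, Bytes: der})
}

// toBinary recovers the DER object from base64 input (the "binary" format type).
func toBinary(pemData []byte) ([]byte, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, fmt.Errorf("input is not base64 encoded")
	}
	return block.Bytes, nil
}

func main() {
	// Constructed sample: a minimal DER SEQUENCE, not a real certificate.
	der := []byte{0x30, 0x03, 0x02, 0x01, 0x05}
	for _, f := range []struct {
		name string
		data []byte
	}{
		{"server.crt", toBase64("CERTIFICATE", der)},
		{"server.crt", der},
		{"identity.p12", toBase64("PKCS12", der)},
	} {
		cf, err := classify(f.name, f.data)
		fmt.Printf("%-13s kind=%-7s encoding=%-6s err=%v\n", f.name, cf.Kind, cf.Encoding, err)
	}
}
```

The encoding never changes the DER object, which is why toBase64 followed by toBinary returns the original bytes; only the container changes, exactly as the page says the encoding scheme has no effect on the file extension.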
Installing and exporting certificates
EAServer Manager | Certificates folder allows you to export or import (install):
Certificates signed by the test CA.
Certificates signed by another CA.
Certificate chains – a certificate chain is a certificate that has been signed by a CA, which in turn has been signed by a CA, and so on. The certificate contains information that traces the path of the certificate back to the root CA (the original signer).
A signer’s (CA) certificate. You need to install a signer’s certificate and mark it as trusted so that EAServer accepts certificates signed by that CA.
User certificates and their corresponding private key using the PKCS #12 standard.
PKCS #12 is an RSA standard that specifies a transfer syntax for personal identity information. EAServer’s support of the PKCS #12 standard allows you to move user certificates and private keys between systems and programs that support the PKCS #12 standard, such as Netscape Communicator and Microsoft’s Internet Explorer.
Sybase’s PKCS #12 implementation allows you to transfer certificates and private keys in either a domestic format (128-bit encryption) or international format (40-bit encryption). You can find more information about domestic and international support in “Configuring security profiles”.
Installing a certificate
Select the folder that corresponds to the type of certificate you are installing.
Select File | Install Certificate.
Either paste the entire contents of the certificate into the box (base64 encoded certificates only), or click the Import from File box.
If you select Import from File, the cut and paste area is dimmed. Use the browse feature to locate the certificate.
Click Install. If the certificate is of type .crt or .p7c, it is installed. If the file is a PKCS #12 type (has either a .p12 or .pfx extension) the PKCS #12 Certificate/Private Key window displays:
Enter the password that allows access to the file. This is the password you entered when you exported the certificate and private key.
To export the certificate and its private key at a later time you must check the Mark private key as exportable check box, which is, by default, already selected.
Click Done.
The certificate is assigned to a folder based on its type:
User Your certificates and other user certificates, including certificates signed by the test CA used to authenticate EAServer. These are the certificates that have a matching private key stored in the PKCS #11 token.
CA Certificates obtained from CAs. These identify the signers of certificates that EAServer recognizes.
Trusted A subset of the CA certificates. These are the signers of certificates that EAServer trusts. EAServer accepts the certificates from clients that have been signed by trusted CAs. You must mark a CA as trusted before it appears in the Trusted folder. See “Viewing certificate, trust, and export information” for more information.
Other Certificates obtained from other users or organizations that cannot be identified as User or CA.
Once installed, you can assign a user certificate to a security profile. For more information, see “Configuring security profiles”.
After installing a signer’s certificate, mark it as trusted if you want to accept certificates signed by that signer. See “Viewing certificate, trust, and export information” for more information.
Exporting a certificate
Select the Certificates folder that contains the certificate to be exported.
Highlight the certificate to be exported.
Select File | Export Certificate.
From the Export Certificate wizard, select the format type of the certificate to be exported.
If you have chosen Export Certificate from the User Certificate folder, and you selected “Mark Private Key Exportable” when you generated the key pair and requested a certificate, the PKCS #12 option is available.
Depending on the type of certificate you select, one of two windows appears:
If you have selected a certificate format that is not PKCS #12, select Save to File and enter the full path name to a file that contains the certificate.
Do not add any extension to the file name. The appropriate extension is automatically added to the exported certificate.
If you have selected PKCS #12, enter and confirm a password used to protect access to the exported certificate and its private key. When you try to install the certificate, you are prompted for this password; there are also several advanced options you can configure that affect the exported certificate. See “Advanced PKCS #12 options”. When you are finished, click Next.
Select Save to File and enter the full path name to a file to contain the certificate.
Do not add any extension to the file name. The appropriate extension is automatically added to the exported certificate.
Click Finish to export the certificate to the file you specified.
The advanced screen allows you to modify the PKCS #12 options listed below. The default settings are appropriate in most cases and should only be modified by experienced users:
Include certificate trust chain If the certificate is part of a chain, clicking this box adds information about the CAs in the certificate’s chain. See “Verifying a certificate” for additional information about certificate chains.
Private key encoding algorithm The password-based algorithm used to protect the contents of the exported private key. The default algorithm is 40BitRC2, which is accepted by most browsers. If you want to export the private key using stronger or weaker encryption, select an algorithm from the drop-down list, but be sure that the target browser accepts the stronger encryption. EAServer Manager | Certificates folder can export or import private keys that are shrouded with any of the listed algorithms.
Certificate encoding algorithm The password-based algorithm used to protect the contents of the exported user certificate. The default algorithm is 40BitRC2, which is accepted by most browsers. If you want to export the certificate using stronger or weaker encryption, select an algorithm from the drop-down list, but be sure that the target browser accepts the stronger encryption. EAServer Manager | Certificates folder can export or import user certificates that are shrouded with any of the listed algorithms. See “Configuring security profiles” for a description of the various encryption methods and terms.
Viewing certificate, trust, and export information
You can view the information about the certificates that you have installed and your own certificates, including identifying, trust, and usage information. To view certificate information:
Select the folder for the type of certificate you want to view:
User
CA
Trusted
Other
Select the certificate you want to view.
Select File | Certificate Info.
The Certificate Information dialog appears. Use the scroll bar to view all of the information.
The Certificate dialog includes a Trusted Certificate check box. Based on the policies of your organization, trustworthiness of the certificate signer, and other considerations, specify whether or not to mark a certificate as trusted. Only CA certificates can be marked as trusted or untrusted.
Certificates that are marked as trusted display when you select the Trusted folder.
For user certificates, an Exportable Private Key check box is provided. If this box is checked, you can export the certificate, along with its private key. To prevent future exports, you can uncheck the box. Once unchecked, the private key can never be exported. See “Installing and exporting certificates” for more information.
Verifying a certificate
EAServer Manager | Certificates folder verifies the signature, expiration date, and validity of a certificate. If the certificate is part of a chain of certificates, it verifies each certificate in the chain.
A chain involves more than one certificate. Each certificate in the chain is signed by the preceding certificate. For the certificate to be verified, the entire chain must be verified. If a peer offers a certificate for authentication that belongs to a chain, at least one CA within the chain must be trusted for the certificate to be accepted.
To verify a certificate:
Select the folder for the type of certificate you want to verify.
Highlight the certificate you want to verify.
Select File | Verify.
A dialog appears that either verifies the certificate or informs you that verification was unsuccessful. Do not use certificates that fail verification.
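The Process Certificate Request procedure earlier in this section and the Verify procedure just above are the two halves of ordinary certificate issuance. The Go program below is an added example written for this section, not EAServer or Security Manager code, using only the standard crypto/x509 package: it creates a self-signed test CA, turns a pasted base64 PKCS #10 request into a certificate signed by that CA, and then verifies the result the way File | Verify does, so that a certificate from a signer that is not in the trusted set, or one outside its validity period, fails verification. The function names, the CA name and the subject values are constructed; ECDSA P-256 keys are the editor's choice and not one of the wizard's key-strength options.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must turns an unrecoverable failure (key generation, self-signing) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestCA is File | Generate Test CA: a self-signed CA certificate and its key.
func newTestCA(name string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// newRequest is the requester's half of the Key/Cert wizard: a fresh key pair and a
// base64 (PEM) PKCS #10 request. The private key stays on this side, which is why
// the signed certificate must later be installed where the request was generated.
func newRequest(commonName, org string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName, Organization: []string{org}}}
	der := must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

// processRequest is File | Process Certificate Request: decode the pasted base64
// request (BEGIN/END lines included), check its self-signature as proof that the
// requester holds the private key, and issue a certificate signed by the CA.
func processRequest(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrPEM []byte, validFor time.Duration) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil {
		return nil, fmt.Errorf("request is not base64 encoded or lacks its BEGIN/END lines")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature does not verify: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// verifyCertificate is File | Verify: signature, validity period and the chain up to
// the one CA passed as trusted are checked; any other signer is rejected.
func verifyCertificate(certPEM []byte, trusted *x509.Certificate) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("certificate is not base64 encoded")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	ca, caKey := newTestCA("Example Test CA (constructed)", 24*time.Hour)
	certPEM, err := processRequest(ca, caKey, newRequest("test", "test"), 60*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(certPEM))
	fmt.Println("verify against the test CA:", verifyCertificate(certPEM, ca))
}
```

The CheckSignature call is the proof-of-possession step a CA performs before signing anything, and the Verify call only succeeds when the signer is in the root pool, which plays the role of the Trusted folder: the same certificate checked against a different CA, or after its NotAfter date, is reported as a verification failure rather than accepted.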
Renaming a certificate
Only the label of the certificate is changed. The content of the certificate remains the same.
Select the folder type for the certificate you want to rename.
Highlight the certificate to rename.
Select File | Rename Certificate.
Enter the new name of the certificate. Click Done.
Deleting a certificate and its associated private key
EAServer Manager | Certificates folder allows you to delete your own certificates and associated private keys, the test CA, and certificates that you have obtained from others.
Select the folder for the type of certificate you want to delete.
Highlight the certificate you want to delete.
Select File | Delete Certificate.
If you delete the test CA, certificates that were signed by the test CA are no longer useful. In this case, you need to generate a new test CA and new certificates signed by the new test CA to test your security scenarios.
Copyright © 2005. Sybase Inc. All rights reserved.