Changes between Version 1 and Version 2 of APACHE_sharing_iplanet_cert

Timestamp:

12/03/14 15:13:50 (10 years ago)

Author:

lttoth@…

Comment:

--

APACHE_sharing_iplanet_cert

@@ -3 +3 @@
 
 == Overview ==
-Handling of certificates is managed different on the legacy systems, E boxes, than that of the IDMP-''x'' cluster.  The discussion is divided into two groups, 
+Handling of certificates is managed differently on the legacy systems, E boxes, than that of the IDMP-''x'' cluster.  This document focuses only on certificate management for the legacy E Box system.
+
 Apache and iPlanet share the certificate file requested by, and installed under, iPlanet.
 The crt and key file names/locations are indicated in the httpd.conf file:
@@ -10 +11 @@
          * SSLCertificateKeyFile:  /usr/local/Apache/ssl-certs/<''E Box''>_private.key
 
-== Extracting CRT and Key Components from the iPlanet Certificate ==
+== Extracting CRT and Key Components from the E Box iPlanet Certificate ==
 What follows is an example of the process for extracting the crt and key components from the
 iPlanet certificate.  The appropriate response to all password prompts is the token value
@@ -17 +18 @@
          <''E Box''>:~iplanet/.ssl.pass  
 
-The entire listing of passwords used by the user, iplanet on the E Box servers is:IDMP-'xx' servers 
-The IDMP-x cluster servers have set up access based on functionality in a different way.  On those machines
-''Note:''  the output file name (./junk) in the commands below is arbitrary.
-Note:  the 'pk12util' command below is wrapped with <backslash-newline> on first line.
+In the example below, the output file name (./junk) in the commands is arbitrary.  Also be aware that the ''pk12util'' command below is wrapped with <backslash-newline> on first line. The following options are used:
 
+        * '-d /e01/iplanet/servers/alias/' references the location of cert/key database files.
+        * '-P slapd-<E box>-' references the prefix associated with a particular directory.
+        * '-n server-cert' references the nickname of a particular certificate in the cert/key database.
+
+{{{
 iplanet@eklutna> /e01/iplanet/servers/shared/bin/pk12util -o ./junk \
-                 -d /e01/iplanet/servers/alias/ -n server-cert -P slapd-eklutna-
+                 -d /e01/iplanet/servers/alias/ -n server-cert -P slapd-<E box>-
 
 Enter Password or Pin for "NSS Certificate DB":  *XXYYZZ*
@@ -29 +32 @@
 Re-enter password:  *XXYYZZ*
 pk12util: PKCS12 EXPORT SUCCESSFUL
+}}}
 
-++++++++++++++++++++++++++++++=
-In the above example: (see also: pkcs12 --help)
+In additional option may be used:
+      * '[-w p12filepwfile | -W p12filepw]' allows a direct reference to the password file rather than entering it via prompts.
 
-        '-d /e01/iplanet/servers/alias/' references the location of cert/key database files.
-        '-P slapd-eklutna-' references the prefix associated with a particular directory.
-        '-n server-cert' references the nickname of a particular certificate in the cert/key database.
+In the above example: (see also: [[https://www.openssl.org/docs/apps/pkcs12.html|pkcs12 - PKCS#12 file utility - OpenSSL]])
 
-Each nickname corresponds to a particular cert.  The nickname server-cert is the default nickname
-proposed by iPlanet.  That nickname is what we associated with the server name based certs (e.g. 
-the eklutna, elias, egegik and edgar certs are all associated with the server-cert nickname).
-More recently, certs requested under iPlanet are given more explicit nicknames like 'edirtest'.
+== Certificate Nicknames ==
+Each nickname referenced by the ''-n'' option corresponds to a particular cert.  The nickname, server-cert, is the default nickname proposed by iPlanet.  That nickname is what we associated with the server name based certs.  In other words, the eklutna, elias, egegik and edgar certs are all associated with the server-cert nickname.  More recently, certs requested under iPlanet are given more explicit nicknames like ''dirtiest''.
 
 To obtain a list of nicknames from a specific key database:
-
+{{{
 iplanet@eklutna> /e01/iplanet/servers/shared/bin/certutil -K -d /e01/iplanet/servers/alias -P slapd-eklutna-    
 Enter Password or Pin for "NSS Certificate DB":
 <0> 
 <1> server-cert
-++++++++++++++++++++++++++++++=
 
 iplanet@eklutna> ls -al ./junk
 -rw-------   1 iplanet  iplanet     2772 Oct 27 16:01 ./junk
-
 iplanet@eklutna> /usr/local/bin/openssl pkcs12 -clcerts -nokeys -in ./junk -out ./eklutna.crt
 Enter Import Password:  *XXYYZZ*
@@ -59 +57 @@
 iplanet@eklutna> ls -lrt ./eklutna.crt
 -rw-r--r--   1 iplanet  iplanet     1245 Oct 27 16:02 ./eklutna.crt
-
 iplanet@eklutna> /usr/local/bin/openssl pkcs12 -nocerts -in ./junk -out ./eklutna_private.pem
 Enter Import Password:  *XXYYZZ*
@@ -68 +65 @@
 iplanet@eklutna> ls -lrt ./eklutna_private.pem
 -rw-r--r--   1 iplanet  iplanet     1105 Oct 27 16:05 ./eklutna_private.pem
+}}}
 
-
-Create key without a pass phrase.
-
+To create key without a pass phrase.
+{{
 iplanet@eklutna> /usr/local/bin/openssl rsa -in ./eklutna_private.pem -out ./eklutna_private.key
 Enter pass phrase for eklutna_private.key: <CR>  (null response)
@@ -78 +75 @@
 iplanet@eklutna> ls -lrt ./eklutna_private.key
 -rw-r--r--   1 iplanet  iplanet      887 Oct 27 16:06 ./eklutna_private.key
-
+}}}
 
 Now tell 'root' user to move files from "~iplanet" to "/usr/local/Apache/ssl-certs/".
 
-Sample httpd.conf file usage:
+== HTTPD Configuration ==
+Originally the httpd.conf located at /usr/local/Apache/httpd.conf, included references shown below that corresponded to the certificate file locations listed above:
+
+/usr/local/Apache/httpd.conf:
 
 SSLCertificateFile /usr/local/Apache/ssl-certs/eklutna.crt
 SSLCertificateKeyFile /usr/local/Apache/ssl-certs/eklutna_private.key
 
+The file no longer contains these references.  The excerpts contains the current httpd.conf directives.  Only those options used (i.e., not all included in the original template) are copied here.
+
+
+}}}
 ########################################################[[br]]
 LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki[[br]]