Product: Cluster Server Guides   
Manual: Cluster Server 4.1 User's Guide   

Managing VRTSweb SSL Certificates

When serving content over the secure port, VRTSweb presents a self-signed SSL certificate (issued by VERITAS) to the browser. This section describes how you can manage the certificate.


Note: Certificate management commands are available only via the command line interface. Commands that modify the certificate require a server restart. You can use the webgui restart command to restart the Web server.

Viewing SSL Certificate Information

To view information about the configured SSL certificate, run the following command on the system where VRTSweb is installed:


$VRTSWEB_HOME/bin/webgui cert display

Creating a Self-Signed SSL Certificate

To create a custom self-signed SSL certificate for VRTSweb, run the following interactive command on the system where VRTSweb is installed:


$VRTSWEB_HOME/bin/webgui cert create

The command guides you through the process of creating a new certificate.


Please answer the following questions to create a self-signed SSL certificate. This is required to enable the HTTPS protocol for the web server.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
With what hostname/IP will you access this web server? [thor106]:thor106
What is the name of your organizational unit? [Unknown]:Engineering
What is the name of your organization? [Unknown]:Your Company
What is the name of your City or Locality? [Unknown]: Mountain View
What is the name of your State or Province? [Unknown]:California
What is the two-letter country code for this unit? [Unknown]:US
Is CN=thor106, OU=Engineering, O=Your Company, L=Mountain View, ST=California, C=US correct? [no]:yes
Certificate created successfully

Note: You must restart the server for the new certificate to take effect.

Exporting SSL Certificate to a File

You can export the public key associated with an SSL certificate to a file. This key can then be imported into other applications that will trust the VRTSweb instance.

Run the following command on the system where VRTSweb is installed:


$VRTSWEB_HOME/bin/webgui cert export cert_file [rfc]

If the VRTSweb SSL certificate does not exist, the command prompts you to create one. If you specify the rfc option, the key output is encoded in a printable format, defined by the Internet RFC 1421 standard.

For example:


/opt/VRTSweb/bin/webgui cert export /myapp/vrtsweb.cer rfc

Configuring a CA-Signed SSL Certificate

By default, VRTSweb presents a self-signed SSL certificate every time you access VRTSweb over the SSL port. You can install a certificate signed by a Certificate Authority (CA) like Verisign.com or Thawte.com.

  1. If you do not have a self-signed certificate with information that can be verified by the CA, create one.
    $VRTSWEB_HOME/bin/webgui cert create

    See Creating a Self-Signed SSL Certificate for more information.

  2. Generate a Certificate Signing Request (CSR) for the certificate. Run the following command on the system where VRTSweb is installed:
    $VRTSWEB_HOME/bin/webgui cert certreq certreq_file

    The variable certreq_file specifies the file to which the CSR will be written. The file is written using the Public-Key Cryptography Standard PKCS#10.

    For example:


    /opt/VRTSweb/bin/webgui cert certreq /myapp/vrtsweb.csr
  3. Submit the CSR to a certification authority, who will issue a CA-signed certificate.
  4. Import the CA-issued certificate to VRTSweb. Run the following command on the system where VRTSweb is installed:
    $VRTSWEB_HOME/bin/webgui cert import ca_cert_file

    The variable ca_cert_file represents the certificate issued to you by the certification authority.

    For example:


    /opt/VRTSweb/bin/webgui cert import /myapp/vrtsweb.cer

    Note that the import command fails if the CA root certificate is not a part of the trust store associated with VRTSweb. If the command fails, add the CA root certificate to the VRTSweb trust store:


    $VRTSWEB_HOME/bin/webgui cert trust ca_root_cert_file

    For example:


    /opt/VRTSweb/bin/webgui cert trust /myapp/caroot.cer

    Once the certificate used to sign the CSR is added to the VRTSweb trust store, you can import the CA-assigned certificate into VRTSweb.

  5. Restart VRTSweb:
    $VRTSWEB_HOME/bin/webgui restart
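
A pre-import check for step 4, as an added example that is not part of the VERITAS manual: it uses the standard openssl CLI to confirm that the CA's reply carries the same public key as the CSR from step 2 and verifies against the CA root you would pass to cert trust. It assumes PEM files (the printable RFC 1421 encoding); make_sample and its file names are constructed here for a dry run.

```shell
#!/bin/sh
# Added example: pre-import checks for a CA-issued certificate, using only openssl.
# Assumes PEM (RFC 1421 printable) input files.

# pubkey_fp FILE KIND: print the SHA-256 of the public key found in FILE.
# KIND is "req" for a PKCS#10 CSR or "x509" for a certificate.
pubkey_fp() {
    pem=$(openssl "$2" -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# check_ca_reply CSR CERT CA_ROOT
# Returns 0 if CERT carries the CSR's key and verifies against CA_ROOT,
# 1 if a check fails, 2 if an input file cannot be parsed.
check_ca_reply() {
    csr_fp=$(pubkey_fp "$1" req)  || { echo "unreadable CSR: $1"; return 2; }
    crt_fp=$(pubkey_fp "$2" x509) || { echo "unreadable certificate: $2"; return 2; }
    if [ "$csr_fp" != "$crt_fp" ]; then
        echo "MISMATCH: certificate public key differs from the CSR"
        return 1
    fi
    # openssl may also consult its default CA directory in addition to CA_ROOT.
    if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "UNTRUSTED: certificate does not verify against $3"
        return 1
    fi
    echo "OK: key matches CSR and chain verifies"
}

# make_sample DIR: constructed throwaway CA, CSR and signed certificate for a dry run.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root" \
        -keyout "$1/ca.key" -out "$1/caroot.cer" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=thor106" \
        -keyout "$1/srv.key" -out "$1/vrtsweb.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/vrtsweb.csr" -days 1 -CA "$1/caroot.cer" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/vrtsweb.cer" 2>/dev/null
}

# Direct use: sh check_ca_reply.sh vrtsweb.csr vrtsweb.cer caroot.cer
if [ "$#" -eq 3 ]; then check_ca_reply "$@"; fi
```

An UNTRUSTED result corresponds to the case described in step 4 where the import fails until the CA root is added to the trust store; a MISMATCH result means the certificate was issued for a different key pair than the one behind the CSR.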

Cloning the VRTSweb SSL Certificate

You can clone the VRTSweb SSL keypair into a keystore and use the cloned VRTSweb certificate for another application or Web server. Visit http://java.sun.com for more information about keystores.


$VRTSWEB_HOME/bin/webgui cert clone keystore storepass alias keypass

If a clone keystore exists, the command renames it to keystore.old. If the VRTSweb SSL certificate does not exist, the command prompts you to create one.

For example:

/opt/VRTSweb/bin/webgui cert clone /myapp/myserv.keystore mystorepass myalias mykeypass

VERITAS Software Corporation
www.veritas.com