Management & Control Services Help

Obtaining and Installing Certificates

Following are instructions for obtaining and installing the certificates required by Management & Control Services (MCS) and its client applications.
To obtain and install a server site certificate
  1. Create a certificate request for a certificate with a 1024-bit public key.

  2. Submit the certificate request to a well-known CA. (See Related Topics links, below, for links to several well-known CAs.)

  3. After receiving the site certificate from the CA, install the certificate on MCS.

    Copy your private key and the certificate you received from the CA into the following directory (based on platform):

    Application Server      Default Install Location
    Apache Tomcat           Under the Tomcat install directory, as follows if Tomcat is installed with an Attachmate product:
                            Windows: c:\Program Files\Attachmate\Tomcat\webapps\mcs\WEB-INF\data\securitygateway\certs
                            UNIX: /opt/Tomcat/webapps/mcs/WEB-INF/data/securitygateway/certs
    WebLogic or WebSphere   Windows: c:\Program Files\Attachmate\mcs\WEB-INF\data\securitygateway\certs
                            UNIX: /opt/Attachmate/mcs/WEB-INF/data/securitygateway/certs
                            OS/390 USS: /opt/Attachmate/mcs/WEB-INF/data/securitygateway/certs

    MCS can use certificates in either .der or .pem format. The format of the certificate files is indicated by their extensions. A .der format file contains binary data. A .pem format file (privacy-enhanced mail) is in ASCII, beginning with this line:

    -----BEGIN CERTIFICATE-----

    and ending with this line:

    -----END CERTIFICATE-----

    MCS requires that the file extension match the contents of the certificate file, so do not change the file extensions.

  4. Open the text file SecurityGateway.properties, located in the following directory (based on platform):
    Application Server      Default Install Location
    Apache Tomcat           Under the Tomcat install directory, as follows if Tomcat is installed with an Attachmate product:
                            Windows: c:\Program Files\Attachmate\Tomcat\webapps\mcs\WEB-INF\data\securitygateway\settings
                            UNIX: /opt/Tomcat/webapps/mcs/WEB-INF/data/securitygateway/settings
    WebLogic or WebSphere   Windows: c:\Program Files\Attachmate\mcs\WEB-INF\data\securitygateway\settings
                            UNIX: /opt/Attachmate/mcs/WEB-INF/data/securitygateway/settings
                            OS/390 USS: /opt/Attachmate/mcs/WEB-INF/data/securitygateway/settings

  5. Set the following properties:

    • security.sslServer.certFile—Set to the name of the certificate file you received from the CA.

    • security.sslServer.CAFile—Set to the name of the file containing the CA's root certificate.

    • security.sslServer.keyFile—Set to the name of your private key file.

  6. If necessary, construct a certificate chain.

    If the CA who issues your certificate is not well known, and, therefore, untrusted by clients, construct a chain that leads to a CA that clients trust.

    Using a text editor, append any additional certificate files to the end of the file referenced by the security.sslServer.CAFile property described above. The order of the chain is significant. Each certificate must be followed by its immediate issuer certificate.

    The chain of CA certificates is valid for both the export- and domestic-grade certificates.
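The format rule in step 3 (a .pem file is ASCII between the BEGIN/END CERTIFICATE lines, a .der file is binary, and the extension must match the contents), the three properties set in step 5 and the chain appended in step 6 can all be sanity-checked before MCS is restarted. The Python script below is an added example, not part of MCS or any Attachmate tool: it reads a SecurityGateway.properties file, checks that the files named by security.sslServer.certFile and security.sslServer.CAFile match their extensions, and counts the certificates in a PEM CA bundle while confirming every BEGIN line has its END and every block decodes to a DER SEQUENCE. The directory layout, the file names and the placeholder DER blobs it writes are constructed for the demonstration; because the page states no key-file format, security.sslServer.keyFile is only checked to exist. The script cannot confirm that each certificate in the chain is followed by its issuer; that ordering still needs an X.509 parser or openssl x509 -noout -subject -issuer run on each block.

```python
import base64
import os
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
CERT_PROPERTIES = ("security.sslServer.certFile", "security.sslServer.CAFile")
KEY_PROPERTY = "security.sslServer.keyFile"


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def der_structure_ok(data):
    """True if data is exactly one DER SEQUENCE (tag 0x30) whose length matches."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                                  # short-form length
        header, length = 2, first
    else:                                             # long form: n length bytes follow
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def pem_certificates(text):
    """DER bytes of every BEGIN/END CERTIFICATE block, in file order.
    Raises ValueError for an unbalanced or undecodable block (a hand-edited chain)."""
    certs, body = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            if body is not None:
                raise ValueError("BEGIN CERTIFICATE inside an open block")
            body = []
        elif line == PEM_END:
            if body is None:
                raise ValueError("END CERTIFICATE without BEGIN")
            der = base64.b64decode("".join(body), validate=True)
            if not der_structure_ok(der):
                raise ValueError("PEM body does not decode to a DER SEQUENCE")
            certs.append(der)
            body = None
        elif body is not None:
            body.append(line)
    if body is not None:
        raise ValueError("BEGIN CERTIFICATE without END")
    return certs


def detect_format(data):
    """Classify bytes as 'pem', 'der' or 'unknown' from the content alone."""
    if data.lstrip().startswith(PEM_BEGIN.encode("ascii")):
        return "pem"
    return "der" if der_structure_ok(data) else "unknown"


def check_cert_file(path):
    """Report detected format, whether it matches the extension, and the cert count."""
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    fmt = detect_format(data)
    result = {"format": fmt, "extension": ext, "matches": fmt == ext, "count": 0}
    try:
        result["count"] = len(pem_certificates(data.decode("ascii"))) if fmt == "pem" else int(fmt == "der")
    except (ValueError, UnicodeDecodeError) as exc:
        result.update(matches=False, error=str(exc))
    return result


def check_properties(props, certs_dir):
    """Check the files named by the security.sslServer.* properties (step 5)."""
    results = {name: check_cert_file(os.path.join(certs_dir, props[name])) for name in CERT_PROPERTIES}
    # The page states no key-file format, so the key is only checked to exist.
    results[KEY_PROPERTY] = {"exists": os.path.isfile(os.path.join(certs_dir, props[KEY_PROPERTY]))}
    return results


def _fake_der(n):
    """CONSTRUCTED placeholder: a DER SEQUENCE holding INTEGER n, not a real certificate."""
    return bytes([0x30, 0x03, 0x02, 0x01, n])


def _to_pem(der):
    return f"{PEM_BEGIN}\n{base64.b64encode(der).decode('ascii')}\n{PEM_END}\n"


def run_sample_check():
    """Write constructed sample files to a temp dir, check them, return the results.
    A real install keeps the properties file under settings and the certificates under certs."""
    d = tempfile.mkdtemp()
    files = {
        "server.pem": _to_pem(_fake_der(1)),
        "ca-chain.pem": _to_pem(_fake_der(2)) + _to_pem(_fake_der(3)),   # two appended CA certs
        "server.key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "wrong.pem": _fake_der(4),                                         # DER bytes under a .pem name
        "SecurityGateway.properties": "security.sslServer.certFile=server.pem\n"
                                      "security.sslServer.CAFile=ca-chain.pem\n"
                                      "security.sslServer.keyFile=server.key\n",
    }
    for name, content in files.items():
        with open(os.path.join(d, name), "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    with open(os.path.join(d, "SecurityGateway.properties")) as fh:
        results = check_properties(parse_properties(fh.read()), d)
    results["wrong.pem"] = check_cert_file(os.path.join(d, "wrong.pem"))
    return results


if __name__ == "__main__":
    for name, result in run_sample_check().items():
        print(f"{name}: {result}")
```

Running the script checks the constructed sample directory; to check an installation, call parse_properties() on the real SecurityGateway.properties and pass the certs directory to check_properties(). The wrong.pem entry in the sample output shows what a mismatched extension looks like, which is the case the page says MCS rejects.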


To obtain and install a personal certificate
  1. On each client PC, create and submit a certificate request from a CA's Web site.

    When you are notified by the CA that the request has been fulfilled, use the browser to install the certificate on the client PC.

  2. Obtain the MCS client certificate configuration tools (certtools.jar, soap.jar, and xerces.jar) from the following location (based on platform):
    Application Server      Default Install Location
    Apache Tomcat           Under the Tomcat install directory, as follows if Tomcat is installed with an Attachmate product:
                            Windows: c:\Program Files\Attachmate\Tomcat\webapps\mcs\WEB-INF\lib
                            UNIX: /opt/Tomcat/webapps/mcs/WEB-INF/lib
    WebLogic or WebSphere   Windows: c:\Program Files\Attachmate\mcs\WEB-INF\lib
                            UNIX or OS/390 USS: /opt/Attachmate/mcs/WEB-INF/lib

    The certtools.jar file contains the CertMapConfig and CertList client certificate configuration tools. These tools allow you to configure the personal certificates used for client authentication.

  3. Also obtain the servlet classes file, which varies depending on your platform:
    Application Server      Default Install Location
    Apache Tomcat           Under the Tomcat install directory, as follows if Tomcat is installed with an Attachmate product:
                            Windows: C:\Program Files\Attachmate\Tomcat\common\lib\servlet.jar
                            UNIX: /opt/Tomcat/common/lib/servlet.jar
    WebLogic                Windows: C:\bea\weblogic700\server\lib\weblogic.jar
                            UNIX or OS/390 USS: /[BEA.Home]/weblogic700/server/lib/weblogic.jar
    WebSphere               Windows: c:\WebSphere\AppServer\lib\j2ee.jar
                            UNIX or OS/390 USS: /opt/WebSphere/AppServer/lib/j2ee.jar

  4. Use CertMapConfig to create or update a configuration file on the MCS server. The configuration file is used in the mapping of client certificates to user names. The file contains entries for each CA that is trusted indicating how to map a client certificate issued by that CA to a user name.

    To use CertMapConfig, run the following on a command line:

    java -classpath certtools.jar;soap.jar;xerces.jar;servletclasses.jar com.attachmate.security.tools.CertMapConfig [command line options]

    where servletclasses.jar is the file from the preceding step (the ; classpath separator shown is the Windows form; on UNIX and OS/390 USS separate the jars with : instead)
    -and-
    command line options include the following:

    Options:

    -update
      Opens a file containing trusted CAs, reads a current configuration file from the MCS server (if one exists) and creates a local configuration file with entries in it for each CA in the trusted CAs file. Command line options for -update are:

    -update product_id servername[:port] username password ca_certs_file config_file

    where:

    product_id is the product that will use the certificate mapping. Different products can have different ways of mapping certificates to user names. When configuring certificate mapping for Security Services, use "securitygateway" as the product ID.

    servername[:port] is the host name and, optionally, the port number of the MCS server being used for authentication.

    username is a user name in the configured MCS directory service with a sufficient level of access to read and write files.

    password is the password associated with the above user name.

    ca_certs_file is the path and file name of the file containing the trusted CA certificates. The certificates must be in either DER-encoded binary or Base64-encoded X.509 format.

    config_file is the name of the local configuration file to create with entries for each trusted CA.

    -upload
      Uploads a local configuration file back to the MCS server after it has been created in the update step and manually edited. Command line options for -upload are:

    -upload product_id servername[:port] username password config_file

    where:

    product_id is the product that will use the certificate mapping. Different products can have different ways of mapping certificates to user names.

    servername[:port] is the host name and, optionally, the port number of the MCS server being used for authentication.

    username is a user name in the configured MCS directory service with a sufficient level of access to read and write files.

    password is the password associated with the above user name.

    config_file is the name of the local configuration file to upload.

    The configuration file created by CertMapConfig contains the following entries:

    • [CA subject distinguished name].field—The field within the client certificate that is used to obtain the user name. CertList can be used to list the fields contained within a client certificate as well as the exact name of the fields. This is the only required entry.

    • [CA subject distinguished name].mapFrom—Text that, when found, will be replaced with the text in the mapTo entry.

    • [CA subject distinguished name].mapTo—Text that replaces any text listed in the mapFrom entry.

      The mapFrom/mapTo entries specify text substitutions and truncation. The value of the field named by the .field entry may contain special characters that are not allowed in the online directory; mapFrom and mapTo replace or remove them before the directory lookup.

      For example, mapFrom="." and mapTo="-" will change all periods to dashes in the text before performing the directory lookup. Multiple substitutions are also supported, as in mapFrom="./ " and mapTo="-_+".

      In addition, certain characters can be specified as truncation characters. For instance, the domain name of an e-mail address can be truncated by mapFrom="@" and mapTo="". In general, when the mapFrom character does not have a corresponding mapTo character, the mapFrom character is treated as a truncator. The two operations can be combined, for example, mapFrom=".@" and mapTo="-".

      Note: The character strings must be enclosed in double quotes.

    • [CA subject distinguished name].prefix—Text that is added to the beginning of the user name after the mapFrom/mapTo replacement has been done.

    • [CA subject distinguished name].suffix—Text that is added to the end of the username after the mapFrom/mapTo replacement has been done.

      The username looked up in the directory service will be the result of applying all of the above. "mapFrom," "mapTo," "prefix," and "suffix" are optional entries.

  5. Use CertList to obtain the distinguished name (DN) of a certificate. This tool has one command line option—the name of a file containing one or more certificates. The certificates must be in either DER-encoded binary or Base64-encoded X.509 format.

    This will determine the field name to use in the ".field" entry of the configuration file.
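The mapFrom/mapTo/prefix/suffix rules described in step 4 are easy to get wrong when the configuration file is edited by hand, so the following Python model of them is added here as an example; it is not the CertMapConfig tool, which is a Java program whose source is not on this page. It implements the behaviour the page describes: a mapFrom character that has a mapTo character in the same position is substituted, a mapFrom character with no partner truncates the value at its first occurrence, and prefix and suffix are added afterwards. The [DN].key="value" line syntax accepted by the parser, the field name emailAddress, the CA distinguished name and the certificate values are all constructed assumptions, as is the choice to truncate before substituting (the examples on the page give the same result either way).

```python
import re

# Line syntax assumed for this example: [CA subject DN].key="value"
# Only the five entry names the page lists are accepted; values must be double-quoted.
_LINE = re.compile(r'^\[(?P<dn>[^\]]+)\]\.(?P<key>field|mapFrom|mapTo|prefix|suffix)\s*=\s*"(?P<val>[^"]*)"\s*$')


def parse_config(text):
    """Parse the per-CA entries into {issuer_dn: {key: value}}; .field is required."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable entry: {line!r}")
        config.setdefault(m["dn"], {})[m["key"]] = m["val"]
    for dn, entries in config.items():
        if "field" not in entries:
            raise ValueError(f"{dn}: .field is required")
    return config


def apply_map(value, map_from="", map_to=""):
    """Apply mapFrom/mapTo: paired characters substitute, unpaired ones truncate."""
    # mapFrom characters beyond the length of mapTo have no partner and act as
    # truncators: the value is cut at the first one found. Truncating before
    # substituting is an assumption of this example.
    truncators = set(map_from[len(map_to):])
    for index, ch in enumerate(value):
        if ch in truncators:
            value = value[:index]
            break
    # Paired characters are replaced position for position.
    table = {ord(src): dst for src, dst in zip(map_from, map_to)}
    return value.translate(table)


def map_to_username(cert_fields, issuer_dn, config):
    """Turn a client certificate's fields into the directory user name.

    cert_fields: {field name: value}, the names CertList would list (assumed here).
    issuer_dn:   subject DN of the CA that issued the certificate.
    A certificate from a CA that has no entries is refused rather than mapped."""
    if issuer_dn not in config:
        raise PermissionError(f"issuer not in trusted CA mapping: {issuer_dn}")
    entries = config[issuer_dn]
    field = entries["field"]
    if field not in cert_fields:
        raise ValueError(f"certificate has no {field} field")
    name = apply_map(cert_fields[field], entries.get("mapFrom", ""), entries.get("mapTo", ""))
    return entries.get("prefix", "") + name + entries.get("suffix", "")


# Constructed sample, not a file produced by CertMapConfig; the DN is invented.
SAMPLE_CONFIG = """
# issuing CA for employee certificates
[CN=Example Issuing CA,O=Example Corp].field="emailAddress"
[CN=Example Issuing CA,O=Example Corp].mapFrom=".@"
[CN=Example Issuing CA,O=Example Corp].mapTo="-"
[CN=Example Issuing CA,O=Example Corp].suffix="-ext"
"""
SAMPLE_CERT = {"CN": "Jane Doe", "emailAddress": "jane.doe@example.com"}   # constructed
SAMPLE_ISSUER = "CN=Example Issuing CA,O=Example Corp"


def demo():
    """Map the constructed sample certificate; returns the resulting user name."""
    config = parse_config(SAMPLE_CONFIG)
    return map_to_username(SAMPLE_CERT, SAMPLE_ISSUER, config)


if __name__ == "__main__":
    print(demo())   # prints jane-doe-ext
    # The four mapFrom/mapTo cases the page gives, applied to constructed values.
    for src, dst, value in [(".", "-", "john.doe"), ("./ ", "-_+", "a.b/c d"),
                            ("@", "", "john.doe@example.com"), (".@", "-", "john.doe@example.com")]:
        print(f'mapFrom="{src}" mapTo="{dst}": {value!r} -> {apply_map(value, src, dst)!r}')
```

The lookup is keyed by the issuing CA's subject DN, so a certificate from a CA that has no entries is refused instead of being mapped to a name; that matches the page's description of the file as the list of trusted CAs, and it is worth preserving in any hand edit.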


Related Topics
• Overview of Security Services
• Overview of Certificates
• Configuring Security Services
• Configuring a Client SSL Connection
• Modifying the SecurityGateway.properties File
• Obtaining a Certificate from thawte.com
• Obtaining a Certificate from verisign.com
  Attachmate