- On each client PC, create and submit a certificate request from a CA's Web site.
When you are notified by the CA that the request has been fulfilled, use the browser to install the certificate on the client PC.
- Obtain the MCS client certificate configuration tools (certtools.jar, soap.jar, and xerces.jar) from the following location (based on platform):

Application Server | Default Install Location
--- | ---
Apache Tomcat | Under the Tomcat install directory (paths shown are for Tomcat installed with an Attachmate product). Windows: c:\Program Files\Attachmate\Tomcat\webapps\mcs\WEB-INF\lib. UNIX: /opt/Tomcat/webapps/mcs/WEB-INF/lib
WebLogic or WebSphere | Windows: c:\Program Files\Attachmate\mcs\WEB-INF\lib. UNIX or OS/390 USS: /opt/Attachmate/mcs/WEB-INF/lib

The certtools.jar file contains the CertMapConfig and CertList client certificate configuration tools. These tools allow you to configure the personal certificates used for client authentication.
- Also obtain the servlet classes file, whose location varies depending on your platform:

Application Server | Default Install Location
--- | ---
Apache Tomcat | Under the Tomcat install directory (paths shown are for Tomcat installed with an Attachmate product). Windows: C:\Program Files\Attachmate\Tomcat\common\lib\servlet.jar. UNIX: /opt/Tomcat/common/lib/servlet.jar
WebLogic | Windows: C:\bea\weblogic700\server\lib\weblogic.jar. UNIX or OS/390 USS: /[BEA.Home]/weblogic700/server/lib/weblogic.jar
WebSphere | Windows: c:\WebSphere\AppServer\lib\j2ee.jar. UNIX or OS/390 USS: /opt/WebSphere/AppServer/lib/j2ee.jar
- Use CertMapConfig to create or update a configuration file on the MCS server. The configuration file is used to map client certificates to user names: it contains an entry for each trusted CA indicating how a client certificate issued by that CA is mapped to a user name.
To use CertMapConfig, run the following on a command line:
java -classpath certtools.jar;soap.jar;xerces.jar;servletclasses.jar com.attachmate.security.tools.CertMapConfig [command line options]
where servletclasses.jar is the servlet classes file obtained in the preceding step (on UNIX, separate the classpath entries with ':' rather than ';'), and the command line options are as follows:
Option | Description
--- | ---
-update | Opens a file containing trusted CAs, reads the current configuration file from the MCS server (if one exists), and creates a local configuration file with an entry for each CA in the trusted CAs file.
-upload | Uploads a local configuration file back to the MCS server after it has been created in the update step and manually edited.

Command line options for -update are:
-update product_id servername[:port] username password ca_certs_file config_file
where:
- product_id is the product that will use the certificate mapping. Different products can have different ways of mapping certificates to user names. When configuring certificate mapping for Security Services, use "securitygateway" as the product ID.
- servername[:port] is the host name and, optionally, the port number of the MCS server being used for authentication.
- username is a user name in the configured MCS directory service with a sufficient level of access to read and write files.
- password is the password associated with the above user name.
- ca_certs_file is the path and file name of the trusted CAs' certificates. The certificates must be in either DER-encoded binary or Base64-encoded X.509 format.
- config_file is the name of the local configuration file to create with entries for each trusted CA.

Command line options for -upload are:
-upload product_id servername[:port] username password config_file
where:
- product_id is the product that will use the certificate mapping. Different products can have different ways of mapping certificates to user names.
- servername[:port] is the host name and, optionally, the port number of the MCS server being used for authentication.
- username is a user name in the configured MCS directory service with a sufficient level of access to read and write files.
- password is the password associated with the above user name.
- config_file is the name of the local configuration file to upload.
The configuration file created by CertMapConfig contains the following entries:
- [CA subject distinguished name].field: The field within the client certificate that is used to obtain the user name. CertList can be used to list the fields contained within a client certificate, as well as the exact names of those fields. This is the only required entry.
- [CA subject distinguished name].mapFrom: Text that, when found, will be replaced with the text in the mapTo entry.
- [CA subject distinguished name].mapTo: Text that replaces any text listed in the mapFrom entry.
The mapFrom/mapTo entries specify text substitutions and truncation. The value of the field specified by the .field entry may contain special characters that are not allowed in the online directory; the mapFrom and mapTo entries substitute other characters for them.
For example, mapFrom="." and mapTo="-" will change all periods to dashes in the text before performing the directory lookup. Multiple substitutions are also supported, as in mapFrom="./ " and mapTo="-_+", where each character in mapFrom is replaced by the character at the same position in mapTo.
In addition, certain characters can be specified as truncation characters. For instance, the domain name of an e-mail address can be truncated by mapFrom="@" and mapTo="". In general, when a mapFrom character does not have a corresponding mapTo character, the mapFrom character is treated as a truncator. The two operations can be combined, for example, mapFrom=".@" and mapTo="-".
Note: The character strings must be enclosed in double quotes.
- [CA subject distinguished name].prefix: Text that is added to the beginning of the user name after the mapFrom/mapTo replacement has been done.
- [CA subject distinguished name].suffix: Text that is added to the end of the user name after the mapFrom/mapTo replacement has been done.
The user name looked up in the directory service is the result of applying all of the above. "mapFrom," "mapTo," "prefix," and "suffix" are optional entries.
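The following is an added example, written for this page rather than taken from Attachmate's CertMapConfig or Security Services code, that shows the mapping rules above as working code: it parses a small constructed configuration file, picks the entry for the issuing CA, and applies the field lookup, mapFrom/mapTo substitution, truncation, prefix and suffix in that order. It assumes (the real tool's file format is not shown on this page) that the configuration file is one `key=value` line per entry with the CA subject DN as the key prefix, that quoted values are unquoted, and that the certificate's subject fields are passed in as a dictionary instead of being read from the certificate.

```python
"""Added example: apply an MCS-style certificate-to-user-name mapping.

Assumed file format (not taken from the product): one `key=value` line per
entry, key = <CA subject DN>.<field|mapFrom|mapTo|prefix|suffix>.
"""
import re
from dataclasses import dataclass
from typing import Dict

# The DN is matched greedily, so the '=' and ',' that normally appear in a DN
# do not confuse the split between DN, entry name and value.
_ENTRY_RE = re.compile(
    r"^(?P<ca>.+)\.(?P<key>field|mapFrom|mapTo|prefix|suffix)=(?P<value>.*)$"
)
_ATTR = {"field": "field", "mapFrom": "map_from", "mapTo": "map_to",
         "prefix": "prefix", "suffix": "suffix"}


@dataclass
class CaMapping:
    """Entries for one trusted CA; only `field` is required."""
    field: str = ""
    map_from: str = ""
    map_to: str = ""
    prefix: str = ""
    suffix: str = ""


def _unquote(value: str) -> str:
    """Strip the surrounding double quotes the configuration file requires."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_config(text: str) -> Dict[str, CaMapping]:
    """Parse configuration text into {CA subject DN: CaMapping}.

    Raises ValueError on an unrecognised line or a CA without a .field entry.
    """
    mappings: Dict[str, CaMapping] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ENTRY_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised configuration line: {line!r}")
        entry = mappings.setdefault(match.group("ca"), CaMapping())
        setattr(entry, _ATTR[match.group("key")], _unquote(match.group("value")))
    for ca, entry in mappings.items():
        if not entry.field:
            raise ValueError(f"CA {ca!r} has no .field entry (the only required one)")
    return mappings


def apply_mapping(value: str, map_from: str, map_to: str,
                  prefix: str = "", suffix: str = "") -> str:
    """Apply mapFrom/mapTo substitution and truncation, then prefix and suffix.

    Position i of mapFrom is replaced by position i of mapTo; a mapFrom
    character with no mapTo partner is a truncator and cuts the value off at
    its first occurrence (mapFrom="@", mapTo="" drops an e-mail domain).
    """
    substitutions = dict(zip(map_from, map_to))
    truncators = set(map_from[len(map_to):])
    out = []
    for ch in value:
        if ch in truncators:
            break
        out.append(substitutions.get(ch, ch))
    return prefix + "".join(out) + suffix


def map_certificate_to_username(issuer_dn: str, subject_fields: Dict[str, str],
                                mappings: Dict[str, CaMapping]) -> str:
    """Resolve the directory user name for a client certificate.

    issuer_dn is the issuing CA's subject DN (the configuration key);
    subject_fields maps the certificate's subject field names to values.
    """
    entry = mappings.get(issuer_dn)
    if entry is None:
        raise LookupError(f"no mapping configured for issuing CA {issuer_dn!r}")
    if entry.field not in subject_fields:
        raise LookupError(f"certificate has no {entry.field!r} field")
    return apply_mapping(subject_fields[entry.field], entry.map_from,
                         entry.map_to, entry.prefix, entry.suffix)


# Constructed sample configuration (fictitious CAs, not real DNs).
SAMPLE_CONFIG = """\
# constructed sample
CN=Example Issuing CA,O=Example Corp.field=EmailAddress
CN=Example Issuing CA,O=Example Corp.mapFrom=".@"
CN=Example Issuing CA,O=Example Corp.mapTo="-"
CN=Example Issuing CA,O=Example Corp.suffix="-ext"
CN=Example Internal CA,O=Example Corp.field=CN
CN=Example Internal CA,O=Example Corp.mapFrom="./ "
CN=Example Internal CA,O=Example Corp.mapTo="-_+"
CN=Example Internal CA,O=Example Corp.prefix="int-"
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(map_certificate_to_username(
        "CN=Example Issuing CA,O=Example Corp",
        {"CN": "John Doe", "EmailAddress": "john.doe@example.com"}, cfg))  # john-doe-ext
    print(map_certificate_to_username(
        "CN=Example Internal CA,O=Example Corp", {"CN": "Jane Roe"}, cfg))  # int-Jane+Roe
```

Two points worth checking before uploading a hand-edited file are visible in this model: a CA whose DN has no `.field` entry cannot map any certificate at all, and a truncator cuts at the first occurrence, so the directory lookup name should be checked against a few real subject values (CertList shows them) before the mapping goes live.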
- Use CertList to obtain the distinguished name (DN) of a certificate. This tool takes one command line option: the name of a file containing one or more certificates. The certificates must be in either DER-encoded binary or Base64-encoded X.509 format.
The listed fields determine the field name to use in the ".field" entry of the configuration file.