Using Certificate Management for the Host On-Demand client

Opening the Host On-Demand database file
Trusted CAs
Adding server certificates to the key database

Opening the Host On-Demand database file

Certificate Management allows you to enable Secure Sockets Layer (SSL) communications between a server and Host On-Demand clients.

Use Certificate Management if you must securely communicate with a server that has a self-signed certificate or a certificate issued by a CA that is not on the trusted list.

To open the Host On-Demand key database file:

  1. Click Key Database File > Open.
  2. Change to the Host On-Demand lib directory (for example, C:\Program Files\IBM\HostOnDemand\lib, or /usr/local/hostondemand/lib).
  3. Type, or locate, CustomizedCAs.class as the key database file name and click Open.

Note: Whenever you change the CustomizedCAs.class file, you must restart the browser Host On-Demand is running in.

After you have opened the key database file, you can add a server's self-signed certificate or the root certificate from an unknown CA.

Trusted CAs

The following CA signer certificates are trusted by Host On-Demand clients. A client needs no additional configuration to securely communicate with a server that is using a certificate issued by any of these CAs.


Adding server certificates to the key database file

Follow these steps if you must securely communicate with a server that has a self-signed certificate or a certificate issued by a CA that is not on the trusted list.

Before adding the certificate, you must first obtain it from your server administrator. It also will help to know what format the certificate is in. If the administrator sends you the certificate via e-mail, it probably will be in what is known as "Armored 64" format. In this format, the certificate is made up completely of printable characters, beginning with the string "-----BEGIN CERTIFICATE-----" and ending with the string "-----END CERTIFICATE-----". If the administrator hands you a floppy disk with the file on it, or tells you to copy the file off of a server on the network, it probably will be in what is known as "DER" format.

If the certificate is needed by the Host On-Demand client, it should be added to the SSLight key database class named CustomizedCAs.class in the lib directory (for example, C:\Program Files\IBM\HostOnDemand\lib, or /usr/local/hostondemand/lib). If this file, CustomizedCAs.class, does not already exist, create a new version of the file and then add the certificate.

After you have opened the key database that you wish to add the certificate to:

  1. Select Signer Certificates from the drop-down list then click Add. The Add CA's Certificate from a File dialog appears.
  2. The data type must be either BASE64 encoded ASCII data, or Binary DER data.
  3. Enter the certificate file name.
  4. Enter the location (path name) of the certificate.
  5. Click OK.

Note: Whenever you change the CustomizedCAs.class file, you must stop and re-start the browser Host On-Demand is running in.
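
The following is an added example, not part of the original Host On-Demand documentation: a Python check that tells you which data type to select in step 2 ("BASE64 encoded ASCII data" or "Binary DER data") for a certificate file you received, and prints a SHA-256 fingerprint of it. It assumes the server administrator can give you the same fingerprint over a separate channel; the function names and the sample bytes are constructed for illustration.

```python
import base64, hashlib, re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE (tag 0x30) with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def classify(data: bytes):
    """Return (data_type, der_bytes); data_type names the choice in the Add dialog."""
    m = PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:
            raise ValueError("armor markers present but body is not valid Base64")
        kind = "BASE64 encoded ASCII data"
    else:
        der, kind = data, "Binary DER data"
    if not der_length_ok(der):             # catches truncated or mangled files
        raise ValueError("not a single well-formed DER SEQUENCE")
    return kind, der

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated, to compare with the administrator."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

# Constructed sample: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for blob in (SAMPLE_DER, SAMPLE_PEM):
        kind, der = classify(blob)
        print(kind, fingerprint(der))
```

Both encodings of the same certificate yield the same fingerprint, because the hash is taken over the decoded DER bytes rather than over the file as stored.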