InfoCenter

Creating a self-signed certificate

You may find it helpful to create a self-signed client certificate when testing Host On-Demand client authentication. Because a self-signed certificate is not issued by a certificate authority, the telnet server must be configured to trust that specific certificate (Step 2 below). This type of certificate should not be used in a production environment, but it can be helpful for initial product evaluation.

These instructions explain how to create a client self-signed certificate, export it to a password-protected PKCS12 file for use by the client, add the public portion of the certificate to the server's trusted list, and configure the Host On-Demand session to access the self-signed certificate when requested by the server.

Step 1. Create a client self-signed certificate using Certificate Management

  1. From the Windows desktop, choose Start > Programs > IBM Host On-Demand > Administration > Certificate Management.
  2. After the IBM Key Management application appears, select the first icon, Create a new key database file, on the icon bar.
  3. In the New dialog box, type the file name you want. When you are finished typing, click OK.
  4. In the Password Prompt dialog box, type the password twice to confirm it, and click OK.
  5. In the confirmation message box, click OK.
  6. In the list box that shows Signer Certificates by default, click the down arrow and select Personal Certificates.
  7. In the lower corner, click the New Self-Signed button to generate a self-signed certificate.
  8. In the Create New Self-Signed Certificate dialog box, fill in Key Label, Common Name, Organization, and any other optional fields. The common name should be the name of the client. When you are finished, click OK.

    A new self-signed certificate, listed under its Key Label, will appear in the list under Personal Certificates.
  9. Select the certificate that has just been created, and click Export/Import.
  10. In the Export/Import Key dialog box, type the file name and location. Then click OK.
  11. In the Password Prompt dialog box, type the password, confirm the password, and click OK.
  12. A Select Encryption Type dialog box will appear. Strong Encryption should be selected by default. Select Weak Encryption only if the certificate needs to be accessed by an old browser (that is, Netscape 4.0 or MSIE 4.0). Click OK. This creates a password-protected PKCS12 file with the name and path you entered in the Export/Import Key dialog box. The PKCS12 file contains the private key as well as the certificate, so protect it accordingly. When the Host On-Demand client requests a certificate, the user specifies this file and types the password it was protected with.

Step 2. Add the public portion of the certificate into a telnet server's trusted list

  1. From the Certificate Management screen, in the Personal Certificates list, select the certificate created above and click Extract Certificate.
  2. In the Extract Certificate to a File dialog box, fill in the file name and click OK.
  3. Copy this ARM file to the telnet server machine. The ARM file contains only the Base64-encoded public certificate; the private key stays in the key database and in the PKCS12 file and is never given to the server.
  4. Refer to the telnet server's documentation for instructions on importing an ARM file into its trusted list.
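
The following is an added example, not part of the Host On-Demand documentation and not a Host On-Demand tool: it reproduces the artifacts of Step 1 and Step 2 with openssl (a self-signed client certificate, a password-protected PKCS12 file holding the private key, and a public-only Base64 ARM file) and then runs the checks a practitioner would want before handing the files over: that the ARM file carries no private key, that the PKCS12 file really requires its password, that the Common Name matches the client, and that a server trust list holding only the ARM file accepts the client certificate. The client name, organization, password and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Host On-Demand documentation. Reproduces the
# files that Certificate Management produces in Steps 1 and 2 using openssl.
# CLIENT_CN, the organization, P12_PASS and all file names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CLIENT_CN="${CLIENT_CN:-hodclient01}"   # assumed client name (Common Name)
P12_PASS="${P12_PASS:-changeit}"        # assumed PKCS12 password

# Step 1 equivalent: self-signed client certificate plus its private key,
# then a password-protected PKCS12 bundle that the client session will use.
make_client_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.crt" \
    -subj "/CN=$CLIENT_CN/O=Example Org" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -name "$CLIENT_CN" -out "$WORK/client.p12" -passout "pass:$P12_PASS"
}

# Step 2 equivalent: "Extract Certificate" writes only the public certificate.
# iKeyman's Base64 ARM format is the same as openssl's PEM output.
extract_public_cert() {
  openssl x509 -in "$WORK/client.crt" -out "$WORK/client.arm"
}

# Check 1: the file that goes to the telnet server must not contain a key.
arm_has_no_private_key() {
  ! grep -q 'PRIVATE KEY' "$WORK/client.arm"
}

# Check 2: the PKCS12 file holds the private key and cannot be opened
# without the password it was protected with.
p12_requires_password() {
  ! openssl pkcs12 -in "$WORK/client.p12" -nokeys \
      -passin pass:wrong >/dev/null 2>&1 \
  && openssl pkcs12 -in "$WORK/client.p12" -nocerts -nodes \
      -passin "pass:$P12_PASS" 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Check 3: the Common Name the server will see is the client's name.
arm_cn_matches() {
  openssl x509 -in "$WORK/client.arm" -noout -subject \
    | grep -q "CN *= *$CLIENT_CN"
}

# Check 4: a server trust list containing just the ARM file accepts the
# client certificate; trust is for this one certificate, not for a CA.
server_trusts_client() {
  openssl verify -CAfile "$WORK/client.arm" "$WORK/client.crt" >/dev/null 2>&1
}

# Usage: run the steps, then the checks; each check returns non-zero on failure.
if [ "${1:-}" = "run" ]; then
  make_client_cert
  extract_public_cert
  arm_has_no_private_key && p12_requires_password \
    && arm_cn_matches && server_trusts_client \
    && echo "client.p12 (keep on the client) and client.arm (give to the server) are in $WORK"
fi
```

Invoke it as `sh make-client-cert.sh run` (assumed script name). Only client.arm leaves the client machine; client.p12 together with its password is the client's credential and takes the place of the PKCS12 file exported in Step 1.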

Step 3. Configure a Host On-Demand session to the telnet server port

  1. Go to hodadmin.html to set up the user and sessions.
  2. Connect to the Host On-Demand server by opening the hod.html page in Microsoft Internet Explorer or the Netscape browser.
  3. Log on as the user defined in Host On-Demand.
  4. Click Add Sessions.
  5. Double click the session to get into the Session Properties dialog box.
  6. Type the telnet server destination address and destination port on the Connection tab.

    The destination address should be the address of the telnet server; the port should be the port that is enabled for security and client authentication. If the telnet server's certificate was not issued by a certificate authority the clients already trust, you may need to add the server certificate to the CustomizedCAs.p12 file (if it exists) and to the CustomizedCAs.class key database file used by the Host On-Demand clients.
    CustomizedCAs.p12 is for Host On-Demand Version 8 clients, and CustomizedCAs.class is for Host On-Demand Version 7 and earlier clients.
    See the help documentation in Host On-Demand Certificate Management for additional instructions for this step.
  7. Select the Security tab, and set Enable Security (SSL) to Yes and Send a Certificate to Yes.

    For Host On-Demand Version 4 through 5.02, fill in the URL or path and file name of the PKCS12 file. For Host On-Demand Version 5.0.3 and later, set Certificate Source to Certificate in URL or local file, and then enter the URL or path and file name. When you are finished, click OK.

    Now the session has been configured to connect to the telnet server on the port that is listening for a client-authenticated SSL session.
  8. Double-click the session icon you just created.
  9. When the Server Requesting Certificate panel appears, type the password that protects the PKCS12 file, and click OK.

    Wait for the connection to be established.