5.5.7.3: Example: Generating and using a test keyring

The following sequence of commands illustrates the steps used in creating a keyring for a test server and adding a certificate for an LDAP server so that the WebSphere-to-LDAP communication can occur over an SSL connection. Until the addition of the LDAP certificate to the vault, this example is structurally identical to the example for generating and using test certificates, with one exception: that example exports the vault to the DummyKeyring class, and this one creates an application-specific TestKeyring class.

Note on the parameters used here: the key size (RSA/512) and the signature algorithm (MD5 with RSA) are acceptable only for a throwaway test environment. Both are considered broken today (512-bit RSA keys can be factored and MD5 signatures are subject to collision attacks), so a keyring used for anything beyond local testing needs a larger key (2048 bits or more) and a SHA-2 family signature algorithm. Also note that both certificates below are issued with --serial 0 under the same issuer name; an X.509 serial number must be unique per issuing CA, so give each certificate a distinct serial when you adapt these commands.

Setting the classpath

To use the certificate-management tools, you must put the files cfwk.zip and cfwk-tools.zip at the front of your classpath. These files are located in the AppServer/lib directory of the WebSphere installation. For example, on Windows NT, set the CLASSPATH variable as shown:

set classpath=<WS-install>\AppServer\lib\cfwk.zip;<WS-install>\AppServer\lib\cfwk-tools.zip;%CLASSPATH%

Creating the keys, certificates, and files

Create pairs of keys for TestServer and TestCA.

% java com.ibm.cfwk.tools.KeyGenTool --forge "RSA/512/F4" myTestServ.key
% java com.ibm.cfwk.tools.KeyGenTool --forge "RSA/512/F4" myTestCA.key

Create a self-signed certificate for the TestCA.

% java com.ibm.cfwk.tools.MakeCertTool --serial 0 --for 2y --issuer "cn=myTestCA" --sign-alg "MD5 with RSA" --sign-key myTestCA.key --cert-file myTestCA.cert

Create a certificate for the TestServer, signed with the TestCA's key.

% java com.ibm.cfwk.tools.MakeCertTool --serial 0 --for 2y --issuer "cn=myTestCA" --subject "cn=myTestServer" --sign-alg "MD5 with RSA" --sign-key myTestCA.key --subject-key myTestServ.key --cert-file myTestServ.cert

Add TestServer's private key to the vault.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt add private key myTestServer 00-hex myTestServ.key

Add the chain of certificates for TestServer (the server certificate followed by the CA certificate that signed it) to the vault.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt add public chain myTestServer 00-hex myTestServ.cert myTestCA.cert

Add the TestCA's self-signed certificate to the vault.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt add public cert myTestCA 00-hex myTestCA.cert

Export the information for TestServer and TestCA to the TestKeyring class file.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt container -p "ringpwd" com.ibm.websphere.TestKeyring myTestServer myTestCA

Adding the LDAP server's CA certificate

For WebSphere to establish an SSL connection to the LDAP server, the keyring must also contain the CA certificate that issued the LDAP server's certificate; without it, WebSphere cannot validate the certificate the LDAP server presents. To add this certificate to the keyring, you must add it to the vault and then regenerate the keyring class.

First, add the LDAP CA's certificate to the vault.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt add public cert LDAPCA 00-hex myLDAPCA.cert

Second, generate a new version of the keyring class, including the LDAP CA's label in the set of information to export. The container command exports exactly the labels listed, so repeat the earlier labels rather than naming only the new one.

% java com.ibm.cfwk.tools.VaultTool --password "vltpwd" myVault.vlt container -p "ringpwd" com.ibm.websphere.TestKeyring myTestServer myTestCA LDAPCA