Key and certificate management
As noted previously, before configuring SSL you must set up a key database
and obtain or create a certificate. Certificates are used to authenticate
server identities. Use the IBM Key Management utility (sometimes called iKeyman)
to set up your certificate files. This utility is part of the GSKit software,
which is included with Application Server. GSKit also includes a Java-based graphical
interface for opening certificate files.
The following are the basic steps to set up your SSL keys and certificates.
- Ensure that GSKit is installed. On most platforms, it is installed automatically
with the Caching Proxy component. The name of the package is gsk7ikm (gsk7ikm_gcc295
on Linux systems for i386). GSKit is usually installed in the ibm/gsk7/
directory (ibm/gskit/ on AIX systems). On Windows platforms, it can also be
accessed from the Start menu.
Note:
On Windows, if GSKit is not installed when you use InstallShield, verify that
the path to the install media directory does not contain a blank space.
- Use the key manager to create a key for secure network communications
and receive a certificate from a certificate authority. You might decide to
create a self-signed certificate while waiting to receive the certificate
from the authority.
- Create a key database and specify a key database password.
Note:
The key and keystash files are uninstalled whenever Caching Proxy is
uninstalled. To avoid having to request a new certificate from a certificate
authority, save backup copies of these two files in another directory before
uninstalling the proxy software.
On all operating systems except Linux, if the certificate
has expired, Caching Proxy does not start properly, and an error message is
displayed indicating that the key database has expired. On Linux, the proxy appears
to start, but the process quickly disappears and no error message is generated.
To prevent this problem on Red Hat Enterprise Linux 3.0 systems,
ensure that the GCC packages are at the following levels or higher:
- libstdc++-3.2.3-52
- libgcc-3.2.3-52
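Because an expired certificate stops Caching Proxy from starting, and on Linux does so without an error message, a start script can check the expiry date first. The following shell functions are an added example, not part of the original documentation; they assume that the server certificate has been extracted from the key database to a Base64-encoded file and that the openssl command is installed. The file path and the CERT_FILE and WARN_DAYS variables are placeholders.

```shell
#!/bin/sh
# Added example: pre-start expiry check for the proxy's server certificate.
# Assumption: the certificate was extracted from the key database to a
# Base64 (PEM) file; the path below is a placeholder, not a product default.
CERT_FILE="${CERT_FILE:-/path/to/extracted-server-cert.arm}"
WARN_DAYS="${WARN_DAYS:-30}"

# check_cert_expiry FILE DAYS
#   returns 0  certificate is still valid DAYS days from now
#   returns 1  certificate is expired or expires within DAYS days
#   returns 2  bad arguments, or FILE is not a readable X.509 certificate
check_cert_expiry() {
    pem=$1
    days=$2
    case "$days" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ -r "$pem" ] || return 2
    # Parse first, so a corrupt file is not mistaken for an expired one.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# cert_end_date FILE: print the notAfter date for log messages.
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Run the check only when invoked with "check", e.g. from a start script.
if [ "${1:-}" = "check" ]; then
    rc=0
    check_cert_expiry "$CERT_FILE" "$WARN_DAYS" || rc=$?
    case "$rc" in
        0) echo "OK: certificate valid until $(cert_end_date "$CERT_FILE")" ;;
        1) echo "FAIL: certificate expires within $WARN_DAYS days ($(cert_end_date "$CERT_FILE")); renew before starting the proxy" >&2 ;;
        *) echo "ERROR: cannot read certificate at $CERT_FILE" >&2 ;;
    esac
    exit "$rc"
fi
```

Run the script with the argument check from the proxy start script or from cron, and act on a nonzero exit status before the proxy is started.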