Configuring Other Related Components

Depending on your system configuration, you might need to configure one or more of the following for XMLRPC security to fully function:


Configuring the Zen Web Server to Use SSL

Do the following to configure the Zen Web Server to use SSL:


Creating the .KEYSTORE File

There are two methods for creating the .KEYSTORE file. The tool for both methods is KEYTOOL, located in the BIN directory of any Java JRE or JDK 1.2.2 or later.

KEYTOOL is not a NetWare utility. Therefore, if you have installed the Zen Web Server on a NetWare server that needs to use SSL, generate the .KEYSTORE file on a Windows, Linux, or Solaris machine and copy the file to the NetWare server. For example, copy the .KEYSTORE file to:

ZENWORKS\ZWS\SECURITY

You will need to identify this NetWare location during installation of inter-server communications security.

Use one of the following methods to create the .KEYSTORE file on a Windows, Linux, or Solaris machine:


Creating a Self-Signed Certificate

To create a self-signed certificate:

  1. On a Windows, Linux, or Solaris command line, enter the following command:

    keytool -genkey -v -keyalg RSA -keystore Keystore_Path_Filename

    where Keystore_Path_Filename is the path and filename of the .KEYSTORE file to be created.

    The path can be absolute, relative, or just the filename.

    IMPORTANT:  We recommend that you specify the ZfS installation directory's LIB\SECURITY directory, because this directory should already have restricted file system rights that limit access to the .KEYSTORE file to the machine's administrator.

    WARNING:  Do not use .KEYSTORE as the filename if you place it in the LIB\SECURITY directory. This will overwrite the .KEYSTORE file there that holds the CS and signed XMLRPC certificates.

    If you want to use a user-defined alias for the new certificate, include the following switch in the KEYTOOL command line:

    -alias Alias_Name

    where Alias_Name is your user-defined name. "myKey" is the default alias. Thereafter, any reference to the certificate will use the alias name you provided, instead of myKey.

    Example of the command for Windows machines:

    keytool -genkey -v -keyalg RSA -keystore C:\ZENworks\pds\lib\security\zwsKeystore

    Example of the command for Solaris/Linux machines:

    keytool -genkey -v -keyalg RSA -keystore usr/ZENworks/pds/lib/security/zwsKeystore
  2. Enter a password for this .KEYSTORE file when prompted.

    Make a note of this password. You will be required to enter it when editing the ZWS.PROPERTIES file and during installation of inter-server communications security.

  3. For NetWare servers, copy the .KEYSTORE file that is generated to the location that you determined for the NetWare server.


Importing a Signed Certificate

The imported certificate can be one that was signed by a root CA, such as VeriSign, or it can be a certificate signed by an internal CA. However, the ZENworks CS servlet cannot act as the CA server. It does not use X.509 certificates, and therefore cannot generate a properly signed X.509 certificate.

If an internal CA signed the certificate, the CA's certificate must be stored in a client's trust store. For more information, see Configuring a Client to Work With a Self-Signed Certificate.

To create and import a certificate:

  1. On a Windows, Linux, or Solaris machine, enter the following commands:

    keytool -genkey -v -keyalg RSA -keystore Keystore_File

    keytool -certreq -v -alias myKey -file CSR_File -keystore Keystore_File

    where Keystore_File is the path and filename of the .KEYSTORE file and CSR_File is the path and filename of the CSR file.

    The resulting CSR file is signed by the CS and returned.

  2. Save the returned signed certificate to disk and enter:

    keytool -import -v -trustcacerts -alias mySignedKey -file CSR_File -keystore Keystore_File

    where Keystore_File is the path and filename of the .KEYSTORE file and CSR_File is the path and filename of the CSR file.

Examples of the Commands for Windows Machines: 

keytool -genkey -v -keyalg RSA -keystore c:\zenworks\pds\lib\security\zwsKeystore
keytool -certreq -v -alias myKey -file myfile.csr -keystore c:\zenworks\pds\lib\security\zwsKeystore
keytool -import -v -trustcacerts -alias mySignedKey -file myfile.csr -keystore c:\zenworks\pds\lib\security\zwsKeystore

Examples of the Commands for Linux and Solaris Machines: 

keytool -genkey -v -keyalg RSA -keystore usr/ZENworks/pds/lib/security/zwsKeystore
keytool -certreq -v -alias myKey -file myfile.csr -keystore usr/ZENworks/pds/lib/security/zwsKeystore
keytool -import -v -trustcacerts -alias mySignedKey -file myfile.csr -keystore usr/ZENworks/pds/lib/security/zwsKeystore

Configuring the ZWS.PROPERTIES File

You need to edit the ZWS.PROPERTIES file in order for the Zen Web Server to use SSL.

To edit the ZWS.PROPERTIES file:

  1. Open the ZWS.PROPERTIES file in a text editor.

    This file is located in the ZENWORKS\ZWS directory, unless you used a different installation path for ZfS.

  2. Locate the ZWS Port section and add the following lines:

    port1=8089

    ssl1=false

    port2=80

    ssl2=false

    port3=443

    ssl3=true

    or add:

    port1=8089

    port2=80

    port3=443

    ssl3=true

    Port1 is always the XMLRPC port number (8089). SSL should never be enabled on this port. Therefore, in the first set of entries above, SSL is set explicitly to false. If the SSL entry were not present, it would be interpreted as false.

    The second, alternate set of entries is equivalent to the first, except that the SSL state of false is implied by omitting the SSL1 and SSL2 entries. Therefore, those ports will not use SSL.

  3. For NetWare servers, add the following lines in the ZWS.PROPERTIES file:

    keystore=sys:\zenworks\pds\lib\security\zwsKeystore

    keystorePassword=ZWS_Keystore_Password

    where ZWS_Keystore_Password is the password you created in Step 2 under Creating a Self-Signed Certificate.

  4. For Windows servers, add the following lines in the ZWS.PROPERTIES file:

    keystore=c:\zenworks\pds\lib\security\zwsKeystore

    keystorePassword=ZWS_Keystore_Password

    where ZWS_Keystore_Password is the password you created in Step 2 under Creating a Self-Signed Certificate.

  5. For Linux/Solaris servers, add the following lines in the ZWS.PROPERTIES file:

    keystore=usr/ZENworks/pds/lib/security/zwsKeystore

    keystorePassword=ZWS_Keystore_Password

    where ZWS_Keystore_Password is the password you created in Step 2 under Creating a Self-Signed Certificate.


Configuring a Client to Work With a Self-Signed Certificate

You must set up a client to automatically trust an SSL server using a self-signed certificate.

To configure the client to work with self-signed certificates:

  1. To export the self-signed certificate, enter the following command on the Windows or Linux/Solaris machine where the .KEYSTORE file resides:

    keytool -export -v -alias myKey -file CSR_File -keystore Keystore_File

    where Keystore_File is the path and filename of the .KEYSTORE file and CSR_File is the path and filename of the CSR file.

  2. Copy this exported certificate to the client, then execute the following command at this client's command line:

    keytool -import -v -alias myKey -file CSR_File -keystore Path_and_Filename_to_CACERTS_File

    where CSR_File is the path and filename of the exported certificate file and Path_and_Filename_to_CACERTS_File is the path and filename for the CACERTS file.

  3. If you want to change the default password of CHANGEIT for the CACERTS file, enter the following command:

    keytool -storepasswd -new My_New_Password -keystore Path_and_Filename_to_CACERTS_File

    where My_New_Password is your new password, and Path_and_Filename_to_CACERTS_File is the path and filename for the CACERTS file created in Step 2.


Configuring ZenCSServlet to Work With the Zen Web Server

You need to edit the ZWS.PROPERTIES file in order for the ZenCSServlet to work with the Zen Web Server. The following sections provide steps and examples for editing the ZWS.PROPERTIES file:


Editing the ZWS.PROPERTIES File

To edit the ZWS.PROPERTIES file:

  1. Open the ZWS.PROPERTIES file in a text editor.

    This file is located in the ZENWORKS\ZWS directory, unless you used a different installation path for ZfS.

  2. Enter the following lines:

    #ZenCSServlet entry

    Servlet.Number.path=CS_Servlet_JAR_File_Path/ZenCSServlet.jar

    Servlet.Number.file=com.novell.application.zenworks.services.servlets.ZenCSServlet.class

    Servlet.Number.url=/ZenCSServlet/servlet/ZenCSServlet

    Servlet.Number.type=jar

    where Number is the next available number for a servlet entry section, and CS_Servlet_JAR_File_Path/ is the path to the JAR file for the servlet.

    Servlet.1 is usually the XMLRPCServlet, so you will be using 2 or higher.

    The path to the JAR file must be set correctly for the servlet to load.

  3. Enter the following lines:

    #Authentication password file

    passwordFile=Password_File_Path_and_Filename

    where Password_File_Path_and_Filename is the path and name for the password file.

    Usernames and passwords are both case sensitive.

    This password section requires a valid path to a text file that will serve as the password list. You should restrict access to this text file to only those users you place in the file. The correct username/password combination must be used to log into the ZenCSServlet and use its signing functionality.


Examples

The following are ZWS.PROPERTIES file entry examples by platform:


NetWare Servers
#ZenCSServlet entry
Servlet.2.path=sys:\zenworks\pds\lib\ZenCSServlet.jar
Servlet.2.file=com.novell.application.zenworks.services.servlets.ZenCSServlet.class
Servlet.2.url=/ZenCSServlet/servlet/ZenCSServlet
Servlet.2.type=jar
#Authentication password file
passwordFile=sys:\zenworks\pds\lib\security\XmlRPCpassword.txt

Windows Servers
#ZenCSServlet entry
Servlet.2.path=c:\zenworks\pds\lib\ZenCSServlet.jar
Servlet.2.file=com.novell.application.zenworks.services.servlets.ZenCSServlet.class
Servlet.2.url=/ZenCSServlet/servlet/ZenCSServlet
Servlet.2.type=jar
#Authentication password file
passwordFile=c:\zenworks\pds\lib\security\XmlRPCpassword.txt

Linux and Solaris Servers
#ZenCSServlet entry
Servlet.2.path=usr/ZENworks/pds/lib/ZenCSServlet.jar
Servlet.2.file=com.novell.application.zenworks.services.servlets.ZenCSServlet.class
Servlet.2.url=/ZenCSServlet/servlet/ZenCSServlet
Servlet.2.type=jar
#Authentication password file
passwordFile=usr/ZENworks/pds/lib/security/XmlRPCpassword.txt
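
The port/SSL, keystore and servlet-entry rules from the ZWS.PROPERTIES sections above can be checked mechanically before the server is restarted. The following is an added example, not Novell's code: `parse_properties`, `check_zws` and the sample file are constructed here, and it assumes keys are spelled exactly as shown on this page.

```python
import re

# Constructed sample: SSL on the XMLRPC port, no keystorePassword, no Servlet.2.type.
SAMPLE = """\
port1=8089
ssl1=true
port3=443
ssl3=true
keystore=usr/ZENworks/pds/lib/security/zwsKeystore
#ZenCSServlet entry
Servlet.2.path=usr/ZENworks/pds/lib/ZenCSServlet.jar
Servlet.2.file=com.novell.application.zenworks.services.servlets.ZenCSServlet.class
Servlet.2.url=/ZenCSServlet/servlet/ZenCSServlet
"""

def parse_properties(text):
    """Read key=value lines; lines starting with '#' are comments."""
    pairs = (l.strip().split("=", 1) for l in text.splitlines()
             if "=" in l and not l.strip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_zws(text):
    """Return findings for the port/SSL, keystore and servlet rules on this page."""
    p, findings = parse_properties(text), []
    if p.get("port1") != "8089":
        findings.append("port1 is not the XMLRPC port 8089")
    if p.get("ssl1", "false").lower() == "true":
        findings.append("ssl1=true: SSL must not be enabled on the XMLRPC port")
    ssl_on = [k[3:] for k, v in p.items()
              if re.fullmatch(r"ssl\d+", k) and v.lower() == "true"]
    findings += [f"ssl{n}=true has no port{n} entry" for n in ssl_on if f"port{n}" not in p]
    if ssl_on:  # an SSL port needs the keystore and its password
        findings += [f"SSL is enabled but {k} is not set"
                     for k in ("keystore", "keystorePassword") if not p.get(k)]
    sections = {}
    for k in p:
        m = re.fullmatch(r"Servlet\.(\d+)\.(path|file|url|type)", k)
        if m:
            sections.setdefault(m.group(1), set()).add(m.group(2))
    for n in sorted(sections, key=int):
        for field in sorted({"path", "file", "url", "type"} - sections[n]):
            findings.append(f"Servlet.{n}.{field} is missing")
    needs_auth = any(k.endswith(".file") and ("ZenCSServlet" in v or "XMLProxyServlet" in v)
                     for k, v in p.items())
    if needs_auth and not p.get("passwordFile"):
        findings.append("ZenCSServlet/XMLProxyServlet configured but passwordFile is not set")
    return findings

if __name__ == "__main__":
    print("\n".join(check_zws(SAMPLE)))
```

Because keystorePassword is stored in ZWS.PROPERTIES as clear text, the properties file needs the same restricted file system rights as the .KEYSTORE file and the password file.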

Configuring XMLProxyServlet to Work With the Zen Web Server

You need to edit the ZWS.PROPERTIES file in order for the XMLProxyServlet to work with Zen Web Server. The following sections provide steps and examples for editing the ZWS.PROPERTIES file:


Editing the ZWS.PROPERTIES File

To edit the ZWS.PROPERTIES file:

  1. Open the ZWS.PROPERTIES file in a text editor.

    This file is located in the ZENWORKS\ZWS directory, unless you used a different installation path for ZfS.

  2. Enter the following lines:

    #XMLProxyServlet entry

    Servlet.Number.path=CS_Servlet_JAR_File_Path/XMLProxyServlet.jar

    Servlet.Number.file=com.novell.application.zenworks.services.servlets.XMLProxyServlet.class

    Servlet.Number.url=/XMLProxyServlet/servlet/XMLProxyServlet

    Servlet.Number.type=jar

    where Number is the next available number for a servlet entry section, and CS_Servlet_JAR_File_Path/ is the path to the JAR file for the servlet.

    Servlet.1 is usually the XMLRPCServlet, so you will be using 2 or higher.

    The path to the JAR file must be set correctly for the servlet to load.

  3. Enter the following lines:

    #Authentication password file

    passwordFile=Password_File_Path_and_Filename

    where Password_File_Path_and_Filename is the path and name for the password file.

    Usernames and passwords are both case sensitive.

    This password section requires a valid path to a text file that will serve as the password list. You should restrict access to this text file to only those users you place in the file. The correct username/password combination must be used to log into the XMLProxyServlet and use its proxy functionality.


Examples

The following are ZWS.PROPERTIES file entry examples by platform:


NetWare Servers
#XMLProxyServlet entry
Servlet.2.path=sys:\zenworks\pds\lib\XMLProxyServlet.jar
Servlet.2.file=com.novell.application.zenworks.services.servlets.XMLProxyServlet.class
Servlet.2.url=/XMLProxyServlet/servlet/XMLProxyServlet
Servlet.2.type=jar
#Authentication password file
passwordFile=sys:\zenworks\pds\lib\security\XmlRPCpassword.txt

Windows Servers
#XMLProxyServlet entry
Servlet.2.path=c:\zenworks\pds\lib\XMLProxyServlet.jar
Servlet.2.file=com.novell.application.zenworks.services.servlets.XMLProxyServlet.class
Servlet.2.url=/XMLProxyServlet/servlet/XMLProxyServlet
Servlet.2.type=jar
#Authentication password file
passwordFile=c:\zenworks\pds\lib\security\XmlRPCpassword.txt

Linux and Solaris Servers
#XMLProxyServlet entry
Servlet.2.path=usr/ZENworks/pds/lib/XMLProxyServlet.jar
Servlet.2.file=com.novell.application.zenworks.services.servlets.XMLProxyServlet.class
Servlet.2.url=/XMLProxyServlet/servlet/XMLProxyServlet
Servlet.2.type=jar
#Authentication password file
passwordFile=usr/ZENworks/pds/lib/security/XmlRPCpassword.txt

Configuring ZenCSServlet to Work With Tomcat

You need to edit the ZWS.PROPERTIES file in order for the ZenCSServlet to work with Tomcat.

The following sections provide steps and examples for editing the ZWS.PROPERTIES file:


Editing the ZWS.PROPERTIES File

To edit the ZWS.PROPERTIES file:

  1. Open the ZWS.PROPERTIES file in a text editor.

    This file is located in the ZENWORKS\ZWS directory, unless you used a different installation path for ZfS.

  2. Enter the following lines:

    #Authentication password file

    passwordFile=Password_File_Path_and_Filename

    where Password_File_Path_and_Filename is the path and name for the password file.

    Usernames and passwords are both case sensitive.

    This password section requires a valid path to a text file that will serve as the password list. You should restrict access to this text file to only those users you place in the file. The correct username/password combination must be used to log into the ZenCSServlet and use its signing functionality.


Examples

The following are ZWS.PROPERTIES file entry examples by platform:


NetWare Servers

For the ZWS.PROPERTIES file:

#Authentication password file
passwordFile=sys:\zenworks\pds\lib\security\XmlRPCpassword.txt

Windows Servers

For the ZWS.PROPERTIES file:

#Authentication password file
passwordFile=c:\zenworks\pds\lib\security\XmlRPCpassword.txt

Linux and Solaris Servers

For the ZWS.PROPERTIES file:

#Authentication password file
passwordFile=usr/ZENworks/pds/lib/security/XmlRPCpassword.txt

Configuring XMLProxyServlet to Work With Tomcat

You need to edit the ZWS.PROPERTIES file in order for the XMLProxyServlet to work with Tomcat.

The following sections provide steps and examples for editing the ZWS.PROPERTIES file:


Editing the ZWS.PROPERTIES File

To edit the ZWS.PROPERTIES file:

  1. Open the ZWS.PROPERTIES file in a text editor.

    This file is located in the ZENWORKS\ZWS directory, unless you used a different installation path for ZfS.

  2. Enter the following lines:

    #Authentication password file

    passwordFile=Password_File_Path_and_Filename

    where Password_File_Path_and_Filename is the path and name for the password file.

    Usernames and passwords are both case sensitive.

    This password section requires a valid path to a text file that will serve as the password list. You should restrict access to this text file to only those users you place in the file. The correct username/password combination must be used to log into the XMLProxyServlet and use its signing functionality.


Examples

The following are ZWS.PROPERTIES file entry examples by platform:


NetWare Servers

For the ZWS.PROPERTIES file:

#Authentication password file
passwordFile=sys:\zenworks\pds\lib\security\XmlRPCpassword.txt

Windows Servers

For the ZWS.PROPERTIES file:

#Authentication password file
passwordFile=c:\zenworks\pds\lib\security\XmlRPCpassword.txt

Linux and Solaris Servers

For the ZWS.PROPERTIES file:

#Authentication password file
passwordFile=usr/ZENworks/pds/lib/security/XmlRPCpassword.txt