There are two features of TED that deal with security:
Certificates: Certificates (required) are issued by each Distributor to all Subscribers receiving Distributions from that Distributor. In order for a Subscriber to accept Distributions from a Distributor, it must have a certificate in its security directory from that Distributor.
Digests: Digests (optional) can be created for each Distribution at the time it is built. The digest is used by the Subscriber to determine whether a Distribution has been tampered with after it left the Distributor.
Important points about certificates:
Security: Certificate key pairs are created by the Distributor.
The public key is written to the Distributor server's file system, which self-assigns a certificate and stores it in eDirectory.
A certificate can be passed from a Distributor to a Subscriber under two circumstances:
A Subscriber subscribes to a Channel
A Distribution is listed in a Channel
In both cases, a message will be displayed asking whether to resolve certificates.
Subscribers do not need to be running to have certificates copied to their servers.
If a Distributor object is deleted and re-created to point to the same server, all certificates on the subordinate Subscribers become invalid. Certificates must be deleted from the Subscriber's security subdirectory. Then the Distributor must send the new certificates to those Subscribers.
Important points about digests:
The Digest option is for all Distribution types. The Digest check box is displayed on the General tab of the Distribution object.
A digest is created at the time a Distribution is built. It is used by a Subscriber to determine whether a Distribution has been tampered with after it left the Distributor.
A digest will add about 30% to the build time. Factors that can affect build time using digests are CPU and hard drive speeds, amount of RAM, server workload, and so on.
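The build-then-verify flow described in the points above, as an added example that is not code from TED or from this documentation. The page does not name the digest algorithm or the package layout, so SHA-256, the length-prefixed framing, and every function and file name below are assumptions.

```python
import hashlib
import hmac
import struct

def build_digest(files):
    """Distributor side: one digest over every (relative_path, content) pair.

    Paths are sorted and each field is length-prefixed, so renaming a file or
    moving bytes from one file into another changes the result.
    """
    h = hashlib.sha256()  # assumption: the page does not name TED's algorithm
    for path in sorted(files):
        name = path.encode("utf-8")
        data = files[path]
        h.update(struct.pack(">I", len(name)) + name)
        h.update(struct.pack(">Q", len(data)))
        h.update(data)
    return h.hexdigest()

def verify_distribution(files, expected_digest):
    """Subscriber side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(build_digest(files), expected_digest)

# Constructed sample Distribution (not a real TED package).
DISTRIBUTION = {
    "app/setup.cfg": b"install_dir=/opt/app\n",
    "app/bin/agent": b"\x7fELF-constructed-sample",
}
DIGEST_AT_BUILD = build_digest(DISTRIBUTION)

def tamper_cases():
    """Return {case: accepted?} for changes made after the build."""
    modified = dict(DISTRIBUTION, **{"app/setup.cfg": b"install_dir=/tmp/x\n"})
    renamed = {"app/setup.cfg": DISTRIBUTION["app/setup.cfg"],
               "app/bin/agent2": DISTRIBUTION["app/bin/agent"]}
    added = dict(DISTRIBUTION, **{"app/extra.sh": b"echo hi\n"})
    # One byte moved across the file boundary; total bytes are unchanged.
    shifted = {"app/bin/agent": b"\x7fELF-constructed-sampl",
               "app/setup.cfg": b"einstall_dir=/opt/app\n"}
    cases = {"intact": DISTRIBUTION, "modified": modified, "renamed": renamed,
             "added": added, "shifted": shifted}
    return {k: verify_distribution(v, DIGEST_AT_BUILD) for k, v in cases.items()}

if __name__ == "__main__":
    for case, accepted in tamper_cases().items():
        print(f"{case:9s} accepted={accepted}")
```

A digest check of this kind only detects tampering if the expected value itself reaches the Subscriber unaltered; this page does not describe how TED carries the digest.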
To create a certificate on a Distributor and copy it to its associated Subscribers:
1. On the server where a Distributor is installed, make sure its Distributor Agent is running (use TED.NCF on a NetWare server, restart the Novell ZfS Distribution service on a Windows server, or enter /etc/init.d/zfs start on a UNIX server).
This Java process will create the certificate and write it into eDirectory.
2. Copy the certificate to each Subscriber using one of the following methods:
If your Channels and Distributions are set up, in ConsoleOne, right-click the Distributor object > click Resolve Certificates > click OK. Make sure the Copy Certificates Automatically to Subscribers radio button is checked before clicking OK. This will copy the new certificate to each Subscriber so that it can receive Distributions from this Distributor.
If necessary, associate Subscribers with a Channel > create a Distribution for the Distributor > associate the Distribution with a Channel. When you click OK you will be prompted to resolve the certificate. Respond to the query with Yes to resolve certificates for all Subscribers. The certificates are copied to all of the associated Subscribers. The Subscriber Java process does not need to be running on the Subscriber server; the server only needs to be up.
Manually copy the Distributor's certificate to each Subscriber server's installation_path\ZENWORKS\PDS\TED\SECURITY directory (on UNIX, usr/ZENworks/PDS/TED/Security).
Right-click a Subscriber object > click Resolve Certificates (repeat for each Subscriber object). This option might only be available if you answered No when prompted to copy security certificates.
Note that the first two options are the easiest when there are many Subscribers receiving Distributions from one Distributor.
Because each Distributor creates its own security certificate, repeat Step 1 and Step 2 for each Distributor object in the tree.