16.16 Creating and Replacing SSL Certificates

The Secure Sockets Layer (SSL) protocol uses certificates and encryption to protect data sent over HTTP.

Certificates are digitally signed statements that verify the authenticity of a server for security purposes. They use two keys: a public key to encrypt information and a private key to decipher it.

keytool is a key and certificate management utility that allows you to create your own public and private keys when you use self-signed certificates. These keys and certificates are stored in a keystore file.

NOTE: All of the steps in these sections (“Creating a New Self-signed Certificate” and “Using an SSL Certificate from a known Certificate Authority (CA)” in the user's guide) should be performed on the MS and each ES.

In order to avoid SSL certificate warnings in the browser when connecting to the Novell ZENworks Network Access Control server (either as a Novell ZENworks Network Access Control user interface user, or from a redirected endpoint) you will need to install SSL certificates that have been signed by a Certificate Authority (CA) recognized by the browser, such as Thawte, Verisign, or your organization's own local SSL CA. To install certificates, follow the steps below for the MS and each ES. (Once is sufficient for single-server installations.) Start by removing your existing keystore and generating a new self-signed certificate as described in Section 16.16.1, Creating a New Self-signed Certificate, using compliance as the alias wherever a key alias is needed. Once you've generated a self-signed certificate with the fully-qualified Domain Name of your server, continue with the instructions for Section 16.16.2, Using an SSL Certificate from a known Certificate Authority (CA).

16.16.1 Creating a New Self-signed Certificate

To generate a private keystore containing a new private key/public certificate pair:

Command line window

  1. Log in as root to the Novell ZENworks Network Access Control server via SSH or directly using a keyboard.

  2. Remove the existing keystore by entering the following at the command line:

    rm -f /usr/local/nac/keystore/compliance.keystore
    
  3. Enter the following at the command line:

    keytool -genkey -keyalg RSA -alias <key_alias> -keystore /usr/local/nac/keystore/compliance.keystore
    

    Where:

    <key_alias> is the name for the key within the keystore file

  4. The keytool utility prompts you for the following information:

    • Keystore password — Enter a password. You may want to use changeit to be consistent with the default password of the J2SE SDK keystore.

    • First and Last Name — Enter the fully-qualified name of your server. This fully-qualified name includes the host name and the domain name. For testing purposes on a single machine, this will be localhost.

    • Organizational unit — Enter the appropriate value.

    • Organization — Enter the name of your organization.

    • City or locality — Enter the city or location.

    • State or province — Enter the unabbreviated state or province.

    • Two-letter country code — Enter a two-letter country code. The two-letter country code for the United States is US.

  5. Review the information you have entered so far and enter Yes if it is correct.

  6. The keytool utility prompts you for the following information:

    Key password for <key_alias> — Do not enter a password; press [Return] to use the same password that was given for the keystore password.

  7. Import the CA’s root certificates into the Java cacerts file by entering the following command on the command line of the Novell ZENworks Network Access Control server:

    keytool -import -alias <CA_alias> -file <ca_root_cert_file> -keystore /usr/local/nac/keystore/cacerts
    

    Where:

    <CA_alias> is an alias unique to your cacerts file and preferably identifies the CA to which it pertains

    <ca_root_cert_file> is the file containing the CA's root certificate

  8. keytool prompts for the password for the cacerts file, which should be the default: changeit.

  9. If you are prompted, enter yes to trust the certificate.

16.16.2 Using an SSL Certificate from a known Certificate Authority (CA)

To generate a Certificate Signing Request (CSR) to be submitted to a Certificate Authority (CA), first create a new self-signed certificate following the instructions in the previous section, then continue as follows:

  1. Log in as root to the Novell ZENworks Network Access Control server via SSH or directly using a keyboard.

  2. Enter the following at the command line:

    keytool -certreq -alias <key_alias> -keyalg RSA -file <csr_filename> -keystore /usr/local/nac/keystore/compliance.keystore

    Where:

    <key_alias> is the name for the key within the keystore file

    <csr_filename> is the name of the file to store the certificate request

  3. keytool prompts for the password for the keystore file, which is the password used when the keystore was created.

  4. Submit the CSR (see Section 1.9, Copying Files) to your chosen CA (such as Thawte or Verisign) along with anything else they might require.

  5. If you are using a non-traditional CA (such as your own private Certificate Authority/Public Key Infrastructure (CA/PKI)), or if you are using a less well-known CA, you will need to import the CA’s root certificates into the Java cacerts file by entering the following command on the command line of the Novell ZENworks Network Access Control server:

    keytool -import -alias <CA_alias> -file <ca_root_cert_file> -keystore /usr/local/nac/keystore/cacerts
    

    Where:

    <CA_alias> is an alias unique to your cacerts file and preferably identifies the CA to which it pertains

    <ca_root_cert_file> is the file containing the CA's root certificate

  6. keytool prompts for the password for the cacerts file, which should be the default: changeit.

  7. If you are prompted, enter yes to trust the certificate.

  8. Once you get your signed certificate back from the CA, import it into your keystore (see Section 1.9, Copying Files), replacing the previously self-signed public certificate for your key by entering the following command on the command line of the Novell ZENworks Network Access Control server:

    keytool -import -alias <key_alias> -trustcacerts -file <signed_cert_file> -keystore /usr/local/nac/keystore/compliance.keystore
    

    Where:

    <key_alias> is the name for the key within the keystore file

    <signed_cert_file> is the name of the file containing your CA-signed certificate

  9. keytool prompts for the password for the keystore file, which is the password used when the keystore was created.

  10. Save and exit the file.
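The following script is an added example, not part of the ZENworks guide: it runs the keytool steps from Section 16.16.1 and Section 16.16.2 non-interactively (the distinguished name and passwords are passed as options instead of being typed at the prompts) and adds a check that the CA reply really replaced the self-signed certificate. The keystore paths and the alias compliance come from the guide; the SAN extension, the KEYSTORE/CACERTS/CACERTS_PASS variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ZENworks NAC guide). Paths and alias are the guide's;
# the SAN extension is an addition: browsers match the server name against SAN, not CN.
set -eu

KEYSTORE=${KEYSTORE:-/usr/local/nac/keystore/compliance.keystore}
CACERTS=${CACERTS:-/usr/local/nac/keystore/cacerts}
ALIAS=compliance

# Build the distinguished name keytool would otherwise prompt for (16.16.1 step 4).
# Args: fqdn org_unit org city state country_code
build_dname() {
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# 16.16.1 steps 2-6: fresh keystore with an RSA key pair; key password = store password.
# Args: fqdn dname storepass
gen_selfsigned() {
    rm -f "$KEYSTORE"
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$ALIAS" \
        -dname "$2" -ext "SAN=dns:$1" \
        -keystore "$KEYSTORE" -storepass "$3" -keypass "$3"
}

# 16.16.2 step 2: CSR for the same key, carrying the SAN. Args: fqdn csr_file storepass
gen_csr() {
    keytool -certreq -alias "$ALIAS" -ext "SAN=dns:$1" -file "$2" \
        -keystore "$KEYSTORE" -storepass "$3"
}

# 16.16.2 steps 5-7: trust the CA root (the guide's default cacerts password is changeit).
# Args: ca_alias ca_root_cert_file
import_ca_root() {
    keytool -import -noprompt -alias "$1" -file "$2" \
        -keystore "$CACERTS" -storepass "${CACERTS_PASS:-changeit}"
}

# 16.16.2 step 8: import the CA reply under the key's own alias. Args: signed_cert_file storepass
import_signed() {
    keytool -import -trustcacerts -alias "$ALIAS" -file "$1" \
        -keystore "$KEYSTORE" -storepass "$2"
}

# Returns 0 only when the alias now holds a certificate chain (CA reply imported);
# a still self-signed entry reports "Certificate chain length: 1". Args: storepass
chain_ok() {
    n=$(keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$1" \
        | sed -n 's/^Certificate chain length: //p')
    [ "${n:-0}" -ge 2 ]
}
```

Run chain_ok after step 8 on the MS and each ES; if it fails, the reply was not accepted (usually because the CA root was not imported first), and the server is still presenting the self-signed certificate.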