Initially connect the driver to the ZIS over plain HTTP so that connectivity and the driver configuration can be verified without TLS in the way. Once the connection is shown to be working, switch to HTTPS; real student information should only ever be passed between the driver and the Zone Integration Server (ZIS) over HTTPS. An HTTPS connection always performs server authentication: the client (the driver) verifies that it is talking to the expected ZIS by checking the certificate the server presents. The ZIS can additionally require client authentication, which takes place after server authentication has completed: the ZIS then verifies that it is talking to a known client (the driver), based on the certificate the driver presents.
For HTTPS to work, you must import the certificate of the Certification Authority (CA) that issued the ZIS certificate into the jssecacerts keystore file; this declares that you trust that CA. To prove that it belongs to the organization it claims to represent, the ZIS presents its public key certificate to the driver, and the driver validates that certificate against the CA certificate in its trust store. Only if the validation succeeds can the client be sure of the identity of the server.
The CA certificate must be added to the java-home/lib/security/jssecacerts keystore file (java-home/jre/lib/security/jssecacerts when java-home is a JDK rather than a JRE). For NetWare® systems, java-home is typically sys:/java. For Windows systems, java-home is typically Novell\Nds\jre. The CA certificate is added to the keystore with the keytool utility (http://java.sun.com/j2se/1.3/docs/tooldocs/solaris/keytool.html). For example,
java-home/jre/bin/keytool -import -alias zisca -file zisca.cer -keystore java-home/jre/lib/security/jssecacerts -storepass changeit
If the jssecacerts file does not exist yet, this command creates it with the keystore password “changeit”. The system administrator should change that password and the default access permissions of the file. Note that a password passed with -storepass on the command line ends up in the shell history and is visible to other users in the process list; omit the option and let keytool prompt for it where that matters.
When client authentication (in other words, mutual authentication) is also required, the client’s private key and its certificate must be kept in a separate keystore file, for example java-home/lib/security/sifagentcert. This keystore should hold only that one client key entry. The name of this file is also entered in the driver configuration. The certificate of the CA that signs the client certificate must be imported into both the client’s trusted-certificate store and the ZIS trusted-certificate store. The procedure is: generate a client key pair, have a CA issue a certificate for its public key, then import that certificate into the client keystore alongside the key pair.
One way to get the key pair signed is to use the Novell CA:
In ConsoleOne®, open the Security container, select the Organizational CA, and export the Novell® CA trusted root certificate. Save the certificate in Base64 format as NOVELLCASELFSIGNEDCERT.B64.
Import this certificate into the client’s trusted-certificate keystore. The command below imports it into cacerts, which is the file keytool consults when the -trustcacerts option is used later to build the client certificate chain; at run time, however, the JSSE uses jssecacerts in preference to cacerts when both exist, so make sure the CA certificate is present in whichever trust store the driver actually reads. (-keypass is not needed when importing a trusted certificate and has been dropped.)
java-home/jre/bin/keytool -import -alias novellca -file NOVELLCASELFSIGNEDCERT.B64 -keystore java-home/jre/lib/security/cacerts -storepass novell2
This certificate must also be imported into the ZIS trusted-certificate keystore, or the ZIS will reject the client certificate at the TLS handshake. Consult the ZIS documentation on how this is done.
Generate a public and private key pair for the agent in a new keystore file. The -dname parameter must contain the IP address of the client system as the CN, or SIF Level 3 Authentication will not work. The -keyalg parameter must be RSA. The -keysize option is added here because keytool’s default RSA key size on the JREs of this era is 1024 bits; 2048 bits is the smallest size that should be used today.
java-home/jre/bin/keytool -genkey -alias sifagent -keyalg RSA -keysize 2048 -dname "CN=137.65.146.24, OU=DirXML, O=Novell, L=Provo, S=Utah, C=US" -keypass novell1 -keystore java-home/jre/lib/security/sifagentcert -storepass novell2
The key pair alone does not prove the client’s identity: a CA must issue a certificate that binds the public key to the client. To obtain one, generate a Certificate Signing Request (CSR) into the novellagent.csr file.
java-home/jre/bin/keytool -certreq -alias sifagent -file novellagent.csr -keypass novell1 -keystore java-home/jre/lib/security/sifagentcert -storepass novell2
Now use the Novell CA to issue a certificate for the client’s key pair. In ConsoleOne, open the certificate issuing dialog, browse to and select the novellagent.csr file, select Organizational Certificate Authority as the issuer, specify SSL or TLS as the Type, review the certificate parameters, and finish the wizard. Save the issued certificate in Base64 format as ISSUEDCERTIFICATE.B64.
The issued certificate now needs to be stored in the sifagentcert keystore with the key pair. Importing it under the same alias as the key pair replaces the self-signed certificate that -genkey created with the CA-issued one; -trustcacerts lets keytool complete the certificate chain from the CA certificate imported into cacerts earlier.
java-home/jre/bin/keytool -import -trustcacerts -alias sifagent -file ISSUEDCERTIFICATE.B64 -keypass novell1 -keystore java-home/jre/lib/security/sifagentcert -storepass novell2
At this point, the sifagentcert keystore holds your key entry, and its certificate chain consists of the CA-issued certificate for your key followed by the CA’s own self-signed certificate.
View the sifagentcert keystore. Your key entry should show “Certificate chain length: 2.” The first certificate in the chain is the one issued for your key; the second is the CA certificate that signed it. If the chain length is still 1, the CA reply was not imported and the driver would present a self-signed certificate, which the ZIS will reject. When the server (ZIS) asks for a certificate during the handshake, this signed certificate is returned to the server for authentication.
java-home/jre/bin/keytool -list -v -keystore java-home/jre/lib/security/sifagentcert -storepass novell2
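The following Java program is an added example and is not part of the original page or of the driver’s own code. It shows how a client built on the JSSE consumes the two keystores the steps above produce: a trust store (jssecacerts) for server authentication, and the separate sifagentcert keystore for mutual authentication. It also performs, in code, the same check as keytool -list -v, namely that the sifagent key entry carries a chain of length 2 whose first certificate is RSA and was signed by the second. The file paths, passwords, alias and the class name are assumptions that mirror the keytool commands above; the real driver reads its keystore name from its configuration. System.getProperty("java.home") is the JRE directory, so lib/security is appended directly rather than jre/lib/security.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Example TLS client for a SIF agent talking to a ZIS (added example, not driver code). */
public class ZisTlsClient {
    // Assumed locations and passwords; they mirror the keytool commands above.
    static final String SEC = System.getProperty("java.home") + "/lib/security/";
    static final String TRUST_STORE = SEC + "jssecacerts";
    static final char[] TRUST_PASS = "changeit".toCharArray();
    static final String CLIENT_STORE = SEC + "sifagentcert";
    static final char[] CLIENT_STORE_PASS = "novell2".toCharArray();
    static final char[] CLIENT_KEY_PASS = "novell1".toCharArray();
    static final String CLIENT_ALIAS = "sifagent";

    /** keytool on these JREs writes JKS keystores, so ask for that type explicitly. */
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    static TrustManagerFactory trustManagers() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUST_STORE, TRUST_PASS)); // CA that issued the ZIS certificate
        return tmf;
    }

    /** Server authentication only: verify the ZIS, present no client certificate. */
    static SSLContext serverAuthContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustManagers().getTrustManagers(), null); // null key managers
        return ctx;
    }

    /** Mutual authentication: additionally present the CA-signed client certificate. */
    static SSLContext mutualAuthContext() throws Exception {
        KeyStore clientKs = load(CLIENT_STORE, CLIENT_STORE_PASS);
        checkClientEntry(clientKs);
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, CLIENT_KEY_PASS);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), trustManagers().getTrustManagers(), null);
        return ctx;
    }

    /** The same checks a reader does by eye on "keytool -list -v" output. */
    static void checkClientEntry(KeyStore ks) throws Exception {
        // getCertificateChain returns null for a missing alias or a trusted-cert-only entry.
        Certificate[] chain = ks.getCertificateChain(CLIENT_ALIAS);
        if (chain == null) {
            throw new IllegalStateException("no key entry for alias " + CLIENT_ALIAS);
        }
        if (chain.length != 2) {
            throw new IllegalStateException("expected certificate chain length 2, got "
                + chain.length + " (CA reply not imported?)");
        }
        X509Certificate leaf = (X509Certificate) chain[0]; // certificate issued for our key
        X509Certificate ca = (X509Certificate) chain[1];   // the CA that signed it
        if (!"RSA".equals(leaf.getPublicKey().getAlgorithm())) {
            throw new IllegalStateException("client key must be RSA");
        }
        leaf.checkValidity();           // throws if expired or not yet valid
        leaf.verify(ca.getPublicKey()); // throws if the CA in the chain did not sign the leaf
    }

    /** Usage: java ZisTlsClient https://zis.example:port/path [mutual] */
    public static void main(String[] args) throws Exception {
        boolean mutual = args.length > 1 && "mutual".equals(args[1]);
        SSLContext ctx = mutual ? mutualAuthContext() : serverAuthContext();
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default hostname verifier: the ZIS certificate must match the URL host.
        conn.setRequestMethod("GET");
        X509Certificate zis = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("HTTP " + conn.getResponseCode() + " using " + conn.getCipherSuite());
        System.out.println("ZIS presented: " + zis.getSubjectX500Principal());
    }
}
```

Passing null key managers to SSLContext.init is what makes the first context server-authentication only: the handshake still succeeds against a ZIS that merely offers client authentication, but fails against one that requires it, which is a quick way to confirm which mode the ZIS is configured for before the sifagentcert keystore is in place.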