B. Secure Global Desktop Server Settings
Each SGD server has two certificate stores, a CA certificate truststore and a client certificate store.
Each SGD server has its own CA certificate truststore. This is the /opt/tarantella/bin/jre/lib/security/cacerts file.
The CA certificate truststore contains the CA certificates that the SGD server trusts.
The /opt/tarantella/etc/data/cacerts.txt file contains the X.500 Distinguished Names (DNs) and MD5 signatures of all the CA certificates that are in the CA certificates truststore when SGD is first installed. These are the CAs that SGD supports by default. To add support for additional CAs, you can import CA certificates to the truststore.
You might need to import CA certificates in the following circumstances:
Active Directory authentication – If SSL connections to Active Directory are used, and the SSL certificate for an Active Directory server is signed by an unsupported CA, or by an Intermediate CA
LDAP authentication – If SSL connections to LDAP directories are used, and the SSL certificate for an LDAP directory server is signed by an unsupported CA, or by an Intermediate CA
The certificates that must be imported are as follows:
Unsupported CA – Import the CA or root certificate
Intermediate CA – Import the CA certificate chain
If the tarantella security customca command is used to install a CA certificate, or CA certificate chain, this command also imports the CA certificates into the CA certificate truststore. It only does this on the SGD server on which the command is run.
To manually import CA certificates, use the keytool application. See the JDK Tools and Utilities documentation for details on how to use the keytool application. The /opt/tarantella/var/tsp/ca.pem file on the SGD host contains the CA certificate or certificate chain.
If you need to import a CA certificate chain, import each certificate in the chain separately.
The password for the CA certificate truststore is changeit.
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
Repeat the following procedure on each SGD server in the array.
Log in as superuser (root) on the SGD host.
Import the CA certificate.
To import a CA certificate chain, you must import each certificate in the chain separately.
Use the following command:
# /opt/tarantella/bin/jre/bin/keytool -importcert \
    -keystore /opt/tarantella/bin/jre/lib/security/cacerts \
    -storepass changeit -file CA-certificate-path \
    -alias alias
Use the -alias option to uniquely identify the certificate.
Restart the SGD server.
You must restart the SGD server for the CA certificate to become effective.
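As an added example (not code from the SGD documentation), the following POSIX shell script automates the chain-import step above: it splits a PEM bundle such as ca.pem into its individual certificates, imports each one into the CA certificate truststore under a distinct alias, and skips any alias that is already present. The keytool path, truststore path and password are the ones given in the text; the sample two-certificate bundle and the corp-ca alias prefix are constructed for illustration.

```shell
# Added example, not from the SGD documentation: import each certificate of a PEM
# chain into the SGD CA truststore under its own alias, skipping aliases already present.
# KEYTOOL, TRUSTSTORE and STOREPASS default to the paths and password given in the text.
KEYTOOL=${KEYTOOL:-/opt/tarantella/bin/jre/bin/keytool}
TRUSTSTORE=${TRUSTSTORE:-/opt/tarantella/bin/jre/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

# Split PEM bundle $1 into $2/cert-N.pem (one certificate each); prints the count.
# Text outside BEGIN/END markers (e.g. openssl "subject=" lines) is dropped.
split_pem_chain() {
  n=0; inside=0
  mkdir -p "$2"
  while IFS= read -r line || [ -n "$line" ]; do
    if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then
      n=$((n + 1)); inside=1; f="$2/cert-$n.pem"; : > "$f"
    fi
    if [ "$inside" -eq 1 ]; then printf '%s\n' "$line" >> "$f"; fi
    if [ "$line" = "-----END CERTIFICATE-----" ]; then inside=0; fi
  done < "$1"
  echo "$n"
}
# Import every certificate of chain $1 as alias "$2-N"; prints how many were imported.
import_chain() {
  tmp=$(mktemp -d); imported=0; i=1
  count=$(split_pem_chain "$1" "$tmp")
  while [ "$i" -le "$count" ]; do
    entry="$2-$i"
    # keytool -list exits non-zero when the alias is absent; import only then
    if "$KEYTOOL" -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$entry" >/dev/null 2>&1; then
      echo "alias $entry already in truststore, skipping" >&2
    else
      "$KEYTOOL" -importcert -noprompt -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        -file "$tmp/cert-$i.pem" -alias "$entry"
      imported=$((imported + 1))
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  echo "$imported"
}
# Constructed two-certificate bundle with placeholder bodies (not real certificates), written to $1.
write_sample_chain() {
  {
    echo "subject=CN=Example Intermediate CA"
    echo "-----BEGIN CERTIFICATE-----"; echo "MIIBsampleIntermediateBody=="; echo "-----END CERTIFICATE-----"
    echo "subject=CN=Example Root CA"
    echo "-----BEGIN CERTIFICATE-----"; echo "MIIBsampleRootBody=="; echo "-----END CERTIFICATE-----"
  } > "$1"
}
```

On an SGD host, run it as root with `import_chain /opt/tarantella/var/tsp/ca.pem corp-ca` and then restart the SGD server as the procedure requires. The -noprompt option suppresses keytool's interactive "Trust this certificate?" confirmation, so review the bundle before importing it.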
Each SGD server has its own client certificate store. This is the /opt/tarantella/var/info/certs/sslkeystore file.
The client certificate store contains the client certificates that an SGD server uses to identify itself when connecting to another server.
You create and install server client certificates with the keytool application. See the JDK Tools and Utilities documentation for details on how to use the keytool application.
You must provide a password when adding or removing certificates from the client certificate store. The password for the client certificate store is unique to each SGD server and can be found in the /opt/tarantella/var/info/key file. Use this password for both the -storepass and -keypass options.
Log in as superuser (root) on the SGD host.
Generate the key pair for the client certificate.
# /opt/tarantella/bin/jre/bin/keytool -genkeypair \
    -keyalg rsa \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -storepass "$(cat /opt/tarantella/var/info/key)" \
    -alias alias \
    -keypass "$(cat /opt/tarantella/var/info/key)"
Use the -alias option to uniquely identify the key pair.
Generate a Certificate Signing Request (CSR) for the client certificate.
# /opt/tarantella/bin/jre/bin/keytool -certreq \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -storepass "$(cat /opt/tarantella/var/info/key)" \
    -alias alias \
    -keypass "$(cat /opt/tarantella/var/info/key)" \
    -file CSR-path
The alias must be the same as the alias used when generating the key pair. Aliases are case-insensitive.
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
Repeat the following procedure on each SGD server in the array.
Log in as superuser (root) on the SGD host.
Install the client certificate.
# /opt/tarantella/bin/jre/bin/keytool -importcert \
    -file certificate-path -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -storepass "$(cat /opt/tarantella/var/info/key)" \
    -alias alias \
    -keypass "$(cat /opt/tarantella/var/info/key)"
The alias must be the same as the alias used when generating the CSR for the client certificate. Aliases are case-insensitive.
Restart the SGD server.
You must restart the SGD server for the client certificate to become effective.