To conduct commercial business on the Internet, we recommend that you purchase a secure server certificate from an external certificate authority (CA) such as VeriSign. For a list of supported CAs, see Certificate authorities.
If you act as your own CA, you can sign your own or anyone else's certificate requests. This is a good choice if you only need the certificates within your private Web network and not for outside Internet commerce. Clients must have browsers, such as Netscape Navigator or Microsoft Internet Explorer, that can receive your CA certificate and designate you as a trusted CA.
To act as your own CA, you can use your server key management utilities (IKEYMAN and HTTP Server CA), or you can purchase certificate authority software from a CA provider.
Note: | If you expect to administer over 250 certificates, you may want to consider purchasing software from a CA provider. This limit is based on the number of certificate requests that can be stored in the CA key database. After storing 250 certificate requests, performance of the utility is very slow. |
Before using HTTP Server CA, you must install the WebSphere Application Server as your servlet engine.
For installation instructions, see WebSphere Application Server Getting Started V2. You can access this book and other Application Server documentation from the WebSphere Application Server Web site.
For client certificates to be downloaded correctly, the following AddType directives and MIME types must be included in the server configuration file:
AddType .cer application/x-x509-user-cert 7bit 0.5 # User certificate
AddType .der application/x-x509-ca-cert binary 1.0 # Browser CA certificate
These MIME types are included in the default server configuration file.
Before using the CA utility, create your server and CA key databases, server certificate, and self-signed CA certificate using IKEYMAN. For directions, see Creating a self-signed certificate.
Note: | As the Administrator, you can choose to have CA certificate requests processed automatically after they are submitted. Automatic processing eliminates the need for you to manually process each certificate request. If you want automatic processing, create a stash file for the CA key database password when you set up your CA key database using IKEYMAN. |
After you create your CA key database and self-signed CA certificate, copy the cakey.kdb file into the CA utility directory.
You can optionally choose to store your encrypted CA key database password in a stash file. If the stash file is in the same directory as the CA key database file (cakey.kdb), every certificate request sent to the CA utility is signed automatically, without the Administrator reviewing who submitted it; use automatic approval only where everyone who can reach the request form is already trusted to hold a certificate in your private Web network. If you create a stash file (cakey.sth), copy it into the same directory as the cakey.kdb file.
Your cakey.kdb file on the server must be exported into the CA utility in a format that can be used by clients and servers. For detailed instructions, see Exporting the CA key database.
To access the HTTP Server CA utility, go to URL:
http://your.server.name/CAServlet/Welcome.html
Your job as CA is to verify that a certificate should be issued for a client or server. You need to make sure that the person making the request has a legitimate claim to request the certificate. After you have verified a person's claim, you can create signed certificates using HTTP Server CA.
The input to this process is a client or server certificate request. The output will be a certificate signed with your private key.
After you have processed the client or server certificate:
After completing these steps, the client or server can use their CA-signed certificate to communicate securely with other HTTP Servers and Web browsers in your private Web network.
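The signing step described above, as an added example written for this page rather than code from the HTTP Server CA utility or IKEYMAN: a small private CA in Go's standard library that creates a self-signed CA certificate, accepts a PEM-encoded certificate request (the *.arm file a browser or server submits), applies the administrator's approval decision, signs the request with the CA's private key, and then checks that the issued certificate chains to the CA, which is what a browser or server does once the CA certificate has been installed as trusted. The names PrivateCA, NewRequest, Sign, Trusts and the approve callback are assumptions for illustration; passing an always-true approve function models the stash-file automatic approval, and a callback that checks the common name models manual review.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PrivateCA holds the CA signing key and self-signed CA certificate
// (the equivalent of what cakey.kdb holds on the page). Hypothetical type.
type PrivateCA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
	next int64 // next serial number to issue
}

// NewPrivateCA generates a key and a self-signed CA certificate valid for 10 years.
func NewPrivateCA(name string) (*PrivateCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &PrivateCA{Key: key, Cert: cert, next: 2}, nil
}

// NewRequest builds a PEM certificate request for cn, as a browser or
// server would before submitting it to the CA. The key stays with the requester.
func NewRequest(cn string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// Sign checks the request's own signature, asks approve whether the requester
// has a legitimate claim to the name, and issues a one-year certificate
// signed with the CA private key. Returns the certificate in DER form.
func (ca *PrivateCA) Sign(reqPEM []byte, approve func(cn string) bool) ([]byte, error) {
	block, _ := pem.Decode(reqPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester really holds the key
		return nil, fmt.Errorf("request signature invalid: %w", err)
	}
	if !approve(csr.Subject.CommonName) { // the administrator's decision
		return nil, fmt.Errorf("request for %q not approved", csr.Subject.CommonName)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.next),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	ca.next++
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// Trusts reports whether certDER chains to caCert, the check a browser or
// server performs after the CA certificate has been designated as trusted.
func Trusts(caCert *x509.Certificate, certDER []byte) bool {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	ca, _ := NewPrivateCA("Example Private Web Network CA")
	reqPEM, _, _ := NewRequest("www.example.com")
	manual := func(cn string) bool { return cn == "www.example.com" }
	der, err := ca.Sign(reqPEM, manual)
	fmt.Println("signed:", err == nil, "trusted by CA:", Trusts(ca.Cert, der))
}
```

The approve callback is the point of the example: a CA that signs whatever it receives (the stash-file case) has no step at which a bogus claim to a name can be refused, so the check must happen somewhere before Sign returns.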
Use these steps to export the CA key database (cakey.kdb) on the server in a format that can be used by browsers and servers. You do not need to repeat these steps after the initial setup of your certificate authority.
Note: | You must create the cakey.kdb file using IKEYMAN before you can use the CA utility. For directions, see Creating a self-signed certificate. |
To export your CA key database file for browsers and servers:
http://your.server.name/CAServlet/Welcome.html
Notes:
To process certificate requests from browsers and servers:
http://your.server.name/CAServlet/Welcome.html
If there are waiting requests:
You can take action on one or multiple requests.
For more detailed instructions, click Help.
Before you can accept a browser certificate signed by HTTP Server CA, you must first download the CA certificate that identifies HTTP Server CA as a trusted certificate authority to your browser.
To download a CA certificate:
http://your.server.name/CAServlet/Welcome.html
After downloading the CA certificate, designate the certificate as trusted by your browser and mark the certificate as the default in your operational key database. Once the CA certificate is designated as a trusted CA by your browser, you do not need to perform this procedure again.
Use the following steps to request a browser certificate from the CA of your private network:
http://your.server.name/CAServlet/Welcome.html
Depending on your Administrator's setup, your request will either be approved automatically or after the Administrator has reviewed it. If automatic approval occurs, you will not get any messages confirming that the request has been approved. You can go directly to Receiving an approved browser certificate and complete that procedure.
If your Administrator has set up manual approval, you will receive a message confirming that the certificate request has been accepted. Check with your Administrator to determine when the approval will be processed. Approved certificates are sent to the HTTP Server CA database directory.
Before you can receive an approved browser certificate, you must download the CA's certificate (cakey.der). For instructions, see Downloading a CA certificate to a Web browser.
Use the following steps to receive an approved CA-signed browser certificate:
http://your.server.name/CAServlet/Welcome.html
Note: | If you get a message that no record is found, you may have entered your common name incorrectly. If you have forgotten the Common Name you entered, check with your Administrator. |
Note: | If you get a message that no record is found, you may have entered your password incorrectly. If you have forgotten your password, check with your Administrator. |
If not found, check with the CA Administrator to find out when the certificate will be processed.
Before you can process any signed HTTP Server CA certificates on another Web server, you must first store your HTTP Server CA certificate in your target Web server's operational key database.
To download a CA certificate for another server:
http://your.server.name/CAServlet/Welcome.html
Use the following steps to request a server certificate from the CA of your private network:
http://your.server.name/CAServlet/Welcome.html
Use this form to send a server certificate request to the CA of your private network so that this HTTP Server will be trusted by the browsers and other HTTP Servers in the network. If there are other Web servers in your network, you can perform this task on behalf of the remote Web servers.
When the *.arm file is displayed on your screen, copy its contents to the clipboard. Then go to your Web browser and paste them into the section of the form that says: Please copy your certificate requests into the following area. You must paste the operational certificate request file (*.arm) into this space; this is the file that is sent to the HTTP Server CA to be signed.
If your CA administrator has set up manual approval, you should receive a message on your browser confirming that the certificate request has been accepted.
Before you can receive an approved server certificate, you must download the CA's certificate (cakey.txt). For instructions, see Downloading a CA certificate for another server.
Use the following steps to receive an approved CA-signed server certificate:
http://your.server.name/CAServlet/Welcome.html
Note: | If you get a message that no record is found, you may have entered your server name incorrectly. If you have forgotten the Server Name you entered, check with your Administrator. |
Note: | If you get a message that no record is found, you may have entered your password incorrectly. If you have forgotten your password, check with your Administrator. |
If not found, check with the CA Administrator to find out when the certificate will be processed.
Notes:
When designated as a financial or banking Web server, the North American edition of the HTTP Server can exploit the strong encryption capabilities in the domestic and international versions of Netscape Navigator 4.x and Microsoft Internet Explorer 4.x. To use this function, you must purchase a special digital certificate from VeriSign called a Global Server ID.
For regular Web transactions, the Netscape and Microsoft export browsers can use 40-bit encryption only for Secure Sockets Layer (SSL) transactions. However, when the server uses a VeriSign Global Server ID for its SSL certificate, the export browsers can use stronger levels of encryption of 128-bits or greater. This enables a server with a Global Server ID to communicate at the highest SSL encryption level with both domestic and international versions of the Netscape and Microsoft browsers.
International financial and banking customers of the HTTP Server who want to use this function must contact IBM for an export license to obtain and use the North American edition of the HTTP Server.
For an export browser to establish an SSL connection using 128-bit encryption:
Table 2. Global server ID browser requirements
Browser | Domestic | Export |
---|---|---|
Netscape Navigator | All versions work when the requirements listed in Certificate and URL requirements are met. | Version 4.04 is the only version that supports 128-bit encryption. |
Internet Explorer | All versions work when the requirements listed in Certificate and URL requirements are met. | Version 4.0, upgrade 4.72.3110.8, is the only version that supports 128-bit encryption. To verify the upgrade number, click Help, then About Internet Explorer. |
For the most current information on encryption support and browser requirements, see the HTTP Server Web site.