Cisco Enterprise Policy Manager Installation and Configuration Guide, Release 3.3.2.0
SSL Configurations

Table Of Contents

SSL Configuration

Configuring SSL in Tomcat

Configuring SSL in WebLogic

Configuring SSL in WebSphere

Configuring SSL in CEPM

Configuring SSL in LDAP (Sun One Server)


SSL Configuration


Configuring SSL in Tomcat

To enable SSL, you must generate the keys first and then configure the server to use them. (This chapter uses Tomcat as the example.)

To enable two-way SSL, follow these steps:

I. Generating keys for server and client:


Step 1 Generate keys for server. To do this:

a. Use the following from the command prompt:

keytool -genkey -alias tomcat -keyalg RSA -keystore server.keystore

b. Enter keystore password: changeit

c. Follow the prompts and enter the requested details. When prompted for the key password, enter: changeit

This creates the server keys.

Step 2 Export the certificate. To do this:

a. Use the following from the command prompt:

keytool -selfcert -export -alias tomcat -storepass changeit -file server.cer -keystore server.keystore

This exports the server certificate to the server.cer file.

Step 3 Generate the keys for the client. To do this:

a. Use the following from the command prompt:

keytool -genkey -alias client -keyalg RSA -keystore client.keystore

b. Enter keystore password: changeit

c. Follow the prompts and enter the requested details. When prompted for the key password, enter: changeit

This creates the client keys.

Step 4 Export the client certificate. To do this:

a. Use the following from the command prompt:

keytool -selfcert -export -alias client -storepass changeit -file client.cer -keystore client.keystore

This creates a file called client.cer with the client side certificate.

Step 5 Import the server certificate into the client trust store. To do this:

a. Use the following from the command prompt:

keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore client.keystore -keypass changeit -storepass changeit

b. Import the client certificate into the JRE trust store. To do this, use the following from the command prompt:

keytool -keystore <JAVA_HOME>\jre\lib\security\cacerts -storepass changeit -file client.cer -import -alias client -trustcacerts
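The five key-generation steps above, scripted so they run non-interactively and can be repeated per environment. This is an added example and not part of the Cisco guide: it assumes a JDK keytool on PATH, uses -genkeypair/-exportcert/-importcert (the current names of -genkey/-export/-import; -selfcert is unnecessary because -genkeypair already self-signs), adds a check that each store holds the expected alias, and leaves the shared JRE cacerts import (Step 5 b) to be done by hand. The distinguished names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): Steps 1-5 of section I, non-interactive.
# Assumes keytool from a JDK is on PATH. Arguments: output directory, store password.
set -eu

generate_two_way_ssl_keystores() {
    dir=$1
    pass=$2
    mkdir -p "$dir"
    # Step 1: server key pair in server.keystore (genkeypair already self-signs the cert)
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=pdp.example.test, OU=CEPM, O=Example, C=US" \
        -keystore "$dir/server.keystore" -storetype JKS \
        -storepass "$pass" -keypass "$pass"
    # Step 2: export the server certificate to server.cer
    keytool -exportcert -alias tomcat -file "$dir/server.cer" \
        -keystore "$dir/server.keystore" -storepass "$pass"
    # Step 3: client key pair in client.keystore
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=pep.example.test, OU=CEPM, O=Example, C=US" \
        -keystore "$dir/client.keystore" -storetype JKS \
        -storepass "$pass" -keypass "$pass"
    # Step 4: export the client certificate to client.cer
    keytool -exportcert -alias client -file "$dir/client.cer" \
        -keystore "$dir/client.keystore" -storepass "$pass"
    # Step 5 a: trust the server certificate on the client side
    # (-noprompt answers the "Trust this certificate?" question; the self-signed
    # cert becomes a trust anchor, so protect the store like a CA bundle)
    keytool -importcert -noprompt -trustcacerts -alias tomcat -file "$dir/server.cer" \
        -keystore "$dir/client.keystore" -storepass "$pass"
    # Step 5 b (import of client.cer into <JAVA_HOME>/jre/lib/security/cacerts)
    # modifies a JRE-wide file and is deliberately left to the operator.
}

# Returns 0 when the store holds the given alias; keytool exits non-zero otherwise.
# This is the check the manual steps lack before server.xml is edited.
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Usage: sh make-keystores.sh <output-dir> [store-password]   (script name is hypothetical)
if [ $# -ge 1 ]; then
    generate_two_way_ssl_keystores "$1" "${2:-changeit}"
fi
```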

II. Tomcat configuration

Step 6 Edit server.xml and enable two-way SSL as follows:

<Connector
    port="8443" minProcessors="5" maxProcessors="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    keystoreFile="server.keystore"
    keystoreType="JKS"
    keystorePass="changeit"
    truststoreFile="client.keystore"
    truststoreType="JKS"
    truststorePass="changeit" />

Note You must set clientAuth="true", which enables two-way SSL; otherwise only one-way SSL is enabled.



Note If you want to use your own keystore with a different password, update the keystoreFile= parameter with the keystore path and keystorePass= with its password.


Without the keystoreFile and keystorePass parameters, Tomcat looks for a file called .keystore with the password changeit in the user's home directory; in Windows, that is C:\Documents and Settings\<login-name>.

Step 7 When this configuration is complete, start your Tomcat instance and you should be able to access it via SSL.

Step 8 To make the PEP communicate with the PDP with two-way SSL, use the following Java Virtual Machine (JVM) parameters:

-Djavax.net.ssl.trustStore=client.keystore

-Djavax.net.ssl.trustStoreType=JKS

-Djavax.net.ssl.trustStorePassword=changeit

-Djavax.net.ssl.keyStore=server.keystore

-Djavax.net.ssl.keyStoreType=JKS

-Djavax.net.ssl.keyStorePassword=changeit


Configuring SSL in WebLogic

This section describes how to configure SSL in WebLogic Application Server (V10.03) when the PAP and PDP communicate with each other over SOAP. Follow these steps to configure SSL in WebLogic:


Step 1 Generate the keystore and certificate through the keytool UI. Refer to the following URL for the procedure: http://m-button.blogspot.com/2008/11/how-to-configure-weblogic-to-use-ssl.htm

Step 2 Download the ktl241sta.jar file from the following URL:

http://yellowcat1.free.fr/index_ktl.html

Step 3 Unjar the jar file into a local directory.

Step 4 Edit the run_ktl.bat or run_ktl.sh file to set JAVA_HOME (the JAVA_HOME used by WebLogic).

Step 5 Configure SSL in WebLogic by following the instructions in the readme.txt file in the unjarred folder.

Step 6 Once the SSL configuration is done, take the following actions:

Import the certificate into the JRE trust store WEBLOGIC_HOME\JAVA_HOME\jre\lib\security\cacerts. To do this, run the following command:

WEBLOGIC_HOME\JAVA_HOME\bin\keytool -import -alias weblogic -trustcacerts -file C:\SSL\weblogic.cer -keystore WEBLOGIC_HOME\JAVA_HOME\jre\lib\security\cacerts

Import the certificate into a separate keystore (any name you like, for example C:\WL-SSL\wl.keystore; the command below uses C:\SSL\wl.keystore). To do this, run the following command:

WEBLOGIC_HOME\JAVA_HOME\bin\keytool -import -alias client -trustcacerts -file C:\SSL\weblogic.cer -keystore C:\SSL\wl.keystore

Step 7 Open config.xml in the WEBLOGIC_HOME\user_projects\domains\<your domain>\config folder and add the <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials> tag inside the <security-configuration> tag, as shown below:

<security-configuration>
    <name>cepm</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
      <sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{3DES}eowmt9vlrOE91iCnIOEzB5zWfmY0WHZJmgbsTaQw0kCXsgM7cFowMth005qMvQ4SCV88SXf9XzAEkpptTh5uD/tA+MLmArbQ</credential-encrypted>
    <node-manager-username>admin</node-manager-username>
    <node-manager-password-encrypted>{3DES}nipW/DYAEGFQAnDanvkVyQ==</node-manager-password-encrypted>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
</security-configuration>

Step 8 Restart the WebLogic Server.

Step 9 To use this keystore in the PAP UI and establish PAP-PDP communication over WebLogic SSL, do the following:

Create a PDP with the HTTPS protocol and specify the truststore location as C:\SSL\wl.keystore and the truststore password (the same password you used when importing the certificate into the keystore, for example changeit).

Check the PDP status. If you pass the right truststore location and password, the status shows 'Alive'; otherwise it shows 'Not Alive'.

When you check the status or send a request to the PDP for the first time, all the SSL details (truststore and password) are cached in the session for that particular protocol, host IP address and port number, for example https://localhost:7002/cepm. If you then edit the PDP and give a wrong truststore location or password, the change is not reflected until you restart the server, because the SSL details are picked up from the session.

For example, create a PDP with host localhost and provide the correct credentials, that is, the truststore location and password, say https://localhost:7002/pdp/services/AuthorizationService.

Create another PDP for the same machine, addressed by IP address instead of host name, and provide the wrong credentials, say https://64.103.172.216:7002/pdp/services/AuthorizationService.

When you check the status of the first PDP, it shows Alive, since you passed the right credentials. When you check the status of the second PDP, it also shows Alive even though you passed the wrong credentials, because both URLs represent the same machine: checking the first PDP cached its SSL details in the session, and the check of the second PDP picks those details up from that session.


Note This behaviour is the same for LDAP, Tomcat, WebSphere and WebLogic SSL. Whenever you change the truststore location or password, you must restart the server for the change to take effect.


Configuring SSL in WebSphere

Follow these steps to configure SSL in WebSphere:


Step 1 Create a self-signed certificate using the iKeyman tool.


Note Refer to the following URL for the procedure: http://www.adobe.com/devnet/livecycle/articles/config_ssl_websphere.html


Step 2 Configure WAS to use the certificate created in Step 1 for SSL communication, as follows:

Log in to the WebSphere administration console.

Navigate to Security -> SSL certificate and key management -> Key stores and certificates -> New. Enter the following keystore details:

Path - Absolute path of the key store.

Password - Key store password, if any.

Type - JKS (since JKS was selected in the iKeyman tool).

Go to Security > SSL certificate and key management > SSL configurations.

Click NodeDefaultSSLSettings to edit it.

Select the trust store name created in the above step from the drop-down list.

Click Get certificate aliases.

Restart WAS.


Note For the IBM JDK, set the following properties in the WAS_HOME\WebSphere\AppServer\java\jre\lib\security\java.security file.

# Default JSSE socket factories
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
# WebSphere socket factories (in cryptosf.jar)
#ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
#ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory

The following properties are commented out by default; uncomment them:

ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl

Similarly, you must comment out the following properties, which are not commented out by default:

#ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
#ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory

Step 3 Deploy CEPM and verify that the UI works over the SSL connection.

Configuring SSL in CEPM

The following scenarios are considered from the SSL point of view:

Configuring SSL for PEP - PDP communication:

If both of these components are running in one server, only one-way SSL is possible. So you must configure SSL in the PEP server.

If these components are running in two different servers, you can configure one-way SSL on the PEP side by specifying the keystore details (for example, password and location). On the PDP side, you must enable two-way SSL by providing the keystore details as well as the trust store details.

Configuring SSL for PAP - PDP communication:

If both of these components are running in one server, only one-way SSL is possible. So you must configure SSL in the PAP server.

If these components are running in two different servers, you can configure one-way SSL on the PAP side by specifying the keystore details (for example, password and location). On the PDP side, you must enable two-way SSL by providing the keystore details as well as the trust store details.


Note If you are using Firefox 3.x and have enabled SSL on your application server, you may get a warning page. Bypass the warning as follows:

a. On the warning page, click Or you can add an exception....

b. Click Add Exception.... The Add Security Exception dialog appears.

c. Click Get Certificate.

d. Read the text describing the problems with this site.

e. Click Confirm Security Exception if you want to trust the site.


Configuring SSL in LDAP (Sun One Server)

To enable SSL, you must generate the keys first and then configure the server to use them (currently this feature supports only Sun One Server). The following steps enable two-way SSL:

I. Generate the SSL certificate:


Step 1 Log in to the Sun One server console. Double-click 'Directory Server' and click 'Manage Certificates'.

Step 2 The first time you open Manage Certificates, you are asked for a password. This password is the token password that is used when you restart the Directory Server after enabling SSL.

Step 3 On the 'Server Certs' tab, click the 'Request' button; the 'Certificate Request Wizard' dialog box opens. Select 'Request Certificate Manually'.

Step 4 On the Request Information page, specify the details (all fields are optional).

Step 5 After entering the details, click Next.

Step 6 Enter the token password (the password you specified when you first clicked Manage Certificates) and click Next.

Step 7 On the Request Submission page, save the request to a file. (You use this request to obtain the SSL certificate.)

II. Sun One Config:

Step 8 After obtaining the SSL certificate, log in to the Sun One server console.

Step 9 Open the Directory Server.

Step 10 Click Manage Certificates > Server Certs and install the SSL certificate.

Step 11 Similarly, go to CA Certs on the same screen and install the same SSL certificate there.

Step 12 In the Directory Server, go to the Configuration tab > Encryption tab. Check 'Enable SSL for this server' and check 'Use this cipher family: RSA'.

Step 13 Select the 'Allow Client Authentication' radio button.

Step 14 Under DSML Authentication, select 'Only use Client certificate'.

Step 15 Go to the 'Network' tab and select the 'Both secure and non-secure ports' radio button.

Step 16 Click `Save' to save the configuration.

Step 17 Restart the Directory Server. When you restart, it asks for the token password. Once the Directory Server has started, you see port number 636 listed if SSL was enabled successfully.