Digital certificates are required to provide client and server authentication for REN SSL. A digital certificate is an electronic means of establishing your credentials for web or business transactions; certificates are issued by a certification authority (CA). The CA is a trusted third party that signs and issues certificates for users after verifying their identity by secure means.
This appendix describes one way of installing digital certificates and configuring REN SSL. PeopleSoft customers may have their own means of obtaining and installing digital certificates for REN SSL.
This section outlines the basic steps to install digital certificates. Before installing digital certificates, you must create the application server domain.
Note. The application server domain directory must be writable, because all certificates are stored under <PS_HOME>/appserv/<domain name>. The cacerts file under <PS_HOME>/JRE/lib/security must also be writable.
The following overview lists the steps required to install digital certificates. The following sections describe each step in detail.
To install digital certificates and configure REN SSL:
Install the CA server certificate.
Install the REN server certificate.
Configure digital certificates.
Import certificates into the Java keystore.
Configure the REN server.
Configure the REN clusters.
Install certificates for the local node.
Generate the client certificate.
Install PSMCAPI certificates.
To install the CA server certificate:
Generate the RSA private key for the certificate authority.
Generate the Certificate Signing Request (CSR) for the certificate authority.
Generate the PEM file.
Note. If a CA certificate in PEM format already exists, these three steps can be omitted.
Import the CA certificate in PEM format in PeopleTools, Security, Security Objects, Digital Certificates.
The above steps are explained in detail in the section Configuring Digital Certificates.
See Configuring Digital Certificates, Implementing Client Authentication.
To install the REN server certificate:
Generate the REN server Certificate Signing Request (CSR) using PeopleTools, Security, Security Objects, Digital Certificates.
Have the CSR signed by the CA.
Note. The signed certificate must be in PEM format.
Import the certificate in PeopleTools, Security, Security Objects, Digital Certificates.
The above steps are explained in detail in the following section, Configuring Digital Certificates.
See Configuring Digital Certificates.
Before configuring digital certificates, you must generate the private keys, CSR, and PEM file.
To configure digital certificates:
Select PeopleTools, Security, Security Objects, Digital Certificates.
Click +.
Select ROOTCA from the Type drop-down list.
Enter an alias name for the CA in Alias, and click Add Root.
The Add Root Certificate dialog box appears.
Open the ca.pem file in a text editor, copy its entire contents, paste them into the Add Root Certificate dialog box, and click OK.
The root CA certificate is now stored in PeopleTools.
Click +.
Select Cert from the Type drop-down list.
Enter an alias name in Alias, such as PSFTCA, and click Add Root.
Select the CA certificate alias entered in step 4 using the Issuer Alias lookup button.
Click Request.
The Request New certificate dialog box appears.
Enter Common Name, Org Unit, Organization, Locality, State/Province, Country, Algorithm, Key Size, Email Address, and Challenge Pswd.
Note. The Common Name must be the fully qualified name of the REN server's machine, for example PTA112.peoplesoft.com, where PTA112 is the machine name and peoplesoft.com is the domain name. Browsers compare this name with the host in the REN server URL and reject the certificate on a mismatch.
Click OK.
The Certificates Signing Request dialog box appears.
Copy the text from the Certificates Signing Request dialog box and save it in a file named ren.csr in <PS_HOME>\appserv\<domain name>\.
Click OK.
The Import link appears.
Submit ren.csr to the CA that issued the selected root certificate.
The CA may send you the signed public key certificate by email or require you to download it from a specified web page.
Open the saved certificate file in a text editor, and then highlight and copy its entire contents.
Select PeopleTools, Security, Security Objects, Digital Certificates.
Click Import.
The Import Certificate page appears.
Paste the copied certificate content into the long edit box, and click OK.
See Implementing Node Authentication.
To import certificates into the Java keystore:
Open a command prompt.
Issue the following command:
<PS_HOME>\jre\bin\keytool -import -trustcacerts -alias <alias name> -file <CA certificate PEM file> -keystore <PS_HOME>\jre\lib\security\cacerts -storepass changeit
Example:
<PS_HOME>\jre\bin\keytool -import -trustcacerts -alias PSFTCA -file ca.pem -keystore <PS_HOME>\jre\lib\security\cacerts -storepass changeit
Note. changeit is the default password of the JRE cacerts keystore; if it has been changed, supply the actual password. If the CA certificate is not imported correctly, SSL connections to the REN server fail with the error sslv3 alert certificate unknown.
See Understanding Client Authentication.
To configure REN server for SSL:
Select PeopleTools, REN Server Configuration, REN Server Definition.
The REN Server Definition page appears.
Select the SSL Only check box.
Select the alias of the REN server certificate, RENSERVER in this example, from the Certificate Alias drop-down list.
Click Save.
To configure REN clusters:
Select PeopleTools, REN Server Configuration, REN Server Cluster.
The REN Server Cluster page appears.
Update REN Server Cluster URL using https and the SSL port.
Update REN Server Browser URL using https and the SSL port.
Click Save.
See Clustering REN Servers and SSL-Enabled REN Servers.
Apart from the CA and REN server certificates, client authentication requires a local node certificate, a client certificate for the browser, and a PSMCAPI certificate.
To install certificates for local node:
Select PeopleTools, Security, Security Objects, Digital Certificates.
Click +.
Select Local Node from the Type drop-down list.
Enter the local node name in Alias, and click Add Root.
Select the alias of the CA certificate using the Issuer Alias lookup button.
Click Request.
Enter Common Name, Org Unit, Organization, Locality, State/Province, Country, Algorithm, Key Size, Email Address, and Challenge Pswd.
Note. The Common Name must be the fully qualified name of the REN server's machine, for example PTA112.peoplesoft.com, where PTA112 is the machine name and peoplesoft.com is the domain name.
Click OK.
The Certificates Signing Request dialog box appears.
Copy the text from the Certificates Signing Request dialog box and save it in a file named qelocal.csr in <PS_HOME>\appserv\<domain name>\.
Note. The file name, qelocal.csr is used as an example only.
Click OK.
The Import link appears.
To obtain your local node certificate, submit the qelocal.csr to the CA that issued the selected root certificate.
The process of obtaining digital certificates varies, depending on the CA. Typically, a CA requires you to paste the content of the PEM-formatted CSR into a form that you submit online. The CA may send you the signed public key certificate by email or require you to download it from a specified web page.
Open the saved certificate file in a text editor, and then highlight and copy its entire contents.
Select PeopleTools, Security, Security Objects, Digital Certificates.
Click the Import link.
The Import Certificate page appears.
Paste the copied certificate content into the long edit box, and click OK.
See Implementing Node Authentication.
A client certificate can be generated with openssl or keytool, exported in PKCS#12 (.p12) format, and imported into the browser. The import procedure depends on the browser.
The following steps are an example of generating a client certificate with openssl. Clients can also use keytool or a Microsoft CA to generate the client certificate.
To generate a client certificate using openssl:
Generate the RSA private key.
openssl genrsa -des3 -passout pass:<passphrase> -out <Private key file> <key size in bits>
Example:
openssl genrsa -des3 -passout pass:pass -out renclient.key 1024
Note. The passphrase pass and the 1024-bit key size are placeholders from the example; 1024-bit RSA keys are no longer considered adequate, so use a strong passphrase and a key of at least 2048 bits.
Generate the Certificate Signing Request file.
openssl req -config <PS_HOME>\src\openssl\openssl-0.9.7b\apps\openssl.cnf -new -key <Private key file> -passin pass:<passphrase> -out <CSR file>
Example:
openssl req -config ..\apps\openssl.cnf -new -key renclient.key -passin pass:pass -out renclient.csr
Note. -passin supplies the passphrase of the encrypted key being read; -passout applies only to commands that write a new key.
Generate the PEM format certificate.
openssl x509 -req -days 365 -in <CSR file> -CA <CA PEM file> -CAkey <CA key file> -passin pass:<CA key passphrase> -CAcreateserial -out <Client PEM file> -outform PEM
Note. <CA key file> and <CA PEM file> are the Certificate Authority private key and the Certificate Authority certificate in PEM format respectively. -CAcreateserial creates the serial number file next to the CA certificate on first use.
Example:
openssl x509 -req -days 365 -in renclient.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out renclient.pem -outform PEM -passin pass:pass
Generate the .p12 certificate for the browser.
openssl pkcs12 -export -in <Client PEM file> -out <.p12 file> -inkey <Private key file> -passin pass:<passphrase> -name <alias name>
Note. openssl prompts for an export password, which the browser asks for when the .p12 file is imported.
Example:
openssl pkcs12 -export -in renclient.pem -out renclient.p12 -inkey renclient.key -passin pass:pass -name renclient
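The openssl steps of this section together with the CA steps of Install the CA server certificate and the keytool import of Import certificates in Java keystore, put together as one runnable script. This is an added example for this appendix, not a PeopleSoft script: it is written for a POSIX shell rather than the Windows command prompt used above, relies on OpenSSL's default configuration instead of the openssl.cnf under <PS_HOME>, and uses unencrypted keys so that it runs without prompts. The host name ren.example.com, the subject names, the 2048-bit key size, the output directory and the PKCS#12 password changeme are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not a PeopleSoft script. Builds a throw-away CA, issues a REN
# server certificate and a browser client certificate (PKCS#12), and checks the
# results the way a practitioner should before importing them into PeopleTools
# or the Java keystore. All names below are placeholders for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"                  # assumed output directory
REN_HOST="${REN_HOST:-ren.example.com}"        # assumed; must be the host in the REN URL

# CA steps 1-3: CA private key, then a self-signed CA certificate in PEM format
# (req -x509 combines the CSR and self-signing steps into one command).
make_ca() {                                    # $1 = base name, $2 = CA subject
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/$1.key" -days 3650 -subj "$2" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# Key, CSR and CA-signed certificate for one subject, using the same
# x509 -req ... -CAcreateserial invocation as the client-certificate section.
issue_cert() {                                 # $1 = base name, $2 = subject, $3 = days
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days "$3" -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.pem" -outform PEM 2>/dev/null
}

# Does the certificate chain to the given CA file? This is the check the JRE
# performs at run time; failing it is what produces "sslv3 alert certificate unknown".
verify_cert() {                                # $1 = certificate base name, $2 = CA PEM file
    openssl verify -CAfile "$WORK/$2" "$WORK/$1.pem" 2>/dev/null | grep -q ': OK$'
}

# Subject CN of a certificate; the REN server's CN must be the machine name.
cert_cn() {                                    # $1 = certificate base name
    openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

cn_matches_host() { [ "$(cert_cn "$1")" = "$REN_HOST" ]; }

# "Generate .p12 certificate for browser": bundle client key and certificate.
make_p12() {                                   # $1 = base name, $2 = friendly name, $3 = password
    openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" -name "$2" \
        -passout "pass:$3" -out "$WORK/$1.p12" 2>/dev/null
}

# Does the PKCS#12 file open with this password? (MAC check only, nothing is written.)
p12_opens() {                                  # $1 = base name, $2 = password
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -noout 2>/dev/null
}

# "Import certificates in Java keystore", scripted: -noprompt answers the trust
# question; -trustcacerts and the default password changeit are as on the page.
import_ca_into_jre() {                         # $1 = JRE directory, $2 = alias, $3 = CA PEM file
    "$1/bin/keytool" -importcert -noprompt -trustcacerts -alias "$2" -file "$WORK/$3" \
        -keystore "$1/lib/security/cacerts" -storepass changeit
}

build_all() {
    make_ca ca "/C=US/O=Example/CN=Example REN CA"
    issue_cert renserver "/C=US/O=Example/CN=$REN_HOST" 365
    issue_cert renclient "/C=US/O=Example/CN=renclient" 365
    make_p12 renclient renclient changeme
    # An unrelated CA stands in for "the CA certificate was not imported":
    # nothing issued by the real CA may verify against it.
    make_ca other-ca "/C=US/O=Example/CN=Unrelated CA"
}

build_all
echo "artifacts written to $WORK"
```

Run it as is to populate a temporary directory, or set WORK and REN_HOST first; then call verify_cert renserver ca.pem and cn_matches_host renserver before pasting renserver.pem into PeopleTools, and import_ca_into_jre "$PS_HOME/jre" PSFTCA ca.pem on each machine that runs PSMCAPI. The other-ca.pem file exists only to show that a certificate verifies against its own issuer and nothing else, which is the situation behind the certificate unknown alert.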
To install PSMCAPI certificates:
Generate a private key in the keystore using the following command:
<PS_HOME>\jre\bin\keytool -genkey -dname "CN=Company Name, OU=Organization Unit, O=Organization, L=Locality, ST=State/Province, C=Country" -alias <alias name> -keyalg RSA -validity 365 -keystore <PS_HOME>\jre\lib\security\cacerts -storepass changeit -keypass <key password>
Generate the CSR using the following command:
<PS_HOME>\jre\bin\keytool -certreq -alias <alias name> -file <CSR file name> -keystore <PS_HOME>\jre\lib\security\cacerts -storepass changeit -keypass <key password>
To obtain your certificate, submit the CSR to the CA that issued the selected root certificate.
Import the signed certificate into the Java keystore using the following command:
<PS_HOME>\jre\bin\keytool -import -alias <alias name> -file <signed certificate .pem> -keystore <PS_HOME>\jre\lib\security\cacerts -storepass changeit -keypass <key password>
Note. Use the same alias as the key pair so that keytool treats the file as the CA reply for that key. The CA certificate must already be trusted in the keystore (see Import certificates in Java keystore), otherwise keytool cannot build the trust chain and rejects the import. changeit is the JRE default password for cacerts; substitute the actual password if it has been changed.
Note. For SSL communication with the REN server, clients must import the CA certificate into the Java keystore of the JRE used by PSMCAPI, using the keytool command.
See Implementing Client Authentication.