How to Introduce Your Own X.509 Certificates into the Install Image
CA Client Automation uses X.509 certificates for authentication between its client processes and any service that requires authentication. For example, X.509 is used when the software delivery component connects to its parent Scalability Server.
A CA Client Automation installation comes with a set of default standard certificates signed by a CA root certificate. The public root certificate is installed on every node within the enterprise. We strongly recommend that each enterprise create and deploy its own root certificate, Basic Host Identity (BHI) certificates, and application-specific certificates.
For details on creating end user-specific certificates, see CA Client Automation Security Features.
To create new certificates using the cacertutil tool, you must install at least one component (Explorer, Asset Management agent, and so on). The cacertutil tool is in the bin folder under the DSM installation directory.
After you have created your own certificates, replace the default standard certificates inside the install image with your new certificates before starting any installation or deployment of DSM components.
After replacing the certificates within the install image, installation or deployment can start as usual.
Default Certificates for Windows
The default certificates for Windows are in the following folders. Each of these folders has a sub-folder structure, Program Files\CA\DSM\bin, that contains the relevant certificates.
- AgentBHW
- AgentAM
- AgentRC
- AgentSD
- AllAgents
- Server
- Manager
- Explorer
Default Certificates for Linux and UNIX
The default certificates for Linux and UNIX are in sub-directories called certificates under the following package directories:
- agent
- am_agent
- basichwinv
- rc_agent (Linux only)
- sd_agent
- server (Linux only)
Customize X.509 Certificates Using cfcert.ini
The cfcert.ini file controls the certificates installed by CA Client Automation. The cfcert.ini file contains several sections that correspond to each application group in the installation. The default cfcert.ini file is as follows:
[CAF]
files=itrm_dsm_r11_root.der,basic_id.p12
[Configuration]
files=ccsm.p12
[Manager]
files=itrm_dsm_r11_cmdir_eng.p12
[Registration]
files=registration.p12
[USD.Agent]
files=itrm_dsm_r11_sd_catalog.p12
[USD.Manager]
files=itrm_dsm_r11_agent_mover.p12,itrm_dsm_r11_sd_catalog.p12
[Files]
itrm_dsm_r11_root.der=cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3
basic_id.p12=cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon
ccsm.p12=cacertutil import -i:ccsm.p12 -t:csm -ip:enc:IWhun2x3ys7y1FM8Byk2LMs56Rr8KmXQ
itrm_dsm_r11_cmdir_eng.p12=cacertutil import -i:itrm_dsm_r11_cmdir_eng.p12 -ip:enc:gYuzGzNcIYzWjHA6w542pW68E8FobJhv -t:dsm_cmdir_eng
itrm_dsm_r11_sd_catalog.p12=cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat
itrm_dsm_r11_agent_mover.p12=cacertutil import -i:itrm_dsm_r11_agent_mover.p12 -ip:enc:sytOQtZteLopAt1CX0jIJUJcpqBWrb7G7VegY7F7udogc1c5kLIylw -t:dsmagtmv
registration.p12=cacertutil import -i:registration.p12 -ip:enc:z5jLhmvfkaAF4DLMDp3TWuC7nG8yh3dfvmN668thfrU -t:dsm_csvr_reg
babld.p12=cacertutil import -i:babld.p12 -ip:enc:TrdWglmuNCdeOAfj2j3vMwywVbGnlIvX -t:babld_server
dsmpwchgent.p12=cacertutil import -i:dsmpwchgent.p12 -ip:enc:QWF8vknD5aZsU1j5RLzgt1NQgF5DcXj4v1vS4ewDzOA -t:ent_access
dsmpwchgdom.p12=cacertutil import -i:dsmpwchgdom.p12 -ip:enc:sqb9qO2SGjbYqzIvwM7HEbx0M6UJk8Dc82EvUoDeJmE -t:dom_access
dsmpwchgrep.p12=cacertutil import -i:dsmpwchgrep.p12 -ip:enc:x901eho57IZ19zg6g97rQetHjA1461na7nhBmJl7mcc -t:rep_access
[Tags]
dsmcommon=x509cert://DSM r11/CN=Generic Host Identity,O=Computer Associates,C=US
csm=x509cert://dsm r11/CN=Configuration and State Management,O=Computer Associates,C=US
dsm_cmdir_eng=x509cert://dsm r11/cn=dsm directory synchronisation,o=computer associates,c=us
dsmsdcat=x509cert://dsm r11/CN=DSM r11 Software Delivery Catalog,O=Computer Associates,C=US
dsmagtmv=x509cert://dsm r11/CN=DSM r11 Agent Mover,O=Computer Associates,C=US
dsm_csvr_reg=x509cert://dsm r11/CN=DSM Common Server Registration,O=Computer Associates,C=US
babld_server=x509cert://dsm r11/cn=babld server,o=computer associates,c=us
ent_access=x509cert://dsm r11/CN=Enterprise Access,O=Computer Associates,C=US
dom_access=x509cert://dsm r11/CN=Domain Access,O=Computer Associates,C=US
rep_access=x509cert://dsm r11/CN=Reporter Access,O=Computer Associates,C=US
Each section of the cfcert.ini file declares the certificates that are required to be installed by the associated installer. The installer reads the “files=” entry from its associated section in cfcert.ini and installs each certificate listed in turn by using the command located in the [Files] section of the cfcert.ini file.
For example, the Common Application Framework (CAF) installer finds that it needs to install the certificates itrm_dsm_r11_root.der and basic_id.p12. In the [Files] section, the CAF installer finds the cacertutil commands associated with these certificates in the first two lines, and executes these commands.
The [Tags] section allows you to create new certificates that do not use the standard certificate URIs. When installing a DSM manager node, the installation components read this section and set up security profiles for the named URIs. The tags and URIs listed previously are the CA Client Automation defaults and are used if they are not present in the cfcert.ini file.
By convention, the file names listed in the “files=” entry in each section of cfcert.ini are the same as the names of the underlying certificate files. This makes the cfcert.ini initialization file easier to maintain.
To replace the default certificates with your own, change each individual section and the [Files] section to reflect the new certificate names and passwords.
Ensure that the new certificates are imported using the correct tag names. The tags are specified by the -t: switch. For more information and a list of available certificates, see Installation of Application-Specific Certificates and Current Certificates.
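As an added example (not part of CA Client Automation or of this page), the following Python script reads a customised cfcert.ini the way the installers do and reports the inconsistencies a certificate replacement typically introduces: a name in a files= entry with no [Files] command, a -i: value that breaks the naming convention, and a -t: tag that has neither a URI in [Tags] nor a default. The sample ini, its corp_* file names and the PLACEHOLDER password values are constructed for the example.

```python
import configparser
import shlex

# Tag names from the shipped cfcert.ini; a tag missing from [Tags] falls back to these.
DEFAULT_TAGS = {"dsmcommon", "csm", "dsm_cmdir_eng", "dsmsdcat", "dsmagtmv",
                "dsm_csvr_reg", "babld_server", "ent_access", "dom_access", "rep_access"}

# Constructed sample with two deliberate mistakes: [Manager] names a certificate with
# no [Files] entry, and corp_sd_catalog.p12 uses a tag neither in [Tags] nor a default.
SAMPLE_CFCERT_INI = """\
[CAF]
files=corp_root.der,corp_basic_id.p12
[Manager]
files=corp_cmdir.p12
[USD.Agent]
files=corp_sd_catalog.p12
[Files]
corp_root.der=cacertutil import -i:corp_root.der -it:x509v3
corp_basic_id.p12=cacertutil import -i:corp_basic_id.p12 -ip:enc:PLACEHOLDER -h -t:dsmcommon
corp_sd_catalog.p12=cacertutil import -i:corp_sd_catalog.p12 -ip:enc:PLACEHOLDER -t:sdcat_typo
[Tags]
dsmcommon=x509cert://DSM r11/CN=Generic Host Identity,O=Example Corp,C=US
"""

def load_cfcert(text):
    # '=' as the only delimiter: cacertutil switches and x509cert:// URIs contain ':'
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep file names and tag names case-sensitive
    cp.read_string(text)
    return cp

def switches(command):
    # 'cacertutil import -i:x -ip:enc:y -t:z' -> {'i': 'x', 'ip': 'enc:y', 't': 'z'}
    return dict(a[1:].split(":", 1) for a in shlex.split(command) if a[:1] == "-" and ":" in a)

def check_cfcert(cp):
    """Walk every installer section the way the installer does and report inconsistencies."""
    problems, files = [], cp["Files"]
    tags = set(cp["Tags"]) if cp.has_section("Tags") else set()
    for section in (s for s in cp.sections() if s not in ("Files", "Tags")):
        for name in [n.strip() for n in cp[section].get("files", "").split(",") if n.strip()]:
            if name not in files:
                problems.append(f"[{section}] lists {name} but [Files] has no import command for it")
                continue
            sw = switches(files[name])
            if sw.get("i") != name:  # convention: entry name, -i: value and file name agree
                problems.append(f"[Files] {name}: -i:{sw.get('i')} does not match the entry name")
            tag = sw.get("t")
            if tag and tag not in tags and tag not in DEFAULT_TAGS:
                problems.append(f"[Files] {name}: tag {tag} is neither in [Tags] nor a default")
    return problems
```

Run check_cfcert(load_cfcert(open("cfcert.ini").read())) against the edited install image before starting a deployment; an empty list means every installer section resolves cleanly.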