Replacing the Tomcat self-signed certificate with a certificate authority signed (CA-signed) certificate on your CMS and your managed nodes will increase your security. You can purchase a CA-signed certificate from a third-party certificate authority, or you can act as your own certificate authority. This will increase SCM security if you are accessing SCM from a Web browser. It guarantees the authenticity of the Web pages, and it virtually eliminates the possibility of unauthorized data interceptions, unauthorized access to SCM, or unauthorized changes to your transactions. It also prevents the possibility of spoofing.
This security enhancement uses the Java keytool from Sun Microsystems. For more information on the keytool, go to http://java.sun.com and search for summary of security tools.
Procedure 4-1 To replace the self-signed certificates:
Log on to the CMS as root.
Identify the MxKeystorePassword:
mxpassword -l -x MxKeystorePassword
Generate a certificate signing request for the Tomcat certificate that is placed in the keystore:
keytool -certreq -alias tomcat -keystore /etc/opt/mx/config/security/certificates -keypass password
where password is the MxKeystorePassword.
Submit the output to a Certificate Authority to get a CA-signed server certificate.
Import the CA-signed server certificate into the keystore under the tomcat alias:
keytool -import -alias tomcat -file ca_certificate -keystore /etc/opt/mx/config/security/certificates -keypass password
where ca_certificate is the filename for the new certificate and password is the MxKeystorePassword.
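A check you can run once the procedure is finished, as an added example that is not part of the original documentation: it reads `keytool -list -v` output and reports whether the first certificate of the entry is still self-signed. The function name `cert_kind` and both sample listings are constructed for illustration, and comparing Owner with Issuer is a heuristic that does not verify the signature itself.

```shell
#!/bin/sh
# Added example (not from the SCM documentation).
# Reads `keytool -list -v` output on stdin and classifies the FIRST
# certificate of the entry. Only the first Owner/Issuer pair is used,
# because a CA-signed chain ends in a root that is itself self-signed.
cert_kind() {
    awk '
        /^Owner: /  && owner == ""  { owner  = substr($0, 8) }
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        END {
            if (owner == "" || issuer == "") print "unknown"
            else if (owner == issuer)        print "self-signed"
            else                             print "ca-signed"
        }'
}

# Constructed sample: entry before the procedure (self-signed).
sample_before() {
cat <<'EOF'
Alias name: tomcat
Certificate chain length: 1
Certificate[1]:
Owner: CN=cms.example.com, O=Example, C=US
Issuer: CN=cms.example.com, O=Example, C=US
EOF
}

# Constructed sample: entry after importing the CA reply.
sample_after() {
cat <<'EOF'
Alias name: tomcat
Certificate chain length: 2
Certificate[1]:
Owner: CN=cms.example.com, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
EOF
}

printf 'before: %s\n' "$(sample_before | cert_kind)"
printf 'after:  %s\n' "$(sample_after | cert_kind)"

# On the CMS itself (keytool prompts for the keystore password):
# keytool -list -v -alias tomcat \
#   -keystore /etc/opt/mx/config/security/certificates | cert_kind
```

A result of `self-signed` after the import means the tomcat entry was not replaced by the CA reply.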