Release 10.1A: OpenEdge Getting Started:
Installation and Configuration
Establishing a trusted SSL server identity
There are several steps required to establish a trusted identity for any OpenEdge SSL server using the pkiutil command-line utility.

Caution: While the default_server key store entry provided by the Progress Server Certificate Authority also uses a default password ("password"), you must password-protect any private key store entries that you create from a public-key certificate issued by a trusted external CA. The secrecy of your password is critical to using this key store entry for authenticating a server.

Steps for creating and managing a key store entry
To establish and maintain a trusted SSL server identity using the pkiutil utility:

- Use the -newreq operation to generate a proposed public and private-key pair together with a digital certificate request that is suitable for sending to any CA for authorization. You must provide a password to secure this certificate request. You must later provide this password to any OpenEdge server that you want to access this key store entry for securing SSL connections to it. See the "Supplying a key store entry password to an OpenEdge server" section.
- Use e-mail, or some other method required by the CA, to send a copy of the certificate request to the trusted CA that you want to issue the public-key certificate. That certificate can authenticate any server to which you give access to the private key.
- Use the -import operation to import the digital certificate returned by the CA for this request and store it together with the associated private key as an entry in the key store.
- Use the -display or -list operations to review an individual digital certificate file or any and all key store entries for important digital certificate information, such as expiration dates.
- Use the -remove operation to remove any unused or expired key store entries that you specify and retain them in a backup area of the key store.

For an overview of the pkiutil command-line utility, see the "Using pkiutil to manage an OpenEdge key store" section.

Supplying a key store entry password to an OpenEdge server
When you configure an OpenEdge server to access a key store entry, you must provide it with the same password that you used to create the key store entry. If you configure the server using the Progress Explorer, you can enter this password directly in the fields provided. However, if you configure the server by manually editing the ubroker.properties file for that server, or by specifying the password on a command line or in a startup script (as required when starting a database server for the OpenEdge RDBMS), you must provide an encrypted value for the password in order to protect the password itself from being easily discovered. OpenEdge provides the genpassword command-line utility for obtaining a password's encrypted value. For more information, see the "Using genpassword to obtain a key store password-encrypted value" section.
Copyright © 2005 Progress Software Corporation www.progress.com Voice: (781) 280-4000 Fax: (781) 280-4095