CORBA 2.6.1 Administration Guide

The signreq script takes a CSR file as input and creates a new certificate. To run the script, type:
signreq name.csr
where name.csr is the CSR you created previously.
Example 6.3. Sample signreq Run
Create a certificate from a CSR.
Using configuration from toyCA.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature OK
The Subjects Distinguished Name is as follows:
countryName :PRINTABLE:’US’
stateOrProvinceName :PRINTABLE:’California’
localityName :PRINTABLE:’Cupertino’
organizationName :PRINTABLE:’Hewlett-Packard’
organizationalUnitName :PRINTABLE:’NonStop’
commonName :PRINTABLE:’Toy CA’
emailAddress :IA5STRING:’john.doe@hp.com’
Certificate is to be certified until Jan 16 01:37:44 2004 GMT (365 days)
Sign this certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]:y
Write out database with 1 new entries
Data base updated
The script creates the following directories and files:
Pathname/Filename     Purpose
name.cert.pem         The new certificate
toyCA/certindex.txt   A new entry added for the newly created certificate
toyCA/certs/01.pem    A copy of the new certificate stored under its serial number
toyCA/serial          The updated next serial number
pkcs12 Script
The pkcs12 script takes a certificate file as input and bundles it with the certificate’s associated private key and the CA’s certificate. The output bundle is in the PKCS#12 format, which is a DER-encoded file. To run the script, type:
pkcs12 name.cert.pem
where name.cert.pem is the new certificate you created previously.
Example 6.4. Sample pkcs12 Run
Create a PKCS#12 file.
Enter PEM pass phrase:
Enter Export Password:
Verifying password - Enter Export Password:
Now creating a PEM version of the pkcs12 file.
Enter import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
The script creates the following files:
File        Purpose
name.p12    The output PKCS#12 file, 3DES encrypted using the export password as the key
name.pem    The PKCS#12 file in PEM format
After running the pkcs12 script, the output name.pem file is suitable to use for both the ssl_cert_file and ssl_pkey_file. The “PEM pass phrase” is to be placed in a file as the ssl_pkey_pswd.
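A pre-deployment check for the files described above, as an added example that is not part of the original guide: it confirms that a combined PEM file holds a certificate and exactly one encrypted private key, and that the pass phrase file is accessible only to its owner. The function names, the constructed sample data and the owner-only permission policy are assumptions of this example.

```python
import os
import re
import stat

# One PEM block: BEGIN label, body (may carry RFC 1421 headers), END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def audit_bundle(pem_text):
    """Return a list of problems found in a combined cert+key PEM file."""
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    keys = [(l, body) for l, body in blocks if l.endswith("PRIVATE KEY")]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    if len(keys) != 1:
        problems.append("expected exactly 1 private key, found %d" % len(keys))
    for label, body in keys:
        # PKCS#8 marks encryption in the label; the traditional format
        # marks it with a Proc-Type header inside the block.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in body)
        if not encrypted:
            problems.append("private key is stored unencrypted")
    return problems

def audit_passphrase_file(path):
    """Flag a pass phrase file that group or other users can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["%s is accessible beyond its owner (mode %o)" % (path, mode)]
    return []

# Constructed sample input: placeholder bodies, not real key material.
SAMPLE_OK = """Bag Attributes
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""
# Same bundle with the encryption headers removed (a plaintext key).
SAMPLE_PLAIN = SAMPLE_OK.replace(
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n\n", "")

if __name__ == "__main__":
    print(audit_bundle(SAMPLE_OK), audit_bundle(SAMPLE_PLAIN))
```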
Configuring and Managing Security Unaware Applications
To take an existing NonStop CORBA application and secure the IIOP traffic with SSL, without modifying the application, you need to:
1. Install the NonStop CORBA application as usual on your system.
2. Install the appropriate certificates on the system. See Configuring and Managing Private Keys and Certificates for examples of how to install the certificates.
3. Modify the NonStop CORBA configuration to enable IIOP/SSL.
4. Log messages to assure correct configuration, including an indication of what cipher suites are in play.
Modifying the NonStop CORBA Configuration
Use the Console or the cfgmgt tool to set the IIOP/SSL configuration. The following example shows typical attributes:
Example of IIOP Configuration