CORBA 2.6 Administration Guide

Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
The script creates the following files:
File        Purpose
name.p12    The output PKCS#12 file, 3DES encrypted using the export password as the key
name.pem    The PKCS#12 file in PEM format
After running pkcs12, the output name.pem file is suitable for use as both the ssl_cert_file and the ssl_pkey_file. Place the
PEM pass phrase in a file and reference that file as the ssl_pkey_pswd.
Configuring and Managing Security Unaware Applications
To take an existing NonStop CORBA application and secure the IIOP traffic with SSL, without modifying the application, you need to:
1. Install the NonStop CORBA application as usual on your system.
2. Install the appropriate certificates on the system. See Configuring and Managing Private Keys and Certificates for examples of
   how to install the certificates.
3. Modify the NonStop CORBA configuration to enable IIOP/SSL.
4. Log messages to ensure correct configuration, including an indication of what cipher suites are in play.
Modifying the NonStop CORBA Configuration
Use the Console or the cfgmgt tool to set the IIOP/SSL configuration. The following example shows typical attributes:
Example of IIOP Configuration
catch {entitydelete sample_stack@ORB}
entity sample_stack@ORB {
    tcp_server true
    ssl_only true
    ssl_port 0
    host_name 127.0.0.1
    ssl_cert_file $NSD_ROOT/testCA/GServer.pem
    ssl_pkey_file $NSD_ROOT/testCA/GServer.pem
    ssl_pkey_pswd $NSD_ROOT/testCA/yo.txt
    ssl_ciphers ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH
}
catch {entitydelete sample_stack_client@ORB}
entity sample_stack_client@ORB {
    ssl_client true
}
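Added example, not from this guide or the NonStop CORBA product: a Python check that parses entity blocks written as above and reports which weak cipher classes an ssl_ciphers value leaves enabled. It assumes ssl_ciphers follows OpenSSL cipher-list syntax, which the string above matches; parse_entities, admitted_weak, lint and the tightened_stack@ORB entity are hypothetical names, and SAMPLE is constructed.

```python
import re

# Weak classes that ALL includes, with the keywords naming each (simplified model).
WEAK = {"SSLv2": {"SSLv2"}, "RC4": {"RC4"}, "ADH": {"ADH", "aNULL"}}

# Constructed sample: the guide's cipher string plus a hypothetical tightened one.
SAMPLE = """
entity sample_stack@ORB {
    ssl_ciphers ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH
}
entity tightened_stack@ORB {
    ssl_ciphers ALL:!ADH:!SSLv2:!RC4:@STRENGTH
}
"""

def parse_entities(text):
    """Return {entity_name: {attribute: value}} for each 'entity NAME { ... }' block."""
    entities, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"entity\s+(\S+)\s*\{$", line)
        if m:
            current = entities.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and line:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return entities

def admitted_weak(cipher_list):
    """Walk the list left to right; return the weak classes it leaves enabled."""
    admitted, killed = set(), set()
    for tok in filter(None, re.split(r"[:, ]+", cipher_list)):
        if tok[0] in "@+":            # sort or reorder only: adds and removes nothing
            continue
        op, parts = (tok[0], tok[1:]) if tok[0] in "!-" else ("", tok)
        parts = set(parts.split("+"))
        for cls, names in WEAK.items():
            if op and len(parts) == 1 and parts & names:
                admitted.discard(cls)     # '-' removes; '!' also bans re-adding
                if op == "!":
                    killed.add(cls)
            elif not op and cls not in killed and (parts == {"ALL"} or parts & names):
                admitted.add(cls)         # only ALL and the class keywords count as adding
    return admitted

def lint(text):
    """Map each entity that sets ssl_ciphers to its sorted list of weak classes."""
    return {name: sorted(admitted_weak(attrs["ssl_ciphers"]))
            for name, attrs in parse_entities(text).items() if "ssl_ciphers" in attrs}
```

For the guide's string, lint reports RC4 and SSLv2: ALL enables both, +SSLv2 only moves the SSLv2 suites to the end of the list, and nothing excludes them.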
Configuring and Managing Security Aware Applications
To configure and manage applications that have been written to use IIOP/SSL programmatically, you only need to install the
application as described in the NonStop CORBA 2.6 Programmer's Guide for C++ and the NonStop CORBA 2.6 Programmer's Guide
for Java. You may want to monitor log files to ensure correct configuration, including an indication of what cipher suites are in play.
Operation with Comm Server, LSD, and Naming Service
Comm Servers, the Location Service Daemon (LSD) and the Naming Service can be configured to use IIOP/SSL. The configuration
procedure is the same as for any other server. See Configuration and Management Using the Console or Configuration and
Management Using Commands for information about how to configure servers.