iTP Secure WebServer System Administrator's Guide (iTPWebSvr 5.1+)
Integrating the WebSafe2 Internet Security Processor (WISP)
iTP Secure WebServer System Administrator’s Guide—522659-001
The install.WS script uses a sample httpd.websafe.config file. The
contents of the sample file are listed in Section 7, Configuring the iTP Secure
WebServer. You can edit the file to modify the WebSafe2 configuration.
Be sure to complete the remaining tasks before attempting to restart the WISP.
Generating the Public/Private Key Pair and Obtaining the Certificate
The WISP generates a public/private key pair and sends it to the Compaq system, where
it is stored in the file named by the keyfile statement in wid.config. A certificate is
obtained by sending a certificate request to a recognized Certificate Authority (CA). To
generate the public/private key pair and obtain a certificate, complete the following
steps:
1. Obtain a KEK pair using variant 0. This KEK pair will be used to encrypt the
public/private key pair for transmission to the Compaq system. You use the SCT to
generate the KEK pair. See Step 1. Obtaining a Key Exchange Key (KEK) Using
Variant 0 below for further details.
2. Generate a public/private key pair and a certificate request. You use the keyadmin
command to do this. See Step 2. Generating a Public/Private Key Pair and a
Certificate Request on page 5-10 for further details.
3. Request a certificate from a CA. See Step 3. Requesting a Certificate From a
Certificate Authority (CA) on page 5-12 for further details.
4. Obtain a KEK using variant 31. You use the SCT to perform this task. See Step 4.
Obtaining a KEK Pair Using Variant 31 on page 5-12 for further details.
5. Install the certificate received from the CA by using the keyadmin command. See
Step 5. Installing the Certificate on page 5-13 for further details.
Step 1. Obtaining a Key Exchange Key (KEK) Using Variant 0
You use the SCT Calculate Crypto function to obtain a KEK. Following the steps
outlined below will generate two forms of double-length (16-byte) KEK: the in-the-clear
form and the form encrypted using the MFK.
For detailed information about the SCT and the Calculate Crypto function, refer to the
WebSafe Internet Security Processor Installation and Operations Manual. That manual
gives a detailed procedure for obtaining a KEK using variant 0. As you follow that
procedure, keep in mind that the double-length KEK is too long to display on the SCT
screen. Therefore, you create the left part first, recording the clear (unencrypted) text
and then the cryptogram; you then create the right part, again recording the clear text
and then the cryptogram:
a. Select Encryption Key MFK1.
b. Define Key Under MFK1.
c. Select double length (F2).
d. Enter 1 as the number of key parts.