
Making server certificates available to clients

The following is a summary of the steps required to make a certificate available to download clients that connect securely to the Redirector or any other telnet server.

  1. If the clients connect to a server, obtain a copy of the server's certificate. The Redirector's certificate can be extracted directly when created or received in Certificate Management.
  2. Add the certificate to the certificate container, CustomizedCAs.jks (if it exists), CustomizedCAs.p12 (if it exists), or CustomizedCAs.class.
  3. Make CustomizedCAs.jks and/or CustomizedCAs.p12 or CustomizedCAs.class available to clients.

Take the following steps to do this using the Certificate Management utility:

  1. Start the Certificate Management Utility.
  2. If the CustomizedCAs.p12 file does not exist, follow these steps to create it:
    1. Click Key Database File > New.
    2. In the Key database type listbox, select PKCS12.
    3. In the File Name field, type CustomizedCAs.p12.
    4. In the Location field, type the fully qualified path of the Host On-Demand publish directory.
    5. Click OK.
    6. When prompted, enter hod as the password for the new CustomizedCAs.p12 file.
    7. The Certificate Management Utility will automatically add root certificates for well-known certificate authorities to the file.
  3. If the CustomizedCAs.p12 file exists, open it. The password must be hod.

    Starting with Host On-Demand Version 8, you can no longer create or update CustomizedCAs.class using the Certificate Management utility on Windows, AIX, or Linux platforms. The utility allows you only to create or update a newer version of this file called CustomizedCAs.p12. In order to update CustomizedCAs.class, you must run a reverse-migration tool. For more information, refer to Migrating from CustomizedCAs.class to CustomizedCAs.p12.

    For JSSE, the truststore and keystore must be in Java KeyStore (JKS) format. When JSSE is used (the Use JSSE option is set to Yes), Host On-Demand uses the CustomizedCAs.jks file to trust the server's certificate during the TLS handshake.

    The CustomizedCAs.jks file is different from the CustomizedCAs.p12 file, which is used for SSLite when the Use JSSE setting is set to No.

    You can create the CustomizedCAs.jks file in the same way as the p12 file, as described in step 2 and step 3. The password for CustomizedCAs.jks must be hodpwd.

    You can convert an existing CustomizedCAs.p12 file to a CustomizedCAs.jks file using the Certificate Management utility that is installed with Host On-Demand. For more information, refer to Migrating from CustomizedCAs.class to CustomizedCAs.p12.

  4. In the Certificate Management Utility, expand the listbox that is located above the white display area and select Signer Certificates.
  5. Click Add.
  6. In the Certificate file name field, type the name of the file containing the certificate, such as cert01.arm.
  7. In the Location field, type the path of the subdirectory where the certificate file is located.
  8. When prompted, enter a label for the certificate and click OK.
  9. Verify that the label of the certificate now appears in the list of Signer Certificates.
  10. Follow the instructions in the online help for making certificates available to clients.
  11. Close the Certificate Management Utility.
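
As a check before publishing CustomizedCAs.jks (step 9 confirms only the label), the following added example, which is not part of Host On-Demand or its documentation, reads the file's signer entries and reports any whose SHA-256 fingerprint is not on an approved list. It assumes the standard version 2 JKS layout and ASCII labels; the function names, the approved list and the sample container are constructed for illustration, and the .p12 container is not covered.

```python
import hashlib
import struct

SALT = b"Mighty Aphrodite"  # constant the JKS format mixes into its integrity digest

def _digest(password, body):
    # SHA-1 over the password as UTF-16BE, the constant above, then the store body
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def read_signers(data, password):
    """Return {label: SHA-256 hex of the certificate bytes} for a JKS signer container."""
    body, trailer = data[:-20], data[-20:]
    if _digest(password, body) != trailer:
        raise ValueError("integrity digest mismatch: wrong password or altered file")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != 0xFEEDFEED or version != 2:
        raise ValueError("not a version 2 JKS file")
    pos, signers = 12, {}
    def take(fmt):  # read one field prefixed by a big-endian length (">H" or ">I")
        nonlocal pos
        (n,), start = struct.unpack_from(fmt, body, pos), pos + struct.calcsize(fmt)
        pos = start + n
        return body[start:pos]
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", body, pos)
        alias = body[pos + 6:pos + 6 + alen].decode("utf-8")  # ASCII labels assumed
        pos += 6 + alen + 8  # skip tag, label and the 8-byte creation timestamp
        if tag != 2:  # example policy: a container published to clients holds signers only
            raise ValueError(f"{alias}: not a trusted-certificate entry")
        take(">H")  # certificate type string, "X.509"
        signers[alias] = hashlib.sha256(take(">I")).hexdigest()
    return signers

def unexpected_signers(data, password, approved):
    """Labels whose certificate fingerprint is not in the approved set."""
    return sorted(a for a, fp in read_signers(data, password).items() if fp not in approved)

def build_sample(entries, password):
    # Constructed input for the demo: writes the same layout read_signers parses
    body = struct.pack(">III", 0xFEEDFEED, 2, len(entries))
    for alias, cert in entries.items():
        body += struct.pack(">IH", 2, len(alias)) + alias.encode() + bytes(8)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(cert)) + cert
    return body + _digest(password, body)

# Constructed placeholder bytes stand in for DER certificates; labels are hypothetical
CERTS = {"redirector": b"constructed bytes, cert 1", "extra": b"constructed bytes, cert 2"}
SAMPLE = build_sample(CERTS, "hodpwd")
APPROVED = {hashlib.sha256(CERTS["redirector"]).hexdigest()}
print(unexpected_signers(SAMPLE, "hodpwd", APPROVED))
```

Because hodpwd is a fixed, documented value, the digest check only catches corruption or an unrelated file; the fingerprint comparison is what confirms the signer list.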

When you have finished working with certificates, you must configure the Host On-Demand clients to use SSL.
