Setting up Redirector with TLS or SSL
To set up Host On-Demand Redirector with TLS or SSL using a Self-Signed Certificate, do the following:
- Use Certificate Management to create a new CMS key database file, for example, HODServerKeyDb.kdb, by selecting Key Database File > New.
- Type a password for the key database file, and make sure you select Stash the password to a file.
- Select Personal Certificates from the drop-down menu.
- Click New Self-Signed in the lower right corner of the Certificate Management window.
- Extract the certificate as a Base64 .arm file to the bin directory (for example, C:\Program Files\IBM\HostOnDemand\bin or /usr/local/hostondemand/bin).
- Select Key Database File > New. Create a PKCS12 file, for example CustomizedCAs.p12, and give it the default password hod. Save it to the publish directory. The default publish directory is the HOD directory (for example, C:\Program Files\IBM\HostOnDemand\HOD or /usr/local/hostondemand/hod).
Note: When creating CustomizedCAs.p12, use the default password hod and avoid changing it. If the Host On-Demand client is configured to use JSSE, create a Java KeyStore (JKS) file named CustomizedCAs.jks with the password hodpwd in the publish directory.
- Select Signer Certificates from the drop-down menu and add the .arm certificate file to the CustomizedCAs.p12 file in the publish directory. The default publish directory is the HOD directory (for example, C:\Program Files\IBM\HostOnDemand\HOD or /usr/local/hostondemand/hod). Label the certificate appropriately.
- Restart the Host On-Demand Service Manager.
- Modify or add a Redirector Service with client-side security.
- Modify or add a session to connect with the TLS or SSL-enabled Redirector Service.
Configuring Redirector to use Java Secure Socket Extension (JSSE) on Windows
To configure Redirector to use Java Secure Socket Extension (JSSE) on Windows, follow these steps:
- In the HostOnDemand\lib directory, open redir.properties and add the property useJSSE=true.
- Use Certificate Management to create a new JKS file named HODServerKeyStore.jks in the HostOnDemand\bin directory.
- The password for HODServerKeyStore.jks must be hodpwd.
- Under the Personal Certificates section, create a self-signed certificate in HODServerKeyStore.jks.
- Extract the self-signed certificate as a Base64 .arm file and add it to CustomizedCAs.p12, or to CustomizedCAs.jks if the HOD client is configured to use JSSE, in the HOD publish directory.
- If one or more Redirector ports are configured for client authentication, add the certificates received from the clients under the Signer Certificates section of HODServerKeyStore.jks.
- Restart the Host On-Demand Service Manager.
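The JSSE steps above as a PowerShell script, added here as an example and not taken from the Host On-Demand documentation: it uses the JDK's keytool in place of the Certificate Management GUI (both write the standard JKS format) and ends with a check that the client trust store holds the same certificate as the server keystore. The install root, key alias, subject name and the HODServerCert.arm file name are assumptions; HODServerKeyStore.jks, CustomizedCAs.jks, the hodpwd password and useJSSE=true come from the steps above.

```powershell
# Added example (not from the Host On-Demand documentation): scripted version of the
# JSSE steps above using the JDK's keytool instead of the Certificate Management GUI.
# Assumptions: keytool is on PATH; install root, alias, subject and .arm name are made up.
param(
    [string]$HodHome = 'C:\Program Files\IBM\HostOnDemand',   # assumed install root
    [string]$Alias   = 'hodredirector',                       # hypothetical key alias
    [string]$Subject = 'CN=redirector.example.com,O=Example'  # constructed subject DN
)
$LibProps  = Join-Path $HodHome 'lib\redir.properties'
$ServerJks = Join-Path $HodHome 'bin\HODServerKeyStore.jks'   # file name required by HOD
$ArmFile   = Join-Path $HodHome 'bin\HODServerCert.arm'       # hypothetical file name
$ClientJks = Join-Path $HodHome 'HOD\CustomizedCAs.jks'       # default publish directory
$StorePass = 'hodpwd'                                         # password required by HOD

function Invoke-Keytool {
    param([string[]]$KeytoolArgs)
    & keytool @KeytoolArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KeytoolArgs[0]) failed (exit $LASTEXITCODE)" }
}

# Step 1: switch the Redirector to JSSE, replacing any existing useJSSE line.
$lines = if (Test-Path $LibProps) { Get-Content $LibProps } else { @() }
$lines = @($lines | Where-Object { $_ -notmatch '^\s*useJSSE\s*=' }) + 'useJSSE=true'
Set-Content -Path $LibProps -Value $lines

# Steps 2-4: server keystore with a self-signed certificate; store and key password are hodpwd.
if (-not (Test-Path $ServerJks)) {
    Invoke-Keytool @('-genkeypair', '-alias', $Alias, '-keyalg', 'RSA', '-keysize', '2048',
        '-sigalg', 'SHA256withRSA', '-validity', '365', '-dname', $Subject,
        '-keystore', $ServerJks, '-storetype', 'JKS', '-storepass', $StorePass, '-keypass', $StorePass)
}

# Step 5: extract the certificate as Base64 (PEM, the .arm format) ...
Invoke-Keytool @('-exportcert', '-rfc', '-alias', $Alias, '-file', $ArmFile,
    '-keystore', $ServerJks, '-storepass', $StorePass)
# ... and add it as a signer certificate to the client trust store in the publish directory.
# An existing entry under the same alias is removed first so a renewed certificate replaces it.
& keytool -list -alias $Alias -keystore $ClientJks -storepass $StorePass | Out-Null
if ($LASTEXITCODE -eq 0) {
    Invoke-Keytool @('-delete', '-alias', $Alias, '-keystore', $ClientJks, '-storepass', $StorePass)
}
Invoke-Keytool @('-importcert', '-noprompt', '-alias', $Alias, '-file', $ArmFile,
    '-keystore', $ClientJks, '-storetype', 'JKS', '-storepass', $StorePass)

# Check before restarting the Service Manager: both stores must hold the same certificate.
$serverFp = (& keytool -list -alias $Alias -keystore $ServerJks -storepass $StorePass | Select-String 'fingerprint').Line
$clientFp = (& keytool -list -alias $Alias -keystore $ClientJks -storepass $StorePass | Select-String 'fingerprint').Line
if ($serverFp -ne $clientFp) { throw 'Fingerprint mismatch between HODServerKeyStore.jks and CustomizedCAs.jks' }
Write-Host "Redirector certificate trusted by JSSE clients: $clientFp"
```

Client certificates for ports configured with client authentication are not handled here; they are added to HODServerKeyStore.jks with a further `keytool -importcert` per client, as in the sixth step above.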
Enabling TLS or SSL tracing in the Redirector code
To enable TLS or SSL tracing in the Redirector code, follow these steps on the system running Redirector:
- Stop the Service Manager if it is currently started.
- Set the environment variable SVR_START_TRACE=Yes. To set this variable:
  - For Windows NT, Windows 2000, and Windows XP, use the GUI.
  - For Windows 98, use the set command on a command line.
  - For AIX, use the export command.
  - For Linux, export the variable according to the shell being used.
Note: The variable value is case sensitive.
- Start the Service Manager. Under the ..\hostondemand\private directory, look for the file named NativeSSLTrace.trc. This file contains the trace data from the Redirector.
- To stop the trace, stop the Service Manager and set the value of the environment variable to No. Delete the NativeSSLTrace.trc file if necessary.
Note: Each time the Service Manager is started, the trace file is created anew, and all existing contents of the file are overwritten.