wlmcert man page on HP-UX


wlmcert(1M)							   wlmcert(1M)

NAME
       wlmcert - manage security certificates for HP-UX Workload Manager

SYNOPSIS
       [cmd]
       certificate
       certificate
       directory]

DESCRIPTION
       wlmcert allows you to manage your WLM security certificates.

OPTIONS
       -h [cmd]
	   Displays  usage  information	 and  exits. This option overrides all
	   other options.

	   To get usage information for a specific command, specify the command
	   after -h. For example:

	   # wlmcert -h reset

       Displays version information and exits.  This option overrides all
	   options other than -h.

       reset
	   Creates the certificates for the system on which the command is
	   executed.

	   Only root can execute this operation.

	   This	 operation  is	performed  automatically when you install WLM.
	   After running this operation:

	    · The system trusts itself

	    · You can use the wlmcert extract command to make a copy of the
	      system's certificate, which you can then add to other systems'
	      WLM certificate repositories (truststores) to enable secure
	      communications between the current system and those systems

	   The	name of each newly created certificate is based on the name of
	   the host where it is generated. Thus, on host1, the certificate  is
	   named  host1.pem.  This makes it easier for you to identify trusted
	   systems. If you have not yet assigned a host	 name  to  the	system
	   where  WLM is being installed, the certificate is given the default
	   name loopback.pem. When you assign a name to the host, security
	   will continue to work even if the host name differs from the
	   certificate name. To make the host and certificate names match,
	   remove the current certificate and then run wlmcert reset to reset
	   the certificates.

       install -c certificate
	   Adds the named certificate to the WLM truststore on the current
	   system.

	   Only root can execute this operation.

	   The	current	 system	 can  communicate securely with any system for
	   which it has a certificate in its truststore. When using WLM's man‐
	   agement  of	virtual partitions or nPartitions, each partition must
	   have in its truststore the certificate for  every  other  partition
	   with which it is being managed.

       Removes the named
	   certificate from the WLM truststore on the current system.

	   Only root can execute this operation.

       Lists the certificates in the WLM truststore on the current system.

	   The	current	 system	 can  communicate securely with any system for
	   which it has a certificate in its truststore. When using WLM's man‐
	   agement  of	virtual partitions or nPartitions, each partition must
	   have in its truststore the certificate for  every  other  partition
	   with which it is being managed.

       extract [-d directory]
	   Extracts  the WLM certificate for the current system, placing it in
	   the named directory.	 If a directory is not specified, the certifi‐
	   cate is placed in the current directory.

	   The	certificate  is	 named host.pem, where host is the name of the
	   current system.

HOW TO SECURE COMMUNICATIONS
       To secure WLM communications:

       1. Log in as root on every system where you have installed WLM
	  and want to secure communications

       2. Ensure a random number generator is available

	  Use either /dev/random or prngd as the random number generator.

	      · Using /dev/random

		For  HP-UX  11i	 v1  (B.11.11),	  install   /dev/random	  from
		http://www.hp.com/go/softwaredepot (search for "KRNG11i"). For
		HP-UX 11i v2 (B.11.23) and HP-UX 11i v3 (B.11.31), /dev/random
		is included.

		To  use	 /dev/random  on HP-UX 11i v2 or HP-UX 11i v3, run the
		following command as root:

		# /usr/sbin/kcmodule rng=loaded

		No commands are needed to use /dev/random on HP-UX 11i v1.

	      · Using prngd

		To start prngd on either HP-UX 11i v1 or HP-UX 11i v2:

		1. Set the variable PRNGD_START

		   In  the  file  /etc/rc.config.d/prngd,  set	the   variable
		   PRNGD_START to 1.

		2. Run the following command as root:

		   # /sbin/init.d/prngd.rc start

		For more information, see the prngd manpage.

		When  using the PRNG devices, you may want to place the daemon
		in a workload group by itself--and limit its  CPU  allocation.
		The    path    to    use   in	an   application   record   is
		/opt/openssl/prngd/prngd.

       3. Extract the certificates

	  When you install WLM on a system, WLM automatically creates  a  cer‐
	  tificate  for	 that system. If a certificate was somehow not created
	  on a system, execute the following operation on the system to create
	  the certificate:

	      # /opt/wlm/bin/wlmcert reset

	  On each system where you are going to run WLM (either in the form of
	  or run to place a copy of that system's certificate in your  current
	  directory:

	      system1# /opt/wlm/bin/wlmcert extract

	      system2# /opt/wlm/bin/wlmcert extract

	      system3# /opt/wlm/bin/wlmcert extract

	  Each certificate is named based on the system where it is generated.
	  Thus, on system1, the certificate is named system1.pem.  If  a  host
	  name	had  not  yet  been  assigned to the system where WLM is being
	  installed, then the certificate is given the default name  of	 loop‐
	  back.pem.  When you subsequently assign a name to the host, security
	  continues to work even though the host name differs  from  the  cer‐
	  tificate  name.  If  you  want the host name and certificate name to
	  match	 (this	facilitates  identifying  trusted  systems),  see  the
	  instructions in the section that discusses the reset command.

       4. Exchange the certificates among all the systems

	  Distribute  each  system's  certificate to every other system--where
	  you will run or the secure command,

	      system1# scp system1.pem system2:

	      system1# scp system1.pem system3:

	      system2# scp system2.pem system1:

	      system2# scp system2.pem system3:

	      system3# scp system3.pem system1:

	      system3# scp system3.pem system2:

       5. Install all the certificates on your WLM systems

	  On each system where you will run or install the  certificates  from
	  every other system:

	      system1# /opt/wlm/bin/wlmcert install -c system2.pem

	      system1# /opt/wlm/bin/wlmcert install -c system3.pem

	      system2# /opt/wlm/bin/wlmcert install -c system1.pem

	      system2# /opt/wlm/bin/wlmcert install -c system3.pem

	      system3# /opt/wlm/bin/wlmcert install -c system1.pem

	      system3# /opt/wlm/bin/wlmcert install -c system2.pem

	  If you use Serviceguard on the system running be sure to install the
	  certificates from the systems managed by  that  on  any  systems  to
	  which	 may  fail  over.  Also,  install  the	certificates  from all
	  failover systems to the systems being managed by that
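
	  Steps 3 through 5 form a full mesh: every system's certificate ends
	  up in every other system's truststore. The following script is an
	  added example, not part of the original manpage; it prints (without
	  running anything) the same extract, scp, and install commands for
	  any number of hosts. The function names and host names are
	  assumptions.

```shell
#!/bin/sh
# Added example: dry-run generator for the commands in steps 3-5.
# It only prints commands; nothing is executed on any remote system.
WLMCERT=/opt/wlm/bin/wlmcert

# Reject empty names, leading dashes, and characters that are unsafe to
# paste into a root shell (spaces, ';', '$', quotes, and so on).
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# wlm_cert_plan host1 host2 ... : prints one "host# command" line per step.
wlm_cert_plan() {
    for h in "$@"; do
        valid_host "$h" || { echo "invalid host name: $h" >&2; return 2; }
    done
    # A duplicated host would produce redundant copies and installs.
    dups=$(printf '%s\n' "$@" | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate host: $dups" >&2; return 2; }

    # Step 3: each system extracts its own certificate (host.pem).
    for src in "$@"; do
        echo "$src# $WLMCERT extract"
    done
    # Step 4: each system copies its certificate to every other system.
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            echo "$src# scp $src.pem $dst:"
        done
    done
    # Step 5: each system installs every other system's certificate.
    for dst in "$@"; do
        for src in "$@"; do
            [ "$src" = "$dst" ] && continue
            echo "$dst# $WLMCERT install -c $src.pem"
        done
    done
}

# Constructed sample input: the three systems used in this manpage.
wlm_cert_plan system1 system2 system3
```

	  For N hosts the plan has N extract, N*(N-1) scp, and N*(N-1) install
	  lines, which is a quick way to check that no truststore was skipped.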

       6. Install all the certificates on systems controlling WLM

	  Using the WLM GUI, you can control WLM from systems that do not have
	  the full WLM product installed. These systems need the WLM GUI prod‐
	  uct and the proper  JRE  version.  For  more	information,  see  the
	  wlmgui(1M) manpage.

	  The  WLM  GUI must have all the certificates from all the systems it
	  is controlling, even if the WLM GUI is running on the same host that
	  it  is  controlling.	(However, if you are using the WLM GUI to con‐
	  trol remote systems, the remote systems do not  need	a  certificate
	  from your local system.)

	  For  HP-UX  systems  or  Microsoft Windows systems where you want to
	  securely control WLM operations, use the Java keytool command to create a
	  local	 truststore  and  to  add a certificate to that truststore, as
	  explained in the steps that follow.

	  The WLM GUI only uses the truststore in the  user's  default	trust‐
	  store (keystore) location.

	  To  create a truststore and secure communications between and on the
	  local host, follow these steps (the communications  daemon  services
	  requests from allowing local and remote access to the system):

	      1. Kill any running instance of wlmcomd

		 # /opt/wlm/bin/wlmcomd -k

	      2. Generate a truststore (keystore) for the user root

		 # keytool -genkey

	      3. Extract the WLM certificate

		 # wlmcert extract

	      4. Import the WLM certificate to the local truststore of
		 root (file $HOME/.keystore)

		 # keytool -import -alias wlm -file /host-name.pem

		 where host-name is your local host's name.

	      For more information on the keytool command and its options, and on the
	      default truststore (keystore) location, refer to	the  following
	      web site:
	      http://java.sun.com/j2se/1.5/docs/tooldocs/windows/keytool.html

       7. Start or restart the WLM daemons using the -s option

	  Start the WLM daemons with the -s option. If a daemon is already
	  running, you can start it again with the -s option without stopping
	  it first:

	      system1# /opt/wlm/bin/wlmd -s

	  Alternatively, all daemons will start in secure mode if you use
	  the /sbin/init.d/wlm script to start WLM. However, ensure that
	  the following variables are enabled in /etc/rc.config.d/wlm. You
	  can change the default by editing the values for these variables.

	  If  you are using WLM's partition management or its Instant Capacity
	  management:

	      system1# /opt/wlm/bin/wlmpard -s

	  If you are using WLM's command, you must complete the following  two
	  steps.

	      1. Start wlmcomd with its -s option:

		     system1# /opt/wlm/bin/wlmcomd -s

	      2. Select the "Use secure connections" checkbox in the GUI

		     Select:

		     Settings
			-> Preferences item
			   -> Connections tab
			      -> "Use secure connections" checkbox

		     Then  select either the [OK] button or the [Apply] button
		     followed by the [OK] button.

	  Start the WLM daemons with -s on system2 and system3.

	  You can have these daemons  run  automatically  in  secure  mode  by
	  starting WLM using the /sbin/init.d/wlm script. However, ensure that
	  the secure mode variables are enabled in /etc/rc.config.d/wlm.

AUTHOR
       wlmcert was developed by HP.

FEEDBACK
       If you would like to comment on the current HP-UX WLM functionality  or
       make suggestions for future releases, please send email to:

       wlmfeedback@rsn.hp.com

FILES
       Directory containing various files related to certificates

SEE ALSO
       wlmd(1M), wlmgui(1M), wlm(5)

       HP-UX Workload Manager User's Guide (/opt/wlm/share/doc/WLMug.pdf)

       HP-UX Workload Manager homepage (http://www.hp.com/go/wlm)

								   wlmcert(1M)