Chapter 5 Tutorial: Security Configuration


Installing certificates in Netscape

To install Jaguar's test CA and a personal certificate in your Netscape browser:

  1. Start the Jaguar server, Jaguar Manager, and Security Manager
  2. Export the test CA
  3. Log in to the Netscape token and load the test CA
  4. Obtain and install a personal certificate

Start the Jaguar server, Jaguar Manager, and Security Manager

Start the Jaguar server:

  1. If the Jaguar server is not already running, follow the instructions under "Starting Jaguar" on page 6 to start the server.


Start Jaguar Manager and Security Manager:

  1. If Jaguar Manager and Security Manager are not already running, start them as described in "Starting Jaguar Manager and Security Manager" on page 11.


Export the test CA

You need to export the test CA signing authority from Jaguar, and then load it in your browser and mark it as trusted. This prevents Netscape from displaying warnings about untrusted certificate authorities when you use server authentication with Jaguar listeners.

Export the test CA from Security Manager:

  1. Select the CA Certificates folder.

  2. From the right side of the window, highlight the Sybase Jaguar User Test CA.

    If the Sybase Jaguar User Test CA does not appear, you must first create it. Refer to "Creating a test CA" in the Jaguar CTS System Administration Guide for instructions.

  3. Select File | Export Certificate. The Export Certificate dialog box appears.

  4. Select the format type for the exported certificate. Select "Binary encoded X509 Certificate."

  5. Select Save to File and enter the full path to a file that will contain the test CA's certificate.

    Do not add any extension to the file name. A .crt extension is automatically appended to the exported file by Security Manager. Netscape 4.05 recognizes this extension as a certificate and handles it accordingly.

  6. Click Finish. The certificate is exported to the file you selected.


Refer to "Test CA management" in the Jaguar CTS System Administration Guide for more information about the test CA.

Log in to the Netscape token and load the test CA

The Netscape token manages the certificates and private keys in your browser. Before you can load the test CA in Netscape you must be logged in to the Netscape token.

Log in to the Netscape token

Log in to the Netscape token from your browser:

  1. Click the Security icon from the tool bar.

  2. Click Cryptographic Modules on the left side of the window.

  3. Click Netscape Internal PKCS #11 Module in the Cryptographic Modules window.

  4. Click the View/Edit button.

  5. Click Communicator Certificate DB in the Edit Security Module window.

  6. Click the Login button. You must provide the token's login password.

    To verify the state of the token, click the More Info button. The Token/Slot Information window displays information about the Netscape token. Verify that the State of the token is Ready.

    Note: If you do not have the password or have forgotten it, close Netscape. Find the file key3.db in your user profile directory and rename the file. Restart Netscape and you should be prompted to establish a new password. You may need to perform steps one through five, then select Initialize token to establish a new password.

  7. Once logged in to the Netscape token, click OK on the open dialog boxes until you return to the main Netscape window.


Load the test CA

Load the test CA in your browser:

  1. Enter the full path of the exported test CA file in Netscape's Netsite field. For example:
    c:\test_ca.crt


  2. Select "Open it" from the dialog box and click OK. Netscape recognizes the .crt extension as belonging to a CA and displays a series of dialog boxes asking if you want to accept the CA.

  3. Accept the defaults on the dialog boxes.

  4. If prompted, select Accept this Certificate Authority for Certifying Network Sites. This allows Netscape to connect to Jaguar ports that require authentication and accepts the certificates signed by the test CA without displaying warning dialog boxes.

  5. You may be prompted to enter the nickname of the test CA. Enter a name (for example, Sybase Test CA), then click Finish. The nickname identifies the test CA within the Netscape token.


Verify that the test CA has been loaded:

  1. Click the Security icon on the tool bar.

  2. Click Signers on the left side of the window to display a list of the CAs that Netscape accepts.

  3. Scroll down and select Sybase Test CA. You can edit information, verify that the test CA is valid, or delete the test CA from Netscape by using the corresponding buttons in the Certificate Signers' Certificate window.


Obtain and install a personal certificate

You need a personal certificate installed in your browser before the sample applets can attach to Jaguar listener ports that require client authentication.

Before you begin

There are a variety of ways to get a personal certificate:

Obtain a certificate from a Netscape certificate server

Obtain a certificate from a Netscape certificate server:

  1. Connect to the certificate server URL.

  2. Click Request a Personal Certificate from the Public Menu.

  3. Supply the information in the Request a Personal Certificate form.

  4. Select 1024 (High Grade) encryption from the drop-down list.

  5. Click Submit Request. Netscape generates the public and private key pair and forwards your request to the CA. Once approved, the CA will send e-mail instructions to you on how to pick up the certificate.

  6. Connect to the URL indicated in the e-mail message. Follow the instructions to install the certificate. You must install the certificate on the same machine that generated the request, since this is where the corresponding private key resides.


View your certificate:

  1. Click the Security icon on the tool bar.

  2. Click Yours on the left side of the window. This displays a list of your certificates that are loaded in Netscape. You should see your newly imported certificate in this list.


Install the CA's certificate in Jaguar

You need to install the certificate of the signer (CA) of your personal certificate in Jaguar. Otherwise, when you offer your personal certificate to Jaguar for client authentication, Jaguar does not recognize it as being signed by a trusted CA.

Install the CA's certificate in Jaguar and mark it as trusted:

  1. In Netscape, go to the URL of the CA that issued your certificate.

  2. Locate and copy the signer's certificate. For the Netscape certificate server:

    1. Click List Certificates.

    2. Click Run Query.

    3. Highlight the certificate, including the BEGIN through the END lines.

    4. Click Details in the Issuers certificate field.

    5. Select Edit | Copy.


  3. In Security Manager, double-click the Security Manager icon.

  4. Highlight the CA Certificates folder.

  5. Select File | Install Certificate.

  6. Paste the signer's certificate into the window provided.

    If you have copied the certificate to a file, click Import from File and enter the name of the file.

  7. Click Install.


The CA's certificate is displayed when you highlight the CA Certificates folder.
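
The export procedure earlier writes the test CA as a binary (DER) .crt file, while the paste step above needs the text form with its BEGIN and END lines. The following Python code is an added example, not part of the Jaguar documentation: it accepts either form, rejects a paste that lost its BEGIN or END line or a file that was truncated, and returns one SHA-256 fingerprint for both encodings so you can confirm which certificate you are about to mark as trusted. The function names are hypothetical, and SAMPLE_DER is a constructed placeholder, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder (DER SEQUENCE framing, zero bytes); NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)


def to_der(data: bytes) -> bytes:
    """Normalise a binary .crt export or pasted PEM text to DER bytes."""
    match = PEM_RE.search(data)
    if match:
        try:  # drop line breaks and stray spaces picked up while copying
            der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM body is not valid base64") from exc
    elif b"-----BEGIN" in data or b"-----END" in data:
        raise ValueError("no complete BEGIN/END CERTIFICATE block")
    else:
        der = data
    # A certificate is one ASN.1 SEQUENCE (tag 0x30) filling the whole input.
    if len(der) < 2 or der[0] != 0x30 or der[1] == 0x80:
        raise ValueError("not a DER-encoded certificate")
    if der[1] < 0x80:   # short form: the byte itself is the length
        header, length = 2, der[1]
    else:               # long form: low 7 bits count the length bytes
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated or padded certificate data")
    return der


def to_pem(der: bytes) -> str:
    """Text form with 64-character lines, suitable for pasting."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])


def fingerprint(data: bytes) -> str:
    """SHA-256 of the DER bytes, so both encodings give the same value."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
```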

Mark the certificate trusted:

  1. Highlight the certificate.

  2. Select File | Certificate Info.

  3. Click the Trusted Certificate box.

  4. Click Done.


The CA's certificate is displayed when you highlight the Trusted CAs folder.

Restart the Jaguar server. Certificates signed by the installed CA are now accepted for client authentication by Jaguar.

 


Copyright © 2000 Sybase, Inc. All rights reserved.