Manage certificates for HTTPS connections

To establish an HTTPS connection between your Web redirector and EAServer, you must export the CA certificate (the signing authority’s certificate) that signs the user certificate for the HTTPS listener to which you want to connect. For example, if Verisign Class 1 Primary CA is the signer of the web_redirector_certificate that is assigned to an EAServer listener at port 8085, then you must install the Verisign Class 1 Primary CA certificate on your Web server host and mark it trusted for your redirector to connect to that EAServer listener.

There are several ways, depending on how you obtain and manage certificates, to export and install certificates. This procedure describes how to export a CA certificate from EAServer, install it on your Web server host, and mark it trusted using Security Manager:

Steps: Exporting and installing CA certificates

  1. Use Security Manager on the EAServer host to export the root certificate of the certificate associated with the HTTP protocol listener:

    1. Select the CA Certificates folder.

    2. Locate the CA certificate of the EAServer certificate associated with the HTTP listener.

    3. Highlight the certificate to export. This example uses Verisign Class 1 Primary CA.

    4. Select File | Export Certificate.

    5. From the Export Certificate wizard, select the format type for the exported certificate. Select Binary Encode X509 Certificate. Click Next.

    6. Select Save to File and enter the full path name to a file that will contain the CA certificate.

      Do not add any extension to the file name. A .crt extension is automatically added to the exported certificate by Security Manager.

    7. Click Finish to export the certificate to the file you specified.

    8. Copy this file to the Web server host.

  2. Manage the certificates (including trust information) on the Web server host using the standalone Security Manager. To start the standalone Security Manager and connect to the Sybase PKCS#11 module:

    1. Change to the $JAGUAR_CLIENT_ROOT/bin directory.

    2. Run the sasecmgr.sh command to start the standalone Security Manager.

      The standalone Security Manager manages keys and certificates on a client installation without the overhead of an entire EAServer installation. The PKCS#11 token installed as part of the standalone Security Manager contains the same information (keys and certificates) as a typical EAServer installation.

    3. From Security Manager, select Tools | Connect.

    4. Enter the PKCS#11 PIN to connect to the PKCS#11 token. The default value is sybase.

    Any changes that you make modify the contents of the $JAGUAR_CLIENT_ROOT/db directory.

  3. Use the standalone Security Manager to install certificates in the security database (PKCS#11 module):

    1. Select the CA Certificates folder.

    2. Select File | Install Certificate.

    3. Click the Import from File box. Use the browse feature to locate the certificate you exported from EAServer and copied to the Web server host.

    4. Click Install. The certificate is installed in the CA folder.

    5. Select the CA folder to see the certificate.

  4. Mark the certificate trusted:

    1. Select the CA folder.

    2. Select the certificate you just installed.

    3. Select File | Certificate Info.

      The Certificate Information dialog appears. Use the scroll bar to view all of the information.

    4. The Certificate dialog includes a Trusted Certificate check box. Mark the certificate as trusted.

      The certificate now appears in the Trusted folder.

    5. Restart the Web server if it was running.

      Follow the steps described in “Enable HTTPS connections” to establish an HTTPS connection that uses the signer’s certificate installed on the Web server host to connect to the EAServer HTTPS listener, which uses the user certificate signed by that signer’s certificate.
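
The file copied in step 1 becomes a trust anchor in step 4, so it is worth confirming on the Web server host that it is byte-for-byte the certificate exported on the EAServer host before marking it trusted. The following is an added example, not part of the original documentation or of EAServer: it checks that the file is a well-framed binary (DER) export and compares its SHA-256 fingerprint with one recorded on the EAServer host. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import sys


def der_total_length(data: bytes) -> int:
    """Length in bytes of the outer DER SEQUENCE, header included."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not DER: a certificate starts with SEQUENCE (0x30)")
    if data[1] < 0x80:                      # short form: length fits in one byte
        return 2 + data[1]
    n = data[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint (hex) of a binary-encoded certificate file."""
    if data.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("file is PEM text, not the binary-encoded export")
    if der_total_length(data) != len(data):
        raise ValueError("file is truncated or has trailing bytes")
    return hashlib.sha256(data).hexdigest()


def matches(data: bytes, expected_hex: str) -> bool:
    """Compare with the fingerprint recorded on the EAServer host."""
    want = expected_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(data), want)


# Constructed sample: a DER SEQUENCE header followed by 256 zero bytes.
# It stands in for an exported .crt file; it is not a real certificate.
SAMPLE = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)

if __name__ == "__main__":
    # usage: script.py exported.crt [fingerprint recorded on the EAServer host]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE
    print(fingerprint(data))
    if len(sys.argv) > 2 and not matches(data, sys.argv[2]):
        sys.exit("MISMATCH: do not mark this certificate trusted")
```

Run it once on the EAServer host to record the fingerprint of the exported file, then on the Web server host with that fingerprint as the second argument.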