Hi,

I do not really know what I am trying to explain, but anyway.

IBM has made a kind of minimal security approach to access an HMC using https, i.e. a self-signed cert.

IBM also documents how one can change this, i.e. generate a key pair, a CSR, get certified by "some" CA, then upload the key and cert. Example uses openssl on Windows :-) Who cares.

You need to have the cert chain as trusted in your browser, so far, purely technical.

Which "PKI" to select? The global web PKI, probably not, at least not necessary, the HMC is in some intranet, or so.

A company PKI (intranet). Yes, if it exists. The first thing IMO is to find out if there is a company PKI or at least a policy etc.

Tom went for the "minimal" solution, create a minimal dedicated "PKI":

Technically, take whatever vanilla PC, create a root, create a cert, take the server key and cert and the CA cert to a USB and then delete the content of the PC. Lifetime long enough so either the HMC or you can retire :-) Well, I'm provoking.

On Linux you could use "script" to have a log.

Upload the server cert/key to the HMC, and delete them.

Install the CA cert on any PC that needs access to the HMC.

This is what Tom has done, at least some parts.

Thus, there is only one certificate created by the CA.

All this documented, but maybe not necessarily using the IETF text as a template; it is very detailed, and if you understand it at once, I'll kill myself :-) or not.

Anyway, validate the procedure with the company CISO.

If the company has a "company" PKI, and is able to make server certs, well, do this.

One usual question: who is generating the server private key? IBM could have made an HMC function to generate it and create a CSR to download, btw.


Have fun

Peter

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN