Cisco Cisco Configuration Engine 3.5 Entwickleranleitung
5-19
Cisco Configuration Engine Software Development Kit API Reference and Programmer Guide 3.5
OL-17661-02
Chapter 5 Web Services: Admin, Config, Image, Exec, NSM
Web Services Model
Configuration Requirements (JSSE Sample Code)
When running the sample programs that create a secure socket connection between a client and a server,
you will need to make the appropriate certificates file (truststore) available. For both the client and the
server programs, you should use the certificates file samplecacerts from the samples directory. Using
this certificates file will allow the client to authenticate the server. The file contains all the common
Certification Authority certificates shipped with the J2SDK (in the cacerts file), plus a certificate for
duke needed by the client to authenticate duke when communicating with the sample server
ClassFileServer. (ClassFileServer uses a keystore containing the private key for duke which corresponds
to the public key in samplecacerts.)
you will need to make the appropriate certificates file (truststore) available. For both the client and the
server programs, you should use the certificates file samplecacerts from the samples directory. Using
this certificates file will allow the client to authenticate the server. The file contains all the common
Certification Authority certificates shipped with the J2SDK (in the cacerts file), plus a certificate for
duke needed by the client to authenticate duke when communicating with the sample server
ClassFileServer. (ClassFileServer uses a keystore containing the private key for duke which corresponds
to the public key in samplecacerts.)
To make the samplecacerts file available to both the client and the server, you can either copy it to the
file <java-home>/lib/security/jssecacerts, rename it cacerts and use it to replace the
<java-home>/lib/security/cacerts file, or add the following option to the command line when running
the java command for both the client and the server:
file <java-home>/lib/security/jssecacerts, rename it cacerts and use it to replace the
<java-home>/lib/security/cacerts file, or add the following option to the command line when running
the java command for both the client and the server:
-Djavax.net.ssl.trustStore=path_to_samplecacerts_file
If you use a browser, such as Netscape Navigator or Microsoft's Internet Explorer, to access the sample
SSL server provided in the ClassFileServer example, a dialog box might pop up with the message that it
does not recognize the certificate. This is normal because the certificate used with the sample programs
is self-signed and is for testing only. You can accept the certificate for the current session. After testing
the SSL server, you should exit the browser, which deletes the test certificate from the browser's
namespace.
SSL server provided in the ClassFileServer example, a dialog box might pop up with the message that it
does not recognize the certificate. This is normal because the certificate used with the sample programs
is self-signed and is for testing only. You can accept the certificate for the current session. After testing
the SSL server, you should exit the browser, which deletes the test certificate from the browser's
namespace.
Creating Simple Keystore and Truststore (Unix)
http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#CreateKeystore
Create a simple JKS keystore suitable for use with JSSE with a trusted certificate entry. All keystore
entries are accessed by means of unique, case-insensitive aliases.
entries are accessed by means of unique, case-insensitive aliases.
Keystore: ~/.keystore [this is the default]
Alias: config_engine
Password: *****
Certificate imported: ~/wd/auth/ce.base64.cer
Java Utility keytool
http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html#importCmd
Usage:
•
IMPORT a certificate (creates new alias w/ name given & keystore ~/.keystore):
keytool -import -alias config_engine -file ~/wd/auth/ce.base64.cer
(you will be prompted for a password: remember if creating a new keystore).
•
LIST certificates in keystore (identified by alias):
keytool -list [-alias config_engine]
•
CREATE a new keystore and self-signed certificate with corresponding public/private keys:
keytool -genkey -alias config_engine1 -keyalg RSA -validity 3650 -dname “CN=boniface,
OU=nmtg, O=cisco, L=san jose, S=ca, C=us”
OU=nmtg, O=cisco, L=san jose, S=ca, C=us”
•
EXPORT certificate in keystore (identified by alias) [rfc means base64 format]
keytool -export -alias config_engine1 -rfc -v -file config_engine1.base64.cer
•
DELETE alias