IBM Verify

  • 1.  ISAM Keystores and SSL

    Posted Sun October 11, 2020 07:45 AM
    I can see that there are multiple keystores in ISAM. Not sure though how they are used.
    In ivmgrd.conf (I don't know how to view this file in GUI), they reference a keystore named ivmgr.kdb. This keystore is used for what?
    In pd.conf (I don't know how to view this file in GUI), they reference a keystore named pd.kdb. This keystore is used for what?

    I also can find other keystores in Manage System Setting -> SSL Certificates.
    Here I can find:

    Fortunately they have a brief description of where they are used, but still not clear.
    • If I want to create a connection to a Federated Registry, which .kdb does LDAP use?
    • If I want to use an external LDAP server, with mutual certification, where should I add and configure the certificates?
    • If I want to connect a reverse proxy to a policy server or (policy servers) where should I place the certificates? (where should I add the certificates in the policy server, and similarly where should I add the certificates on the WebSeal)?
    • I understand the pdsrv is used for the WebSeal clients to connect to the embedded HTTP server, but I need to establish a secure connection between WebSeal and Policy Server too.

    If I want to configure FELB for customers to connect to ISAM, where should I add the certificates? Do I need to have SSL also between the FELB and the clustered Reverse Proxies? Since the IP virtual address can move between ISAM, I guess the FELB certificates must be on both ISAM.
    Similarly, if FELB connects to a clustered Reverse Proxy, the certificates of the members of the Reverse Proxy should also be replicated, but this is managed automatically when we configure the Reverse Proxy cluster!
    But if we want to use mutual authentication, where should I put the private and public keys of both FELB and Reverse Proxies?

    If I have several reverse proxies, can I have a keystore per reverse proxy?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------


  • 2.  RE: ISAM Keystores and SSL

    Posted Sun October 11, 2020 04:41 PM
    Joao,
     
    I've attempted to answer each of your questions in-line below (look for <SAE>....</SAE>):
     
    I can see that there are multiple keystores in ISAM. Not sure though how they are used.
    In ivmgrd.conf (I don't know how to view this file in GUI), they reference a keystore named ivmgr.kdb. This keystore is used for what?
    <SAE>This is an internal key store which you can safely ignore.  It is used for storing certificates which are used internally by ISAM.</SAE>
    In pd.conf (I don't know how to view this file in GUI), they reference a keystore named pd.kdb. This keystore is used for what?
    <SAE>This is an internal key store which you can safely ignore.  It is used for storing certificates which are used internally by ISAM.</SAE>

    I also can find other keystores in Manage System Setting -> SSL Certificates.
    Here I can find:

    Fortunately they have a brief description of where they are used, but still not clear.
    • If I want to create a connection to a Federated Registry, which .kdb does LDAP use?
      <SAE>You use the keyfile which you specify when enabling the 'SSL Settings' for Federated registries, i.e. on the Federated Directories screen select the 'SSL Settings' button and then choose a key file.</SAE>
    • If I want to use an external LDAP server, with mutual certification, where should I add and configure the certificates?
      <SAE>If this is the 'main' user registry you specify this when you configure the runtime. </SAE>
    • If I want to connect a reverse proxy to a policy server or (policy servers) where should I place the certificates? (where should I add the certificates in the policy server, and similarly where should I add the certificates on the WebSeal)?
      <SAE>You don't need to do anything here.  All communication between the policy server and WebSEAL will be protected.</SAE>
    • I understand the pdsrv is used for the WebSeal clients to connect to the embedded HTTP server, but I need to establish a secure connection between WebSeal and Policy Server too.
      <SAE>This is automatically done for you.  You don't need to do anything here.</SAE>

    If I want to configure FELB for customers to connect to ISAM, where should I add the certificates?
    <SAE>You add the certificate to the keyfile which you specified when configuring the FELB capability.</SAE>
    Do I need to have SSL also between the FELB and the clustered Reverse Proxies?
    <SAE>No.  It is entirely up to how you configure the system.</SAE>
    Since the IP virtual address can move between ISAM, I guess the FELB certificates must be on both ISAM.
    Similarly, if FELB connects to a clustered Reverse Proxy, the certificates of the members of the Reverse Proxy should also be replicated, but this is managed automatically when we configure the Reverse Proxy cluster!
    But if we want to use mutual authentication, where should I put the private and public keys of both FELB and Reverse Proxies?
    <SAE>If you want mutual authentication from the FELB to the Reverse Proxy you put the public and private key in the keyfile which is used by the FELB and then ensure that the signing certificate is put into the keyfile of the WRP.</SAE>

    If I have several reverse proxies, can I have a keystore per reverse proxy?
    <SAE>Yes.</SAE>
     
     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia
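
    The FELB-to-WRP mutual authentication layout Scott describes (FELB keyfile holds the FELB public and private key, WRP keyfile holds only the signing certificate) can be checked with throwaway OpenSSL material. This is an added example, not code from the thread or from the ISAM appliance; it assumes `openssl` is on PATH, and every name and file below is constructed for the demo.

```shell
#!/bin/sh
# Added example: model the FELB -> WRP mutual TLS trust relationship with
# throwaway certificates. Assumes openssl is installed; all names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The signing CA. Only its certificate (ca.crt) belongs in the WRP keyfile;
#    its private key never leaves the CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Demo Signing CA" -days 2 >/dev/null 2>&1

# 2. The FELB identity: a key pair plus a certificate signed by the CA.
#    Both felb.key and felb.crt belong in the FELB keyfile.
openssl req -newkey rsa:2048 -nodes -keyout felb.key -out felb.csr \
  -subj "/CN=felb.example.test" >/dev/null 2>&1
openssl x509 -req -in felb.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out felb.crt -days 2 >/dev/null 2>&1

# 3. An unrelated CA, standing in for a WRP keyfile that was never given
#    the FELB's signing certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
  -subj "/CN=Unrelated CA" -days 2 >/dev/null 2>&1

# Returns 0 when the given trust store (the WRP keyfile's signer certs)
# validates the FELB client certificate, i.e. the handshake could succeed.
wrp_trusts_felb() {
  openssl verify -CAfile "$1" felb.crt >/dev/null 2>&1
}

# Returns 0 when felb.crt and felb.key are a matching pair, which is what
# the FELB keyfile must contain for client authentication to work.
felb_key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in felb.crt | openssl md5)" = \
    "$(openssl pkey -pubout -in felb.key 2>/dev/null | openssl md5)" ]
}

# Stand-alone run: report the outcome of each check.
if wrp_trusts_felb ca.crt; then echo "WRP with signing cert: trusts FELB"; fi
if ! wrp_trusts_felb other.crt; then echo "WRP without signing cert: rejects FELB"; fi
if felb_key_matches_cert; then echo "FELB key and cert match"; fi
```

The same `openssl verify` check against an exported signer certificate is a quick way to confirm that the certificate you loaded into the WRP keyfile really is the one that signed the FELB's client certificate.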
     
     





  • 3.  RE: ISAM Keystores and SSL

    Posted Mon October 12, 2020 11:41 AM
    In the ldap.conf and ivmgr.conf files, you can specify both the keystore and stash file.
    But when I create a new SSL keystore, it does not prompt you for the password or the stash file!

    Why do you need then the stash file, since you cannot enter the password?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 4.  RE: ISAM Keystores and SSL

    Posted Mon October 12, 2020 04:09 PM
    Joao,
     
    You must be looking at the raw files instead of the files via the LMI.  We filter the files in the LMI to remove some of these automatic configuration entries.  The stash file is automatically used in the appliance.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia