Creating a Test Signing Certificate for Evaluating Security Proxy in OutsideViewWEB

Technical Note

To implement the security proxy in OutsideViewWEB, you need to register a digital signature and key pair with a certifying authority. It may take several weeks, however, to receive a registered signing certificate from a certifying authority. This technical note describes how to quickly generate a test signing certificate that can be used for evaluation purposes only.

Understanding Registered Digital Certificates

If you are evaluating security in OutsideViewWEB, you may want to use a registered digital certificate and key pair to sign the archive that you create in the Security Archive section of the Deployment Director. The digital certificate guarantees the identity of your company. When you deploy a signed certificate archive, you ensure a high level of security.

The digital signature and key pair that you generate should be registered with a certifying authority such as VeriSign or Thawte, a process that may take up to several weeks to complete. This time lag may be a hindrance if you are only evaluating (rather than implementing) OutsideViewWEB. With OutsideViewWEB, you can bypass the registration process and generate a test signing certificate by following the procedures below.

Warning: Signing certificates generated in this way should be used only for evaluating OutsideViewWEB; they should not be used for actual deployments of secure terminal sessions.
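The warning above can be enforced mechanically before an archive leaves the evaluation environment: a test certificate created as described in this note is self-signed, so its issuer and subject names are identical. The following Python check is an added example, not part of the original note or of OutsideViewWEB; it assumes a DER-encoded X.509 certificate file, and the function names and the constructed sample certificate are illustrative.

```python
import sys

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def tbs_fields(cert):
    """Raw top-level fields of tbsCertificate, without the optional version."""
    _, start, _ = read_tlv(cert, 0)         # outer Certificate SEQUENCE
    _, pos, end = read_tlv(cert, start)     # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(cert, pos)
        fields.append((tag, cert[pos:nxt]))
        pos = nxt
    return fields[1:] if fields and fields[0][0] == 0xA0 else fields

def is_self_issued(cert):
    """True when issuer == subject. The signature itself is not verified."""
    fields = tbs_fields(cert)               # serial, sigAlg, issuer, validity, subject, ...
    if len(fields) < 5:
        raise ValueError("not an X.509 certificate")
    return fields[2][1] == fields[4][1]

# --- constructed sample input (certificate-shaped DER, dummy key and signature) ---
def tlv(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body   # short-form lengths only (< 128 bytes)

def name(cn):                               # Name with a single CN attribute (OID 2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x13, cn.encode()))))

def sample_cert(issuer_cn, subject_cn):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), tlv(0x30),
              name(issuer_cn), tlv(0x30), name(subject_cn))
    return tlv(0x30, tbs, tlv(0x30), tlv(0x03, b"\x00"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert("TestCert", "TestCert")
    if is_self_issued(data):
        sys.exit("self-issued certificate: evaluation use only")
    print("issuer differs from subject")
```

Run with a certificate path as the only argument; a non-zero exit status marks a certificate that should not be used to sign a production archive.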

Installing OutsideViewWEB and the Proxy Server

This technical note assumes that you have already installed OutsideViewWEB on an administrative PC, and the OutsideViewWEB security proxy server on a UNIX, NT, Compaq NonStop or AS/400 server. See the Installation_Guide.html file on the OutsideViewWEB CD-ROM for installation instructions.

Instructions

The following sections describe how to create a self-signed digital certificate that will allow you to test secure OutsideViewWEB sessions. Follow the instructions in the sections below that correspond to the browsers and operating systems at your site.

Internet Explorer Version 4.0 or Higher on Windows 95, 98, or NT 4.0

These instructions are presented in two parts: "Creating the Test Signing Certificate" and "Using the Deployment Director to Create a Security Archive."

Part 1: Creating the Test Signing Certificate

  1. Download the Microsoft SDK for Java from the Microsoft web site:
  2. Open a DOS command prompt. Temporarily set the Path variable to include the location of the Microsoft SDK\Bin subdirectory.
    For example, if you installed the Microsoft SDK files to C:\Program Files\Microsoft SDK for Java 4.0, you would enter the following command:
    Path=C:\Program Files\Microsoft SDK for Java 4.0\Bin
    Note: Leave the command window open during the rest of this procedure. If you close the command window, the Path variable will return to the default setting.
  3. In the command window, create a C:\RWtest directory.
  4. In the command window, navigate to the C:\RWtest directory and run the following command (on a single line):
    makecert -sv key.pvk -n "CN=<TestCertificateName>,OU=<OrganizationalUnit>,O=<Organization>,C=<CountryCode>" -r cert.crt
    When creating a test certificate, you can assign any attribute values you choose; however, <CountryCode> must be a two-character value. For example:
    makecert -sv key.pvk -n "CN=TestCert,OU=myUnit,O=myOrg,C=US" -r cert.crt
    This command creates two files in the RWtest directory: key.pvk and cert.crt.
  5. When the Create Private Key Password dialog box appears, enter and confirm a password, and then click OK.
    Re-enter the password in the Enter Private Key Password dialog box. Note the password for use in Part 2 below.
  6. Convert the certificate into a Software Publisher Certificate (SPC) by entering the following command at the command prompt:
    cert2spc cert.crt cert.spc
  7. Close the command window.

Part 2: Using the Deployment Director to Create a Security Archive

  1. Open the Administrative WebStation on the administrative PC.
  2. On the left navigation bar, click Deployment Director, and then click Security Archive.
  3. In the Browser Selection window, select Internet Explorer for Windows, and then click Next.
  4. In the Third Party Tools window, specify the path to the Dubuild.exe file in the Microsoft SDK for Java directory. Typically, Dubuild.exe is found in the following location:
    C:\Program Files\Microsoft SDK for Java 4.0\Bin
    Click Next.
  5. In the Certificate Storage Files window, click Fetch Certificate from Server. Specify the IP address and port number for the OutsideViewWEB security proxy server and click OK. Once the certificate has been successfully added to the storage file, click Next.
  6. In the screen labeled "Security Archive for Internet Explorer for Windows," enter the Private key file (C:\RWtest\key.pvk) and Software publishing certificate (C:\RWtest\cert.spc) that you created in Part 1.
    If you are using OutsideViewWEB 1.x, clear the "Use time-stamp server to time-stamp archive" checkbox.
    Click Next.
  7. Double-check your selections in the Summary window, and then click Finish to create the security archive. When you are prompted for a Private Key Password, enter the password you specified in Part 1 above.
Note: For information on deploying sessions that utilize the test certificates you just set up, skip to the section at the bottom of this note, titled "Deploying Encrypted Sessions."

Netscape Navigator/Communicator Version 4.06 or Higher on Windows 95, 98, or NT 4.0

These instructions are presented in two parts: "Creating the Test Signing Certificate" and "Using the Deployment Director to Create a Security Archive."

Part 1: Creating the Test Signing Certificate

  1. Download and install the Netscape signing tool (SignTool.exe) from the following web site:
  2. Start Netscape Navigator/Communicator. Click the Security button on the toolbar and select Passwords.
    • If the button on the right is labeled "Set Password," then click the button and specify a password. Note the password for use later.
    • If the button is labeled "Change Password," then click Cancel. Note, however, that you will need to know your Netscape password for Part 2 below.
    Exit Netscape Navigator/Communicator.
  3. On the Start menu, point to Find, and then click Files or Folders. Find the Cert7.db and Key3.db files and note their location for use in Part 2 below. (These files are used by Netscape Navigator/Communicator to store your certificates and keys.)
  4. Open a command prompt and navigate to the directory where you installed the Signtool.exe file.
  5. At the command prompt, enter the following command (on a single line):
    signtool -d "<path to directory containing cert7.db and key3.db files>" -G "TestCert"
    For example:
    signtool -d "C:\Program Files\Netscape\Users\Default" -G "TestCert"
    The signing tool will prompt you for a common name, organization name, and other attributes. When creating a test certificate, you can specify any attribute values you choose; however, the country code must be a two-character value.
    When prompted for the password for the Communicator Certificate DB, enter the Communicator/Navigator password from step 2 above.
  6. The signing tool will create two certificate files (x509.raw and x509.cacert) in the directory containing Signtool.exe.
    When the signing tool has finished generating the certificate files, close the command window.

    Note: The x509.cacert certificate will be stored in the database of the Netscape Communicator/Navigator program on your test PC only. If you want to install the certificate on other machines so that other users can test secure OutsideViewWEB connections, you must perform two additional steps:

    A. Configure your web server to export the file as MIME-type application/x-x509-ca-cert. An administrator can use a configuration file or an administration tool to associate this MIME-type with the file extension .cacert. This is the default configuration for Netscape Enterprise Server 3.0. Consult your web server documentation for more details.

    B. Create a link to the x509.cacert file in a web page. For example, you can copy the certificate file to your web server, and then put the following link in a web page that is accessible to all users:

    <a href="x509.cacert">Click here to import the test certificate.</a>
    Users need to download the certificate only once to update their Netscape database.

Part 2: Using the Deployment Director to Create a Security Archive

  1. Open the Administrative WebStation on the administrative PC.
  2. On the left-hand navigation bar, click Deployment Director, and then click Security Archive.
  3. In the Browser Selection window, select Navigator/Communicator for Windows or UNIX, and then click Next.
  4. In the Third Party Tools window, specify the path to the Netscape Signing Tool (Signtool.exe). For example:
    C:\Netscape Signing Tool\
    Click Next.
  5. In the Certificate Storage Files window, click Fetch Certificate from Server. Specify the IP address and port number for the OutsideViewWEB security proxy server and click OK. Once the certificate has been successfully added to the storage file, click Next.
  6. In the Security Archive window, specify the path to the Netscape Key3.db and Cert7.db files. For example:
    C:\Program Files\Netscape\Users\Default
    Click the Select Nickname button and select TestCert from the drop-down list.
    Click Next.
  7. Double-check your selections in the Summary window, and then click Finish to create the security archive. When you are prompted for your Communicator password, enter the password you specified in Part 1 above.
Note: For information on deploying sessions that utilize the test certificates you just set up, skip to the section at the bottom of this note, titled "Deploying Encrypted Sessions."

Internet Explorer Version 4.0 or Higher for Macintosh

The Apple Macintosh Runtime for Java (MRJ) does not use certified digital certificates. Therefore, simply follow the steps below to create a security archive.

Note: To perform the following steps, you will need to have the Sun Java Development Kit (JDK) installed. You can download the Sun JDK from the following web site:

  1. In the Browser Selection window, select "Internet Explorer for the MacOS or HotJava browser 1.1 or any browser using the Java plug-in 1.1," and then click Next.
  2. In the Certificate Storage Files window, click Fetch Certificate from Server. Specify the IP address and port number for the OutsideViewWEB security proxy server and click OK. Once the certificate has been successfully added to the storage file, click Next.
  3. In the Security Archive window, select Create new signer. You will be prompted for an identity, common name, organization unit, and other attributes. When creating a test certificate, you can specify any attribute values you choose; however, the country code must be a two-character value.
    Click Next to continue.
  4. Double-check your selections in the Summary window, and then click Finish to create the security archive.

Deploying Encrypted Sessions

Once you have created the security archives, you can upload them to a web server and use them while evaluating OutsideViewWEB security.

Use the File Upload tool in the Deployment Director to copy the archives to the same location on the web server where you installed the terminal emulation component. For information about where to upload files on the server, click the Help button, and then click the link to Upload Destinations for OutsideViewWEB Files.

Note: The File Upload Tool uses FTP to upload the files. If your web server does not support FTP, you may alternatively be able to copy the files to your web server.

Once the security archives are uploaded to the web server, you can use the Terminal Session tool in the Deployment Director to create web pages that run secure sessions.

For information on creating secure terminal sessions or on uploading files to a web server, see the Tutorials page in the How To section of the Administrative WebStation.

©2007 Crystal Point, Inc. All Rights Reserved.