Certificate Management For Das_Proxy - Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 Reference Manual

das_query_0.*.log
das_binary_0.*.log
das_itrac_0.*.log
das_aggregation0.*.log
das_rt0.*.log
das_cmd0.*.log
das_proxy0.*.log
The 0 indicates the unique number to resolve conflicts and the * indicates a generation number to
distinguish rotated logs. For example,
rotated set of log files for the DAS Query process.
Log messages are also written to the process's console (standard output). However, since the
processes are running as services, users do not have access to the console output. It is possible,
however, to capture the console output in the
if the process is producing an error that is not printed to the process's own log file. This can be
enabled by adding the following line to the
esecurity.base.process.MonitorableProcess.level=FINEST

5.1.3 Certificate Management for DAS_Proxy

The DAS_Proxy SSL Server uses an asymmetric key pair, consisting of a certificate (or public key)
and a private key, to encrypt communications. When the Sentinel Communication Server is started
for the first time, it automatically creates a self-signed certificate which is used by the DAS_Proxy
SSL Server.
You can replace the self-signed certificate with a certificate signed by a major Certificate Authority
(CA), such as Verisign,
You can also replace the self-signed certificate with a certificate signed by a less common CA, such
as a CA within your company or organization.
This section describes several certificate management tasks that you can perform in Sentinel:
Replace the default certificate with a certificate signed by a Certificate Authority (CA)

 Change default keystore and keyEntry passwords. This is recommended on all Sentinel
systems.
 Change the location of the .proxyServerKeystore file
Change the default keyEntry alias to avoid potential conflicts with other keys in the keystore or

for simplicity
Replacing the default certificate with a CA-signed certificate
Novell provides a self-signed certificate for the DAS_Proxy SSL Server to use. To improve security,
you can replace the default, self-signed certificate that gets installed with a certificate signed by a
Certificate Authority (CA). The CA may be a major CA, such as Verisign,
www.thawte.com/), or
such as one that is within your organization.
54 Sentinel 6.1 Reference Guide
das_query0.0.log
sentinel0.*.log file
sentinel_log.prop
Thawte (http://www.thawte.com/), or
Entrust (http://www.entrust.com/), or it may be a less widely-known CA,
is the log with index 0 (latest) file in a
. This is useful, for example,
file:
Entrust (http://www.entrust.com/).
Thawte (http://