SSL Certificate Overview; SSL Server Certificate Management - IBM BladeCenter Management Module User Manual


Note: Changes to the SSL client configuration take effect immediately and do
not require a restart of the management module.

SSL certificate overview

You can use SSL with either a self-signed certificate or a certificate signed by a
third-party certificate authority. Using a self-signed certificate is the simplest method
for using SSL, but it does create a small security risk. The risk arises because the
SSL client has no way of validating the identity of the SSL server for the first
connection attempted between the client and server. It is possible that a third party
could impersonate the server and intercept data flowing between the management
module and the Web browser. If the self-signed certificate is imported into the
certificate store of the browser at the time of the initial connection between the
browser and the management module, all future communications will be secure for that
browser (assuming the initial connection was not compromised by an attack).

For more complete security, you can use a certificate signed by a certificate
authority. To obtain a signed certificate, use the SSL Certificate Management page
to generate a certificate signing request. You must then send the certificate signing
request to a certificate authority and make arrangements to procure a certificate.
When the certificate is received, import it into the management module
using the Import a Signed Certificate link; you can then enable SSL.

The function of the certificate authority is to verify the identity of the management
module. A certificate contains digital signatures for the certificate authority and the
management module. If a well-known certificate authority issues the certificate, or if
the certificate of the certificate authority has already been imported into the Web
browser, the browser will be able to validate the certificate and positively identify the
management-module Web server.

The management module requires one certificate for the secure Web server and one
for the secure LDAP client. In addition, the secure LDAP client requires one or more
trusted certificates. The secure LDAP client uses the trusted certificate to
positively identify the LDAP server. The trusted certificate is the certificate of the
certificate authority that signed the certificate of the LDAP server. If the LDAP
server uses self-signed certificates, the trusted certificate can be the certificate of
the LDAP server itself. Additional trusted certificates can be imported if more than
one LDAP server is used in your configuration.
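
The self-signed trust model described above can be sketched in Python. This is an added example, not part of the IBM manual: it shows why the first connection is unverifiable, and how comparing the certificate fingerprint against a value obtained over an already trusted path closes that gap before the certificate is imported. The host name `mm.example`, the `store` dictionary standing in for the browser certificate store, and the sample certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import ssl
from typing import Optional

# Constructed stand-ins for DER certificate bytes (not real certificates).
MM_CERT = b"constructed-der-bytes-management-module"
IMPOSTOR_CERT = b"constructed-der-bytes-impostor"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' as displayed by browsers and tools."""
    return fp.replace(":", "").replace(" ", "").lower()

def fetch_der(host: str, port: int = 443) -> bytes:
    """Live use only: fetch the presented certificate without validating it."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def check(store: dict, host: str, der: bytes,
          out_of_band: Optional[str] = None) -> str:
    """Decide whether a self-signed certificate presented by host is trusted.

    store maps host -> pinned fingerprint, playing the role of the
    browser certificate store into which the certificate was imported.
    """
    seen = fingerprint(der)
    pinned = store.get(host)
    if pinned is not None:
        # Later connections: compare with the imported certificate.
        return "match" if pinned == seen else "mismatch"
    if out_of_band is None:
        # First connection with nothing to compare against: identity unknown.
        return "unverified-first-use"
    if normalize(out_of_band) != seen:
        return "mismatch"
    store[host] = seen  # import (pin) only after the fingerprint checked out
    return "pinned"
```

Against a live server, pass `fetch_der(host)` as `der`; a `mismatch` on a host that was already pinned means the presented certificate is not the one that was imported.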

SSL server certificate management

The SSL server requires that a valid certificate and the corresponding private encryption
key are installed before SSL is enabled. There are two methods available for
generating the private key and required certificate: using a self-signed certificate
and using a certificate signed by a certificate authority. If you want to use a
self-signed certificate for the SSL server, see "Generating a self-signed certificate"
on page 45. If you want to use a certificate signed by a certificate authority for the SSL
server, see "Generating a certificate signing request" on page 46.
44
BladeCenter Management Module: User's Guide
