Previous Topic: Default Certificates for Linux and UNIXNext Topic: Modify or Repair an Installation

Post-Installation TasksHow to Introduce Your Own X.509 Certificates into the Install ImageCustomize X.509 Certificates Using cfcert.ini

Customize X.509 Certificates Using cfcert.ini

The cfcert.ini file controls the certificates installed by CA ITCM. The cfcert.ini file contains several sections that correspond to each application group in the installation. The default cfcert.ini file is as follows:

[CAF]
files=itrm_dsm_r11_root.der,basic_id.p12

[Configuration]
files=ccsm.p12

[Manager]
files=itrm_dsm_r11_cmdir_eng.p12

[Registration]
files=registration.p12

[USD.Agent]
files=itrm_dsm_r11_sd_catalog.p12

[USD.Manager]
files=itrm_dsm_r11_agent_mover.p12,itrm_dsm_r11_sd_catalog.p12




[Files]
itrm_dsm_r11_root.der=cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3
basic_id.p12=cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon
ccsm.p12=cacertutil import -i:ccsm.p12 -t:csm -ip:enc:IWhun2x3ys7y1FM8Byk2LMs56Rr8KmXQ
itrm_dsm_r11_cmdir_eng.p12=cacertutil import -i:itrm_dsm_r11_cmdir_eng.p12 -ip:enc:gYuzGzNcIYzWjHA6w542pW68E8FobJhv -t:dsm_cmdir_eng
itrm_dsm_r11_sd_catalog.p12=cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat
itrm_dsm_r11_agent_mover.p12=cacertutil import -i:itrm_dsm_r11_agent_mover.p12 -ip:enc:sytOQtZteLopAt1CX0jIJUJcpqBWrb7G7VegY7F7udogc1c5kLIylw -t:dsmagtmv
registration.p12=cacertutil import -i:registration.p12 -ip:enc:z5jLhmvfkaAF4DLMDp3TWuC7nG8yh3dfvmN668thfrU -t:dsm_csvr_reg
babld.p12=cacertutil import -i:babld.p12 -ip:enc:TrdWglmuNCdeOAfj2j3vMwywVbGnlIvX -t:babld_server
dsmpwchgent.p12=cacertutil import -i:dsmpwchgent.p12 -ip:enc:QWF8vknD5aZsU1j5RLzgt1NQgF5DcXj4v1vS4ewDzOA -t:ent_access
dsmpwchgdom.p12=cacertutil import -i:dsmpwchgdom.p12 -ip:enc:sqb9qO2SGjbYqzIvwM7HEbx0M6UJk8Dc82EvUoDeJmE -t:dom_access
dsmpwchgrep.p12=cacertutil import -i:dsmpwchgrep.p12 -ip:enc:x901eho57IZ19zg6g97rQetHjA1461na7nhBmJl7mcc -t:rep_access

[Tags]
dsmcommon=x509cert://DSM r11/CN=Generic Host Identity,O=Computer Associates,C=US
csm=x509cert://dsm r11/CN=Configuration and State Management,O=Computer Associates,C=US
dsm_cmdir_eng=x509cert://dsm r11/cn=dsm directory synchronisation,o=computer associates,c=us
dsmsdcat=x509cert://dsm r11/CN=DSM r11 Software Delivery Catalog,O=Computer Associates,C=US
dsmagtmv=x509cert://dsm r11/CN=DSM r11 Agent Mover,O=Computer Associates,C=US
dsm_csvr_reg=x509cert://dsm r11/CN=DSM Common Server Registration,O=Computer Associates,C=US
babld_server=x509cert://dsm r11/cn=babld server,o=computer associates,c=us
ent_access=x509cert://dsm r11/CN=Enterprise Access,O=Computer Associates,C=US
dom_access=x509cert://dsm r11/CN=Domain Access,O=Computer Associates,C=US
rep_access=x509cert://dsm r11/CN=Reporter Access,O=Computer Associates,C=US

Each section of the cfcert.ini file declares the certificates that are required to be installed by the associated installer. The installer reads the “files=” entry from its associated section in cfcert.ini and installs each certificate listed in turn by using the command located in the [Files] section of the cfcert.ini file.

For example, the common application framework (CAF) installer finds that it needs to install the certificates itrm_r11_dsm_root.der and basic_id.p12. In the [Files] section, the CAF installer finds the cacertutil commands associated to these certificates in the first two lines, and executes these commands.

The [Tags] section allows you to create new certificates that do not use the standard certificate URIs. When installing a DSM manager node the installation components will read this section and set up security profiles for the named URIs. The tags and URIs listed previously are the CA ITCM defaults and will be used if not present in the cfcert.ini file.

By convention, the file names listed in the “files=” entry in each section of cfcert.ini are the same as the names of the underlying certificate file. This allows for easier maintenance of the cfcert.ini initialization file.

To replace the default certificates with your own, change each individual section and the [Files] section to reflect the new certificate names and passwords.

Important! Ensure that the new certificates are imported using the correct tag names. The tags are specified by the -t: switch. For more information and a list of available certificates, see Installation of Application-Specific Certificates and Current Certificates.