1. Security Guide
  2. Secure Installation
  3. Using the ACSLS GUI
  4. SCI Certificate

SCI Certificate

This section describes SCI Certificate information for ACSLS. The SCI certificate is used in communication between SL4000 libraries and ACSLS using the SCI protocol which is layered on https protocol. This is not to be confused with GUI certificates which are used for communication between the ACSLS GUI and browsers. See ACSLS GUI Certificates for more information about GUI certificates. The following sub-sections describe various SCI certificate options a user has for ACSLS:

Auto-Generated SCI Certificate

When ACSLS is installed, an SCI certificate customized to the targeted ACSLS server is generated during ./install.sh phase. This SCI certificate has a 1024 bit key and is self-signed. This SCI generated certificate has a level of encryption and security sufficient for communications with SL4000. The SCI generated certificate is also valid for 1824 days. An SCI certificate is generated at install time regardless of whether SL4000 libraries will be connected to ACSLS. See "SCI Certificates Signed by a Third Party Signing Authority", below, for a higher level certificate security which are not self -signed.

If a customer wishes to re-generate a SCI self-signed certificate and have it automatically installed, simply re-run ./install.sh on the ACSLS server and respond y when asked to re-generate the certificates. You can also use this procedure to re-generate a SCI certificate if it expires.

Manually Generate an SCI Self-Signed Certificate

If you would like to manually generate a custom SCI Self-signed certificate use the following outline command example. This example will create a self-signed 1024 bit key certificate in a .pem format which can be used by ACSLS (gSOAP) in SL4000 library communications. Use a copy of the file openssl.cnf so as not to disrupt the auto-generated SCI certificate procedure. 

# Generate the gSOAP root CA certificate.......
echo "Generating the gSOAP root CA certificate......."
openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem -passout pass:$keyPassword -subj "$subjectName" -days $validDays >> $generateLogFile 2>&1
openssl x509 -req -in rootreq.pem -sha1 -extfile $keyPath/openssl.cnf -extensions v3_ca -signkey rootkey.pem -out cacert.pem -days $validDays -passin pass:$keyPassword >> $generateLogFile 2>&1
cat cacert.pem rootkey.pem > root.pem
 
# Create a certificate and signing request
echo "Generating the gSOAP server certificate......."
openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem  -passout pass:$keyPassword -subj "$subjectName" -days $validDays >> $generateLogFile 2>&1
 
# Sign the certificate with the root CA
echo "Signing the gSOAP server certificate......."
openssl x509 -req -in serverreq.pem -sha1 -extfile $keyPath/openssl.cnf -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out servercert.pem  \
        -days $validDays -passin pass:$keyPassword >> $generateLogFile 2>&1
 
# Bundle the CA certificate cacert with the certificate file
echo "Bundling the gSOAP server certificate......."
cat servercert.pem cacert.pem > servertmp.pem
mv -f servertmp.pem servercert.pem
 
# Bundle certificates with the private key file
cat serverkey.pem servercert.pem > $(ACS_HOME)/data/external/server.pem

Note:

The final product is a combined private key and server Certificate in a .pem file format located at: $(ACS_HOME)/data/external/server.pem.

SCI Certificates Signed by a Third Party Signing Authority

Each customer site must determine whether they need to provide certificate authentication by a third-party signing authority such as Verisign or Entrust.net. The procedure for generating such a signed digital certificate is described in the Oracle online document, Configuring Identity and Trust at:

http://docs.oracle.com/cd/E13222_01/wls/docs92/secmanage/identity_trust.html