Enabling Transport Layer Security encryption for InfoPrint Manager servers for AIX
To enable TLS encryption for InfoPrint Manager servers, follow these steps:
- Copy the provided sample configuration file, ipmssl.cfg, from the /usr/lpp/pd/cfg-samples/ssl/server directory to the /var/pddir/default_cell/ssl directory.
- If you are using a custom CA, copy the CA certificate file (public part) to the InfoPrint Manager server.
- Copy the server certificate and its private key to the InfoPrint Manager server. Store the private key in a secure location and make it readable only by the user that runs the InfoPrint Manager server.
- If you have a Certificate Revocation List (CRL), copy the CRL file to the InfoPrint Manager server.
- Edit the ipmssl.cfg file using a text editor. These keywords must be configured: EnableTLS, CertFile, KeyFile. If the server certificate and its private key are combined in one file, configure only the CertFile keyword and leave KeyFile commented out. If the certificate and key files are in the same directory as the configuration file, the full path is optional; otherwise, specify the full path. Uncomment and change the value of the following keywords (where applicable):
  - Uncomment and set EnableTLS to 1.
  - Uncomment the CertFile keyword and specify the filename of the server certificate file.
  - Uncomment the KeyFile keyword and specify the filename of the server private key file.
  - Optional: uncomment the CAFile keyword and specify the filename of the CA certificate if you are using a custom CA.
  - Optional: uncomment the CrlFile keyword and specify the filename of the CRL if you have one available.
  - Optional: uncomment and set MutualAuthenticationRequired to 1 if you plan to use mutual authentication.
The last two optional keywords are usually needed only when errors occur during the TLS handshake.
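Before turning to those two keywords, here is an added pre-flight check for the configuration produced by the steps above. It is example code written for this page, not part of InfoPrint Manager. The page names the keywords but not the line format, so the parser assumes one "Keyword value" (or "Keyword = value") per line with "#" marking a commented-out line; the demo() harness, its placeholder PEM files and the temporary directory standing in for /var/pddir/default_cell/ssl are all constructed.

```python
"""Pre-flight check for an ipmssl.cfg TLS configuration (added example, not product code)."""
import os
import tempfile
from pathlib import Path


def parse_ipmssl_cfg(text):
    """Assumed syntax: 'Keyword value' or 'Keyword = value'; '#' lines are commented out."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        settings[key.strip()] = value.strip()
    return settings


def resolve_cfg_path(filename, cfg_dir):
    # A bare filename is looked up next to the configuration file; full paths are used as given.
    p = Path(filename)
    return p if p.is_absolute() else Path(cfg_dir) / p


def check_ipmssl_config(cfg_text, cfg_dir, server_uid):
    """Return a list of problems; an empty list means the configuration passes."""
    problems = []
    s = parse_ipmssl_cfg(cfg_text)

    if s.get("EnableTLS") != "1":
        problems.append("EnableTLS must be uncommented and set to 1")

    cert = s.get("CertFile")
    if not cert:
        problems.append("CertFile must be uncommented and set")
        return problems
    cert_path = resolve_cfg_path(cert, cfg_dir)
    if not cert_path.is_file():
        problems.append(f"CertFile not found: {cert_path}")
        return problems

    key = s.get("KeyFile")
    if key:
        key_path = resolve_cfg_path(key, cfg_dir)
        if not key_path.is_file():
            problems.append(f"KeyFile not found: {key_path}")
            return problems
    else:
        # KeyFile commented out: the private key must then live inside CertFile.
        if "PRIVATE KEY" not in cert_path.read_text():
            problems.append("KeyFile is commented out but CertFile holds no private key")
            return problems
        key_path = cert_path

    # The key must be readable only by the user running the InfoPrint Manager server.
    st = key_path.stat()
    if st.st_mode & 0o077:
        problems.append(f"{key_path.name} is readable by group/other (mode {oct(st.st_mode & 0o777)})")
    if st.st_uid != server_uid:
        problems.append(f"{key_path.name} is not owned by the server user (uid {server_uid})")

    for kw in ("CAFile", "CrlFile"):
        if kw in s and not resolve_cfg_path(s[kw], cfg_dir).is_file():
            problems.append(f"{kw} not found: {resolve_cfg_path(s[kw], cfg_dir)}")
    return problems


# Constructed configurations (hypothetical file names).
GOOD_CFG = "# ipmssl.cfg (constructed)\nEnableTLS 1\nCertFile server.crt\nKeyFile server.key\nCAFile custom-ca.crt\n"
BAD_CFG = "# ipmssl.cfg (constructed)\n#EnableTLS 1\nCertFile server.crt\nKeyFile server.key\n"
COMBINED_CFG = "EnableTLS = 1\nCertFile = server.pem\n# KeyFile = server.key\n"

# Placeholder PEM bodies (constructed, not real keys or certificates).
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"


def demo():
    """Run the check over three constructed layouts; the current user plays the server user."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:  # stands in for /var/pddir/default_cell/ssl
        for name, body, mode in (("server.crt", CERT_PEM, 0o644), ("server.key", KEY_PEM, 0o600),
                                 ("custom-ca.crt", CERT_PEM, 0o644), ("server.pem", CERT_PEM + KEY_PEM, 0o600)):
            p = Path(d) / name
            p.write_text(body)
            p.chmod(mode)
        good = check_ipmssl_config(GOOD_CFG, d, uid)
        combined = check_ipmssl_config(COMBINED_CFG, d, uid)
        (Path(d) / "server.key").chmod(0o644)  # the mistake the page warns about
        bad = check_ipmssl_config(BAD_CFG, d, uid)
    return {"good": good, "combined": combined, "bad": bad}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, "OK" if not found else found)
```

Run it as the user that will run the InfoPrint Manager server so that the ownership check compares against the right uid; the permission test fails on any key that group or other can read, which is the condition step 3 asks you to rule out.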
CertValidationIgnoreHostName can help if the client host name obtained from DNS differs from the name in the certificate the client presents during the TLS handshake (the Subject field and the X509v3 Subject Alternative Name (SAN) field). Setting this keyword to 1 disables host name validation. Because that check is what ties the presented certificate to the connecting peer, leave it enabled unless you have a specific mismatch that you cannot correct in the certificate itself. This table shows how validation is performed when the certificate Subject or SAN contains a wildcard:

Host name                  | Certificate Subject or certificate Subject Alternative Name | Validation
host.example.com           | host.example.com                                            | OK
host.example.com           | *.example.com                                               | OK
host.subdomain.example.com | *.subdomain.example.com                                     | OK
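The matching the table describes, and the effect of CertValidationIgnoreHostName, as an added example written for this page rather than InfoPrint Manager code. Beyond the table's three rows it applies the conventional wildcard rule (a "*" is honoured only as the whole leftmost label, covers exactly one label, and never the whole top-level domain), and it checks both the Subject CN and the SAN names; both of those are assumptions about the product's behaviour, and the function names are mine.

```python
"""Host name validation against certificate names (added example, not product code)."""


def match_name(hostname, pattern):
    """Match one Subject CN or SAN DNS name, case-insensitively, with one-label wildcards."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    # Assumed rule (common practice, not stated on the page): the wildcard must be the
    # entire leftmost label, and it matches exactly one label.
    if not pat.startswith("*.") or "*" in pat[2:]:
        return False
    suffix = pat[2:]
    if "." not in suffix:
        return False  # "*.com" would cover every host in the TLD; reject it
    head, dot, rest = host.partition(".")
    return bool(head) and dot == "." and rest == suffix


def validate_peer_name(hostname, subject_cn, san_dns_names=(), ignore_host_name=False):
    """Return (accepted, reason). ignore_host_name mirrors CertValidationIgnoreHostName=1."""
    if ignore_host_name:
        # The name check is skipped entirely: any validly signed certificate is accepted
        # for this peer, which is why the keyword is a troubleshooting aid, not a default.
        return True, "host name check skipped (CertValidationIgnoreHostName=1)"
    # Assumption: both the Subject CN and every SAN DNS name are acceptable candidates.
    candidates = [subject_cn] + list(san_dns_names)
    for name in candidates:
        if match_name(hostname, name):
            return True, f"{hostname} matches {name}"
    return False, f"{hostname} matches none of {candidates}"


# The three rows of the page's table; each is expected to validate.
TABLE = [
    ("host.example.com", "host.example.com"),
    ("host.example.com", "*.example.com"),
    ("host.subdomain.example.com", "*.subdomain.example.com"),
]


def run_table():
    """Validate every table row, returning one boolean per row."""
    return [validate_peer_name(host, name)[0] for host, name in TABLE]


if __name__ == "__main__":
    for (host, name), ok in zip(TABLE, run_table()):
        print(f"{host:28} {name:28} {'OK' if ok else 'FAIL'}")
    print(validate_peer_name("host.subdomain.example.com", "*.example.com"))
    print(validate_peer_name("other.example.com", "host.example.com", ignore_host_name=True))
```

The last two calls show the cases the table leaves out: a one-level wildcard does not reach a host one label deeper, and with the keyword set to 1 a certificate issued for a different name is accepted, so the mismatch should be fixed in the certificate (for example by adding the DNS name as a SAN) rather than left permanently disabled.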
- Uncomment and set