Enabling Transport Layer Security encryption for InfoPrint Manager servers for AIX

To enable TLS encryption for InfoPrint Manager servers, follow these steps:

  1. Copy the provided sample configuration file, ipmssl.cfg, from the /usr/lpp/pd/cfg-samples/ssl/server directory to the /var/pddir/default_cell/ssl directory.
  2. If you are using a custom CA, copy the CA certificate file (public part) to the InfoPrint Manager server.
  3. Copy the server certificate and key to the InfoPrint Manager server. Make sure that the certificate key is stored in a secure location and is readable only by the user that runs the InfoPrint Manager server.
  4. If you have a Certificate Revocation List (CRL), copy the CRL file to the InfoPrint Manager server.
  5. Edit the ipmssl.cfg file using a text editor. These keywords must be configured: EnableTLS, CertFile, KeyFile. If the server certificate key and the server certificate are combined in one file, only the CertFile keyword must be configured and KeyFile must be left commented out. If the certificate files and keys are in the same directory as the configuration file, the full path is optional; otherwise, the full path must be specified.

    Uncomment and change the values of the following keywords (where applicable):

    1. Uncomment and set EnableTLS to 1.
    2. Uncomment the CertFile keyword and specify the file name of the server certificate file.
    3. Uncomment the KeyFile keyword and specify the file name of the server certificate key.
    4. Optional: uncomment the CAFile keyword and specify the file name of the CA certificate if you are using a custom CA.
    5. Optional: uncomment the CrlFile keyword and specify the file name of the CRL file if you have one available.
    6. Optional: uncomment and set MutualAuthenticationRequired to 1 if you are planning to use mutual authentication.

      The last two optional keywords are usually used if errors occur during the TLS handshake:

      • CertValidationIgnoreHostName can help if the client host name obtained from DNS differs from the value set in the certificate presented by the client during the TLS handshake (the Subject field or the X509v3 Subject Alternative Name (SAN) field). Setting this keyword to 1 disables host name validation entirely, so the client certificate is no longer tied to the host that presents it.

        This table shows how validation is performed when the certificate Subject or SAN contains a wildcard:

        Host name                     Certificate Subject or certificate Subject Alternative Name   Validation
        host.example.com              host.example.com                                              OK
        host.example.com              *.example.com                                                 OK
        host.subdomain.example.com    *.subdomain.example.com                                       OK
        host.example.com              host.another-example.com                                      FAIL
        host.subdomain.example.com    host.another-subdomain.example.com                            FAIL
        host.example.com              host*.example.com                                             FAIL
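        The following is an added example, not InfoPrint Manager code, that implements the matching rules the table describes so that each row can be checked mechanically; the function names are invented, and the assumption that a wildcard stands for exactly one label (so *.example.com does not cover host.subdomain.example.com) goes slightly beyond the table.

```python
"""Host name validation rules as described by the table above.

Constructed example: not part of InfoPrint Manager. Rules implemented:
  - comparison is case-insensitive and label by label;
  - a wildcard is accepted only as the entire left-most label;
  - a wildcard stands for exactly one label (assumption);
  - partial wildcards such as "host*" are rejected.
"""


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def host_name_matches(host_name: str, cert_name: str) -> bool:
    """Return True if cert_name (Subject CN or one SAN entry) covers host_name."""
    host_labels = _labels(host_name)
    cert_labels = _labels(cert_name)
    # A wildcard replaces one label, so the label counts must agree.
    if len(host_labels) != len(cert_labels):
        return False
    for i, label in enumerate(cert_labels):
        # Only a bare "*" in the left-most position is a valid wildcard;
        # "host*" or "*" in any other position fails the check.
        if "*" in label and not (i == 0 and label == "*"):
            return False
    return all(c == "*" or h == c for h, c in zip(host_labels, cert_labels))


def validate_client_host(host_name: str, subject_cn: str,
                         san_names=(), ignore_host_name: bool = False) -> bool:
    """Check host_name against the Subject CN and every SAN entry.

    ignore_host_name mirrors CertValidationIgnoreHostName=1: the check is
    skipped entirely, which is why that setting should be a last resort.
    """
    if ignore_host_name:
        return True
    return any(host_name_matches(host_name, n) for n in (subject_cn, *san_names))


if __name__ == "__main__":
    # Constructed inputs reproducing the rows of the table.
    for host, name in [("host.example.com", "*.example.com"),
                       ("host.example.com", "host*.example.com")]:
        print(host, name, "OK" if host_name_matches(host, name) else "FAIL")
```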