Makes an SGD server secure.
tarantella security enable
tarantella security enable --certfile cfile [ --keyfile kfile ] [ --rootfile carootfile ] [ --firewalltraversal on|off ]
Use this command to secure an SGD server.
The following limitations apply for this command:
New installations only. The SGD installation must be a fresh installation using standard connections. There must have been no attempt to configure SGD secure connections.
Standalone servers only. The SGD server must not be joined with other SGD servers in an array. If the SGD server is a member of an array, detach the SGD server from the array before using this command.
Use the --certfile option to specify a server SSL certificate to install. Certificates must be Base 64-encoded PEM-format, with a header line including "BEGIN CERTIFICATE", as used by OpenSSL.
If you omit the --certfile option, this command generates and installs a self-signed server SSL certificate. Only use self-signed server SSL certificates for test purposes.
If you use the --certfile option and the --keyfile option together, SGD creates symbolic links to the specified SSL certificate and key files.
Use the --rootfile option to install the CA certificate if the SSL certificate is signed by an unsupported CA. This option also imports the CA certificate into the CA certificate truststore for the SGD server. This is the /opt/tarantella/bin/jre/lib/security/cacerts file.
Use the --firewalltraversal option to enable or disable the SGD server for firewall traversal.
SGD servers configured for firewall traversal cannot be used with the SGD Gateway.
The tarantella security enable command is used when you install SGD in secure mode. This is the default installation mode.
If you have attempted to configure security previously, the tarantella security enable command has no effect. The command exits with an error message, indicating that security settings have been modified previously.
Ensure that the SGD server is running before you use this command. You can use the tarantella status command to show the current status of an SGD server.
The following table shows the available options for this command.
| Option | Description |
|---|---|
| --certfile | Specifies the location of a file containing the SSL certificate. You must specify the full path to the SSL certificate file. The path must be readable by the |
| --keyfile | Specifies the location of a file containing the private key for the SSL certificate specified by Use this option to tell SGD about a private key you have already. If you used the Section D.86, “tarantella security certrequest” command to generate a CSR and obtain an SSL certificate, you do not need to use this option. You must specify the full path to the key file. The path must be readable by the |
| --rootfile | Specifies the location of a file containing the CA's root certificate. Details are copied to You must specify the full path to the CA root certificate file. The path must be readable by the |
| --firewalltraversal | Configures the SGD server for firewall traversal. If you do not specify this option, firewall traversal is enabled by default. |
If you use this command to secure an SGD server, the tarantella security disable command can be used to restore the security settings to their previous state.
See Section 1.5.3, “Enabling Secure Connections (Automatic Configuration)” for more details about how to secure an SGD server using this command.
The following example secures the SGD server, installs the specified SSL certificate, and uses the private key generated when the Section D.86, “tarantella security certrequest” command was used to generate a CSR:
# tarantella security enable --certfile /opt/certs/cert
The following example secures the SGD server, and installs the specified SSL certificate and private key. A CA root certificate is also installed. The Section D.86, “tarantella security certrequest” command was not used to generate a CSR.
# tarantella security enable --certfile /opt/certs/cert --keyfile /opt/keys/key --rootfile /tmp/rootcert
The following example secures the SGD server and installs a self-signed SSL certificate. Firewall traversal is not enabled for the SGD server.
# tarantella security enable --firewalltraversal off
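The file requirements described above (a full path, a PEM file with a "BEGIN CERTIFICATE" header line, and a private key that belongs to the certificate) can be checked before the command is run. The script below is an added example, not part of SGD or its documentation; the function names are hypothetical, the key comparison assumes the openssl command-line tool is installed, and readability is tested for the invoking user.

```shell
#!/bin/sh
# Added example: pre-flight checks for files passed to
# "tarantella security enable". All function names are hypothetical.

# check_pem_cert FILE: full path, readable, and a PEM header line
# that includes "BEGIN CERTIFICATE".
check_pem_cert() {
    case "$1" in
        /*) ;;
        *) echo "not a full path: $1" >&2; return 1 ;;
    esac
    # Assumption: readability is tested for the user running this script,
    # so run it as the account that has to read the file.
    [ -f "$1" ] && [ -r "$1" ] || { echo "not readable: $1" >&2; return 2; }
    grep -q -e '^-----BEGIN CERTIFICATE-----' "$1" ||
        { echo "no PEM certificate header (DER or other format?): $1" >&2; return 3; }
    return 0
}

# check_key_matches CERT KEY: compare the public key inside the certificate
# with the public key derived from the private key (needs openssl).
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 4
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 5
    return 0
}

# preflight CERT [KEY [ROOT]]: run every applicable check and stop at the
# first failure. Return codes: 1 path, 2 unreadable, 3 not PEM,
# 4 openssl could not parse a file, 5 key does not belong to certificate.
preflight() {
    check_pem_cert "$1" || return $?
    if [ -n "${2:-}" ]; then
        case "$2" in /*) ;; *) echo "not a full path: $2" >&2; return 1 ;; esac
        check_key_matches "$1" "$2" || { rc=$?; echo "key check failed" >&2; return $rc; }
    fi
    if [ -n "${3:-}" ]; then check_pem_cert "$3" || return $?; fi
    return 0
}

# Usage, with the paths from the second example above:
#   preflight /opt/certs/cert /opt/keys/key /tmp/rootcert
```

A return value of 0 means the files meet the stated requirements; it does not check whether the certificate's issuing CA is one that SGD supports.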