Technical data
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
serial = serial.txt
default_days = 365
default_crl_days = 30
default_md = sha1
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
copy_extensions = copy
new_certs_dir = C:/OpenSSL-Win32/bin
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ verisign_SERVER ]
basicConstraints = critical, CA:false
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
nsCertType = client, server
subjectAltName = @alt_names_SERVER
The IP addresses for the SAN field are the IP addresses that the OSM client uses to communicate
with the OSM server on the NSK server, plus any additional IP addresses available to
the OSM Event Viewer. For example, the OSM Service Connection may use any of the IP
addresses available on the default TCP/IP processes $ZTCP0 and $ZTCP1, and also the IP addresses
of the user-defined processes $ZTC0, $ZTC1, $ZTC4, etc. that are entered in OSMCONF as stack = entries.
All of these addresses determine the entries needed in the SAN field.
Any IP address available for OSM server or OSM Event Viewer use that is not listed in
the SAN field of a customer-supplied SSL certificate will cause security warning dialogs in
the OSM Service Connection or OSM Event Viewer clients. The warnings vary depending
on the specific client type and the specific LAN used by the client workstation. The certificate
SAN field, subjectAltName, must include both the numerical IP addresses and any
corresponding DNS names to be used for OSM Service Connection sessions or Event Viewer
sessions. Note in the sample config.txt file that DNS names use a different syntax
(DNS.1, DNS.2, etc.) than IP addresses (IP.1, IP.2, etc.).
The OSM Service Connection uses background NSK IP addresses for fault tolerance, not just
the IP address or DNS name visible in the original URL for the web browser session. All IP
addresses for $ZTCP0 and $ZTCP1, as well as those allowed by stack entries in the
OSMCONF file, are tried in the background of the user session. On the Service LAN, the
OSM Service Connection uses connections on both the $ZTCP0 and $ZTCP1 TCP/IP stacks,
even though only one IP address is included in the original URL address of the web browser
session. When using other LANs, the $ZTCP0 and $ZTCP1 IP addresses will probably be
inaccessible, but multiple other IP addresses allowed by OSMCONF stack parameter entries
may be accessible. The certificate SAN field, subjectAltName, must include the totality of
all IP addresses which could be used on any LAN, because only one SSL certificate is available
for the different LANs which will be used for the OSM Service Connection.
The OSM Event Viewer uses only the IP address specified in the original URL of the web
browser session. It uses the same SSL certificate as the OSM Service Connection.
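As an added example (not part of the manual), the script below renders the alt_names_SERVER section referenced by subjectAltName from lists of required addresses, and then checks the SAN printed by `openssl x509 -noout -ext subjectAltName` for an issued certificate against those same lists, so that an address missing from the SAN is found before users see the security warning dialogs. The IP addresses, host names and the sample openssl output are constructed values, not taken from any real system.

```python
import ipaddress
import re

# Constructed sample inputs: the addresses an OSM client may reach, i.e. the
# $ZTCP0/$ZTCP1 addresses plus the OSMCONF stack entries, and their DNS names.
REQUIRED_IPS = ["192.168.36.1", "192.168.36.2", "10.1.2.3", "10.1.2.4"]
REQUIRED_DNS = ["nsk01.example.com", "nsk01-svc.example.com"]

# Constructed sample of what `openssl x509 -noout -ext subjectAltName` prints
# for a certificate whose SAN was built from an incomplete address list.
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    IP Address:192.168.36.1, IP Address:192.168.36.2, DNS:nsk01.example.com
"""


def alt_names_section(ips, dns_names, name="alt_names_SERVER"):
    """Render the OpenSSL alt_names section using the IP.n / DNS.n syntax."""
    lines = [f"[ {name} ]"]
    for i, ip in enumerate(ips, 1):
        ipaddress.ip_address(ip)  # reject malformed addresses before they reach the CA
        lines.append(f"IP.{i} = {ip}")
    for i, host in enumerate(dns_names, 1):
        lines.append(f"DNS.{i} = {host}")
    return "\n".join(lines)


# Matches the "IP Address:x.x.x.x" and "DNS:name" tokens of the openssl SAN line.
SAN_RE = re.compile(r"(IP Address|DNS):([^,\s]+)")


def parse_san(openssl_text):
    """Return (ip_set, dns_set) parsed from the openssl subjectAltName output."""
    ips, dns = set(), set()
    for kind, value in SAN_RE.findall(openssl_text):
        (ips if kind == "IP Address" else dns).add(value)
    return ips, dns


def missing_san_entries(openssl_text, required_ips, required_dns):
    """List required IPs and DNS names absent from the certificate's SAN."""
    ips, dns = parse_san(openssl_text)
    return sorted(set(required_ips) - ips), sorted(set(required_dns) - dns)


if __name__ == "__main__":
    print(alt_names_section(REQUIRED_IPS, REQUIRED_DNS))
    print("missing:", missing_san_entries(SAMPLE_SAN_TEXT, REQUIRED_IPS, REQUIRED_DNS))
```

Paste the rendered section below the [ verisign_SERVER ] section of config.txt; any address the check reports as missing is one for which clients on that LAN would see a certificate warning.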
24 OSM Server-Based Components