Technical data
The v3_req_ext_SERVER section in the config.txt file specifies the Subject Alternative
Name (SAN) to be added when a certificate is issued.
6. Convert the key to PKCS#8 DER format.
openssl pkcs8 -topk8 -outform DER -in server.key.pem -out server.key
7. Sign the new CSR with the CA key.
openssl ca -days 365 -policy policy_anything -keyfile ca.key.pem -cert ca.cer.pem -in server.csr -out server.cer.pem -config config.txt -extensions verisign_SERVER
The verisign_SERVER section in the config.txt file contains the contents of multi-valued
extensions to be added when a certificate is issued.
Before issuing this command, check that a subjectAltName entry appears in the section
specified by the -extensions flag of this command. In the example configuration file config.txt,
the verisign_SERVER section includes a subjectAltName reference which in turn includes
the alt_names_SERVER section with the desired IP addresses and DNS names.
If the Subject Alternative Names extensions are not included when signing the CSR, the SAN
entries will generally be dropped from the signed certificate. This omission will cause warnings
when you later use the OSM Service Connection.
If you engage an external Certificate Authority to sign the CSR, consult with the vendor or
vendor’s documentation to make certain that the desired Subject Alternative Names are
included in the signed certificate.
8. Convert the signed certificate to DER format.
openssl x509 -inform PEM -outform DER -in server.cer.pem -out server.cer
9. FTP the files to the NonStop server. Be sure to select binary transfer mode.
cd $SYSTEM.OSMCERTS
put server.cer OSMCERTS.SERVCERT
put server.key OSMCERTS.SERVKEY
put ca.cer OSMCERTS.CACERT
10. Using TACL, add these lines to OSMCONF:
UseSSL = On
SERVCERT = $SYSTEM.OSMCERTS.SERVCERT
CACERTS = $SYSTEM.OSMCERTS.CACERT
SERVKEY = $SYSTEM.OSMCERTS.SERVKEY
SERVKEYPASS = password
11. Restart the OSM CIMOM ($ZCMOM) and Event Viewer ($ZOEV) processes in SCF.
12. On the PC, import ca.cer into the IE list of Trusted Root Certification Authorities.
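One way to confirm, before the files are transferred in step 9, that the signed certificate kept its Subject Alternative Names. This is an added example, not part of the original procedure: the function names, the host name osm.example.com and the address 192.0.2.10 are assumptions, and the constructed demo certificates are signed with openssl x509 -req instead of openssl ca so that no CA database is needed.

```shell
#!/bin/sh
# Added example (not from the manual): confirm that a signed certificate
# still carries the Subject Alternative Names the OSM server needs.

# san_list CERT_PEM: print one SAN per line, in openssl's text form,
# e.g. "DNS:osm.example.com" or "IP Address:192.0.2.10".
san_list() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# missing_sans CERT_PEM ENTRY...: print every expected entry that is absent.
# Exit status is 0 only when all entries are present.
missing_sans() {
    cert=$1; shift
    have=$(san_list "$cert")
    rc=0
    for want in "$@"; do
        printf '%s\n' "$have" | grep -Fxq -- "$want" ||
            { printf '%s\n' "$want"; rc=1; }
    done
    return "$rc"
}

# make_demo_certs DIR: constructed test data. Signs one CSR twice with a
# throwaway CA, once without and once with an -extensions section.
# "openssl x509 -req" stands in for the manual's "openssl ca" so that no
# CA database is needed; host name and address are made up.
make_demo_certs() {
    d=$1
    printf '%s\n' '[ext_SERVER]' 'subjectAltName = @alt_names_SERVER' \
        '[alt_names_SERVER]' 'DNS.1 = osm.example.com' 'IP.1 = 192.0.2.10' \
        > "$d/ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Demo CA' -days 1 \
        -keyout "$d/ca.key.pem" -out "$d/ca.cer.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=osm.example.com' \
        -keyout "$d/server.key.pem" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.cer.pem" \
        -CAkey "$d/ca.key.pem" -CAcreateserial -days 1 \
        -out "$d/no_san.pem" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.cer.pem" \
        -CAkey "$d/ca.key.pem" -CAcreateserial -days 1 \
        -extfile "$d/ext.cnf" -extensions ext_SERVER \
        -out "$d/with_san.pem" 2>/dev/null
}
```

Against the real certificate, call missing_sans with server.cer.pem and the entries listed in alt_names_SERVER, written in the same text form as above; any line it prints is a SAN that was dropped during signing.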
Configuring Event Viewer Security Timeout
With OSM version T0682 H02 ABP and later, the OSM Event Viewer has a new security feature
whereby an event viewer session left idle for more than 20 minutes expires, requiring you to log
on again before you can access that session. After being idle for 24 hours, that event viewer
session is deleted, meaning that session cannot be accessed again. Idle refers to the period of
time since the user's last clickable action in either the OSM Event Viewer main window or the EMS
Events Returned window. Both the 20-minute and 24-hour default values are configurable and can
be changed by inserting the following parameters into your OSMCONF file.
EvtMgr_Session_Expiration_Time = nn
nn is the number in minutes before an idle event viewer session expires and requires logon to
access that session again. The minimum possible value is 1 minute. It can be set to any value,
such as 1440 for one day or 524160 for one year (the upper limit being the maximum value
that a 32-bit field can take: 2^32); however, it must be set to a lower value than the
EvtMgr_Session_Deletion_Time parameter, or the idle session will be deleted without
an opportunity to log on again.
EvtMgr_Session_Deletion_Time = nn