Using NIM to install clients configured with SSL authentication

NIM can be used to install machines in an RS/6000® environment configured for SSL authentication.

Clients configured for SSL authentication must use the NIM Service Handler (NIMSH) for handling NIM master push operations. For more information about NIMSH, see Using the NIM service handler for client communication.

You can install and configure the OpenSSL cryptographic software using the NIM command options. Scripts are provided for configuring OpenSSL in the NIM environment, and you can use these without any modifications. The scripts are installed as part of the bos.sysmgt.nim.client fileset and located in the /usr/samples/nim/ssl directory. The scripts are used to define SSL keys and certificates for NIM SSL usage.

Because a NIM master can serve a large environment, NIM imposes a fixed hierarchy on where SSL certificates and keys are stored. During NIM SSL setup, the following directory structure is created:
/ssl_nimsh
SSL parent directory for NIM
/ssl_nimsh/configs
Contains scripts used to configure SSL in NIM
/ssl_nimsh/certs
Contains SSL certificates used during host authentication
/ssl_nimsh/keys
Contains SSL keys used during SSL protocol communication
The NIM SSL directory structure is considered static and you should not modify it. To change SSL certificate options, you can modify the following configuration scripts:
SSL_root.cnf
Generates the Certificate Authority (CA) key used to sign the NIM certificates
SSL_server.cnf
Generates the NIM master's certificate for distributing to clients
SSL_client.cnf
Generates the NIM master's local certificate, which the master presents when it authenticates itself to clients during push operations
Note: You should configure NIM SSL using default settings prior to modifying the configuration scripts. To verify changes, a certificate viewer script called certview is located in the /usr/samples/nim/ssl directory. For more information about certview, see Using the certificate viewing file.

For more information on installing and configuring OpenSSL in NIM, see the nimconfig command and nimclient command.