Customizing SSL in CA WCC r11.3

This document contains guidelines for customizing SSL access to CA Workload Control Center (CA WCC) r11.3.

Overview

This document shows how to configure a custom SSL certificate for CA WCC's Tomcat instances. In addition, the steps for changing the WCC server name to match an SSL certificate are explained.

Note: The procedures in this document are for reference only; you may need to adjust them according to your needs and specifications.

Important! The installation of CA WCC on which this procedure is being performed must have had the Enable SSL option selected during installation.

Conventions Used in This Document

The following conventions are used in this document:

- $CA_WCC_INSTALL_LOCATION is the root directory of the CA WCC installation (typically /opt/ca/workloadcc on UNIX or C:\Program Files\CA\Workload Control Center on Windows).
- The pound character (#) denotes the UNIX shell command prompt for the root user on UNIX, and a normal command prompt on Windows. This character should not be typed.
- The backslash character (\) at the end of a line indicates that the command continues on the next line. On Windows, this character should not be typed. On UNIX it can be typed provided it is followed immediately by a newline.
- C.A. stands for Certificate Authority.

Changing the Certificate

There are three methods of changing the certificate:

- Generate a self-signed certificate. This is the easiest method. Users will need to acknowledge your certificate the first time they use it.
- Generate a secret key and request a certificate. The keystore will generate a secret key and a certificate request. You need to submit your request to the C.A. (Certificate Authority) of your choice, which will in turn issue a certificate for you.
- Import an existing private key and certificate. Use this method if you already have a private key and a matching certificate that you want to reuse.
Note: After changing the certificate using any of the methods above, you will need to restart the CA WCC services.

Prerequisites

If you want to generate a self-signed certificate, no additional software needs to be installed. For the other two methods of changing the certificate (Generate a secret key and request a certificate, and Import an existing private key and certificate), OpenSSL must be installed on the CA WCC server before you perform either of those procedures. The OpenSSL version used in this document is 0.9.8.

Install OpenSSL on Windows

OpenSSL for Windows is available from the following URL:

    http://www.openssl.org/related/binaries.html

Note: The recommended version is OpenSSL v0.9.8r Light. You might have to install the Visual C++ 2008 Redistributables first; they are also available from the same URL.

Edit the Path Environment Variable

After you install OpenSSL, edit the Path environment variable:

1. Click Start, Run, enter the following command, and click OK:

       SYSDM.CPL

   The System Properties dialog opens.
2. Go to Advanced, Environment Variables, System variables, select the Path variable, and click Edit.
3. Add the following text at the end of the Path environment variable:

       ;C:\OpenSSL\bin

4. Click OK to close each dialog that appears.

OpenSSL on UNIX

OpenSSL for UNIX can be obtained through your distribution's repository. For example, on Debian-based distributions, simply type:

    # apt-get install openssl

On RPM-based distributions, simply type:

    # yast -i openssl
Generate a Self-signed Certificate

The first method of changing the certificate is to generate a self-signed certificate. The steps are as follows:

1. Remove the previous key with the following command:

       # $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -delete -alias tomcat \
           -keystore $CA_WCC_INSTALL_LOCATION/config/.keystore -storepass changeit

   Note: The default name of the key is tomcat. To access the keystore, you also need the keystore password, which by default is changeit.

2. Generate a new key with the following command:

       # $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -genkey -alias tomcat -keyalg RSA \
           -keystore $CA_WCC_INSTALL_LOCATION/config/.keystore -storepass changeit \
           -keypass changeit \
           -keysize 1024 -dname "cn=WCC_SERVER_NAME" -validity 14600

   In the command above:

   - Replace WCC_SERVER_NAME with the name of the CA WCC server that was specified during the installation of CA WCC.
   - The keysize argument lets you specify the key size. Typical values are 1024 or 2048. Prefer 2048; 1024-bit RSA keys are now considered too weak.
   - The validity argument lets you specify how long the certificate should be valid (expressed in days).

3. Restart the CA WCC services. On UNIX, use the following commands:

       # ./StopWCCServices.sh
       # ./StartWCCServices.sh

   On Windows, use the following commands:

       # StopWCCServices.bat
       # StartWCCServices.bat
Generate a Secret Key and Request a Certificate

The second method of changing the certificate is to generate a secret key and request a certificate. The process is as follows:

1. Generate a key and request.
2. Send the request to your C.A.
3. Add the certificate chain to the keystore.
4. Insert your certificate into the keystore.
5. Restart the CA WCC services.

Note: There are several standards for the file extensions used for certificates. The following extensions are used in this document:

- csr: certificate request
- der: certificate, encoded in DER (binary)
- cer: certificate, encoded in PEM (text)

Generate a Key and Request

To generate the secret key:

1. Perform steps 1 and 2 in the Generate a Self-signed Certificate section.

   Notes: Do not restart the CA WCC services. A self-signed certificate will be generated; that certificate will be overwritten in a later procedure.

2. Issue a request file (certreq.csr) with the following command:

       # $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -certreq -alias tomcat \
           -keystore $CA_WCC_INSTALL_LOCATION/config/.keystore -storepass changeit \
           -file certreq.csr

Send the Request to Your C.A.

Using the request file (certreq.csr), obtain a certificate in PEM format from your C.A. How this certificate is obtained differs for every C.A. Typically, you will send the request file (certreq.csr); the C.A. will also require some proof of your identity.

Note: Obtaining the certificate can take hours or days.
Retrieve the Certificate Chain

While you are waiting to obtain the certificate, you must insert the public certificate of the root C.A. into the keystore, plus possibly those of several Sub C.A.s. This is because, typically, a C.A. does not issue certificates directly. Instead it delegates to a Sub C.A., which can in turn delegate to another Sub C.A., and so on. The list of the root certificate and Sub C.A.s is referred to as the certificate chain.

The public certificates of the C.A. and Sub C.A.s are always available on the website of the C.A. (Certificate Authority). In case a PEM version is not available, the following section describes how to convert from DER to PEM, and also how to clean a PEM certificate to make sure it will be understood by the keytool program.

Converting and Cleaning the Certificate

Certificates are usually available in DER or PEM format. If the certificate is in DER format, it must be converted to PEM format. If the certificate is in PEM format, it must be cleaned.

Convert the Certificate from DER to PEM

When you obtain a certificate in DER format, you must convert it to PEM format. The certificate is also cleaned during the conversion. To convert a DER certificate to PEM format and clean it, use the following command:

    # openssl x509 -inform DER -in certificate.der -out certificate.cer

Clean a PEM Certificate

When you obtain a certificate in PEM format, it can contain optional information (for example, text preceding the BEGIN CERTIFICATE line) which should be removed because the keytool program will not understand it. Cleaning the PEM certificate removes the optional information. Unless you obtained your certificates in PEM format by converting them from DER using the command in the previous section, it is recommended that you run the following command to remove this optional information and obtain a clean PEM:

    # openssl x509 -in certificate-with-extra-info.cer -out certificate.cer

This command is safe to run when the original certificate is already clean.
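The conversion and cleaning steps above, combined into one script that also verifies the chain before anything is imported. This is an added example, not part of the CA document; the file names in the --run section are placeholders for your own root, Sub C.A. and server certificates.

```shell
#!/bin/sh
# Added example (not from the CA document): bring a C.A. or server certificate
# into the clean PEM form keytool expects, whatever format it arrived in, and
# verify the chain with openssl before anything is imported into .keystore.
# File names in the --run section are placeholders for your own files.

# Print PEM or DER depending on how the certificate file is encoded.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# A clean PEM has the BEGIN line as its very first line; anything before it
# (bag attributes, a text dump of the certificate) is what keytool rejects.
is_clean_pem() {
    [ "$(head -n 1 "$1")" = '-----BEGIN CERTIFICATE-----' ]
}

# Write a clean PEM copy of $1 to $2, converting from DER when needed
# (the two openssl x509 forms given in the document).
clean_cert() {
    if [ "$(cert_format "$1")" = DER ]; then
        openssl x509 -inform DER -in "$1" -out "$2"
    else
        openssl x509 -in "$1" -out "$2"
    fi
}

# verify_chain ROOT SUB SERVER: confirm that SERVER chains to ROOT through
# SUB (SUB may be an empty string). A failure here would otherwise appear
# only as a browser SecurityAlert after the restart.
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3"
    else
        openssl verify -CAfile "$1" "$3"
    fi
}

if [ "${1:-}" = "--run" ]; then
    clean_cert RootCA.der RootCA.cer
    clean_cert SubCA-with-extra-info.cer SubCA.cer
    clean_cert certificate.der certificate.cer
    verify_chain RootCA.cer SubCA.cer certificate.cer && is_clean_pem certificate.cer
fi
```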
Insert the Certificate Chain into the Keystore

Once you have downloaded the certificate of the root C.A. and converted or cleaned it, you must run the following command:

    # $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -alias RootCA \
        -file RootCA.cer \
        -keystore $CA_WCC_INSTALL_LOCATION/config/.keystore -storepass changeit
If your certificate is issued by a Sub C.A., you must also download the certificate of the Sub C.A., convert or clean it, and then run the following command:

    # $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -alias SubCA \
        -file SubCA.cer \
        -keystore $CA_WCC_INSTALL_LOCATION/config/.keystore -storepass changeit

Obtain the Certificate and Insert the Certificate into the Keystore

When you receive your certificate, do the following:

1. Convert the certificate to a clean PEM as described in the Converting and Cleaning the Certificate section.
2. Insert the certificate into the keystore with the following command:

       # $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -trustcacerts \
           -file certificate.cer -alias tomcat \
           -keystore $CA_WCC_INSTALL_LOCATION/config/.keystore -storepass changeit

   keytool should reply with:

       Certificate reply was installed in keystore

Restart CA Services

Finally, restart the CA WCC services. On UNIX, use the following commands:

    # ./StopWCCServices.sh
    # ./StartWCCServices.sh

On Windows, use the following commands:

    # StopWCCServices.bat
    # StartWCCServices.bat
Import an Existing Key and Certificate

The third method of changing the certificate is to import an existing key and certificate. You can either reuse an existing .keystore file or import a private key and certificate from a PKCS12 file. You must then restart the CA services.

Reusing an Existing .keystore File

If you want to move your .keystore file from an 11.1 SP2 WCC installation, you can simply copy the ConfigServer/conf/.keystore file from your 11.1 SP2 installation to the following location in r11.3:

    $CA_WCC_INSTALL_LOCATION/config/.keystore

Importing from a PKCS12 File

If you have a private key and certificate packaged as a PKCS12 file, you can install it in the keystore with the following command:

    # $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importkeystore \
        -srckeystore myp12.p12 -srcstoretype PKCS12 -srcstorepass my-password \
        -deststorepass changeit -destkeypass changeit \
        -destkeystore $CA_WCC_INSTALL_LOCATION/config/.keystore \
        -srcalias 1 -destalias tomcat

Note: If the keystore already contains an entry named tomcat (for example, the default self-signed one), keytool asks whether to overwrite it; answer yes, or delete the entry first as in step 1 of the Generate a Self-signed Certificate section.

Note: The certificate chain found in the PKCS12 file will be imported into the keystore (although it is not visible with the keytool program). In case the C.A.'s certificate was not provided inside the PKCS12 file, you can import it as described in the Insert the Certificate Chain into the Keystore section.

Restart CA Services

The final step is to restart the CA WCC services. On UNIX, use the following commands:

    # ./StopWCCServices.sh
    # ./StartWCCServices.sh

On Windows, use the following commands:

    # StopWCCServices.bat
    # StartWCCServices.bat

Note: Although it is outside the scope of this document, it should be mentioned that it is usually possible to reassemble a PKCS12 file from keys and certificates found in .keystore (as used by Tomcat) or separate PEM files (as used by Apache) with the openssl pkcs12 command.
Troubleshooting

This section contains solutions to problems you may encounter.

1. Problem: I get the following SecurityAlert in my browser: "The name on the security certificate is invalid or does not match the name of the site."

   Solution: You can get this error when trying to access CA WCC using localhost, for example https://localhost:8443/wcc. You can also receive this error if the URL you used to connect to CA WCC does not match the CN attribute of the certificate's Issued To field exactly. For example, https://wcc01:8443/wcc will cause a SecurityAlert if the CN attribute of the certificate's Issued To field is wcc01.ca.com. The solution is to use the name of the server as it is specified in the CN attribute of the certificate's Issued To field, for example https://wcc01.ca.com:8443/wcc.

2. Problem: I get a SecurityAlert in my browser even though I am using a genuine Certificate Authority generated certificate. The CN attribute of the certificate's Issued To field matches the hostname/URL that I used to access CA WCC.

   Solution: You may need to check with the Certificate Authority about whether or not a chain certificate is needed in the keystore to establish the full authenticity of the certificate.
Changing WCC's Server Name

A computer can have several DNS names, and the certificate that you obtained might be for a different DNS name than the name entered during WCC installation. When connecting with HTTPS, the name used in the network address (URL) must match the name in the certificate; otherwise a "hostname mismatch" certificate error will be displayed. Hence it might be necessary to change WCC's server name so that it matches the name in the certificate, and this section describes how. It is assumed that the file $CA_WCC_INSTALL_LOCATION/config/.keystore has already been updated following one of the methods above.

Notes:

- Since this procedure involves modifying several configuration files, please make a complete backup of your WCC installation directory before beginning.
- WCC supports only one name, i.e. after the server's name is changed, accessing WCC with the previous name might not work correctly.

Identify the Name in the Certificate

This step is optional. Should you want to double-check the name in the certificate, it is possible to do so with the keytool command:

    # $CA_WCC_INSTALL_LOCATION/jre/bin/keytool \
        -list -keystore $CA_WCC_INSTALL_LOCATION/config/.keystore \
        -storepass changeit -alias tomcat -v

The command will output all the certificates used by Tomcat. Typically there will be one for the WCC server, and one for the C.A. and/or Sub C.A.s. Each certificate printout will contain a line starting with "Owner: CN=". In the server's certificate, the name of the server is contained between "Owner: CN=" and the first following comma. For example, if your server's name is wcc.acme.com, you should see something similar to:

    Alias name: tomcat
    Creation date: May 11, 2011
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=wcc.acme.com, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
    Issuer: CN=Dummy, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
    ...
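The name check described here and in the Troubleshooting section, as a script: it reads the server's CN from the keytool listing and compares it with the host in the URL users will type, so a hostname mismatch is caught before the services are restarted. This is an added example, not part of the CA document; SAMPLE_LISTING is constructed from the listing shown above, and the --run section assumes $CA_WCC_INSTALL_LOCATION is set.

```shell
#!/bin/sh
# Added example (not from the CA document): read the server's CN from the
# "keytool -list -v" output and compare it with the host in the URL that users
# will type, so a hostname mismatch is found before the services are restarted.
# SAMPLE_LISTING is constructed from the listing shown in the document.
SAMPLE_LISTING='Alias name: tomcat
Creation date: May 11, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=wcc.acme.com, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Issuer: CN=Dummy, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Certificate[2]:
Owner: CN=Dummy, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Issuer: CN=Dummy, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU'

# CN of Certificate[1], the server's own certificate: the text between
# "Owner: CN=" and the first comma. Certificate[2] is the C.A. and is skipped.
server_cn() {
    printf '%s\n' "$1" |
        sed -n '/^Certificate\[1]:/,/^Issuer:/s/^Owner: CN=\([^,]*\).*/\1/p'
}

# Host part of a URL such as https://wcc01.ca.com:8443/wcc.
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[:/].*$||'
}

# check_hostname URL LISTING: 0 when the URL host equals the certificate CN
# (compared case-insensitively, as DNS names are), 1 with a message otherwise.
check_hostname() {
    cn=$(server_cn "$2" | tr '[:upper:]' '[:lower:]')
    host=$(url_host "$1" | tr '[:upper:]' '[:lower:]')
    if [ -n "$cn" ] && [ "$host" = "$cn" ]; then
        return 0
    fi
    echo "hostname mismatch: URL host '$host' but certificate CN '$cn'" >&2
    return 1
}

# Live use against the real keystore (script name is hypothetical), e.g.
#   sh check_name.sh --run https://wcc01.ca.com:8443/wcc
if [ "${1:-}" = "--run" ]; then
    listing=$("$CA_WCC_INSTALL_LOCATION/jre/bin/keytool" -list -v \
        -keystore "$CA_WCC_INSTALL_LOCATION/config/.keystore" \
        -storepass changeit -alias tomcat)
    check_hostname "$2" "$listing"
fi
```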
Update the Configuration Files to Use the Server's Name as in the Certificate

In the following files (relative to $CA_WCC_INSTALL_LOCATION), replace the name used during the installation with the name used in the certificate. Any method can be used, including a search and replace with a text editor.

    ConfigServer/config/application/config/resources/internal-componentURLs.properties
    ConfigServer/config/application/config/resources/internal-install.properties
    ConfigServer/config/application/config/resources/internal-misc.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab1.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab10.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab11.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab12.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab2.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab3.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab4.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab5.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab6.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab7.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab8.properties
    ConfigServer/config/application/mainui/themes/Theme1/tab9.properties
    product.xml
    _uninst/uninstall_ca Workload Control Center/installvariables.properties
    _uninst/uninstall_wccapplicationserverconfig/installvariables.properties

Restart CA Services

The final step is to restart the CA WCC services. On UNIX, use the following commands:

    # ./StopWCCServices.sh
    # ./StartWCCServices.sh

On Windows, use the following commands:

    # StopWCCServices.bat
    # StartWCCServices.bat
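One way to carry out the search and replace across the configuration files listed above, as an added example that is not part of the CA document: it keeps a .bak copy of each file, only rewrites the old name where it stands as a whole host name (so a short name such as wcc01 is not rewritten inside an FQDN such as wcc01.ca.com that is already correct), and reports files that still mention the old name. It assumes GNU or BSD sed and grep (for the -E option).

```shell
#!/bin/sh
# Added example (not from the CA document): rewrite the installation-time
# server name to the name in the certificate across the configuration files
# listed in the document, keeping a .bak copy of each and reporting any file
# that still mentions the old name. Assumes GNU or BSD sed/grep (for -E).

# Files to update, relative to $CA_WCC_INSTALL_LOCATION (the document's list;
# tab1.properties .. tab12.properties are generated rather than spelled out).
wcc_config_files() {
    cat <<'EOF'
ConfigServer/config/application/config/resources/internal-componentURLs.properties
ConfigServer/config/application/config/resources/internal-install.properties
ConfigServer/config/application/config/resources/internal-misc.properties
product.xml
_uninst/uninstall_ca Workload Control Center/installvariables.properties
_uninst/uninstall_wccapplicationserverconfig/installvariables.properties
EOF
    i=1
    while [ "$i" -le 12 ]; do
        echo "ConfigServer/config/application/mainui/themes/Theme1/tab$i.properties"
        i=$((i + 1))
    done
}

# ERE matching NAME only as a whole host name: a short name such as wcc01
# must not be rewritten inside an FQDN such as wcc01.ca.com.
host_re() {
    printf '(^|[^A-Za-z0-9.-])%s([^A-Za-z0-9.-]|$)' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# rename_server ROOT OLD NEW: rewrite every listed file under ROOT that exists
# and print the number of files still containing OLD (0 = rename complete).
rename_server() {
    root=$1 new=$3 left=0 re=$(host_re "$2")
    old_ifs=$IFS; IFS='
'; set -f
    for rel in $(wcc_config_files); do
        f="$root/$rel"
        [ -f "$f" ] || continue
        cp -p "$f" "$f.bak"
        # Applied twice so that two adjacent names ("wcc01 wcc01") are both caught.
        sed -E "s/$re/\\1$new\\2/g; s/$re/\\1$new\\2/g" "$f.bak" > "$f"
        grep -Eq "$re" "$f" && left=$((left + 1))
    done
    set +f; IFS=$old_ifs
    echo "$left"
}
```

Run it as `rename_server "$CA_WCC_INSTALL_LOCATION" old-name certificate-name` and expect 0; any other count means some listed file needs a manual look.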