Developers Integration Lab (DIL) Certificate Installation Instructions. Version 1.4



Similar documents
Configuring SSL in OBIEE 11g

Exchange Reporter Plus SSL Configuration Guide

SSL Certificate Generation

Junio SSL WebLogic Oracle. Guía de Instalación. Junio, SSL WebLogic Oracle Guía de Instalación CONFIDENCIAL Página 1 de 19

CHAPTER 7 SSL CONFIGURATION AND TESTING

1. If there is a temporary SSL certificate in your /ServerRoot/ssl/certs/ directory, move or delete it. 2. Run the following command:

Installing Digital Certificates for Server Authentication SSL on. BEA WebLogic 8.1

RHEV 2.2: REST API INSTALLATION

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: October 08, 2014

Centers for Medicare & Medicaid Services CMS expedited Life Cycle (XLC) Electronic Submission of Medical Documentation / esmd HIH Onboarding Manual

Configuring a Windows 2003 Server for IAS

Certificate technology on Pulse Secure Access

Chapter 1: How to Configure Certificate-Based Authentication

Configuring Secure Socket Layer (SSL) for use with BPM 7.5.x

Setting Up SSL on IIS6 for MEGA Advisor

1 Reflection ZFE 5. 2 Security Considerations Troubleshooting the Installation 19. Contents 1

Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.

Entrust Certificate Services. Java Code Signing. User Guide. Date of Issue: December Document issue: 2.0

PowerChute TM Network Shutdown Security Features & Deployment

Certificate technology on Junos Pulse Secure Access

Version 9. Generating SSL Certificates for Progeny Web

DISTRIBUTED CONTENT SSL CONFIGURATION AND TROUBLESHOOTING GUIDE

Sun Access Manager CAC Authentication Deployment Configuration Guide

Enable SSL in Go2Group SOAP Server

Installing Logos SSL Certificates on Mobile Devices

SSL Configuration on Weblogic Oracle FLEXCUBE Universal Banking Release [August] [2014]

Creating an authorized SSL certificate

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to

IBM Security QRadar Vulnerability Manager Version User Guide

Configuring HTTPS support. Overview. Certificates

Installing BIRT Analytics 4.4

How to Implement Two-Way SSL Authentication in a Web Service

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

Enterprise Content Management System Monitor 5.1 Security Considerations Revision CENIT AG Brandner, Marc

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

Public Health Information Network Messaging System

Configuring the JBoss Application Server for Secure Sockets Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Web

DOCUMENTUM CONTENT SERVER CERTIFICATE BASED SSL CONFIGURATION WITH CLIENTS

Iowa Immunization Registry Information System (IRIS) Web Services Data Exchange Setup. Version 1.1 Last Updated: April 14, 2014

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

Universal Content Management Version 10gR3. Security Providers Component Administration Guide

JAMF Software Server Installation Guide for Linux. Version 8.6

CA Nimsoft Unified Management Portal

Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware

IBM Unica emessage Version 8 Release 6 February 13, Startup and Administrator's Guide

Configuring TLS Security for Cloudera Manager

Customizing SSL in CA WCC r11.3 This document contains guidelines for customizing SSL access to CA Workload Control Center (CA WCC) r11.3.

Copyright 2013 EMC Corporation. All Rights Reserved.

To install and configure SSL support on Tomcat 6, you need to follow these simple steps. For more information, read the rest of this HOW-TO.

Wildcard Certificates

HTTPS Configuration for SAP Connector

FreeBSD OpenVPN Server/Routed - Secure Computing Wiki

Sophos Mobile Control Installation guide

Working with Portecle to update / create a Java Keystore.

etoken Enterprise For: SSL SSL with etoken

Integration and Configuration of SofwareAG s webmethods Broker with JBOSS EAP 6.1

SSL Configuration Best Practices for SAS Visual Analytics 7.1 Web Applications and SAS LASR Authorization Service

How to Create Keystore and Truststore Files for Secure Communication in the Informatica Domain

Enabling SSO between Cognos 8 and WebSphere Portal

VMware vrealize Operations for Horizon Security

Installation Guide for Windows May 2016

Install MS SQL Server 2012 Express Edition

Marriott Enrollment Server for Web User Guide V1.4

Lepide Active Directory Self Service. Configuration Guide. Follow the simple steps given in this document to start working with

LDAP User Guide PowerSchool Premier 5.1 Student Information System

Integrating EJBCA and OpenSSO

VMware vrealize Operations for Horizon Security

Step- by- Step guide to extend Credential Sync between IBM WebSphere Portal 8.5 credential vault and Active Directory 2012 using Security Directory

Sametime Gateway Version 9. Deploying DMZ Secure Proxy Server

Dell UPS Local Node Manager USER'S GUIDE EXTENSION FOR MICROSOFT VIRTUAL ARCHITECTURES Dellups.com

IIS, FTP Server and Windows

DOCUMENTUM CONTENT SERVER CERTIFICATE BASED SSL CONFIGURATION AND TROUBLESHOOTING

Enabling Single-Sign-On between IBM Cognos 8 BI and IBM WebSphere Portal

Yale Software Library

Security Guide vcenter Operations Manager for Horizon View 1.5 TECHNICAL WHITE PAPER

Intro to AppDynamics with SSL

Stronger Authentication with Biometric SSO

SQL EXPRESS INSTALLATION...

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

NetApp SANtricity Web Service for E-Series Proxy 1.0

How To Configure Bm Atrium Sso For A Long Term Memory (Long Term Memory) On A Microsoft Server (For A Long Time) On An Ubuntu 2.5 (For An Uborg 2.4) (For Ub

IN STA LLIN G A VA LA N C HE REMOTE C O N TROL 4. 1

Configuring Global Protect SSL VPN with a user-defined port

SAS 9.3 Foundation for Microsoft Windows

Virtual Owl. Guide for Windows. University Information Technology Services. Training, Outreach, Learning Technologies & Video Production

Configuring IBM WebSphere Application Server 7 for Secure Sockets Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Web

How to Implement Transport Layer Security in PowerCenter Web Services

bbc Installing Your Development Environment Adobe LiveCycle ES July 2007 Version 8.0

CommandCenter Secure Gateway

Immotec Systems, Inc. SQL Server 2005 Installation Document

BlackBerry Enterprise Service 10. Version: Configuration Guide

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2)

Wavecrest Certificate

Cisco Prime Central Managing Certificates

Deploying NetSupport Manager. or NetSupport School. Overview. Available Installers. There are 4 main ways to install NSM or NSS, these are as follows:

Djigzo S/MIME setup guide

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Enterprise Content Management System Monitor. How to deploy the JMX monitor application in WebSphere ND clustered environments. Revision 1.

Best Practices for Disaster Recovery with Symantec Endpoint Protection

Transcription:

Developers Integration Lab (DIL) Certificate Installation Instructions Version 1.4 July 22, 2013

REVISION HISTORY REVISION DATE DESCRIPTION 0.1 17 September 2011 First Draft Release DIL Certificate Installation Instructions 0.2 17 September 2011 Updated certificate download link examples 1.0 13 November 2012 First Publication Release DIL Certificate Installation Instructions 1.1 3 January 2013 Addition of section 5.4.6 describing how to import alternate certificates for use with other environments 1.2 20 January 2013 Added general grammatical changes 1.3 22 May 2013 Included additional steps for Certificate Set Up 1.4 22 July 2013 Added section 5.4.7 i

TABLE OF CONTENTS 1. INTRODUCTION... 1 1.1 PURPOSE... 1 1.2 SCOPE... 1 2. DOCUMENT DESCRIPTION... 1 3. REFERENCED DOCUMENTS... 1 4. PROBLEM DESCRIPTION & GOALS... 1 5. INSTRUCTIONS... 2 5.1 REQUIRED INFORMATION... 2 5.2 DOWNLOAD YOUR CERTIFICATE... 2 5.3 DOWNLOAD THE CA CERTIFICATES... 3 5.4 NON-FIPS INSTALLATION (WINDOWS / GLASSFISH)... 3 5.4.1 SETUP YOUR WORK FOLDER... 3 5.4.2 KEYSTORE AND TRUSTSTORE... 3 5.4.3 INSTALL THE CERTIFICATES (GLASSFISH)... 5 5.4.4 UPDATE GLASSFISH DOMAIN CONFIGURATION... 5 5.4.5 VERIFY GLASSFISH DOMAIN CONFIGURATION... 6 5.4.6 USE OF ALTERNATIVE CERTIFICATES... 6 5.4.7 CERTIFICATE REVOCATION LIST (CRL) CHECKING... 7 5.5 FIPS INSTALLATION (RED HAT LINUX / JBOSS)... 8 5.5.1 SETUP YOUR WORK FOLDER... 8 5.5.2 NSS DATASTORE... 8 5.5.3 UPDATE JBOSS SERVER CONFIGURATION... 10 5.5.4 VERIFY JBOSS SERVER CONFIGURATION... 10 ii

1. INTRODUCTION 1.1 PURPOSE This document provides the required steps to download, install, and configure a DIL Certificate. 1.2 SCOPE The instructions in this document are applicable to all participants, both internal and external, in the DIL environment. 2. DOCUMENT DESCRIPTION This document includes the following sections: Section 1.0 Introduction Section 2.0 Document Description Section 3.0 Referenced Documents Section 4.0 Problem Description & Goals Section 5.0 Instructions 3. REFERENCED DOCUMENTS N/A 4. PROBLEM DESCRIPTION & GOALS Communication between gateways requires a secured transport mechanism. This is accomplished by SSL certificates issued to each gateway server AEGIS.net is a Certificate Authority with the ability to issue SSL certificates using the following hierarchy: AEGISROOTCA AEGISDILCA [Issued Server Certificate] The hierarchy mentioned above is the three-level certificate architecture used within the DIL. All SSL certificates are of the type PKS-12, however you can add your own private certificate under the trust chain as well. If you are planning on using the Private Cert provided by the DIL, please skip over section 5.4.6. 1

If you change your machine name at any time, you will need to generate a new certificate. This can be done by notifying the development team at DIL_Support@aegis.net. 5. INSTRUCTIONS These instructions are intended for use by a participant within the DIL environment. The participant must first complete the self-registration of their DIL account. 5.1 REQUIRED INFORMATION 1. The participant must provide the full machine name of the gateway server as part of their Gateway Profile. a. Example of machine name machine.domain.com 2. The participant s CA account information is then defined as: a. Your account name will be your machine name; e.g. machine.domain.com. b. Your password will be your machine name without the domain extension; e.g. machine. c. If you do not know your password, please contact the DIL Help Desk Support. 5.2 DOWNLOAD YOUR CERTIFICATE 1. Once logged onto the DIL Test Platform application select the Download Certificate menu item. 2. Then select the following link on the Download Certificate page: Please download your DIL private certificate here machine.domain.com.p12 3. You will now be prompted with a browser dialog to either open or save. Note that if your browser is configured to save by default, you may not see this window. Save your certificate file to your local machine. a. Your certificate file name will be your gateway machine name with a.p12 extension; e.g. machine.domain.com.p12 b. If the install fails, please contact DIL Help Desk Support. 2

5.3 DOWNLOAD THE CA CERTIFICATES Your certificate is the end of a three-part chain. You need to download the other two certificate parts: AEGISROOTCA and AEGISDILCA. 1. Select the following link on the Download Certificate page to download the AEGISROOTCA: Please download the DIL Root certificate here AEGISROOTCA.pem 2. Select the following link on the Download Certificate page to download the AEGISDILCA: Please download the DIL Cross certificate here AEGISDILCA.pem 5.4 NON-FIPS INSTALLATION (Windows / Glassfish) 5.4.1 SETUP YOUR WORK FOLDER Windows XP/2003 Server 64 bit is the operating system and Glassfish 2.1.1 is the target application server for these instructions. 1. Create a work folder; e.g. C:\Sun\AppServer\certificaterequest 2. Copy all certificates generated and downloaded from the AEGIS.net CA site to your work folder. 3. Copy the cacerts.jks truststore from the Glassfish domain config folder: C:\Sun\AppServer\domains\domain1\config\cacerts.jks 4. Open a command prompt window and change directory to your work folder. 5.4.2 KEYSTORE AND TRUSTSTORE Execute the following commands to generate your keystore and install the certificates to your keystore and truststore. Replace the text <machine> with the value of your machine name. IMPORT PKCS12 KEYSTORE TO JAVA KEYSTORE keytool -importkeystore -srckeystore <machine>.aegis.net.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore gateway.jks * You will be prompted to enter your password three (3) times. After correctly entering your password you should have an output similar to this: Enter destination keystore password: Re-enter new password: 3

Enter source keystore password: Entry for alias <machine>.aegis.net successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled NOTE: The destination keystore password above is the password specific to the machine or IP address registered with the DIL. VERIFY JAVA KEYSTORE keytool -list -v -keystore gateway.jks > gatewaylist * You will be prompted to enter your password. This will list the private key details. Examine the output to insure there are no errors. IMPORT CHAIN OF TRUST CERTIFICATES TO THE TRUSTSTORE keytool -import -v -trustcacerts -alias AEGISROOTCA -file AEGISROOTCA.pem -keystore cacerts.jks -keypass changeit -storepass changeit * Enter yes or y to the prompt. You should see the following output: Trust this certificate? [no]: yes Certificate was added to keystore [Storing cacerts.jks] NOTE: The keypass value is the literal value changeit. The storepass value is the password specific to the machine or IP address registered with the DIL. keytool -import -v -trustcacerts -alias AEGISDILCA -file AEGISDILCA.pem - keystore cacerts.jks -keypass changeit -storepass changeit * No input is required. You should see the following output: Certificate was added to keystore [Storing cacerts.jks] NOTE: The keypass value is the literal value changeit. The storepass value is the password specific to the machine or IP address registered with the DIL. keytool -importkeystore -srckeystore <machine>.aegis.net.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore cacerts.jks * You will be prompted to enter the truststore password followed by your password. You should see the following output: Enter destination keystore password: Enter source keystore password: Entry for alias d6ctptl1.aegis.net successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled 4

VERIFY THE TRUSTSTORE CONTENTS keytool -list -keystore cacerts.jks > cacertslist * You will be prompted to enter the truststore password. This will list all of the trusted certificates. Examine the output to insure the imported certificates are present aegisrootca, aegisdilca and <machine>.domain.com. NOTE: The truststore password is the password specific to the machine or IP address registered with the DIL. IMPORT ALL CERTIFICATES TO YOUR KEYSTORE keytool -import -v -trustcacerts -alias AEGISROOTCA -file AEGISROOTCA.pem -keystore gateway.jks -keypass <machine> -storepass <machine> * Enter yes or y to the prompt. You should see the following output: Trust this certificate? [no]: yes Certificate was added to keystore [Storing cacerts.jks] keytool -import -v -trustcacerts -alias AEGISDILCA -file AEGISDILCA.pem - keystore gateway.jks -keypass <machine> -storepass <machine> * No input is required. You should see the following output: Certificate was added to keystore [Storing cacerts.jks] VERIFY KEYSTORE CONTENTS keytool -list -keystore gateway.jks > gatewaylist2 * You will be prompted to enter your password. This will list all of the trusted certificates. Examine the output to insure the imported certificates are present aegisrootca, aegisdilca and <machine>.aegis.net. 5.4.3 INSTALL THE CERTIFICATES (GLASSFISH) 1. Copy the keystore and truststore files from your work folder to the Glassfish domain config folder: C:\Sun\AppServer\domains\domain1\config\gateway.jks C:\Sun\AppServer\domains\domain1\config\cacerts.jks 5.4.4 UPDATE GLASSFISH DOMAIN CONFIGURATION Modify the domain.xml Glassfish configuration file to now use your new keystore. 5

1. Locate and update all key.alias values to your certificate alias; i.e. <machine>.domain.com. 2. Update the following <jvm-options> settings related to your keystore: -Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/gateway.jks -Djavax.net.ssl.keyStorePassword=<machine> -DSERVER_KEY_ALIAS=<machine>.domain.com -DCLIENT_KEY_ALIAS=<machine>.domain.com - Dcom.sun.enterprise.security.httpsOutboundKeyAlias=<machine>.domain.com 5.4.5 VERIFY GLASSFISH DOMAIN CONFIGURATION 1. Start your Glassfish server. 2. Examine the server logs after the application server start up is complete and verify that there are no errors. 5.4.6 USE OF ALTERNATIVE CERTIFICATES You may store and use additional, alternate certificates in your keystore and truststore files if your test system has the need to communicate with other testing environments. An example of this would be if your test system will also be used for onboard testing with the ehealth Exchange (formerly the NwHIN). The DIL Certificate Architecture mirrors that of the ehealth Exchange in that it relies on 3 levels, the Root Certificate, Cross Certificate, and finally the Private certificate. This Chain of Trust, i.e. the Root and Cross certificates validates and trusts the private certificate. You must first successfully obtain the required ehealth Exchange Root Certificate, Cross Certificate, and their Private certificate. Please refer to the CONNECT Open Source Wiki page, Certificate Setup, for specific instructions. This page is found at: https://developer.connectopensource.org/display/connectwiki/certificate+setup The following steps are those that are needed to add these certificates to your existing keystore and truststore files: C:\Sun\AppServer\domains\domain1\config\gateway.jks 6

C:\Sun\AppServer\domains\domain1\config\cacerts.jks IMPORT THE WEB SERVICE [PRIVATE] CERTIFICATE: keytool -import -v -trustcacerts -alias gateway -file servercert.bin -keystore gateway.jks -keypass changeit -storepass changeit * The -keypass and storepass passwords need to match those of the servercert.bin and gateway.jks respectively. IMPORT CHAIN OF TRUST CERTIFICATES TO THE TRUSTSTORE keytool -import -v -trustcacerts -alias entrust -file cacert.crt -keystore cacerts.jks - keypass changeit -storepass changeit * The -keypass and storepass passwords need to match those of the cacert.crt and cacerts.jks respectively. * Enter yes or y to the prompt. You should see the following output: Trust this certificate? [no]: yes Certificate was added to keystore [Storing cacerts.jks] keytool -import -v -trustcacerts -alias entrust-cross -file cross.crt -keystore cacerts.jks -keypass changeit -storepass changeit * The -keypass and storepass passwords need to match those of the cross.crt and cacerts.jks respectively. * No input is required. You should see the following output: Certificate was added to keystore [Storing cacerts.jks] 5.4.7 Certificate Revocation List (CRL) Checking Certificate Revocation Lists (CRLs) are lists of certificates that are no longer valid or that have been revoked by a Certification Authority (CA). Each gateway must implement either Online Certificate Status Protocol (OCSP) based certificate revocation checking or use CRLs against an NHIN-governed CA to determine the revocation status of each certificate. To enable the CRL checking in glassfish application server, add the following two JVM options in the domain.xml file as the two properties would remain false by default. You will need JDK 6 update 18 or later versions for supporting CRL checking. 7

<jvm-options>-dcom.sun.net.ssl.checkrevocation=true</jvm-options> <jvm-options>-dcom.sun.security.enablecrldp=true</jvm-options> For debugging certification issues, add the following jvm option in domain.xml <jvm-options>-djava.security.debug=certpath</jvm-options> For other application servers, please check your server documentation regarding enabling CRL checking. FOR CRL checking, you need to open port 9345 at firewall so that you can have access to CRL list at http://ca.dil.aegis.net:9345/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=cn=aegi SDILCA,O=AEGISnetInc,C=US. 5.5 FIPS INSTALLATION (Red Hat Linux / JBoss) The following set of instructions is intended for users utilizing FIPS mode enabled on the participant machine. 5.5.1 SETUP YOUR WORK FOLDER Red Hat Enterprise Linux is the operating system and Glassfish 2.1.1 or JBoss 5.1.0 are the target application servers for these instructions. The Mozilla NSS 3.12.4 datastore database is installed in the directory /opt/fipsdb for these instructions. 1. Create a work folder; e.g. /opt/fipsdb/cert 2. Copy all certificates generated and downloaded from the AEGIS CA site to your work folder. 3. Open a command prompt window and change directory to your work folder. 5.5.2 NSS DATASTORE Execute the following commands to import your server certificate and the AEGIS DIL and ROOT CA certificates to your NSS datastore. Replace the text <machine> with the value of your machine name. DISABLE FIPS MODE modutil -fips false -dbdir /opt/fipsdb 8

* FIPS Mode must be disabled before making any modifications to prevent corruption of the NSS datastore. You will be prompted to continue. Simply press the Enter key again. You should see the following output: WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue: FIPS mode disabled. IMPORT PKCS12 SERVER CERTIFICATE TO THE NSS DATASTORE pk12util -i <machine>.domain.com.p12 -n <machine>.domain.com -d /opt/fipsdb * You will be prompted to enter the NSS password. After correctly entering that password, you will be prompted to enter the password for your server certificate. After correctly entering that password you should have an output similar to this: Enter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: pk12util: PKCS12 IMPORT SUCCESSFUL IMPORT THE AEGIS ROOT AND DIL CA CERTIFICATES certutil -A -n "AEGISROOTCA" -t "TC,," -i AEGISROOTCA.pem -d /opt/fipsdb certutil -A -n "AEGISDILCA" -t "TC,," -i AEGISDILCA.pem -d /opt/fipsdb * No input is required. CONFIRM THE CONTENTS OF YOUR NSS DATABASE certutil -L -d /opt/fipsdb * No input is required. This will list all of the certificates. Examine the output to insure the imported certificates are present aegisrootca, aegisdilca and <machine>.domain.com. You should see the following output: Certificate Nickname <machine>.domain.com AEGISDILCA AEGISROOTCA Trust Attributes SSL,S/MIME,JAR/XPI u,u,u TC,, TC,, VERIFY THE CERTIFICATE CHAIN IS CORRECT vfychain -d /opt/fipsdb <machine>.domain.com 9

* No input is required. This will verify that the certificate chain has been correctly established. You should see the following output: Chain is good! ENABLE FIPS MODE modutil -fips true -dbdir /opt/fipsdb * FIPS Mode must be enabled before (re)starting the application server. You should see the following output: WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue: FIPS mode enabled. 5.5.3 UPDATE JBOSS SERVER CONFIGURATION Follow the FIPS 140-2 Red Hat Linux / JBoss configuration instructions for CONNECT 3.2: https://developer.connectopensource.org/display/nhinr32/fips+install+%28linux+and+jboss%29 5.5.4 VERIFY JBOSS SERVER CONFIGURATION 1. Start your JBoss server. 2. Examine the server logs after the application server start up is complete and verify that there are no certificate errors. 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information