Environment
SLES 12
SLES 15
Situation
My commercial certificate used for Vibe is either expired or soon to expire. How can I update the commercial certificate information?
Cause
n/a
Resolution
NOTE: Before updating any Vibe server with this procedure, make a snapshot backup of the Vibe server if it is virtualized, just in case. If it is “bare metal”, then at least back up the /opt/novell/teaming/apache-tomcat/conf/ directory before making any changes. READ this document completely before implementing it.
Updating Public Cert for Vibe
Note:
It is assumed that you have placed a copy of the new commercial certificate files, obtained from your commercial “Certificate Authority”, in the /root/Documents/certs/ directory on your Linux Vibe server. The directory should contain the new SERVER certificate file (in this document, “server.crt”), the Intermediate certificate file (“intermediate.crt”), and the Private Key file (“private.key”). Substitute your own names as needed.
Note:
If this procedure is not done correctly, or if you used another procedure, there is a chance the Vibe server process will not start, or it will start but you will not be able to reach a Vibe login page when you browse to the Vibe website.
Vibe can use a pkcs#12 file to import into a .keystore. The following steps allow you to convert the components of a standard or wildcard Certificate appropriately, and then put it in place on the Vibe Server.
Steps to Follow:
openssl rsa -in <private.key> -out <nopass.key>
(If prompted for a pass phrase, enter the password used during private key creation.)
Note: The key file should be the original private key that was used when creating the certificate signing request (CSR).
openssl pkcs12 -export -in <server.crt> -inkey <nopass.key> -out <keypair.p12> -name tomcat -certfile <intermediate.crt>
Note: Use the certificate files from step 1 to replace <server.crt> and <intermediate.crt>. Use your names as needed.
Note: If needed, add another -certfile statement for every intermediate or root certificate if there is more than one.
Also, -certfile is not required if there is no other certificate chain file.
Note: Input a password that will be used to import the pkcs12 key pair.
4. Create the new .keystore file:
Note: “changeit” is a common password to use when creating the new “keypair.p12” certificate file for Vibe. Consider that .
/opt/novell/teaming/jre/bin/keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore .keystore_new -srckeystore keypair.p12 -srcstoretype PKCS12 -srcstorepass <pass phrase of keypair.p12> -alias tomcat
Note: changeit is the default keytool password.
mv .keystore_new /opt/novell/teaming/apache-tomcat/conf/
cd /opt/novell/teaming/apache-tomcat/conf/
Change the ownership and rights of .keystore_new to match the existing .keystore:
chown --reference .keystore .keystore_new
chmod --reference .keystore .keystore_new
Test Keystore:
keytool -list -keystore .keystore
OR
keytool -list -keystore .keystore -storetype pkcs12
Back up the existing .keystore
mv .keystore .keystore_old
Rename the new .keystore
mv .keystore_new .keystore
systemctl stop vibe
systemctl start vibe
systemctl status vibe
NOTE: After you restart Vibe, give it about 10 minutes before trying to log in at the browser.
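
Added example (not part of the original procedure): a pre-flight check to run in /root/Documents/certs/ before building keypair.p12. It confirms that the private key belongs to the server certificate, that the certificate is not about to expire, and that it chains to the intermediate. The function names and the 30-day threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks before building keypair.p12.
# Function names and the 30-day threshold are assumptions of this example.

# True when the private key ($2) belongs to the certificate ($1):
# both must yield the same public key. Use the passphrase-free key here.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate ($1) is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True when the certificate ($1) chains to the CA certificate in $2.
# -partial_chain lets an intermediate act as the trust anchor for this check.
issued_by() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# usage: preflight <server.crt> <nopass.key> <intermediate.crt>
preflight() {
    rc=0
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 does not match $1 (or a file is unreadable)" >&2; rc=1; }
    cert_valid_for_days "$1" 30 ||
        { echo "FAIL: $1 is expired or expires within 30 days" >&2; rc=1; }
    issued_by "$1" "$3" ||
        { echo "FAIL: $1 does not chain to $3" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: files are consistent, build keypair.p12"
    return "$rc"
}

# Run only when file names are given, e.g.:
#   sh preflight.sh server.crt nopass.key intermediate.crt
[ "$#" -eq 0 ] || preflight "$@"
```

A key that does not match the certificate is the kind of mistake that leads to the failure described in the second Note above, so it is cheaper to catch it here than after Vibe has been restarted.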