
UCMDB Support Tip: How to configure SSL on ucmdb server with CA signed certificate

A common approach is to use Microsoft MMC to export the certificate into a PFX file and then use keytool to convert the PFX into Java keystore format. It is important to note that the same password used to export the PFX file must also be used as the password for the keystore file and for the inner key.

The following steps can be used as reference:

1. Generating keystore:

     a. Configure SSL for client/server communication:

         i. Generate a certificate request on the application server as follows:
        • Start > run > mmc > OK
        • File > Add/Remove snapin
        • Certificates > Computer Account > OK, etc…
         ii. On “Personal” folder, right click and choose “advanced operations” > “custom request”
         iii. Next > “(no template) Legacy Key” as template
         iv. Format = PKCS #10 (default)
         v. Next > Details > Properties
         vi. Do tabs from right to left:
        • Private Key Tab: Set type as Exchange (NOT signature, which is the default)
        • Key Options Tab: Enable “allow export” option (do NOT check “strong private key protection” and do NOT check “key archival”); Set the key size
        • Extensions Tab: under enhanced key usage, select server authentication and add it to the list on the right hand side
        • Subject Tab: Add a common name entry as the dns service alias of the server
        • General Tab: Add descriptive text
         vii. OK > save to c:\...etc. (i.e. c:\cert_req.csr)

     b. Have this certificate signed by a CA

     c. Back on the application server double click the cmdbd.cer file from where you saved it above and proceed to install the certificate

     d. Open the certificate console again (mmc > add/remove snapins > certificates > Computer Account) and right click “personal” folder then choose import.  Find the signed certificate and import it
         i. Browse to the certificate from the certificates folder under the “Personal” parent folder and right click it > All Tasks > export > Next > Yes > Next > Next > Choose a password and remember it (you must use this password when generating keystore file) > Next > finish (save it to \hp\UCMDB\UCMDBServer\conf\security as cmdb_cert.pfx for example)

     e. Ensure CMDB services are stopped, then delete \hp\UCMDB\UCMDBServer\conf\security\server.keystore (or move it to a network path, NOT on the same server, because uCMDB will find it and load the wrong one or attempt to load both!)
         i. Right click cmd.exe from start menu and choose “run as administrator” then change directory to \hp\UCMDB\UCMDBServer\bin\jre\bin
         ii. From this path, execute the following one line command to convert the keystore type from PKCS12 to JAVA:
keytool -importkeystore -srckeystore c:\hp\UCMDB\UCMDBServer\conf\security\cmdb_cert.pfx -srcstoretype PKCS12 -destkeystore c:\hp\UCMDB\UCMDBServer\conf\security\server.keystore


Note: you will be asked for the destination keystore password twice (the default keystore password is hppass), and then for the password you set on the exported pfx certificate earlier.

Important: you must use the same password used to create the pfx file in step d above.

2. Reboot the server and start the uCMDB services, then browse to https://<ucmdb>:8443/status and log into uCMDB at https://<ucmdb>:8443/ucmdb to validate that SSL is working

3. If SSL is working, disable HTTP (recommended)

4. Change the default keystore and truststore passwords using JMX (reference the hardening guide). You must use the same password as the password for the keystore and pfx files.
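As an added example (not part of the original tip or the UCMDB product), steps d and e scripted in PowerShell: the certificate is exported from the Local Machine "Personal" store as a PFX, converted to server.keystore with the bundled keytool using one password for the PFX, the keystore and the inner key, and the result is checked with keytool -list. The subject name, install path and the UCMDB service name pattern are assumptions you must adjust.

```powershell
# Added example, not from the original post. Assumes the paths used in the tip above.
param(
    [Parameter(Mandatory)][string]$Subject,            # e.g. "CN=ucmdb.example.com" (placeholder)
    [string]$UcmdbHome = "C:\hp\UCMDB\UCMDBServer"     # assumed install path
)

$security = Join-Path $UcmdbHome "conf\security"
$keytool  = Join-Path $UcmdbHome "bin\jre\bin\keytool.exe"
$pfx      = Join-Path $security "cmdb_cert.pfx"
$keystore = Join-Path $security "server.keystore"

# One password for everything: PFX export, destination keystore and the private key inside it.
$secure = Read-Host "Password for PFX, keystore and key" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new("", $secure).Password

# Select the CA-signed server certificate by subject; it must carry an exportable private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for '$Subject' in LocalMachine\My" }

# Step d: export with private key (equivalent of MMC > All Tasks > Export > "Yes, export the private key").
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $secure -Force | Out-Null

# Step e: services must be stopped and the old keystore must already be gone from this server.
# "*UCMDB*" is an assumed service name pattern; adjust to the names installed on your host.
$running = Get-Service -Name "*UCMDB*" -ErrorAction SilentlyContinue | Where-Object { $_.Status -eq 'Running' }
if ($running) { throw "Stop the UCMDB services before replacing the keystore: $($running.Name -join ', ')" }
if (Test-Path $keystore) { throw "Move $keystore off this server first (see step e), then rerun" }

# Convert PKCS12 -> JKS. -destkeypass pins the inner key password to the store password explicitly.
& $keytool -importkeystore -noprompt `
    -srckeystore $pfx -srcstoretype PKCS12 -srcstorepass $plain `
    -destkeystore $keystore -deststoretype JKS -deststorepass $plain -destkeypass $plain
if ($LASTEXITCODE -ne 0) { throw "keytool -importkeystore failed with exit code $LASTEXITCODE" }

# Verify: the store opens with that password and holds exactly one PrivateKeyEntry.
$listing = & $keytool -list -keystore $keystore -storepass $plain
$entries = @($listing | Select-String -SimpleMatch 'PrivateKeyEntry')
if ($entries.Count -ne 1) { throw "Expected one PrivateKeyEntry in $keystore, found $($entries.Count)" }
Write-Host "server.keystore written. Next: start the services, test https://<ucmdb>:8443/status, then set the same password via JMX (step 4)."
```

Run it from an elevated PowerShell session, since the Local Machine store and the UCMDB conf\security folder require administrator rights.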


Reference: http://support.openview.hp.com/selfsolve/document/KM00394511
