UCMDB Support Tip: How to configure SSL on ucmdb server with CA signed certificate
A common approach is to export the certificate into a pfx file with Microsoft MMC and then use keytool to convert the pfx into Java keystore format. It is important to note that the password used to export the pfx file must also be used as the password for the keystore file and for the inner key.
The following steps can be used as reference:
1. Generating keystore:
a. Configure SSL for client/server communication:
i. Generate a certificate request on the application server as follows:
• Start > run > mmc > OK
• File > Add/Remove snapin
• Certificates > Computer Account > OK, etc…
ii. On “Personal” folder, right click and choose “advanced operations” > “custom request”
iii. Next > “(no template) Legacy Key” as template
iv. Format = PKCS #10 (default)
v. Next > Details > Properties
vi. Do tabs from right to left:
• Private Key Tab: Set type as Exchange (NOT signature, which is the default)
• Key Options Tab: Enable “allow export” option (do NOT check “strong private key protection” and do NOT check “key archival”); Set the key size
• Extensions Tab: under enhanced key usage, select server authentication and add it to the list on the right hand side
• Subject Tab: Add a common name entry as the dns service alias of the server
• General Tab: Add descriptive text
vii. OK > save to c:\...etc. (e.g. c:\cert_req.csr)
b. Have this certificate signed by a CA
c. Back on the application server, double-click the signed certificate file (cmdbd.cer) from where you saved it above and proceed to install the certificate
d. Open the certificate console again (mmc > add/remove snapins > certificates > Computer Account) and right click “personal” folder then choose import. Find the signed certificate and import it
i. Browse to the certificate from the certificates folder under the “Personal” parent folder and right click it > All Tasks > export > Next > Yes > Next > Next > Choose a password and remember it (you must use this password when generating keystore file) > Next > finish (save it to \hp\UCMDB\UCMDBServer\conf\security as cmdb_cert.pfx for example)
e. Ensure the CMDB services are stopped, then delete \hp\UCMDB\UCMDBServer\conf\security\server.keystore (or move it to a network path, NOT on the same server, because uCMDB will find it and load the wrong one or attempt to load both!)
i. Right click cmd.exe from start menu and choose “run as administrator” then change directory to \hp\UCMDB\UCMDBServer\bin\jre\bin
ii. From this path, execute the following one-line command to convert the keystore type from PKCS12 to Java keystore (JKS):
keytool -importkeystore -srckeystore c:\hp\UCMDB\UCMDBServer\conf\security\cmdb_cert.pfx -srcstoretype PKCS12 -destkeystore c:\hp\UCMDB\UCMDBServer\conf\security\server.keystore
Note: you will be asked for the keystore password (hppass by default) twice, and then for the password you set on the exported pfx certificate earlier.
Important: you must use the same password that was used to create the pfx file in step d above.
2. If SSL is working, disable HTTP (recommended)
3. Change the default keystore and truststore passwords using JMX (reference the hardening guide). You must use the same password as the password for the keystore and pfx files.
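The conversion in step 1.e.ii, as an added PowerShell example that is not part of the original tip or of the UCMDB product: it runs the bundled keytool with one password passed explicitly for the pfx, the new keystore and the inner key (so the three cannot drift apart), refuses to overwrite an existing server.keystore, and then verifies that the new store opens with that password and holds exactly one private key entry. The install path, file names and the interactive password prompt are assumptions; adjust them to your server.

```powershell
# Added example (not from the original post): convert the exported PFX into
# server.keystore with keytool, using ONE password for the PFX, the keystore
# and the inner key, as the tip requires. Paths are assumptions.
$ErrorActionPreference = 'Stop'

$UcmdbRoot   = 'C:\hp\UCMDB\UCMDBServer'                  # assumed install path
$Keytool     = Join-Path $UcmdbRoot 'bin\jre\bin\keytool.exe'
$SecurityDir = Join-Path $UcmdbRoot 'conf\security'
$Pfx         = Join-Path $SecurityDir 'cmdb_cert.pfx'      # exported in step 1.d
$Keystore    = Join-Path $SecurityDir 'server.keystore'

# One password for pfx, keystore and inner key; read it interactively rather
# than hard-coding it in the script.
$Secure   = Read-Host -Prompt 'PFX export password' -AsSecureString
$Password = [System.Net.NetworkCredential]::new('', $Secure).Password

if (-not (Test-Path $Pfx)) { throw "PFX not found: $Pfx" }
if (Test-Path $Keystore) {
    # Step 1.e: the old keystore must be gone from this server before converting.
    throw "Existing $Keystore found. Stop the CMDB services and move it off this server first (step 1.e)."
}

# Step 1.e.ii: PKCS12 -> JKS. -srcstorepass opens the pfx; -deststorepass and
# -destkeypass set the keystore and inner-key passwords to the same value.
& $Keytool -importkeystore `
    -srckeystore  $Pfx      -srcstoretype  PKCS12 -srcstorepass  $Password `
    -destkeystore $Keystore -deststoretype JKS    -deststorepass $Password -destkeypass $Password
if ($LASTEXITCODE -ne 0) { throw "keytool -importkeystore failed with exit code $LASTEXITCODE" }

# Verify: the store must open with the same password and contain one PrivateKeyEntry.
$Listing = & $Keytool -list -v -keystore $Keystore -storetype JKS -storepass $Password
if ($LASTEXITCODE -ne 0) { throw "Could not open $Keystore with the supplied password" }
$Entries = ($Listing | Select-String 'PrivateKeyEntry').Count
if ($Entries -ne 1) { throw "Expected 1 PrivateKeyEntry in $Keystore, found $Entries" }

# Show the alias, subject, validity and key-usage lines so the operator can
# confirm the CN matches the DNS alias and Server Authentication is present.
$Listing | Select-String 'Alias name|Owner:|Valid from|ServerAuth|Extended'
Write-Host "server.keystore created. Continue with steps 2 and 3 (disable HTTP, set the store passwords via JMX)."
```

Run it from an elevated PowerShell prompt, as step 1.e.i does for cmd.exe. Passing the password on the keytool command line keeps the three passwords identical but exposes it briefly to anyone who can list processes on the box, which is why the script prompts for it instead of storing it; if that is a concern, drop the -srcstorepass/-deststorepass/-destkeypass arguments and type the same value at each of keytool's prompts.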