
Anyone tried to use 3rd party CA cert?

There's documentation about it, but step #5 is confusing. Has anyone tried it?
Micro Focus Expert

Please elaborate more!

Regards,
Mahmoud Ibrahim
https://www.itmthoughts.com
New version of Mahmoudthoughts written by other IT experts; if you want to share tips and tricks, you are invited to join and write your own articles.
  • Say thanks by clicking the "Thumbs Up!" which is on the left.

  • Make it easier for other people to find solutions, by marking my answer with "Accept as Solution" if it solves your issue.
    Yes, I've used 3rd-party certificates in the past.

    The first thing you need to do is use openssl, keytool, or an excellent Windows tool, called keytool explorer, to see what the certificate chain is, if there are intermediate certificates involved in the chain and so forth. With that said, please post the link to where this mysterious "step number five" is, so I know the OS platform you are working on, the exact tool you are attempting to use a third-party certificate with, and what you are attempting to accomplish with this third-party cert, and if it involves an integration of any kind, that would be excellent.

    In short, your post is too vague for me to provide better advice. 🙂

    Best Regards,

    ~ Michael "OpenView Mike" Stollery
    Micro Focus Expert

    Dear @silverbacks,

    If you mean OBM 2020.10, then here is the link.

    https://docs.microfocus.com/itom/Operations_Bridge_Manager:2020.10/ConfigTLS

    With Kind Regards,

    Third-party certs would refer to vendors such as Digicert, Sectigo, etc.

    Best Regards,

    ~ Michael "OpenView Mike" Stollery
    Micro Focus Expert

    Dear @OpenView_Mike,

    My understanding, as far as hardening configuration is concerned, is that it's self-signed vs. CA (any third party).

    Just had a quick search for DigiCert-related material in the OBM 2020.10 docs, but I'm not sure if there is any specified procedure.

    With Kind Regards,

    Look Here:

    Obtain server certificates from a CA (microfocus.com)

    Best Regards,

    ~ Michael "OpenView Mike" Stollery

    Look what I just accidentally came across...

    MySupport - Micro Focus Software Support (softwaregrp.com)

    Using a 3rd Party Certificate Authority with OpsBridge

    KM03178704

    Summary

    This white paper provides all the necessary steps to use a 3rd party Certificate Authority (CA) for a secure communication environment for Operations Bridge Manager (OBM) and Operations Agent (OA),
    Best Regards,

    ~ Michael "OpenView Mike" Stollery
    Micro Focus Expert

    Hello Michael,

    I think this white paper is for a different use case than what silverbacks was inquiring about.

    The white paper explains how to use 3rd party CA to create L-Core certificates for Agent to Server communication, which is a very exotic use case.

    I think silverbacks wants to use a third party CA to create a certificate for the OBM web server (as configured in the configuration wizard).

    I myself create my certificates using openssl, but that of course doesn't make them very trustworthy. Every user will need to import that CA cert into their browser.

    Usually your company would have a central IT department that creates certificates for all the web servers. That's where you could request such certificates. You will need to provide them with node names and they give you the certificate along with the trusted certificate and potentially intermediate CAs. Since it's probably the same CA certificate as used by your internal web applications, all your users probably trust this certificate already and don't need to do anything in their web browser.

    And then there are companies like Digicert that sell certificates. I haven't used that so far, but I would assume they have a web form where you give them your node names and money and they give you a certificate.

    When requesting certificates, make sure you also specify the Subject Alternative Names. For an installation with 2 GW and DPS, I would request:

    Subject: LB (load balancer FQDN)

    Subject alternative names: LB, GW1, GW2, DPS1, DPS2

    Best regards,
    Tobias

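As an added example (not code from this thread and not Micro Focus's own tooling), here is how the request Tobias describes can be produced with openssl: a private key and CSR whose subject CN is the load balancer and whose Subject Alternative Names list the load balancer, both gateways and both data-processing servers, followed by a read-back of the SANs so the request can be checked before it goes to the CA. The host names, the working directory and the config section names are constructed placeholders; the real CA's submission process is out of scope here.

```shell
#!/bin/sh
# Added example, not from the thread: key + CSR for the OBM web server
# certificate with the LB as CN and LB/GW/DPS hosts as DNS SANs, plus checks.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Constructed placeholder host names; replace with your real FQDNs.
LB="${LB:-obm-lb.example.com}"
SAN_HOSTS="${SAN_HOSTS:-obm-lb.example.com obm-gw1.example.com obm-gw2.example.com obm-dps1.example.com obm-dps2.example.com}"

# Write an openssl req config: subject from [dn], a subjectAltName extension
# listing every host in $SAN_HOSTS as a DNS entry, and serverAuth EKU.
write_csr_config() {
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n\n'
    printf '[dn]\nCN = %s\n\n' "$LB"
    printf '[ext]\nsubjectAltName = @alt\nextendedKeyUsage = serverAuth\n\n[alt]\n'
    i=1
    for h in $SAN_HOSTS; do
      printf 'DNS.%d = %s\n' "$i" "$h"
      i=$((i + 1))
    done
  } > "$WORKDIR/webserver.cnf"
}

# Fresh RSA key and CSR generated from that config.
make_webserver_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORKDIR/webserver.cnf" \
    -keyout "$WORKDIR/webserver.key" -out "$WORKDIR/webserver.csr" 2>/dev/null
}

# Subject of the CSR in RFC 2253 form, e.g. "CN=obm-lb.example.com".
csr_subject_cn() {
  openssl req -in "$WORKDIR/webserver.csr" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//'
}

# DNS SANs of the CSR, one host per line, in the order requested.
csr_san_dns() {
  openssl req -in "$WORKDIR/webserver.csr" -noout -text \
    | sed -n 's/^ *DNS:/DNS:/p' | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Returns 0 only when every host in $SAN_HOSTS appears in the CSR's SAN list;
# a CSR missing a gateway or DPS name should never be sent to the CA.
csr_has_all_sans() {
  sans="$(csr_san_dns)"
  for h in $SAN_HOSTS; do
    echo "$sans" | grep -qx "$h" || return 1
  done
}

write_csr_config
make_webserver_csr
echo "CN:   $(csr_subject_cn)"
echo "SANs: $(csr_san_dns | tr '\n' ' ')"
```

Send `webserver.csr` to the CA and keep `webserver.key` on the server; the CA's reply (certificate plus any intermediate CA certificates) is what goes into the OBM configuration wizard.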
    Lieutenant

    https://docs.microfocus.com/itom/Operations_Bridge_Manager:2020.10/PN/Using_Third_Party_Certificate_Authority_with_OBM_and_Operations_Agent

    In this document, I am referring to step 5: how to create a .p12 file when using the command ovcoreid or ovcoreid -ovrg server. Whenever you check the certificate, it shows the authority of the cert as HP OpenView.

    Thanks

    Micro Focus Expert

    Dear @silverbacks,

    I'm not an expert on security/hardening configurations related to OBM, but here is my understanding of step (5) that you asked about.

    ==============================================================================

    Step (5) You can use the preferred third party CA to issue two certificates as follows:

    • For the node with the CN from the output of ovcoreid command.
    • For the server with the CN from the output of ovcoreid -ovrg server command.
      These certificates must be in p12 format.
      Create a copy of the trusted CA certificate in pem format. Copy the certificates to the OBM server.

    ==============================================================================

    Generally, in order to have a certificate generated by a third party, certain environment-related information needs to be exchanged between the security team and the third party (CA). The CA would require information such as the server name / FQDN / URL, the validity of the certificate, etc.

    In this context, we need to provide them with the output from the OBM servers, obtained by running the commands mentioned, and this ID will be used as the CN (Common Name) entry in the certificate.

    ==============================================================================

    C:\Windows\system32>ovcoreid
    c6016e2d-d113-4b7d-a831-ef0a251a2081

    C:\Windows\system32>ovcoreid -ovrg server
    a2fc44e2-1ca2-75bf-09d2-d2dcbe8dee92

    ==============================================================================

    In general, cert-related conversation is between the security team (or whichever team is responsible for certs in the organization) and the third party (CA); thus our view, as tool experts, is a bit limited.

    With Kind Regards,

    Micro Focus Expert

    Hello Silverbacks,

    I think you should just forget about this white paper. Like I wrote, it's for an exotic use case.

    Normally, the OBM installation creates a CA (Certificate Authority) that allows creating certificates for the managed nodes. It is highly automated, and you just need to select the certificate request in the GUI and say grant, and the certificate is created and sent to the managed node.

    If you don't like this CA that comes with OBM, you can use your own CA. That means, you first need to replace the already existing certificates with new ones that were created by your company CA.

    And for every new managed node, you will need to manually get the OvCoreID of the managed node (because that's the identity of the node), go to your CA and say, give me a certificate with Common Name of the OvCoreID (as reported by ovcoreid command), and then copy and install the certificate.

    The third party CA could be either your company's CA, an external CA or a self-created CA for this particular purpose.

    The only advantage of having a 3rd party CA would be that the certificate says that the issuer is company xyz instead of O=Hewlett-Packard, OU=OpenView. But it comes at a huge administrative overhead.

    Best regards,
    Tobias
