Please elaborate more!
Yes, I've used 3rd-party certificates in the past.
The first thing you need to do is use openssl, keytool, or an excellent Windows tool, called keytool explorer, to see what the certificate chain is, if there are intermediate certificates involved in the chain and so forth. With that said, please post the link to where this mysterious "step number five" is, so I know the OS platform you are working on, the exact tool you are attempting to use a third-party certificate with, and what you are attempting to accomplish with this third-party cert, and if it involves an integration of any kind, that would be excellent.
In short, your post is too vague for me to provide better advice. 🙂
~ Michael "OpenView Mike" Stollery
Dear @OpenView_Mike ,
My understanding, as far as hardening configuration is concerned: it's self-signed vs. CA (any third party).
Just had a quick search on digicert related in OBM 2020_10 docs but not sure if there is any specified procedure.
With Kind Regards,
Look what I just accidentally came across...
Using a 3rd Party Certificate Authority with OpsBridge
- Document ID: KM03178704
- Creation Date: 13-Jun-2018
- Modified Date: 22-Jun-2018
- Micro Focus Product(s):
  - operations agent
  - operations bridge manager
~ Michael "OpenView Mike" Stollery
I think this white paper is for a different use case than what silverbacks was inquiring about.
The white paper explains how to use 3rd party CA to create L-Core certificates for Agent to Server communication, which is a very exotic use case.
I think silverbacks wants to use a third party CA to create a certificate for the OBM web server (as configured in the configuration wizard).
I myself create my certificates using openssl, but that of course doesn't make them very trustworthy. Every user will need to import that CA cert into their browser.
Usually your company would have a central IT department that creates certificates for all the web servers. That's where you could request such certificates. You will need to provide them with node names and they give you the certificate along with the trusted certificate and potentially intermediate CAs. Since it's probably the same CA certificate as used by your internal web applications, all your users probably trust this certificate already and don't need to do anything in their web browser.
And then there are companies like DigiCert that sell certificates. I haven't used that so far, but I would assume they have a web form where you give them your node names and money and they give you a certificate.
When requesting certificates, make sure you also specify the Subject Alternative Names. For an installation with 2 GW and DPS, I would request:
Subject: LB (load balancer FQDN)
Subject alternative names: LB, GW1, GW2, DPS1, DPS2
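The request described in the post above, as an added example that is not part of the original thread: a CSR with the load balancer as subject and every gateway and data processing server in the SAN list, built with openssl and then read back to confirm the SANs before it goes to the CA. All `example.test` host names are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: CSR for an OBM web server certificate with Subject
# Alternative Names. Host names are constructed placeholders.
set -eu

# make_csr <outdir> <subject-fqdn> <san-fqdn>...
# Writes req.cnf, server.key and server.csr into <outdir>.
make_csr() {
  outdir=$1; subject=$2; shift 2
  cnf="$outdir/req.cnf"
  {
    printf '%s\n' "[req]" "prompt = no" "distinguished_name = dn" \
      "req_extensions = v3_req" "[dn]" "CN = $subject" \
      "[v3_req]" "subjectAltName = @alt" "[alt]"
    i=1
    for name in "$@"; do
      echo "DNS.$i = $name"
      i=$((i + 1))
    done
  } > "$cnf"
  # The private key never leaves this host; only the CSR is sent to the CA.
  openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
    -keyout "$outdir/server.key" -out "$outdir/server.csr" 2>/dev/null
  chmod 600 "$outdir/server.key"
}

# csr_sans <csr>: print the DNS SAN entries of a CSR, one per line, sorted
csr_sans() {
  openssl req -in "$1" -noout -text |
    grep -o 'DNS:[^, ]*' | cut -d: -f2 | sort
}

# Constructed demo: the 2 GW + 2 DPS layout from the post
out=$(mktemp -d)
make_csr "$out" lb.example.test \
  lb.example.test gw1.example.test gw2.example.test \
  dps1.example.test dps2.example.test
csr_sans "$out/server.csr"
```

The subject name is repeated in the SAN list because browsers match host names against the SAN entries when they are present.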
In this document, I am referring to step 5: how to create a .p12 file when using the command ovcoreid or ovcoreid -ovrg server. Whenever you check the certificate, it gives us the out of authority cert as HP Openview.
Dear @silverbacks ,
I'm not an expert on security/hardening configurations related to OBM, but here is my understanding of step (5), as you had requested.
Step (5) You can use the preferred third party CA to issue two certificates as follows:
- For the node with the CN from the output of
- For the server with the CN from the output of the ovcoreid -ovrg server command.
These certificates must be in p12 format.
Create a copy of the trusted CA certificate in pem format. Copy the certificates to the OBM server.
Generally, in order to generate a certificate from a third party, certain environment-related information needs to be exchanged between the security team and the third party (CA). The CA would require certain information such as server name / FQDN name / URL name / validity of the certificate etc.
In this context, we need to provide them with the output from the OBM servers, by running the commands mentioned, and this ID will be used as the CN (Common Name) entry in the certificate.
C:\Windows\system32>ovcoreid -ovrg server
In general, the cert-related conversation is between the Security Team (or whichever team is responsible for certs in an organization) and the third party (CA), thus our view as tool experts is a bit limited.
With Kind Regards,
I think you should just forget about this white paper. Like I wrote, it's for an exotic use case.
Normally, the OBM installation creates a CA (Certificate Authority) that allows to create certificates for the managed nodes. It is highly automated, and you just need to select the certificate request in the GUI and say grant, and the certificate is created and sent to the managed node.
If you don't like this CA that comes with OBM, you can use your own CA. That means, you first need to replace the already existing certificates with new ones that were created by your company CA.
And for every new managed node, you will need to manually get the OvCoreID of the managed node (because that's the identity of the node), go to your CA and say, give me a certificate with Common Name of the OvCoreID (as reported by ovcoreid command), and then copy and install the certificate.
The third party CA could be either your company's CA, an external CA or a self-created CA for this particular purpose.
The only advantage of having a 3rd party CA would be that the certificate says that the issuer is company xyz instead of O=Hewlett-Packard, OU=OpenView. But it comes at a huge administrative overhead.
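A pre-import check for the manual workflow described in this thread, as an added example that is not part of the original posts or the white paper: it confirms that a .p12 received from the CA carries the OvCoreID as its CN, is not issued by the built-in OpenView CA, and chains to the trusted CA certificate in pem format. The function names and file arguments are hypothetical, and the CA file is assumed to contain any intermediate certificates.

```bash
#!/usr/bin/env bash
# Added example: verify a CA-issued .p12 before installing it.
# Usage (hypothetical file names): check.sh node.p12 <password> <ovcoreid> ca.pem
set -eu

# p12_field <p12> <password> <subject|issuer>
# Prints that name of the leaf certificate in RFC 2253 form.
p12_field() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -nameopt RFC2253 "-$3" | sed "s/^$3= *//"
}

# check_core_cert <p12> <password> <ovcoreid> <ca.pem>
# Returns 0 only if the CN equals the OvCoreID, the issuer is not the
# built-in OBM CA, and the certificate chains to the supplied CA file.
check_core_cert() {
  p12=$1; pass=$2; coreid=$3; ca=$4
  cn=$(p12_field "$p12" "$pass" subject |
    tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
  issuer=$(p12_field "$p12" "$pass" issuer)
  if [ "$cn" != "$coreid" ]; then
    echo "CN '$cn' does not match OvCoreID '$coreid'"
    return 1
  fi
  case $issuer in
    *OU=OpenView*)
      echo "still issued by the built-in CA: $issuer"
      return 1 ;;
  esac
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
      2>/dev/null | openssl verify -CAfile "$ca" >/dev/null 2>&1; then
    echo "certificate does not chain to $ca"
    return 1
  fi
  echo "ok: CN=$cn issuer=$issuer"
}

if [ "$#" -eq 4 ]; then
  check_core_cert "$@"
fi
```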