prasenjitmass Respected Contributor.

How to create self sign certificate for PAM 3.2.0.5

Hi ,
We are using NetIQ PAM 3.2.0.5, and it is used internally. We do not want the system to display "Not Secure" when we access PAM through a browser. We created a certificate request from the hosts->pam server->packages->admin->Request Certificate option.
It was signed by our internal CA and we got the certificate in .cer format. We converted it to certificate.csr, but when we paste it into the "Install certificate" option, it shows the error message "Failed to read .."

Can anyone tell me the exact procedure? Our objective is not to see the "not secure" option.

Thanks
Micro Focus Expert

Re: How to create self sign certificate for PAM 3.2.0.5

The procedure defined in documentation can be found here:
Securing Access to the Framework Manager Console.

Does it make a difference if you install using the .cer format file you receive from the CA? (i.e. .csr is for certificate signing requests, which is the file you received when you export from PAM to have it signed by CA)
I think both file extensions should be read similarly though, so this may not be the issue. Perhaps there is something improper about the actual order of the certificate.

Did you receive a single file from the internal CA or were there other intermediate certificates that should be included as well as part of the chain with the signed server certificate?

There was some problem when reading the certificate chain, so I expect there to be more information in the unifid.log on the server when the logging is set to DEBUG from the Hosts Console.
prasenjitmass Respected Contributor.

Re: How to create self sign certificate for PAM 3.2.0.5

Hi,
Our objective is to see the option "Secured" instead of "not Secured" while accessing the PAM admin console or myaccess page through the URL.
Can anyone help me, please?
Micro Focus Expert

Re: How to create self sign certificate for PAM 3.2.0.5

I responded to this thread with my suggestions, see above. I'll explain some certificate concepts here which hopefully help.

First, the traffic is still happening over https and not http, so it is "secure," but it is secured with a self-signed certificate that the browser provider hasn't established a trust relationship with. To see "Secured" instead of "not Secured" you need to use a trusted certificate, which means it has been signed by a 3rd party certificate authority who has been trusted by the browser. You could also import the certificate manually into the certificate store in the OS and/or browser to manually enforce trust. Or import some internal CA from your environment so that it has been manually trusted by the browser/OS and have the certificate signed by that internal authority.

The private key remains in PAM and the link provided above shows the steps necessary to export a Certificate Signing Request that should be signed by a Certificate Authority. The response from this Authority will be a signed server certificate and perhaps some chain certificates that point to some trusted certificate these browsers hold. Then this signed response is installed as a certificate into PAM.
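An added example, not part of the original thread and not PAM's own code: a standard-library Python check of the points raised in the replies above, namely that the text to be pasted holds PEM certificates rather than a signing request or binary DER, and that each certificate is followed by the certificate of its issuer. The function names and sample names are hypothetical, the sample certificates are constructed DER skeletons, and the server-first order it checks is the usual convention, assumed here rather than taken from the PAM documentation.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos: return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_subject(der_bytes):
    """Return the raw issuer and subject Name bytes of an X.509 certificate."""
    tbs = tlv(tlv(der_bytes, 0)[1], 0)[1]   # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 5:
        tag, value, pos = tlv(tbs, pos)
        if tag != 0xA0:                     # skip the optional [0] version
            fields.append(value)
    return fields[2], fields[4]             # serial, sigAlg, ISSUER, validity, SUBJECT

def check_bundle(text):
    """List problems in text about to be pasted as a server certificate chain."""
    blocks = PEM_RE.findall(text)
    if not blocks:
        return ["no PEM block found (binary DER .cer, or truncated paste?)"]
    problems, names = [], []
    for label, body in blocks:
        if label == "CERTIFICATE":
            names.append(issuer_subject(base64.b64decode(body)))
        else:                               # e.g. the CSR exported for signing
            problems.append(f"{label} block found where a certificate is expected")
    for i, ((issuer, _), (_, parent)) in enumerate(zip(names, names[1:]), 1):
        if issuer != parent:                # byte-wise Name comparison
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems

# Constructed sample data: DER skeletons holding only the fields read above.
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body   # short-form length, bodies < 128 bytes
def sample_pem(issuer, subject, label="CERTIFICATE"):
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30),
              name(issuer), der(0x30), name(subject))
    b64 = base64.b64encode(der(0x30, tbs)).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"
SERVER = sample_pem("Example Issuing CA", "pam.example.internal")
INTERMEDIATE = sample_pem("Example Root CA", "Example Issuing CA")
```

`check_bundle` returns an empty list for a server certificate followed by its issuing CA, and one message per problem otherwise.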