Sentinel Using Externally Signed Certificates
By default Sentinel creates a self-signed certificate for its web server that is valid for 100 years. Browsers and API clients cannot verify a self-signed certificate, so for security reasons the certificate should be signed by a trusted Certificate Authority (CA).
This document describes the steps involved in creating a custom certificate for Sentinel with the third-party CA.
I am using a free SSL trial from an external Certificate Authority (Thawte) here for testing.
Step 1:
Creating the Certificate Signing Request
/opt/novell/sentinel/jdk/jre/bin/keytool -genkey -alias webserver -validity 365 -storetype JKS -keyalg RSA -keysize 2048 -storepass password -keypass password -keystore .webserverkeystore.jks -dname "CN=server1.Atlas.com,OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US" -ext san=dns:server1.Atlas.com,dns:server2.Atlas.com && /opt/novell/sentinel/jdk/jre/bin/keytool -certreq -alias webserver -file .webserverkeystore.csr -keystore .webserverkeystore.jks -storepass password
Note:
- The above command first generates a new RSA key pair (with a temporary self-signed certificate) in the keystore .webserverkeystore.jks, then generates a Certificate Signing Request (CSR) for it in PKCS#10 format.
- The -validity 365 value only applies to the temporary self-signed certificate; the validity of the final certificate is set by the CA.
- The CN and the san extension should both contain the FQDN that users will type into the browser, because browsers validate the Subject Alternative Name, not the CN. Before submitting the CSR, confirm that it contains the expected subject and SAN (for example with openssl req -in .webserverkeystore.csr -noout -text).
- A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, which is used to replace the existing certificate chain (initially the self-signed certificate) in the keystore.
- Passing -storepass and -keypass on the command line exposes the password in the process list and the shell history; use a strong password instead of "password" and consider keytool's -storepass:env or -storepass:file forms.
Step 2:
Getting a Signed Certificate
Go to your third-party CA website, e.g. http://www.thawte.com/
I am using a free SSL Trial here for testing.
Step 3:
Check your inbox for an email from Thawte.
This email will contain your signed certificate, the intermediate certificate and the root certificate. Save the three certificates as PEM files (the commands below assume signedcert.pem, intermediate.pem and root.pem).
Step 4:
Importing the signed certificate, the intermediate certificate and the root certificate into the Sentinel keystore
Now we need to import the certificates saved in step 3 into the .webserverkeystore.jks keystore generated in step 1.
- Copy the .webserverkeystore.jks file (generated in step 1) and the certificates saved in step 3 to the Sentinel server.
- Backup the default self-signed certificate:
Command:
mv /etc/opt/novell/sentinel/config/.webserverkeystore.jks /etc/opt/novell/sentinel/config/.webserverkeystore.jks_bkp
- Copy the .webserverkeystore.jks file from the first bullet to /etc/opt/novell/sentinel/config/
Command:
cp .webserverkeystore.jks /etc/opt/novell/sentinel/config/
Note: make sure this file is owned by the novell user (the account Sentinel runs as) and is not readable by other users, because it contains the server's private key.
- Import the intermediate certificate first, then the root certificate, and then the signed certificate. When a CA certificate is imported before its issuer is present in the keystore, keytool asks "Trust this certificate? [no]:"; compare the printed fingerprint with the one published by the CA before answering yes.
- Command to import intermediate certificate:
/opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias inter -file /opt/cert/intermediate.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password
- Command to import root certificate:
/opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias root -file /opt/cert/root.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password
- Command to import signedcert:
/opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias webserver -file /opt/cert/signedcert.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password
Note:
- The intermediate and root certificates should have different alias names, but the signed certificate must be imported with the same alias that was used when creating the key pair (webserver). Importing it under a different alias creates a separate trusted-certificate entry instead of replacing the self-signed certificate of the key pair.
- For the intermediate and root certificates keytool prints "Certificate was added to keystore". After importing the signed certificate you should see the message "Certificate reply was installed in keystore".
Step 5:
- Now list the keystore and check if all the certificates are imported successfully.
Command:
/opt/novell/sentinel/jdk/jre/bin/keytool -list -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password
- To get a detailed output:
Command:
/opt/novell/sentinel/jdk/jre/bin/keytool -list -v -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password
Note:
Check for the following in the detailed output:
Alias name: webserver
Entry type: PrivateKeyEntry
Certificate chain length: 3
Step 6:
Restart sentinel service
Command:
rcsentinel restart
Step 7:
If the CA is not already trusted by your browser (as is the case with a trial CA), import the intermediate certificate and the root certificate into the browser of your choice. Then access the Sentinel server using the FQDN that is in the certificate; using the IP address or a different host name still produces a certificate warning.
Ex: https://server1.atlas.com:8443/
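The whole procedure above, from the CSR to the final listing check, as an added shell example (this is not code from the original article or from Sentinel). It assumes the paths used in the article, that the keystore password is supplied through the KEYSTORE_PASS environment variable using keytool's -storepass:env form instead of on the command line, and that Sentinel runs as the novell user and group. The check_listing function parses "keytool -list -v" output the way step 5 tells you to read it, and is exercised on two constructed listings: one where the CA reply was installed and one where the key pair is still backed by its self-signed certificate.

```shell
#!/bin/sh
# Added example, not part of the original article or of Sentinel.
# Assumptions (mine): article paths; KEYSTORE_PASS holds the keystore/key
# password; Sentinel runs as user and group "novell".

KEYTOOL=${KEYTOOL:-/opt/novell/sentinel/jdk/jre/bin/keytool}
KEYSTORE=${KEYSTORE:-/etc/opt/novell/sentinel/config/.webserverkeystore.jks}
CERT_DIR=${CERT_DIR:-/opt/cert}
FQDN=${FQDN:-server1.Atlas.com}

# Step 1: key pair plus PKCS#10 CSR. The FQDN goes into both CN and SAN,
# because browsers validate the SAN.
gen_csr() {
    "$KEYTOOL" -genkeypair -alias webserver -validity 365 -storetype JKS \
        -keyalg RSA -keysize 2048 -keystore "$KEYSTORE" \
        -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS \
        -dname "CN=$FQDN, OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US" \
        -ext "san=dns:$FQDN" &&
    "$KEYTOOL" -certreq -alias webserver -file "$CERT_DIR/webserver.csr" \
        -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS
}

# Step 4: CA certificates first, then the CA reply under the alias of the key
# pair so keytool replaces the self-signed chain instead of adding a new entry.
# Afterwards the keystore (which holds the private key) is locked down.
import_chain() {
    "$KEYTOOL" -importcert -alias inter -file "$CERT_DIR/intermediate.pem" \
        -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS &&
    "$KEYTOOL" -importcert -alias root -file "$CERT_DIR/root.pem" \
        -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS &&
    "$KEYTOOL" -importcert -alias webserver -file "$CERT_DIR/signedcert.pem" \
        -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS &&
    chown novell:novell "$KEYSTORE" && chmod 600 "$KEYSTORE"
}

# Step 5 check: reads "keytool -list -v" output on stdin and succeeds only if
# alias $1 is a PrivateKeyEntry whose chain holds $2 certificates
# (3 = server certificate + intermediate + root).
check_listing() {
    awk -v want="$1" -v chain="$2" '
        /^Alias name: /                            { inblock = ($3 == want) }
        inblock && /^Entry type: PrivateKeyEntry$/ { pk = 1 }
        inblock && /^Certificate chain length: /   { len = ($4 == chain) }
        END { exit (pk && len) ? 0 : 1 }
    '
}

# Step 5 on the live keystore (needs keytool and KEYSTORE_PASS).
verify_keystore() {
    "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS |
        check_listing webserver 3
}

# Constructed sample listing (not real keytool output) after a successful import.
SAMPLE_OK='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: inter
Creation date: Jun 6, 2017
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example CA Inc, C=US
Issuer: CN=Example Root CA, O=Example CA Inc, C=US

Alias name: webserver
Creation date: Jun 6, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=server1.Atlas.com, OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US
Issuer: CN=Example Intermediate CA, O=Example CA Inc, C=US'

# Constructed sample listing where the CA reply was never installed: the key
# pair is still backed by its self-signed certificate (chain length 1).
SAMPLE_NOT_INSTALLED='Alias name: webserver
Creation date: Jun 6, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=server1.Atlas.com, OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US
Issuer: CN=server1.Atlas.com, OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US'

listing_ok()            { printf '%s\n' "$SAMPLE_OK" | check_listing webserver 3; }
listing_not_installed() { printf '%s\n' "$SAMPLE_NOT_INSTALLED" | check_listing webserver 3; }

# Run "sh thisscript.sh selftest" to exercise the listing check offline.
if [ "${1:-}" = "selftest" ]; then
    listing_ok && ! listing_not_installed && echo "check_listing: OK"
fi
```

On the real server run gen_csr, submit the CSR, place the three PEM files in /opt/cert, run import_chain, then verify_keystore before restarting Sentinel; a failing verify_keystore means the reply was not installed under the webserver alias and the server would still present the self-signed certificate.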
DISCLAIMER:
Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Note: newer JDK builds of keytool print the following warning after each of the commands above. Sentinel expects the JKS keystore at this path, so do not migrate the file unless the Sentinel documentation says the installed version supports PKCS12 keystores.
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore .webserverkeystore.jks -destkeystore .webserverkeystore.jks -deststoretype pkcs12".