Akansha

How can I renew the Single Sign-On certificate in Service Catalog

I have a certificate for SSO for Service Catalog that is going to expire soon. Please assist in renewing the certificate.

zafar291_1

Re: How can I renew the Single Sign-On certificate in Service Catalog

If the certificate is from a third party then you have to contact them and they will renew it and give the certificate to you. And if it is a locally, manually created certificate then you have to create it again.

Akansha

Re: How can I renew the Single Sign-On certificate in Service Catalog

Yes, the certificate is from a third party and they no longer support us. They have given us the new certificate file and have asked us to renew it by ourselves.

Please assist: how can we do so?

Thanks,

Akansha

zafar291_1

Re: How can I renew the Single Sign-On certificate in Service Catalog

You have to use keytool to import the new certificate:

keytool -import -alias <servicemanager> -keystore <path of cacerts file> -trustcacerts -file <path and name of file provided>

You can check on Google; after reading 4-5 articles on this you will surely be able to do it.
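
The import command above puts the renewed certificate into the Java cacerts file under an alias. Since the thread started with a certificate that is about to expire, here is an added example (my own code, not from this thread, from Micro Focus or from Service Manager) that parses the text printed by `keytool -list -v -keystore <keystore> -storepass <password>` and lists the aliases whose certificate is already expired or expires within a warning window. The sample keytool output, the alias names, the DNs and the dates embedded in it are constructed; the function names (`parse_keytool_list`, `expiring_entries`, `check_keystore`) are my own.

```python
"""Report keystore entries that are close to expiry, from `keytool -list -v` output.

Added example, not from the thread: parses what
    keytool -list -v -keystore <keystore> -storepass <password>
prints and lists aliases whose own certificate expires within a warning window.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v` output (aliases, DNs and dates are made up).
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: myserver
Creation date: Jan 10, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=smserver.example.com, OU=IT, O=Example, C=US
Issuer: CN=ca.example.com, OU=IT, O=Example, C=US
Serial number: 1a2b3c
Valid from: Fri Jan 10 10:00:00 UTC 2020 until: Sat Jan 09 10:00:00 UTC 2021
Certificate[2]:
Owner: CN=ca.example.com, OU=IT, O=Example, C=US
Issuer: CN=ca.example.com, OU=IT, O=Example, C=US
Serial number: 0
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Mon Dec 30 00:00:00 UTC 2024

*******************************************
*******************************************

Alias name: servicemanager
Creation date: Mar 01, 2020
Entry type: trustedCertEntry

Owner: CN=sso.example.com, O=Third Party, C=US
Issuer: CN=Third Party Root, O=Third Party, C=US
Serial number: 4d5e6f
Valid from: Sun Mar 01 00:00:00 UTC 2020 until: Tue Feb 02 00:00:00 UTC 2021

*******************************************
*******************************************

Alias name: clientweb
Creation date: Mar 01, 2020
Entry type: trustedCertEntry

Valid from: Sun Mar 01 00:00:00 UTC 2020 until: Mon Mar 01 00:00:00 UTC 2027
"""

ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$")
TYPE_RE = re.compile(r"^Entry type:\s*(\S+)")
VALID_RE = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+?)\s*$")


def _parse_keytool_date(text):
    """Parse 'Fri Jan 10 10:00:00 UTC 2020'. The zone name is dropped because
    strptime's %Z accepts only a few names; day precision is enough for expiry checks."""
    parts = text.split()
    if len(parts) == 6:          # weekday month day time zone year
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_keytool_list(output):
    """One record per alias: alias, entry type and the validity of the entry's own
    certificate. For a PrivateKeyEntry keytool prints every certificate in the chain;
    the first 'Valid from' line after the alias is Certificate[1], the entry's own
    certificate, and the issuer certificates that follow are ignored."""
    entries, current = [], None
    for line in output.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            current = {"alias": m.group(1), "entry_type": None,
                       "not_before": None, "not_after": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = TYPE_RE.match(line)
        if m:
            current["entry_type"] = m.group(1)
            continue
        m = VALID_RE.match(line)
        if m and current["not_after"] is None:
            current["not_before"] = _parse_keytool_date(m.group(1))
            current["not_after"] = _parse_keytool_date(m.group(2))
    return entries


def expiring_entries(entries, now, warn_days=30):
    """(alias, days_left) for entries expired or expiring within warn_days,
    soonest first; a negative days_left means the certificate is already expired."""
    cutoff = now + timedelta(days=warn_days)
    result = [(e["alias"], (e["not_after"] - now).days)
              for e in entries
              if e["not_after"] is not None and e["not_after"] <= cutoff]
    return sorted(result, key=lambda r: r[1])


def check_keystore(output, today, warn_days=30):
    """Convenience wrapper: `today` as 'YYYY-MM-DD'; returns [(alias, days_left), ...]."""
    return expiring_entries(parse_keytool_list(output),
                            datetime.strptime(today, "%Y-%m-%d"), warn_days)


if __name__ == "__main__":
    for alias, days in check_keystore(SAMPLE_KEYTOOL_OUTPUT, "2020-12-20", warn_days=60):
        print(f"{alias}: " + ("EXPIRED" if days < 0 else f"expires in {days} days"))
```

Feed the real `keytool -list -v` text into `check_keystore` with the current date; anything with a negative day count is already expired and will break the SSL handshake until replaced. Two keytool behaviours worth knowing when you then do the renewal: keytool refuses to import a certificate under an alias that already exists in the keystore, so either delete the old entry (`keytool -delete -alias <alias>`) first or import the new one under a fresh alias; and for a PrivateKeyEntry the chain certificates also have expiry dates, so a renewed leaf certificate does not help if the issuing CA certificate in cacerts has expired too.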

sanyada185

Re: How can I renew the Single Sign-On certificate in Service Catalog

Hi,

In this case, just follow the steps as per the SSO guide to regenerate the certificates for the SM environment. I hope the steps below help you; I have tried to give steps to generate self-signed certificates as well as certificates using a Microsoft CA.

***Below are steps in case you are using self-signed SSO certificates

As an example, the following describes how to create signed server and client certificates using the OpenSSL toolkit as a private certificate authority. This example also uses the keytool utility available with the Sun Microsystems™ standard Java Development Kit (version 1.4 or later).

Prerequisites:

You must have the following software installed on a machine (on which you will create signed certificates for the Service Manager server and clients):

o OpenSSL: can be downloaded from http://www.slproweb.com/products/Win32OpenSSL.html

o JDK 1.4 or later: Can be downloaded from http://www.oracle.com/technetwork/java/javase/downloads/index.html

You need to add the bin folders of your JDK and OpenSSL to the PATH environment variable definition of the machine, so that you do not need to change directories to the bin folders before running openssl or keytool commands:

o OpenSSL bin folder: <InstallDir>\OpenSSL-Win32\bin

o JDK bin folder: <InstallDir>\Java\jdk1.x.x_xx\bin

Kindly put both of the above paths in the PATH variable.

NOTES:

These steps apply to 9.41 with Java 8 too.

The following procedures will prompt you to enter several passwords multiple times. Using the same password over and over is not best practice in production; however, if you are performing the procedures for test purposes, it is recommended that you enter the same password at each prompt to avoid any confusion about which password you are being asked for. Also be aware that nothing displays on the screen when you are entering pass phrases.

Whenever asked to confirm whether to trust the current certificate, type y and press ENTER (the default response is no). If you just press ENTER, the certificate will not be trusted and you will have to start over.

Task 1: Create a root CA

Note: The following steps use the JDK bin folder as the working directory, in which you will create the certificates and keystore files. If you wish, you can create your own working directory and run the commands from there.

Open the operating system’s command prompt, and change directory to the JDK bin folder.
Create the private key for your private certificate authority by running the command:

openssl genrsa -des3 -out cakey.pem 2048

When prompted, enter a pass phrase you want to use to protect your certificate authority's private key file (cakey.pem), for example CAKeyPassword. You must use the same pass phrase each time you sign a certificate request with your private certificate authority. You will be asked to enter this pass phrase many more times later.

Note: Has used password

Export the public key as the self-signed root CA certificate by running the command:

openssl req -new -key cakey.pem -x509 -days 1825 -out mycacert.pem

Note: modify -days 1825 to the value in days for which you want to generate the certificate.

When prompted, enter the pass phrase you selected for cakey.pem.
Enter other required information. When asked for a Common Name, enter the fully-qualified domain name of the machine on which you are creating the root CA.
Import your private certificate authority's certificate into the Java cacerts file that you will publish to the rest of your network. It is very important that the cacerts file in the <JAVA_HOME>\lib\security folder is updated to include the root CA information.

Note: Always use the default cacerts file. In case the cacerts file was earlier used to generate certificates, kindly use the original file and not the used/updated file, as it may cause issues such as not being able to insert the certificate in the chain.

Make a backup copy of the cacerts file in the <JAVA_HOME>\lib\security\ folder, and copy this file to the <JDK_home>\bin folder.
Run the following command:

keytool -import -keystore ./cacerts -trustcacerts -file mycacert.pem -storepass changeit

When prompted, type: y to trust the root CA’s certificate.

The root CA certificate is added to the Java cacerts file.

Copy the updated Java cacerts file to the <JAVA_HOME>\lib\security\ folder.

Task 2: Set up the Service Manager server

Note: Change directory to the <JDK_home>\bin folder before proceeding.

Subtask 1: Create a keystore for the Service Manager server

Generate a private/public key pair by running the command:

keytool -genkey -alias myserver -keystore servercert.keystore

Enter a password for the server keystore (<Service Manager server keystore password>). Write down this password, which will be added to the sm.ini file later.
When prompted to enter your first and last name, enter the fully-qualified domain name (computer.domain.com) of the Service Manager server host.
Enter other identification information.
When prompted for a key password for <smserver>, press ENTER to use the same password as the server keystore password.

Note: Do not use the same password as your root CA key password.

Had used **** (use your own).

Generate a request file by running the command:

keytool -certreq -alias myserver -keystore servercert.keystore -file smserver_certrequest.crs

Enter the password you selected for the server keystore in step 1 of this subtask.

Self-sign the request by running the command:

openssl x509 -req -days 1825 -in smserver_certrequest.crs -CA mycacert.pem -CAkey cakey.pem -CAcreateserial -out smserver_cert.pem

Note: modify -days 1825 to the value in days for which you want to generate the certificate.

If everything goes well, a message “Signature ok” displays. When prompted, enter the pass phrase for the root CA’s private key.

Import the signed certificate into the server keystore by running the command:

keytool -import -trustcacerts -alias myserver -keystore ./servercert.keystore -file smserver_cert.pem

Enter the password you selected for the server keystore in step 1 of this subtask.

The signed certificate is installed in the server keystore.

If you are getting an error in this step:

Note: if there is an error message like “keytool error: java.lang.Exception: Failed to establish chain from reply”, this means the cacerts file used above is not correct. Try the default, unused cacerts file and regenerate the certificates using the above steps until you no longer get this error message.

Subtask 2: Create a trusted client keystore

This task will create a client keystore that contains the signed certificates of your Service Manager server's trusted clients. You need to repeat this task for each trusted client, including the web tier host and Windows client hosts.

Best Practice recommendation: When you configure the web tier, type the word web in front of the keystore, certificate request and certificate name. For Windows client certificates, enter the name of the machine in front of all names to make them unique and easier to distinguish.

Generate a private/public key pair for your client by running the command:

keytool -genkey -alias clientname -keystore clientname.keystore

Here, replace clientname in the above command with the FQDN of the client (in this example the keystore was named AGISMAPPDEV.aagc.corp.keystore).

Enter a password for the client keystore.
When prompted to enter your first and last name, always enter the fully-qualified domain name (computer.domain.com) of the web tier or Windows client host.
When asked for a password for the client private key (<client>), press ENTER to use the same password as the client keystore password.
Generate a request file:

keytool -certreq -alias clientname -keystore clientname.keystore -file client_certrequest.crs

Here, replace clientname in the above command with the name of the client.

When prompted, enter the client keystore password.

Self-sign the request:

openssl x509 -req -days 1825 -in client_certrequest.crs -CA mycacert.pem -CAkey cakey.pem -CAcreateserial -out client_cert.pem

If everything goes well, a message “Signature ok” displays.

When prompted, enter the pass phrase of the root CA’s private key.

Import the signed certificate into the client keystore:

keytool -import -trustcacerts -alias clientname -keystore clientname.keystore -file client_cert.pem

Here, replace clientname in the above command with the name of the client.

When prompted, enter the client keystore password.

A message displays: “Certificate reply was installed in keystore”.

Subtask 3: Generate a trust-list keystore for the Service Manager server

This task applies to both the Windows and web clients. You need to import all client certificates into a JKS list of trusted clients.

Note: Repeat this task for each trusted client certificate.

Import the client certificate you created in subtask 2 into a jks file:

keytool -import -alias clientname -file client_cert.pem -keystore trustedclients.keystore

Here, replace clientname in the above command with the name of the client.

When prompted, enter a password for the trusted keystore (<trusted client keystore password>). NOTE: Write down this password, which will be added to the sm.ini file later.
When asked, type y to confirm that you want to trust the certificate. A message displays: “Certificate was added to keystore”.

Subtask 4: Modify the Service Manager configuration

Go to the <JDK_home>\bin folder, and copy the generated files cacerts, servercert.keystore, and trustedclients.keystore into the <Service Manager installation path>\Server\RUN\ folder.
In the sm.ini file, set the sslConnector parameter to 1 if it is 0.
Add the following entries to the sm.ini file:

keystoreFile:servercert.keystore
keystorePass:<Service Manager server keystore password>
ssl:1
ssl_reqClientAuth:2
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:<trusted client keystore password>
trustedsignon:1
truststoreFile:cacerts
truststorePass:changeit

Restart the Service Manager server.

***Below are steps in case you are using a third party such as Microsoft CA.

Extract SSO_Tool_For_Cert_Authority.zip (extract “using folder names”) to a newly created, empty directory. This will be called the SSL_TOOL_ROOT directory.

Modify the JAVA_HOME setting in all four batch files to point to your JRE location.

For the JRE location specified above, go to the "<JAVA_HOME>\lib\security" directory and verify the original cacerts file supplied is being used, and has not been copied/modified by the tool previously.

Access the MS Certificate Server (MCS) and download the CA Certificate. For example, http://<Certificate Server Host>/certsrv/.

Click on “Download a CA certificate, certificate chain, or CRL”

Select the Current CA Certificate.

Set the encoding method to Base 64.

Click on “Download CA certificate”
Download the CA Certificate to the <SSL_TOOL_ROOT>\certs directory. Name the certificate "ca_base64.cer" for the batch files to use and recognize it.

Execute the following batch file under SSL_TOOL_ROOT:

tso_srv_svlt-mod2.bat

NOTE 1: Whenever prompted for a first and last name, enter the hostname (FQDN) of the Service Manager Server.

NOTE 2: The default password for the Java JRE “cacerts” store is ‘changeit’. This is already set by the CACERT_PASSWD variable.

This will import the CA Certificate into the Java JRE “cacerts” store and generate a server certificate request under <SSL_TOOL_ROOT>\crs.

Take the server crs file, open it in a text editor, and copy all contents to the clipboard.

Access the MS Certificate Server (MCS) to obtain a signed server certificate using the server certificate request. For example, http://<Certificate Server Host>/certsrv/

Click on Request a certificate, and then click on advanced certificate request.

Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Paste the entire content of the clipboard from step 6 into the "Saved Request" field. Select "Web Server" for the Certificate Template field. Click on Submit.

On the next screen, select the Base 64 encoded radio button, and click on Download certificate. Save the certificate under the <SSL_TOOL_ROOT>\certs directory and name it "smservercert.cer" for use by the batch files.

Execute the following batch file under SSL_TOOL_ROOT:

tso_srv_svlt-mod2-import-signed-server-cert.bat

This will import the certificate into the server keystore named "server.keystore".

Execute the following batch file under SSL_TOOL_ROOT with a “<name of client>” parameter:

tso_cln_svlt-mod2.bat <name of client>

NOTE 1: <name of client> is the hostname (FQDN) of the Java Application Server in this case, which could be Tomcat, WebSphere or WebLogic. An example for this parameter is "tomcatserver.hp.com".

NOTE 2: During execution of the batch file, whenever prompted for a first and last name, enter the hostname (FQDN) of the Java Application Server, such as Tomcat, WebSphere or WebLogic.

This will generate a client certificate request under <SSL_TOOL_ROOT>\crs.

Take the client CRS file, open it in a text editor, and copy all contents to the clipboard.

Reference Addendum A below to create a “Web Client” template. Then, follow the same steps to sign the client certificate request as in step 7 above, except, in step 7 iii, select the "Web Client" certificate template. Under step 7 iv, save the certificate file as "scclientcert.cer" for use by the batch files.

NOTE: The "Web Client" template does not contain any certificate extensions which could cause the Java SSL engine to deny usage permissions at runtime. For example, an extension may say the certificate can only be used for web server authentication, and not client authentication.

Execute the following batch file under SSL_TOOL_ROOT:

tso_cln_svlt-mod2-import-signed-client-cert.bat <name of client>

NOTE: <name of client> is the hostname (FQDN) of the Java Application Server in this case (the same as used in step 10), which could be Tomcat, WebSphere or WebLogic. An example for this parameter is "tomcatserver.hp.com".

This will import the client certificate into a trusted keystore named "trustedclients.keystore".

Copy the files to the appropriate directories and then configure Service Manager and the Java Application Server.

Copy the following files under the SSL_TOOL_ROOT certs and key directories to the Service Manager RUN directory:

trustedclients.keystore
server.keystore
cacerts

Configure sm.ini as follows:

ssl:1
ssl_reqClientAuth:2
trustedsignon:1
keystoreFile:server.keystore
keystorePass:password
truststoreFile:cacerts
truststorePass:changeit
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients

Copy the client keystore (the file should be renamed to "web.keystore" for this example configuration) under “<SSL_TOOL_ROOT>\key” to the Service Manager WAR file, under the WEB-INF directory. Copy the cacerts file under “<SSL_TOOL_ROOT>\certs” to the WEB-INF directory.

Modify the web.xml file under WEB-INF as follows:

If using single sign-on (SSO) with SSL:

<context-param>
  <param-name>isCustomAuthenticationUsed</param-name>
  <param-value>false</param-value>
</context-param>

Remainder of settings:

<!-- Control the encryption of network communication between the application server
     and the HP Service Manager server -->
<init-param>
  <param-name>ssl</param-name>
  <param-value>true</param-value>
</init-param>

<!-- Specify the CA certificate store to use in encrypted communication -->
<init-param>
  <!-- If this value is empty, the JDK's default jre/lib/security/cacerts file is used -->
  <!-- If this is a relative path, it will be relative to the web application's deploy directory
       but still needs a leading slash -->
  <param-name>cacerts</param-name>
  <param-value>/WEB-INF/cacerts</param-value>
</init-param>

<!-- Specify the client's private keystore to use in encrypted communication. This is necessary
     for client authentication when using single sign-on, but not for a standard SSL connection. -->
<!-- If this is a relative path, it will be relative to the web application's deploy directory
     but still needs a leading slash -->
<init-param>
  <param-name>keystore</param-name>
  <param-value>/WEB-INF/web.keystore</param-value>
</init-param>

<!-- Specify the password for the client's private keystore -->
<init-param>
  <param-name>keystorePassword</param-name>
  <param-value>clientkeystore</param-value>
</init-param>

Start the Service Manager Server and the Java Application Server, plus the web server (such as Apache HTTP) and test.

***Ini and cfg configuration to enable SSO and non-SSO

How to enable Single Sign-On (SSO) for some ESS users, while some operators should work without it.
Client certificate management on the clients is not an option right now; only the web application server (as a client).
Can we separate the requests into 2 servlets, one with SSO and the other without SSO, using a load balancer?
Solution
There are two ways of accomplishing this:

1.) start a separate listener that is specifically used by the Eclipse clients, and that is outside of the loadBalancer. The sm.ini and the sm.cfg would need to be configured accordingly:

## sm.ini ##

#Connection parameters
#all httpPort, httpsPort and sslConnector parameters moved to sm.cfg !!

#SSL General parameters
#all ssl, ssl_reqClientAuth and trustedsignon parameters moved to sm.cfg !!

#SSL Servlet parameters
keystoreFile:server.keystore
keystorePass:serverkeystore
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients
truststoreFile:cacerts
truststorePass:changeit

## sm.cfg ##

#
# HP Service Manager Server Configuration File
#
# Used by HP Service Manager service on Windows and smstart script on Unix
# to start the Service Manager server processes.
#
##############################################################################
#
# Copyright (c) 1997-2007 HP, Inc.
# All Rights Reserved
#
##############################################################################

#
# start a Service Manager listener
#

sm -loadBalancer -httpPort:14080
sm -httpPort:14081 -httpsPort:14441 -sslConnector:1 -ssl:1 (-ssl_reqClientAuth:2 -trustedsignon:1 <last two parameters only needed for Trusted Sign-on>)
sm -httpPort:14082 -httpsPort:14442 -sslConnector:1 -ssl:1 (-ssl_reqClientAuth:2 -trustedsignon:1 <last two parameters only needed for Trusted Sign-on>)
sm -httpPort:14083 -httpsPort:14443 -sslConnector:1 -ssl:1 (-ssl_reqClientAuth:2 -trustedsignon:1 <last two parameters only needed for Trusted Sign-on>)
sm -httpPort:14084 -sslConnector:0 -debugnode:1

This way, the Eclipse clients connect to port 14084, which has no SSL encryption enabled (and is outside of the loadBalancer, due to the -debugnode parameter being enabled), while the ESS users connect to the loadBalancer on port 14080, which uses SSL encryption.

2.) start a loadBalancer listener that has the SSL encryption connector enabled, but no SSL mandatory. For that you would need to configure the sm.ini and the sm.cfg as follows:

## sm.ini ##

#Connection parameters
#all httpPort, httpsPort and sslConnector parameters moved to sm.cfg !!

#SSL General parameters
#all ssl, ssl_reqClientAuth and trustedsignon parameters moved to sm.cfg !!

#SSL Servlet parameters
keystoreFile:server.keystore
keystorePass:serverkeystore
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients
truststoreFile:cacerts
truststorePass:changeit

## sm.cfg ##

#
# HP Service Manager Server Configuration File
#
# Used by HP Service Manager service on Windows and smstart script on Unix
# to start the Service Manager server processes.
#
##############################################################################
#
# Copyright (c) 1997-2007 HP, Inc.
# All Rights Reserved
#
##############################################################################

#
# start a Service Manager listener
#

sm -loadBalancer -httpPort:14080
sm -httpPort:14081 -httpsPort:14441 -sslConnector:1 -ssl:0 (-ssl_reqClientAuth:2 -trustedsignon:1 <last two parameters only needed for Trusted Sign-on>)
sm -httpPort:14082 -httpsPort:14442 -sslConnector:1 -ssl:0 (-ssl_reqClientAuth:2 -trustedsignon:1 <last two parameters only needed for Trusted Sign-on>)
sm -httpPort:14083 -httpsPort:14443 -sslConnector:1 -ssl:0 (-ssl_reqClientAuth:2 -trustedsignon:1 <last two parameters only needed for Trusted Sign-on>)

Note the different value of the -ssl parameter, now set to 0. This way, the sslConnector is enabled, but the ssl parameter is disabled, allowing also non-SSL encrypted connections.
This way, all clients, both Eclipse and ESS users, connect to port 14080.

Note: If option 2 is used, patch 5 has to be installed; otherwise, ssl:0 will not allow SSL connections (ref. KM1346606 QCCR1E73466).

Regards,

Sanjay
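
To make the difference between the two sm.cfg options above concrete, here is an added example (my own code, not from this thread, from Micro Focus or from Service Manager) that reads the parameters of an sm.ini and the `sm` lines of an sm.cfg and reports, per listener, whether it sits behind the load balancer, whether the SSL connector is enabled, whether SSL is mandatory, whether client certificates and trusted sign-on are required, and whether the truststore still uses the default password. The interpretation of the flags follows the explanation in the post (`-ssl:0` together with `-sslConnector:1` keeps plain HTTP open; `-debugnode:1` keeps a listener outside the load balancer; `-ssl_reqClientAuth:2` and `-trustedsignon:1` enable Trusted Sign-on). The sample sm.ini and sm.cfg contents are constructed from the post's configurations, and the function names are my own.

```python
"""Classify HP Service Manager listeners from sm.cfg and sm.ini.

Added example, not from the thread: merges the sm.ini parameters with each
listener's command-line flags from sm.cfg and derives the security-relevant
properties of every listener. The flag semantics follow the thread's two
options; the sample files below are constructed.
"""

# Constructed sm.ini: only the servlet SSL parameters, as in the thread.
SAMPLE_SM_INI = """\
#SSL Servlet parameters
keystoreFile:server.keystore
keystorePass:serverkeystore
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients
truststoreFile:cacerts
truststorePass:changeit
"""

# Constructed sm.cfg for option 1: SSL mandatory behind the load balancer,
# plus a plain debug node outside of it for the Eclipse clients.
SAMPLE_SM_CFG_MANDATORY_SSL = """\
# start a Service Manager listener
sm -loadBalancer -httpPort:14080
sm -httpPort:14081 -httpsPort:14441 -sslConnector:1 -ssl:1 -ssl_reqClientAuth:2 -trustedsignon:1
sm -httpPort:14082 -httpsPort:14442 -sslConnector:1 -ssl:1 -ssl_reqClientAuth:2 -trustedsignon:1
sm -httpPort:14084 -sslConnector:0 -debugnode:1
"""

# Constructed sm.cfg for option 2: SSL connector on but ssl:0, so the same
# listeners also accept plain HTTP sessions.
SAMPLE_SM_CFG_OPTIONAL_SSL = """\
sm -loadBalancer -httpPort:14080
sm -httpPort:14081 -httpsPort:14441 -sslConnector:1 -ssl:0 -ssl_reqClientAuth:2 -trustedsignon:1
sm -httpPort:14082 -httpsPort:14442 -sslConnector:1 -ssl:0 -ssl_reqClientAuth:2 -trustedsignon:1
"""


def parse_sm_ini(text):
    """sm.ini holds one 'key:value' per line; '#' starts a comment line."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        params[key.strip()] = value.strip()
    return params


def parse_sm_cfg(text):
    """Every 'sm ...' line starts one server process. Flags are written
    -name:value; a bare -name (for example -loadBalancer) is treated as -name:1."""
    listeners = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("sm "):
            continue
        flags = {}
        for token in line.split()[1:]:
            if token.startswith("-"):
                name, _, value = token[1:].partition(":")
                flags[name] = value or "1"
        listeners.append(flags)
    return listeners


def classify(ini_text, cfg_text):
    """One record per session-serving listener. Command-line flags override
    sm.ini values, which is the layout the thread's sm.cfg examples rely on."""
    ini = parse_sm_ini(ini_text)
    report = []
    for flags in parse_sm_cfg(cfg_text):
        if "loadBalancer" in flags:
            continue  # the balancer only redirects clients to a listener
        p = {**ini, **flags}
        ssl_available = p.get("sslConnector") == "1" and "httpsPort" in p
        report.append({
            "httpPort": int(p["httpPort"]),
            "httpsPort": int(p["httpsPort"]) if "httpsPort" in p else None,
            "behind_load_balancer": p.get("debugnode") != "1",
            "ssl_available": ssl_available,
            "ssl_required": ssl_available and p.get("ssl") == "1",
            "client_cert_required": ssl_available and p.get("ssl_reqClientAuth") == "2",
            "trusted_signon": p.get("trustedsignon") == "1",
            "default_truststore_password": p.get("truststorePass") == "changeit",
        })
    return report


if __name__ == "__main__":
    for name, cfg in (("option 1", SAMPLE_SM_CFG_MANDATORY_SSL),
                      ("option 2", SAMPLE_SM_CFG_OPTIONAL_SSL)):
        print(name)
        for record in classify(SAMPLE_SM_INI, cfg):
            print("  ", record)
```

Running it against your own sm.ini and sm.cfg shows at a glance which ports an unencrypted client session can reach: with option 1 only the debug node on 14084 accepts plain HTTP, while with option 2 every listener behind the load balancer does, which is exactly the trade-off the post describes. The `default_truststore_password` flag just records that the cacerts password is still `changeit`, the JDK default the steps above keep.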