

SSL setup on hp sm windows server
Hello Experts,
I am trying to gather the steps for setting up SSL on HP Service Manager application server. I understand there are multiple ways of configuring SSL on HP SM. What I am trying to achieve is ONLY for Windows clients alone, NO TLS / SSL connection from web servers.
I have got a .cer file from the CA, which I have imported into the cacerts. So far I have executed the below steps on the server,
// Imported the signed certificate into truststore.
keytool -import -keystore cacerts -trustcacerts -alias smdev -file myserver.cer -storepass changeit
// Created the privatekey & serverkeystore
keytool -genkey -alias hpsmdev -keyalg RSA -keystore devserver.keystore -storepass serverkeystore
I am not able to understand the next steps from the SSL document of HP. Not able to follow why create .csr file again for the HP SM server.
Could someone guide with the steps which need to be followed if we are getting the certificate from an external CA, rather than using a self-signed cert.
thx
dev

I did that a couple of days ago, but that did not include Windows client. But maybe this helps to understand the process. I don't claim to be an expert in this topic so please excuse, if I'm not using 100% correct terminology.
My steps were (in short):
1) Create your own private CA or use existing one
2) Create Server keystore and a certificate request for a server
3) After the certificate is signed by the certificate authority, install to server keystore
* first the certificates the signing authority uses (in my case I had to import two certificates)
%keytool% -importcert -alias rootca -file "certs/root_ca.cer" -keystore key/server.keystore -storepass %SERVER_KEYSTORE_PASSWD%
%keytool% -importcert -alias issuing -file "certs/issuing_ca.cer" -keystore key/server.keystore -storepass %SERVER_KEYSTORE_PASSWD%
* then the server certificate signed by the authority
%KEYTOOL% -import -alias smserverjava -keystore key/server.keystore -file certs/myserver.cer -storepass %SERVER_KEYSTORE_PASSWD%
If signers' certificates are not imported first, your certificate's issuer is deemed to be your server itself (since keytool does not know the signing authority), which of course can't be trusted by the client.
4) Generate private client keystore and a certificate request for each of clients
* for example, I created one keystore and certificate request for SRC and web client. In your case every Windows client needs one EXCEPT if the shared certificate is used. However, I don't know how it works, I have not used it.
5) After the certificate is signed by the certificate authority, install to each of the client keystore (see the commands above and modify a bit)
* first the certificates the signing authority uses (in my case I had to import two certificates)
* then the client certificate
* export the client certificate from the client keystore, and import it to trustedclients.keystore
(Please note that server.keystore and trustedclients.keystore are the file names I used.)
My headache was to understand that it does matter in which order you import the signing certificates to keystores.
Moving on, this account is no longer active. Best regards, Kelalek
- So Long, and Thanks for All the Fish


Kelalek2,
Also you have mentioned that,
"After the certificate is signed by the CA, install to server keystore 1) Certificate the signing authority uses "
How do I find out these files?
When I provide the .csr file to the internal CA, they give me only one file which is a .cer format file.
Could you please help me with that step?

Once you have the cer file, try changing it to .pem extension. Then try to import it into your server keystore. Using the Java keytool, the command is something like:
keytool -import -trustcacerts -alias smserver1 -keystore server.keystore -file smservercert.pem -storepass %SERVER_KEYSTORE_PASSWD%
Replace %SERVER_KEYSTORE_PASSWD% with the real password of the keystore.


Hi TomPowe,
Thank you for the reply.
I am a little confused with the steps I had mentioned in my post.
1) When should I create the private key?
2) Should I use the private key for generating the csr file?
I have used the below keytool command to create .csr file.
keytool -certreq -keyalg RSA -alias hpsm -keystore smserver.keystore -file servercrt.csr
Most of the sites which I am browsing, I am seeing they use openssl commands to create .csr file
first they run to create a private key and then create the .csr file
openssl genrsa -out catest.key 2048
openssl req -new -key catest.key -out servercert.csr
What difference does it make if we use keytool instead of openssl in creating a .csr file?
thx


I got the answer to my question of
what difference does it make if we use keytool instead of openssl for generating .csr file
difference-between-openssl-and-keytool

I only use self-signed certs, but here is what I think you would do if you were using another CA.
1. They give you their root certificate which you import into your cacerts file.
2. create a server keystore
3. using the server keystore, create the server request certificate and send it to them.
4. they will sign the server request certificate with their root certificate and send you that server certificate.
5. import that server certificate into your server keystore.
That finishes the server certificate part... then you have to do the client certificates for your webtier and your desktop, if you want. To do that, you:
1. create a client keystore
2. using the keystore, create a client certificate request and send it to them.
3. They sign that certificate request with and send you the client certificate.
4. import client certificate into the client keystore.
5. export the public key/certificate from the client keystore.
6. import the public key/certificate in the trustedclients keystore.
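
The server-side part of the procedure described in the replies above (key pair and CSR, signer certificates first, then the signed reply, then a check of the result), as an added example that is not part of any poster's message and is not HP's documented procedure. The alias `smserver`, the CN, the `certs/server.csr` name and a three-certificate chain (server, issuing CA, root) are assumptions; keytool is assumed to be on the PATH, and the `key` and `certs` folders are assumed to exist.

```powershell
# Added example: aliases, file names and the CN are assumptions, not values from the thread.
$ks    = 'key/server.keystore'
$alias = 'smserver'   # one alias for the key pair, the CSR and the signed reply
$store = @('-keystore', $ks, '-storepass', $env:SERVER_KEYSTORE_PASSWD)

function Invoke-Keytool([string[]]$KtArgs) {
    # Output and prompts go to the console so the fingerprint prompt stays visible.
    & keytool ($KtArgs + $store)
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KtArgs[0]) failed" }
}

function New-ServerRequest {
    # The key pair is generated inside the keystore; only the CSR leaves the server.
    Invoke-Keytool @('-genkeypair', '-alias', $alias, '-keyalg', 'RSA', '-keysize', '2048',
                     '-dname', 'CN=smserver.example.internal',
                     '-keypass', $env:SERVER_KEYSTORE_PASSWD)
    Invoke-Keytool @('-certreq', '-alias', $alias, '-file', 'certs/server.csr')
}

function Install-SignedReply {
    # Signer certificates first (root, then issuing CA), stored as trusted entries.
    Invoke-Keytool @('-importcert', '-alias', 'rootca',  '-file', 'certs/root_ca.cer')
    Invoke-Keytool @('-importcert', '-alias', 'issuing', '-file', 'certs/issuing_ca.cer')
    # The signed reply goes under the same alias as the key pair, so keytool
    # attaches it to the private key instead of adding a bare trusted entry.
    Invoke-Keytool @('-importcert', '-alias', $alias, '-file', 'certs/myserver.cer')
}

function Test-ServerEntry([int]$ExpectedChain = 3) {
    # -J-Duser.language=en keeps the labels parsed below in English.
    $ktArgs  = @('-J-Duser.language=en', '-list', '-v', '-alias', $alias) + $store
    $listing = (& keytool $ktArgs) -join "`n"
    $isKey   = $listing -match 'Entry type: PrivateKeyEntry'
    $len     = if ($listing -match 'Certificate chain length: (\d+)') { [int]$Matches[1] } else { 0 }
    if (-not $isKey) { throw "$alias is not a private key entry; was the reply imported under another alias?" }
    if ($len -ne $ExpectedChain) { throw "chain length is ${len}, expected $ExpectedChain" }
    "OK: $alias is a PrivateKeyEntry with a chain of ${len} certificates"
}
```

Run `New-ServerRequest` once and send `certs/server.csr` to the CA; when the signed certificate and the CA certificates come back, run `Install-SignedReply` followed by `Test-ServerEntry`. A chain length of 1 at that point means the entry still holds only the certificate keytool generated with the key pair.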


Thank you for the reply.
I have a question regarding step 1 and step 3 you have mentioned for creating the HP SM app server certificate.
Shouldn't step 1 come after step 3?
If I am wrong, how would I get the root certificate?
Here usually the middleware team would issue the certificate based on the .csr file which we provide.

Ask your middleware team for their root certificate which they are using to sign the server certificate they are sending you (so they should give you two files: the root certificate, and the server certificate based off the request you sent them).


In what format would the root certificate be?
Would there be any kind of security concern from the middleware in sharing the root certificate?
What additional information would the root certificate contain from the signed certificate?
I was thinking, the signed .cer file would be stamped with all the required values and this can be imported into the Java trust store file (cacerts).