SSL setup on hp sm windows server

Fleet Admiral

Hello Experts,

I am trying to gather the steps for setting up SSL on the HP Service Manager application server. I understand there are multiple ways of configuring SSL on HP SM. What I am trying to achieve is ONLY for Windows clients alone, NO TLS/SSL connection from web servers.

I have got a .cer file from the CA, which I have imported into the cacerts. So far I have executed the below steps on the server:

// Imported the signed certificate into the truststore.
keytool -import -keystore cacerts -trustcacerts -alias smdev -file myserver.cer -storepass changeit

// Created the private key & server keystore

keytool -genkey -alias hpsmdev -keyalg RSA -keystore devserver.keystore -storepass serverkeystore

I am not able to understand the next steps from HP's SSL document; I cannot follow why a .csr file should be created again for the HP SM server.

Could someone guide me through the steps which need to be followed if we are getting the certificate from an external CA, rather than using a self-signed cert?

thx

dev

I am Listening..
Fleet Admiral

I did that a couple of days ago, but that did not include the Windows client. But maybe this helps to understand the process. I don't claim to be an expert in this topic, so please excuse me if I'm not using 100% correct terminology.

My steps were (in short):

1) Create your own private CA or use existing one

2) Create Server keystore and a certificate request for a server

3) After the certificate is signed by the certificate authority, install to server keystore

* first the certificates the signing authority uses (in my case I had to import two certificates)

%keytool% -importcert -alias rootca -file "certs/root_ca.cer" -keystore key/server.keystore -storepass %SERVER_KEYSTORE_PASSWD%
%keytool% -importcert -alias issuing -file "certs/issuing_ca.cer" -keystore key/server.keystore -storepass %SERVER_KEYSTORE_PASSWD%

* then the server certificate signed by the authority

%KEYTOOL% -import -alias smserverjava -keystore key/server.keystore -file certs/myserver.cer -storepass %SERVER_KEYSTORE_PASSWD%

If the signers' certificates are not imported first, your certificate's issuer is deemed to be your server itself (since keytool does not know the signing authority), which of course can't be trusted by the client.

4) Generate private client keystore and a certificate request for each of clients

* for example, I created one keystore and certificate request for SRC and the web client. In your case every Windows client needs one, EXCEPT if the shared certificate is used. However, I don't know how that works; I have not used it.

5) After the certificate is signed by the certificate authority, install to each of the client keystore (see the commands above and modify a bit)

* first the certificates the signing authority uses (in my case I had to import two certificates)

* then the client certificate

* export the client certificate from the client keystore, and import it to trustedclients.keystore

(Please note that server.keystore and trustedclients.keystore are the file names I used.)

My headache was to understand that it does matter in which order you import the signing certificates into the keystores.

---
Moving on, this account is no longer active. Best regards, Kelalek
- So Long, and Thanks for All the Fish
Fleet Admiral

Thank you for the reply. Let me try this and get back to you.
I am Listening..
Fleet Admiral

Hi Kelalek2,

Below are the steps which I am following (planning to follow). As I am going to be dependent on an internal CA (not OpenSSL), I would follow the below steps (these steps create the certificates for the HP SM application server):

1) Create a server keystore

2) Create a .csr file

3) Get it signed by the internal CA

4) Generate private key ?? <I am confused from this step onwards. In which format would the file come? What files are required to execute the command?>

5) Sign the internal CA certificate with the private key ?? <Confused. In what format would the output file come?>

I assume step 1 to step 5 would give me the certificates for the HP SM server alone. Also, shouldn't we import the signed certificate into the Java trust store file (cacerts)?
I am Listening..
Fleet Admiral

Kelalek2,

Also, you have mentioned that:

"After the certificate is signed by the CA, install to server keystore 1) Certificate the signing authority uses"

How do I find these files?

When I provide the .csr file to the internal CA, they give me only one file, which is a .cer format file.

Could you please help me with that step?

I am Listening..
Fleet Admiral

Once you have the .cer file, try changing it to the .pem extension. Then try to import it into your server keystore. Using the Java keytool, the command is something like:

keytool -import -trustcacerts -alias smserver1 -keystore server.keystore -file smservercert.pem -storepass %SERVER_KEYSTORE_PASSWD%

Replace %SERVER_KEYSTORE_PASSWD% with the real password of the keystore.

Fleet Admiral

Hi TomPowe,

Thank you for the reply.

I am a little confused with the steps I had mentioned in my post.

1) When should I create the private key?

2) Should I use the private key for generating the .csr file?

I have used the below keytool command to create the .csr file.

keytool -certreq -keyalg RSA -alias hpsm -keystore smserver.keystore -file servercrt.csr

On most of the sites which I am browsing, I see they use openssl commands to create the .csr file:

first they run a command to create a private key and then create the .csr file

openssl genrsa -out catest.key 2048

openssl req -new -key catest.key -out servercert.csr

What difference does it make if we use keytool instead of openssl in creating a .csr file?

thx

I am Listening..
Fleet Admiral

I got the answer to my question of

what difference does it make if we use keytool instead of openssl for generating the .csr file:

difference-between-openssl-and-keytool

I am Listening..
Fleet Admiral

I only use self-signed certs, but here is what I think you would do if you were using another CA.

1. They give you their root certificate, which you import into your cacerts file.

2. Create a server keystore.

3. Using the server keystore, create the server certificate request and send it to them.

4. They will sign the server certificate request with their root certificate and send you that server certificate.

5. Import that server certificate into your server keystore.

That finishes the server certificate part. Then you have to do the client certificates for your webtier and your desktop, if you want. To do that, you:

1. Create a client keystore.

2. Using the keystore, create a client certificate request and send it to them.

3. They sign that certificate request and send you the client certificate.

4. Import the client certificate into the client keystore.

5. Export the public key/certificate from the client keystore.

6. Import the public key/certificate into the trustedclients keystore.

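The two procedures above (server keystore first, then a client keystore whose certificate lands in the trustedclients keystore), as an added end-to-end example that is not code from this thread or from HP: a POSIX shell script that uses a throwaway openssl root CA in place of the internal CA, keytool for every keystore, and imports the signer's certificate before the signed reply. Every file name, alias, subject name and the password are constructed for the demo; reply_rejected_without_root shows what keytool does when the import order is reversed.

```shell
#!/bin/sh
# Added example (not from the thread or from HP/Micro Focus): the keystore
# workflow discussed above, with a throwaway openssl CA standing in for the
# internal CA. File names, aliases, subjects and the password are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS=changeit   # constructed demo password for every keystore here

# Stand-in for the internal CA: one self-signed root. In the real setup this
# root_ca.cer is the file the middleware team must hand over with the signed cert.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Internal Root CA" \
    -keyout "$WORK/root_ca.key" -out "$WORK/root_ca.cer" 2>/dev/null
}

# Key pair generated inside the keystore (the private key never leaves it),
# then a CSR derived from that key. The openssl genrsa/req pair quoted in the
# thread does the same job with a loose key file instead of a keystore entry.
make_keystore_and_csr() { # keystore alias CN
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -dname "CN=$3" \
    -validity 365 -keystore "$WORK/$1" -storepass "$PASS" -keypass "$PASS"
  keytool -certreq -alias "$2" -file "$WORK/$2.csr" \
    -keystore "$WORK/$1" -storepass "$PASS"
}

# What the CA does with the CSR: sign it and return a PEM .cer file.
ca_sign() { # alias
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root_ca.cer" \
    -CAkey "$WORK/root_ca.key" -CAcreateserial -days 365 \
    -out "$WORK/$1.cer" 2>/dev/null
}

# Install order matters: the signer's certificate first (trusted entry), then
# the signed reply under the SAME alias as the key pair, so keytool can chain
# the reply to the root it now knows about.
install_signed() { # keystore alias
  keytool -importcert -noprompt -alias rootca -file "$WORK/root_ca.cer" \
    -keystore "$WORK/$1" -storepass "$PASS"
  keytool -importcert -noprompt -alias "$2" -file "$WORK/$2.cer" \
    -keystore "$WORK/$1" -storepass "$PASS"
}

# Client-side extra steps: export the client's public certificate and put it
# into the server's trustedclients keystore.
trust_client() { # client_keystore alias
  keytool -exportcert -alias "$2" -file "$WORK/$2_pub.cer" \
    -keystore "$WORK/$1" -storepass "$PASS"
  keytool -importcert -noprompt -alias "$2" -file "$WORK/$2_pub.cer" \
    -keystore "$WORK/trustedclients.keystore" -storepass "$PASS"
}

# Checks on the outcome.
chain_length() { # keystore alias -> number of certs keytool holds for the key
  keytool -list -v -alias "$2" -keystore "$WORK/$1" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p'
}
has_alias() { # keystore alias -> exit 0 if the alias exists
  keytool -list -alias "$2" -keystore "$WORK/$1" -storepass "$PASS" >/dev/null
}
# The same kind of reply imported into a keystore that has NOT seen the root:
# keytool refuses it ("Failed to establish chain from reply"). Returns 0 if refused.
reply_rejected_without_root() {
  make_keystore_and_csr bad.keystore badserver badserver.example >/dev/null
  ca_sign badserver
  if keytool -importcert -noprompt -alias badserver -file "$WORK/badserver.cer" \
       -keystore "$WORK/bad.keystore" -storepass "$PASS" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

run_all() {
  make_root_ca
  make_keystore_and_csr server.keystore smserver smserver.example >/dev/null
  ca_sign smserver
  install_signed server.keystore smserver
  make_keystore_and_csr client.keystore smclient smclient.example >/dev/null
  ca_sign smclient
  install_signed client.keystore smclient
  trust_client client.keystore smclient
  echo "server chain length: $(chain_length server.keystore smserver)"
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  run_all
else
  echo "needs a JDK (keytool) and openssl on PATH" >&2
fi
```

The script needs a JDK keytool and openssl on PATH; on Windows the same keytool commands work unchanged with %KEYTOOL% and %SERVER_KEYSTORE_PASSWD% as in the posts above. After run_all, the server and client keystores each report a chain length of 2 (server or client certificate plus the root), which is the state the HP SM server needs, and the only extra artifact the internal CA has to provide beyond the signed .cer is its own root_ca.cer.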

Fleet Admiral

Thank you for the reply.

I have a question regarding step 1 and step 3 you have mentioned for creating the HP SM app server certificate.

Shouldn't step 1 come after step 3?

If I am wrong, how would I get the root certificate?

Here, usually the middleware team would issue the certificate based on the .csr file which we provide.

I am Listening..
Fleet Admiral

Ask your middleware team for the root certificate which they are using to sign the server certificate they are sending you (so they should give you two files: the root certificate, and the server certificate based off the request you sent them).

Fleet Admiral

In what format would the root certificate be?

Would there be any kind of security concern from the middleware team in sharing the root certificate?

What additional information would the root certificate contain beyond the signed certificate?

I was thinking the signed .cer file would be stamped with all the required values, and this could be imported into the Java trust store file (cacerts).

I am Listening..