How to add an SSL Certificate

Article:HOWTO93889  |  Created: 2013-11-13  |  Updated: 2014-09-15  |  Article URL http://www.symantec.com/docs/HOWTO93889
Article Type
How To




This document explains how to add an SSL certificate for use with the Clearwell server. It is organized into the sections below.

Default Certificate

Symantec ships the Clearwell appliance with a default Clearwell-signed (self-signed) certificate that does not have a valid trust chain.  As a result, users attempting to access the Clearwell interface over HTTPS will receive the following error in Internet Explorer every time they open the login screen.

There is a problem with this website's security certificate

Users can still proceed to access the interface by clicking Continue to this website.  Going through the steps to install this certificate will not suppress the message.


Clearwell Utility-Generated Certificate

Symantec provides a feature in the Clearwell Utility on the appliance's Windows Desktop that generates and installs a self-signed certificate bearing the DNS name of the appliance. Note that a certificate generated this way is not trusted by Internet Explorer's certificate chain.  As a result, users will still see the message "There is a problem with this website's security certificate" and Certificate Error warnings when they open the login screen. Unlike the default certificate, however, once a user installs this certificate the warnings no longer appear.

Generating the self-signed certificate:

  1. From the Clearwell Utility (found on the appliance's Windows Desktop), Select Option 9 to Generate self-signed certificate.
  2. When prompted, enter the exact DNS name that end-users will ultimately use to access the appliance.
  3. Once complete, restart the Clearwell services using the Clearwell Utility.

Cluster Considerations

  • Since the Clearwell web interface for all appliances in a cluster is exposed to end users, a certificate is needed for each appliance in the cluster.


Provider-Generated Certificate

Overview

Deployments that require stringent security and/or those that wish to avoid browser warnings should obtain and install a certificate from a provider.  For new certificates or to change certificate providers, follow the instructions below to generate a new Certificate Signing Request (CSR), then generate a new keystore containing that certificate, and direct Clearwell to leverage this certificate.

Generate a CSR File

This section describes the process of generating a CSR file for the Clearwell platform.  For further details, refer to Oracle's Java security documentation: http://docs.oracle.com/javase/6/docs/technotes/guides/security/ and in particular, the chapter on PKCS:

http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html

Note: The web server that Clearwell ships with is Tomcat. This is important to know, since most certificates are generated based on the type of web server being secured. If Tomcat is not an option with your provider, use Apache instead. If you generate a certificate based on a different web server type (like Microsoft IIS), the certificate will not work with Clearwell.

To generate a CSR file

Before taking any of the actions below, establish a remote connection (such as Remote Desktop) to the Clearwell server; these commands are run on the server itself, not in your Internet browser.

  1. Open a Command Prompt either from Start > Command Prompt or Start > Run and type cmd.
  2. Go to the JRockit directory.

    cd c:\jrockit-jdk<version>-x64\bin

    Note: Press tab until the proper 64-bit version, e.g. jrockit-jdk1.6.0_31-R28.2.3-4.1.0-x64, is printed and hit Enter.
     
  3. Create a new keystore holding the key pair for the certificate signing request (CSR); the name it carries must match the DNS name/IP address of your appliance.

    keytool -genkey -alias clearwellkey -keyalg RSA -keystore new-server.keystore

    Note:
    If the certificate provider requires 2048-bit encryption, add the switch -keysize 2048 to the end of the aforementioned command.

    Enter keystore password: 123456
    What is your first and last name?
    [Unknown]: your_appliance_name
    What is the name of your organizational unit?
    [Unknown]: your_org_unit
    What is the name of your organization?
    [Unknown]: your_org
    What is the name of your City or Locality?
    [Unknown]: your_city
    What is the name of your State or Province?
    [Unknown]: your_state
    What is the two-letter country code for this unit?
    [Unknown]: your_country_code
    Is CN=your_appliance_name, OU=your_org_unit, O=your_org,L=your_city, ST=your_state, C=your_country_code correct?
    [no]: yes

    Note: In order for Clearwell to recognize the new keystore, the password MUST be 123456 and the response for first and last name (CN) must be the exact DNS name or IP address that end-users will ultimately use to access the appliance. You must use the fully qualified DNS name instead of the IP address in case the IP address changes in the future. All other responses do not matter; in general, items starting with 'your' should be replaced with appropriate values.
     
  4. Create the CSR.

    keytool -certreq -keyalg RSA -alias clearwellkey -file my.csr -keystore new-server.keystore

    Note: If the certificate provider requires 2048-bit encryption, add the switch -keysize 2048 to the end of the aforementioned command.
     
  5. Acquire the certificate by transmitting the CSR to your certificate provider.  You must obtain or convert your certificate into a form that can be imported into Java via keytool.exe.  Java's keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format, or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard. In the latter case, the encoding must be bounded at the beginning by a string that starts with "-----BEGIN", and bounded at the end by a string that starts with "-----END".


Install the Certificate and Examples

These steps will depend on your certificate provider. You should receive and follow the instructions from your certificate provider for installing the certificate into Sun's Java and/or Tomcat. Examples for several certificate providers are provided below. For certificate providers not listed in this document, contact Clearwell Support for further instructions.

Note: Use caution if using copy/paste with the examples below as some PDF clients do not copy/paste the "-" character properly into a Command Prompt.

To install the certificate

Before taking any of the actions below, establish a remote connection (such as Remote Desktop) to the Clearwell server; these commands are run on the server itself, not in your Internet browser.

Note: If this is a renewal of a certificate that has not yet expired, the file(s) provided by the certificate provider can be installed using steps 1, 2, and 3, except that the import can be done directly into CW\V<version>\config\templates\tomcat\server.keystore.

  1. Open a Command Prompt either from Start > Command Prompt or Start > Run and type cmd.
  2. Create a backup copy of the previously used keystore.
     
    1. Make a new directory to contain the keystore.

      d:
      cd CW\V<version>\config\templates\tomcat

      (Press tab until the proper CW version, e.g. V711, is printed.)

      mkdir oldcerts && mv server.keystore oldcerts
       
    2. Go to the JRockit directory.

      cd c:\jrockit-jdk<version>-x64\bin

      (Press tab until the proper 64-bit version, e.g. jrockit-jdk1.6.0_31-R28.2.3-4.1.0-x64, is printed and press Enter.)
       
    3. Copy the certificate provider’s certificates into intermediary files. Generally, there will be at least two intermediary files generated.
       
  3. Import certificates as shown in the appropriate examples.

    Comodo Example

    The following is an example of how to import certificates from Comodo:

    keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore new-server.keystore
    keytool -import -trustcacerts -alias INTER -file ComodoUTNServerCA.crt -keystore new-server.keystore
    keytool -import -trustcacerts -alias clearwellkey -file EssentialSSLCA.crt -keystore new-server.keystore

    GoDaddy Example

    The following is an example of how to import certificates from GoDaddy:

    keytool -import -trustcacerts -alias root -file valicert_class2_root.crt -keystore new-server.keystore
    keytool -import -trustcacerts -alias cross -file gd_cross_intermediate.crt -keystore new-server.keystore
    keytool -import -trustcacerts -alias intermed -file gd_intermediate.crt -keystore new-server.keystore
    keytool -import -trustcacerts -alias clearwellkey -file <SSL-cert-name>.crt -keystore new-server.keystore

    Note: The root certificate for GoDaddy.com is typically a separate download and can be found at https://certs.godaddy.com/anonymous/repository.seam

    Instant SSL Example

    The following is an example of how to import certificates from Instant SSL:

    keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore new-server.keystore
    keytool -import -trustcacerts -alias INTER -file ComodoUTNServerCA.crt -keystore new-server.keystore
    keytool -import -trustcacerts -alias clearwellkey -file EssentialSSLCA.crt -keystore new-server.keystore

    Network Solutions Example

    The following is an example of how to import certificates from Network Solutions:

    keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore new-server.keystore
    keytool -import -trustcacerts -alias INTER -file NetworkSolutions_CA.crt -keystore new-server.keystore
    keytool -import -trustcacerts -alias clearwellkey -file <SSL-cert-name> -keystore new-server.keystore

    Note: Refer to "SSL Consideration Details" of the System Administration Guide (link below).

    Thawte Example

    The following is an example of how to import certificates from Thawte:

    keytool -import -trustcacerts -alias clearwellkey -file <SSL-cert-file-name> -keystore new-server.keystore

    Symantec (VeriSign) Example

    The following is an example of how to import certificates from Symantec (VeriSign):

    keytool -import -trustcacerts -alias primaryIntermediate -file primary_inter.cer -keystore new-server.keystore
    keytool -import -trustcacerts -alias secondaryIntermediate -file secondary_inter.cer -keystore new-server.keystore
    keytool -import -trustcacerts -alias clearwellkey -file <SSL-cert-name>.cer -keystore new-server.keystore

  4. Verify the imported certificate information in the keystore.

    keytool -v -list -keystore new-server.keystore

    Note: For further review of the certificate entries, dump the output to a text file by adding > cert.txt at the end of the command.

  5. Create a backup copy of the newly created keystore.

    Note: See Step 2 for detailed instructions.

  6. Copy the newly created keystore to the SSL cert directory.

    cp new-server.keystore d:\CW\V<version>\config\templates\tomcat\server.keystore

  7. From the Clearwell Utility, run option 7, Build Incremental Configuration Changes, to redeploy the Clearwell application.

    Note: This step must be done in order to deploy the keystore. Performing this action stops the Clearwell services for a short duration (5-7 minutes), so it should be done at an appropriate time (when no users are logged in and no jobs are running).

  8. Attempt to access the newly secured site by browsing to the fully qualified domain name (FQDN) of the server, as used during the generation of the certificate signing request.

  9. Verify that the server name, expiry date, and provider information are correct.
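Steps 4, 8 and 9 are manual checks against the keytool listing and the browser. The following Python is an added example (not part of this article or the Clearwell product) that applies the same checks offline to `keytool -v -list` output: the `clearwellkey` entry must be a PrivateKeyEntry whose CN matches the FQDN, its chain must be longer than one certificate (a length of 1 means the CA reply was not imported under the key alias, so Tomcat would still present the self-signed certificate), and it must not have expired. The listing, names and dates are constructed.

```python
import re
from datetime import datetime

# Constructed, trimmed sample of `keytool -v -list -keystore new-server.keystore` output
SAMPLE_LISTING = """\
Alias name: clearwellkey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=clearwell.example.com, OU=Legal, O=Example Corp, L=Austin, ST=TX, C=US
Valid from: Wed Nov 13 00:00:00 PST 2013 until: Thu Nov 13 23:59:59 PST 2014
Owner: CN=Example Issuing CA, O=Example CA Ltd, C=GB
Valid from: Tue May 30 03:48:38 PDT 2000 until: Sat May 30 03:48:38 PDT 2020

Alias name: root
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example CA Ltd, C=GB
Valid from: Tue May 30 03:48:38 PDT 2000 until: Sat May 30 03:48:38 PDT 2020
"""

def parse_listing(text):
    """Map alias -> {type, chain, cn, until}; the first Owner/until in a block is the leaf cert."""
    entries = {}
    for block in re.split(r"\n(?=Alias name: )", text):
        alias = re.search(r"^Alias name: (\S+)", block, re.M)
        if not alias: continue
        chain = re.search(r"chain length: (\d+)", block)
        until = re.search(r"until: (.+)$", block, re.M).group(1).split()
        entries[alias.group(1)] = {
            "type": re.search(r"^Entry type: (\S+)", block, re.M).group(1),
            "chain": int(chain.group(1)) if chain else 1,
            "cn": re.search(r"^Owner: CN=([^,\n]+)", block, re.M).group(1),
            # drop the zone token (PST/PDT): strptime's %Z does not parse it portably
            "until": datetime.strptime(" ".join(until[:4] + until[5:]), "%a %b %d %H:%M:%S %Y"),
        }
    return entries

def check_keystore(text, fqdn, today, key_alias="clearwellkey"):
    # Returns the problems found; an empty list means the keystore is ready to copy into place
    entries, problems = parse_listing(text), []
    key = entries.get(key_alias)
    if key is None or key["type"] != "PrivateKeyEntry":
        return [f"no PrivateKeyEntry under alias {key_alias!r}"]
    if key["cn"].lower() != fqdn.lower():
        problems.append(f"CN {key['cn']!r} does not match FQDN {fqdn!r}")
    if key["chain"] < 2:  # CA reply never imported under the key alias
        problems.append("chain length 1: Tomcat would still present the self-signed certificate")
    if key["until"] < datetime.strptime(today, "%Y-%m-%d"):
        problems.append(f"certificate expired {key['until']:%Y-%m-%d}")
    return problems
```

Feed it the contents of the cert.txt dump from step 4 and the FQDN entered in the CSR; any non-empty result should be resolved before copying the keystore into place in step 6.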


Cluster Considerations

Since the Clearwell web interface for all appliances in a cluster is exposed to end-users, a certificate is needed for each appliance in the cluster.

SSL Consideration Details

By default, the SSL configuration in the Clearwell eDiscovery Platform is set to accept 128-bit or greater ciphers and requires the use of SSLv3 or TLSv1 protocols. SSLv2 is disabled. The set of supported ciphers and protocols can be modified if needed.
