Video Screencast Help

Veritas Operation Manager 4.1-cert file

Created: 04 Jun 2012 | 3 comments

Hello,

 

I`ve just installed VOM 4.1 on sparc solaris 10. But I have a question about certificate changing.

I`ve noticed that /opt/VRTSsfmcs/esmweb/jre/bin/java use cert from /opt/VRTSsfmcs/esmweb/tomcat/cert/.keystore. I can`t change cert inside because I don`t know what is the password for .keystore file. When I replace this file with my cert file, java not starting, because password is diffrent.

The ask is: How I can change password in java or what is the defualt password pod .keystore file.

 

Thank You in advance :)

Regards,

Martin

Comments 3 CommentsJump to latest comment

Vidyut's picture

Presuming that you are planning to import 3rd party SSL certificates and use those to login into VOM, if that is the case, below is a procedure outlined to achieve the same:

1. cd  /opt/VRTSsfmcs/esmweb/tomcat/cert

 

2. Make a backup of the existing  /opt/VRTSsfmcs/esmweb/tomcat/cert/.keystore file. Please note it is important to take backup incase there are problem encountered during this process.

      The backup file will be useful to get VOM MS functional with the old keystore.

 

3. Create a 2048 bit keystore using with the keytool utility

 

/opt/VRTSsfmcs/esmweb/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 3650 -keypass changeit -keystore /opt/VRTSsfmcs/esmweb/tomcat/cert/.new_keystore -storepass changeit -dname "CN=<server-hostname>,OU=<organization>,O=<company>,L=<location>,S=<state>,C=<country>" -keysize 2048

 

Note: Change the –dname parameters as required.

 

4. Create the certificate signing request (CSR).

 

/opt/VRTSsfmcs/esmweb/jre/bin/keytool -certreq -keyalg RSA -alias tomcat -file cert.csr -keystore /opt/VRTSsfmcs/esmweb/tomcat/cert/.new_keystore 

Enter keystore password: changeit

  

5. Use this CSR to get the certificates signed from the Certificate Authority.

The Certificate Authority will provide signed certificates in 3 parts. The Root Certificate/s  ,  Intermediate Certificate  and the Server Certificate. These should be in Base64 Encoded format X.509 certificates  ( .PEM  or .CER ).

6. Take a backup for the  /opt/VRTSsfmcs/esmweb/tomcat/cert/.new_keystore file and the *.CSR file used to obtain the certificate.
     This step is a precautionary step incase there are issues encountered during the import process mentioned below.

 

7. At this point the tomcat webserver (VOM web server) is still running with the old/original certificates.
  Steps below need to be executed only once a response containing the certificate chain is obtained from the certificate issuing authority.

   

8. In this example they are as follows:

            a) GTE CyberTrust Global Root.CER        (Root Certificate) 

            b) CyberTrust Global Root.CER (2nd Root Certificate for EV) 

            c) Cybertrust SureServer Standard Validation CA.CER (Intermediate certificate/ Chain certificate)

            d) [vomms].CER    (Server Certificate)  //Here [vomms] should be replaced with the actual server name

 

Note:-  These are the .CER certificates and they should each be opened in “Notepad” and edited so all the white spaces are removed and replaced with simple “carriage returns”  and saved.

 

9. Import the 2 x Root CA certificates.

 

/opt/VRTSsfmcs/esmweb/jre/bin/keytool -import -alias root -keystore /opt/VRTSsfmcs/esmweb/tomcat/cert/.new_keystore -trustcacerts -file "GTE CyberTrust Global Root.CER"

 Enter keystore password: changeit

 

NOTE: This is required only if there is an second RootCA, this step can be skipped and we can move over to step (9) to import intermediate certificate:

/opt/VRTSsfmcs/esmweb/jre/bin/keytool -import -alias root1 -keystore /opt/VRTSsfmcs/esmweb/tomcat/cert/.new_keystore -trustcacerts -file "CyberTrust Global Root.CER"

 Enter keystore password: changeit

  

Note:-  A different alias is needed for the second RootCA . Also If you see the instruction as below, select the default option "no".

 

Certificate already exists in system-wide CA keystore under alias <gtecybertrustglobalca>

Do you still want to add it to your own keystore? [no]:  no

  

10. Import the Intermediate certificate

 

/opt/VRTSsfmcs/esmweb/jre/bin/keytool -import -trustcacerts -alias intermediate -keystore /opt/VRTSsfmcs/esmweb/tomcat/cert/.new_keystore -file "Cybertrust SureServer Standard Validation CA.CER"

 Enter keystore password: changeit

 

 11. Import the Server certificate

 

/opt/VRTSsfmcs/esmweb/jre/bin/keytool -import -alias tomcat  -keystore /opt/VRTSsfmcs/esmweb/tomcat/cert/.new_keystore -trustcacerts -file vomms.CER

 Enter keystore password: changeit

 

12. Stop the VOM UI Web server process using vomcs.

 

13. Please ensure that the backup for the keystore is preserved till a time all is working well.

         Now Replace the original key store with the one which contains the newly obtained certificates from the certificate issuing authority.

        
          cp
/opt/VRTSsfmcs/esmweb/tomcat/cert/.new_keystore  /opt/VRTSsfmcs/esmweb/tomcat/cert/.keystore

 14. Start the VOM UI WebServer using vomsc

Thanks,

 Vidyut.

owczar's picture

Vidyut thanks for reply. Your post was very helpfull. I`ve send csr file to CA :)

owczar's picture

I`ve received signed cer from CA, but I`ve problem to import it.

keytool error: java.lang.Exception: Failed to establish chain from reply