How to import CA Spectrum SSL (https) private self-signed certificate into Spectrum Gateway Probe
CA Spectrum 10.3.x and CA UIM 8.51
1. On the OneClick server machine, open a bash shell (bash -login)
2. Navigate to the $SPECROOT/Java/bin directory
3. Run the following syntax:
./keytool -export -keystore c:/win32app/Spectrum/custom/keystore/cacerts -alias tomcatssl -file OCServer.cer
4. Enter the keystore password: (which is "changeit" without quotes)
5. The following message is displayed:
Certificate stored in file <OCServer.cer>
6. Copy the $SPECROOT/Java/bin/OCServer.cer file to the machine where you installed the spectrumgtw probe, in the C:\Program Files (x86)\Nimsoft\probes\gateway\spectrumgtw\ directory.
7. On the spectrumgtw probe machine, open a Command Prompt window
8. Navigate to the C:\Program Files (x86)\Nimsoft\jre\jre8u102\bin directory (for example)
9. In Windows Explorer, create the "security" folder under C:\Program Files (x86)\Nimsoft\probes\gateway\spectrumgtw\ directory
10. In the Command Prompt window run this syntax (in the C:\Program Files (x86)\Nimsoft\jre\jre8u102\bin\ directory):
keytool.exe -importcert -alias tomcatssl -file "C:\Program Files (x86)\Nimsoft\probes\gateway\spectrumgtw\OCServer.cer" -keystore "C:\Program Files (x86)\Nimsoft\probes\gateway\spectrumgtw\security\cacerts"
11. Enter the keystore password: (which is "changeit" without quotes)
12. Re-enter keystore password: (which is "changeit" without quotes)
13. The content of the certificate will be displayed.
14. Trust this certificate? [no]: yes (type yes)
15. The following message is displayed:
Certificate was added to keystore
16. Stop the spectrumgtw probe service.
17. Start the spectrumgtw probe.
NOTE: In the spectrumgtw probe AC (Admin Console) configuration wizard, in the Spectrum Configuration section, ensure that the value of the "Host Name/IP*" field matches the value supplied for "first and last name" when you generated the private self-signed certificate.
If the value does not match, follow these steps:
1. Delete the previous self-signed certificate by running this syntax on the OneClick machine:
./keytool.exe -delete -alias tomcatssl -keystore c:/win32app/Spectrum/custom/keystore/cacerts
2. Generate a new self-signed certificate by running this syntax on the OneClick machine:
./keytool.exe -genkey -alias tomcatssl -keyalg RSA -keystore c:/win32app/Spectrum/custom/keystore/cacerts
3. Export the self-signed certificate.
4. Import the self-signed certificate on the spectrumgtw probe machine.
5. Restart the spectrumgtw probe.
6. Supply the correct value in the "Host Name/IP*" field: the same value that was provided in the self-signed certificate.
When generating the private, self-signed certificate, you use the following command:
./keytool -genkey -alias tomcatssl -keyalg RSA -keystore $SPECROOT/custom/keystore/cacerts
This command then asks a number of questions, the second of which is: What is your first and last name?
This refers to the common name (a single hostname) or the FQDN of the OneClick server. So when logging in with the browser, you need to refer to this hostname in the URL (not the IP address) for the HTTPS connection to work and the certificate to be validated by the browser.
Replace the <SPECROOT> variable in the value of the keystoreFile attribute with the fully qualified path to the directory where CA Spectrum is installed. The same cacerts file is the keystore used by the keytool commands that generate the certificates. For example, on Windows:
C:/win32app/SPECTRUM/custom/keystore/cacerts
Note: After adding the tomcatssl key, ensure you take a backup of the $SPECROOT/custom/keystore/cacerts file, in case the keystore gets corrupted.
Troubleshooting:
Syntax to list the tomcatssl alias from the cacerts file:
$ keytool -list -keystore ../../custom/keystore/cacerts -alias tomcatssl
Syntax to list the full details of the cacerts file (locate the tomcatssl entry in the output), or of the tomcatssl alias only:
$ keytool -v -list -keystore ../../custom/keystore/cacerts
$ keytool -v -list -keystore ../../custom/keystore/cacerts -alias tomcatssl
Make sure that the OneClick host name/IP configured in the probe matches the Owner (CN) shown in the certificate.
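The note about the "Host Name/IP*" field and the troubleshooting check above both come down to one rule: the value the probe is configured with must match what the certificate names. The following script is an added example, not part of the CA article; it models a certificate as the dictionary shape Python's ssl getpeercert() returns, uses two constructed sample certificates (a CN-only keytool -genkey certificate and one that also carries subjectAltName entries), and reports whether a given host name or IP address would be accepted and why.

```python
"""Check whether the probe's "Host Name/IP" value will be accepted against the
subject of the OneClick self-signed certificate.

Added example, not part of the CA knowledge-base article. Certificates are
represented as the dictionary shape returned by ssl.SSLSocket.getpeercert();
the two sample certificates below are constructed for illustration."""

import ipaddress

# Constructed sample: keytool -genkey answered with the FQDN as
# "first and last name" and no subjectAltName requested.
CERT_FQDN_ONLY = {
    "subject": ((("commonName", "oneclick.example.com"),),),
}

# Constructed sample: the same subject plus DNS and IP subjectAltName entries.
CERT_WITH_SAN = {
    "subject": ((("commonName", "oneclick.example.com"),),),
    "subjectAltName": (
        ("DNS", "oneclick.example.com"),
        ("DNS", "*.corp.example.com"),
        ("IP Address", "10.0.0.5"),
    ),
}


def subject_cn(cert):
    """Return the commonName from the certificate subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_name_matches(pattern, host):
    """Exact match, or a single leading wildcard label (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def cert_matches_host(cert, host):
    """Return (ok, reason) for the configured host against the certificate.

    Approximates the usual client rules: an IP address is only accepted via an
    "IP Address" SAN entry; a DNS name is checked against DNS SAN entries when
    any exist, otherwise against the subject commonName.
    """
    san = cert.get("subjectAltName", ())
    ip = _as_ip(host)
    if ip is not None:
        for kind, value in san:
            if kind == "IP Address" and _as_ip(value) == ip:
                return True, "matched IP Address SAN %s" % value
        return False, "no IP Address SAN for %s; configure the host name from the certificate" % host
    dns_entries = [value for kind, value in san if kind == "DNS"]
    if dns_entries:
        for name in dns_entries:
            if dns_name_matches(name, host):
                return True, "matched DNS SAN %s" % name
        return False, "no DNS SAN matches %s (SAN present, commonName ignored)" % host
    cn = subject_cn(cert)
    if cn is not None and dns_name_matches(cn, host):
        return True, "matched commonName %s" % cn
    return False, "commonName is %r, configured host is %r" % (cn, host)


def accepted_hosts(cert):
    """Names and addresses the Host Name/IP field may carry for this cert."""
    san = cert.get("subjectAltName", ())
    names = [value for kind, value in san if kind in ("DNS", "IP Address")]
    if not any(kind == "DNS" for kind, _ in san):
        cn = subject_cn(cert)
        if cn is not None:
            names.append(cn)
    return names


if __name__ == "__main__":
    for label, cert in (("CN only", CERT_FQDN_ONLY), ("CN + SAN", CERT_WITH_SAN)):
        print("%s: accepted values %s" % (label, accepted_hosts(cert)))
        for host in ("oneclick.example.com", "oneclick", "10.0.0.5"):
            ok, reason = cert_matches_host(cert, host)
            print("  %-22s %s: %s" % (host, "OK" if ok else "MISMATCH", reason))
```

Run it as-is to see the three cases the article warns about: the FQDN from "first and last name" is accepted, the short hostname is not, and the IP address is rejected by a CN-only certificate because an address can only be matched by an IP Address SAN entry, which keytool -genkey does not add by default. To reproduce the check against the real keystore, take the Owner line from keytool -v -list output as the commonName.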