How to add signed certificate to the Security Information Manager when sub-CA is implemented


Article ID: 156545


Updated On:

Products

Security Information Manager

Issue/Introduction

You have successfully imported the CA root certificate via the web UI and created a certificate signing request (CSR).

When you try to add the signed certificate using the Receive Signed option located in Settings --> Certificate, the operation fails with the error shown below:

INFO - Host Name: example-SSIM-01
INFO - IP: 10.5.10.5
INFO - SESA Manager is installed
INFO - SESA Directory (IBM Directory Server) is installed
INFO - SESA Agent is installed
INFO - Checking preconditions.
INFO - Executing action: com.symantec.cert.actions.InstallCertificateToKeyDatabaseAction
ERROR - Certificate operation failed: An invalid certificate chain was found.  You must import all certificate authority certificates for this chain.
INFO - ************* Task Completion Report *************
INFO - com.symantec.cert.actions.InstallCertificateToKeyDatabaseAction FAILED

INFO - PROCESS FAILED
 

Cause

To successfully add the signed certificate to SSIM, the intermediate (sub-CA) certificate must also be imported.
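
The chain failure behind this error can be checked offline before running Receive Signed. The following is an added example, not part of the original article or the product: it assumes the openssl CLI is available (the article does not mention it), and the function names, file names and test chain are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Requires the openssl CLI.
# All certificates below are constructed test data.

# chain_ok ROOT CERT [INTERMEDIATE]
# Returns 0 only if CERT verifies up to ROOT; INTERMEDIATE, when given, is
# offered as an untrusted chain-building certificate.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# make_test_chain DIR
# Builds a constructed root CA -> sub-CA -> server certificate chain in DIR.
make_test_chain() {
    d=$1
    # CA extensions; without CA:TRUE the sub-CA could not issue certificates.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    for n in root sub ssim; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root CA.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
    # Sub-CA certificate signed by the root: the "intermediate" of the article.
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" \
        -out "$d/intermediate.crt" 2>/dev/null || return 1
    # Server certificate signed by the sub-CA (what "Receive Signed" is given).
    openssl x509 -req -in "$d/ssim.csr" -CA "$d/intermediate.crt" \
        -CAkey "$d/sub.key" -CAcreateserial -days 2 \
        -out "$d/signed.crt" 2>/dev/null
}

tmp=$(mktemp -d) && make_test_chain "$tmp" || exit 1
chain_ok "$tmp/root.crt" "$tmp/signed.crt" ||
    echo "root only: invalid chain, as in the Receive Signed error"
chain_ok "$tmp/root.crt" "$tmp/signed.crt" "$tmp/intermediate.crt" &&
    echo "root + intermediate: chain verifies"
rm -rf "$tmp"
```

On real files, call chain_ok with the root CA certificate, the signed certificate and the sub-CA certificate. A failure without the third argument and success with it indicates that the intermediate certificate is the missing link.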

 

Resolution

 

The web UI in the current version does not provide a way to import an intermediate certificate.
Follow the instructions below to import the intermediate certificate:
 
Steps to be performed on the Security Information Manager appliance
 
a) Add the certificate to the SSIM manager keystore
1. Transfer the intermediate certificate to the /tmp directory
2. Execute the following command:
 
gsk7cmd.ssim -cert -add -file /tmp/intermediate.crt -db /etc/symantec/ses/key.kdb -label IntermediateCert -format ascii -trust enable -pw `/opt/Symantec/simserver/bin/get_stash_pwd.pl /etc/symantec/ses/key.sth`
 
b) Add the certificate to the SSIM Java keystore

1. Copy the intermediate certificate to /tmp

2. Change the directory to /opt/jdk/jre/bin

cd /opt/jdk/jre/bin

3. Execute the following command:
./keytool -importcert -trustcacerts -alias IntermediateCert -file /tmp/intermediate.crt -keystore /opt/jdk/jre/lib/security/cacerts -storepass changeit
 
c) Add the certificate to the SSIM Onboard Event Agent
1. Copy the intermediate certificate to /opt/Symantec/sesa/Agent/jre/bin
2. From the folder specified above, execute the following command:
./keytool -importcert -trustcacerts -alias IntermediateCert -file intermediate.crt -keystore /opt/Symantec/sesa/Agent/jre/lib/security/cacerts -storepass changeit
 
Steps to be performed on the Off-box Event Agent
 
a) Event Agent installed on Windows OS
1. Copy the intermediate certificate file to the C:\Program Files\Symantec\Event Agent\jre\bin directory
2. Execute the following command:
keytool -importcert -trustcacerts -alias IntermediateCert -file intermediate.crt -keystore "C:\Program Files\Symantec\Event Agent\jre\lib\security\cacerts" -storepass changeit
 
b) Event Agent installed on Linux OS
1. Copy the intermediate certificate to the /opt/Symantec/sesa/Agent/jre/bin directory
2. Execute the following command:
./keytool -importcert -trustcacerts -alias IntermediateCert -file intermediate.crt -keystore /opt/Symantec/sesa/Agent/jre/lib/security/cacerts -storepass changeit
 
Steps to be performed on the machine where SSIM client is used
 
a) SSIM Client
 
1. Copy the intermediate certificate file to the C:\Program Files\Security Information Manager\jre\vm\bin directory
2. Execute the following command:
keytool -importcert -trustcacerts -alias IntermediateCert -file intermediate.crt -keystore "C:\Program Files\Security Information Manager\jre\vm\lib\security\cacerts" -storepass changeit
 
b) Web Start SSIM Client
 
1. Copy the intermediate certificate file to the C:\Program Files\Java\jre\bin folder
2. Execute the following command:
keytool -importcert -trustcacerts -alias IntermediateCert -file intermediate.crt -keystore "C:\Program Files\Java\jre\lib\security\cacerts" -storepass changeit