How do I install a new SSL certificate on the IntelligenceCenter server?

Article ID: 166141

Products

IntelligenceCenter

Issue/Introduction

IntelligenceCenter ships with a default keystore that contains a self-signed certificate. This keystore - named server.keystore - is located in the \jboss-4.0.3\server\management_application\conf directory in the IC installation location (C:\Packeteer\IntelligenceCenter by default). However, in order to fully support the SSL protocol, you must purchase a certificate from a trusted third-party Certificate Authority (CA) and install it on the IC server. You can either replace the keys contained in the existing keystore or you can replace the existing keystore with a new one. Note that if you replace the keystore, the new keystore you create must also be named server.keystore in order for it to work with IC.

There are many different ways to generate and install keys and certificates. The following procedure describes one way to do it. The examples in this procedure assume that you installed IC in the default location. If you installed IC in a different location, adjust the commands accordingly. Additionally, the default server.keystore uses the password management_application. If you do not want to use this password, you can replace it with a different one in the commands.

Resolution

To replace the default keystore:

  1. Go to the website of the CA from which you are purchasing your certificate. Locate the CA root certificate and copy and paste it into a file.
  2. To create a new keystore and store the root certificate file you just saved, go to the Windows command prompt and enter the following command (replacing root_certificate_filename with the actual name of the certificate file):

    C:\Packeteer\IntelligenceCenter\jre\bin\keytool -import -alias rootcert -storepass management_application -keystore server.keystore -keypass management_application -file <root_certificate_filename>
  3. Generate your public/private key pair. When generating your key pair, you must provide parameters that create the distinguished name (DN) of the IC server. These parameters include the URL of the IC server, the department name where it is located and the name and location of the organization to which it belongs. To create the key pair, enter the following command (replacing the variables with your own values):

    C:\Packeteer\IntelligenceCenter\jre\bin\keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass management_application -keypass management_application -dname "CN=, OU=, O=, L=, ST=, C="

    For example, to create a key pair for an IC server with IP address 123.45.6.78 in the IT department of Acme corporation located in Cupertino, California, you would enter the following command:

    C:\Packeteer\IntelligenceCenter\jre\bin\keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass management_application -keypass management_application -dname "CN=123.45.6.78, OU=IT_Department, O=Acme Corporation, L=Cupertino, ST=CA, C=US"
  4. Create the certificate signing request (CSR). This is the file that you will submit to the CA in order to purchase your certificate. To create a CSR named request.csr, enter the following command:

    C:\Packeteer\IntelligenceCenter\jre\bin\keytool -certreq -alias serverkeys -file request.csr -keystore server.keystore -storepass management_application
  5. Submit the .csr file you just created to the CA. The procedure for submitting the CSR depends on which CA you are using. After the CA processes the CSR, the organization will usually email your certificate to you. The certificate will look something like this:

    -----BEGIN CERTIFICATE-----
    ...base64-encoded certificate data...
    -----END CERTIFICATE-----
  6. Copy the certificate text into a file and save it with the extension .pem.
  7. Convert the PEM file (named ICcert.pem in this example) to the DER format required for Java implementations using an SSL conversion tool. For example, using the OpenSSL utility you would enter the following command:

    C:\openssl\bin\openssl x509 -in C:\ICcert.pem -out C:\ICcert.der -outform DER
  8. Import the certificate into your keystore using the following command:

    C:\BlueCoat\IntelligenceCenter\jre\bin\keytool -import -alias serverkeys -file ICcert.der -keypass management_application -keystore server.keystore -storepass management_application
  9. Replace the default server.keystore with your new server.keystore by copying the file to the following location:

    C:\BlueCoat\IntelligenceCenter\apache-tomcat-6.0.18\webapps\ROOT\conf\server.keystore
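
A check worth running before copying the keystore into place in step 9, written here as an added PowerShell example (not part of the original article or of IntelligenceCenter): it reads `keytool -list -v` output and reports whether the `serverkeys` entry still holds the self-signed certificate from step 3, has lost its private key, or lacks a CA chain. The function name `Test-KeystoreListing` and the sample listing are constructed for illustration, and the listing layout is assumed to match the bundled JRE's keytool.

```powershell
# Added example, not vendor code. Input is the text printed by:
#   keytool -list -v -keystore server.keystore -storepass <password>
# Assumed layout: "Alias name:", "Entry type:", "Certificate chain length:",
# "Owner:" and "Issuer:" lines; older JREs print "keyEntry" for a key pair.
# Only the first Owner/Issuer pair of an entry is kept: that is the server's own certificate.
function Test-KeystoreListing {
    param([string[]] $Listing, [string] $Alias = 'serverkeys')
    $entry = $null
    $inAlias = $false
    foreach ($line in $Listing) {
        if ($line -match '^Alias name:\s*(.+)$') {
            $inAlias = ($Matches[1].Trim() -eq $Alias)
            if ($inAlias) { $entry = @{ Type = ''; Chain = 0; Owner = ''; Issuer = '' } }
        }
        elseif (-not $inAlias) { continue }
        elseif ($line -match '^Entry type:\s*(.+)$') { $entry.Type = $Matches[1].Trim() }
        elseif ($line -match '^Certificate chain length:\s*(\d+)') { $entry.Chain = [int]$Matches[1] }
        elseif ($line -match '^Owner:\s*(.+)$' -and -not $entry.Owner) { $entry.Owner = $Matches[1].Trim() }
        elseif ($line -match '^Issuer:\s*(.+)$' -and -not $entry.Issuer) { $entry.Issuer = $Matches[1].Trim() }
    }
    if (-not $entry) { return @("alias '$Alias' not found in keystore") }
    $problems = @()
    if (@('PrivateKeyEntry', 'keyEntry') -notcontains $entry.Type) {
        $problems += "entry type is '$($entry.Type)': certificate was imported without the private key (wrong alias or wrong keystore)"
    }
    if ($entry.Owner -eq $entry.Issuer) {
        $problems += 'certificate is still self-signed: the CA reply from step 8 is not installed'
    }
    if ($entry.Chain -lt 2) {
        $problems += "chain length is $($entry.Chain): no CA certificate is chained to the server certificate"
    }
    return $problems
}

# Constructed sample: keystore state after step 3, before the CA reply is imported.
$sample = @(
    'Alias name: rootcert',
    'Entry type: trustedCertEntry',
    'Owner: CN=Example Root CA, O=Example CA, C=US',
    'Issuer: CN=Example Root CA, O=Example CA, C=US',
    'Alias name: serverkeys',
    'Entry type: PrivateKeyEntry',
    'Certificate chain length: 1',
    'Owner: CN=123.45.6.78, OU=IT_Department, O=Acme Corporation, L=Cupertino, ST=CA, C=US',
    'Issuer: CN=123.45.6.78, OU=IT_Department, O=Acme Corporation, L=Cupertino, ST=CA, C=US'
)
Test-KeystoreListing -Listing $sample
```

To check a real keystore, capture the keytool output into a variable and pass it as `-Listing`; no output from the function means all three checks passed.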