ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to configure UMP/Admin Console/OC/CABI wasp to use SSL certificates with a Subject Alternate Name (SAN)

book

Article ID: 16748

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM) NIMSOFT PROBES Unified Infrastructure Management for Mainframe CA Unified Infrastructure Management On-Premise (Nimsoft / UIM) CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

We use https://<hostname.domain.com> for our UMP, and DNS also allows https://<hostname>/.  We would like to implement a single SSL certificate to cover both cases. How can this be accomplished?

Cause

- Guidance with CSRs/SSL Certificates

Environment

Release: UIM 8.4 or higher

Resolution

The following (high-level overview) steps  are required.  For specifics, see the product documentation.

1. Reinitialize the keystore 
2. Delete the "wasp" alias from the keystore 
3. Generate a key pair, but do NOT use the command from the docs (which does not include the SAN info):

<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize <key_size> -keystore wasp.keystore -validity <days_cert_is_valid> 

Instead, generate the keypair thusly (substituting the appropriate values for your domain): 

<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize <key_size> -keystore wasp.keystore -dname "CN=hostname, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext SAN=dns:hostname.domain.com,ip:1.2.3.4 -validity <days_cert_is_valid>

Note that you should not use "Unknown," but enter the correct values for your organization.  The Country value (C) must be a two-letter country code.

You can verify the SAN info was included by issuing the following command: 

   keytool -list -v -keystore wasp.keystore 

Here is an example result of the list command above.

#1: ObjectId: 2.5.29.17 Criticality=false 
SubjectAlternativeName [ 
DNSName:hostname.domain.com 
IPAddress: 1.2.3.4

Next, generate the CSR using the same -ext command, like this:

<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -certreq -alias wasp -validity <days_cert_is_valid> -keystore wasp.keystore -file <your_domain>.csr -ext SAN=dns:hostname.domain.com,ip:1.2.3.4 

Now you should have a valid CSR that contains the SAN. You can submit this to a certificate signing authority to obtain a certificate.

Then you would simply import the resulting certificates as described in the techdocs link listed below in the Additional Information section of this article, and that should resolve any SAN-related errors as described above.

Additional Information

Configure HTTPS in Admin Console or OC (Authority-Signed Certificate)