TDM Portal: What steps are needed to import a Third Party Certificate for Portal

Article ID: 189744

Products

CA Test Data Manager (Data Finder / Grid Tools)

Issue/Introduction

Would like to know the steps needed to import our own signed certificate into the TDM Portal's keystore.

Environment

All supported releases of TDM

Component: CA Test Data Manager Portal

Resolution

Here are the steps to import certificates and create a new keystore file to be used by TDM Portal. 

  1. Your security team should provide a PKCS #12 file (in this example, the file name is my.p12 or my.pfx) which contains the private key and related certificates.

  2. This keytool command will import the certificates and private key into the new keystore that you designate in a single step.

    keytool -importkeystore -deststorepass <keystore_password> -destkeystore <path_and_file_specification_for_keystore> -srckeystore <my.p12 or my.pfx file> -srcstoretype PKCS12

    WHERE:

      • -importkeystore = Imports one or all entries from another keystore. 
      • -deststorepass = Destination keystore password. This will be the password you have set for the new keystore file. Please make a note of the keystore password for future reference.
      • -destkeystore = Destination keystore path and name. This is the name of the new keystore file to be used by TDM.
      • -srckeystore = Source keystore name. In this example, the source is the my.p12 file or the my.pfx file that was provided by the Certificate Authority, or your Security Team.
      • -srcstoretype = Source keystore type. The source type should be PKCS12 if you have been provided a P12 or PFX file.

    For example: keytool -importkeystore -deststorepass myS3cr3tpasswrd -destkeystore "C:\Program Files\CA\CA Test Data Manager Portal\conf\.myNewKeystore" -srckeystore my.p12 -srcstoretype PKCS12

    Now, your keystore file contains your server certificate and its private key. You may be asked to enter the password to the p12/pfx file, so you will want that information handy.

  3. If you receive a warning that the JKS keystore uses a proprietary format, run the command given in the warning to convert the keystore to the PKCS12 format:

    keytool -importkeystore -srckeystore <path_to_the_keystore_file> -destkeystore <path_to_the_converted_keystore_file> -deststoretype PKCS12

    NOTE: if the source and destination keystores are the same, the keytool utility backs up the source keystore before overwriting it with the converted keystore file.

  4. If the private key in your signed certificate is protected by a password different from that of your keystore file, change the key password to match the keystore:

    keytool -keypasswd -alias <your alias> -keystore <path/file_specification_for_keystore>

    You'll be prompted to enter the passwords to get access to the keystore and certificate (key), and then prompted to enter your new certificate (key) password.

  5. The portal needs to access the keystore at <path_and_file_specification_for_keystore>, so update application.properties accordingly:

    tdmweb.keystorePath=<path_and_file_specification_for_keystore>

  6. TDM Portal needs the <keystore_password> to access the stored certificate and private key. Follow the steps below to create the encrypted version of your keystore password.
    1. To obtain an encrypted version of the keystore password:

      • Open a Windows Command prompt

      • Navigate to %TDM_HOME%\service\bin.
         
      • Run the Encryption Utility from the command line, and supply the password to be encrypted.
         
        • EncryptionUtil.bat -p <enter>

        • You will be prompted to enter the password. 

          Note: you must manually type the password. The command line will not display the keys you are typing.

        • You will be prompted to re-enter your password.

        • If successful, the encrypted password will be displayed.

          For example: Encrypted password:{cry}5FDhywfuS9JsIR9ab1MFKxvUmiHqRoG+qtTAfLwYM+5y

      • Save the encrypted value returned for entry in the TDM Portal's application.properties file.

    2. Update the application.properties file with the encrypted password:

      tdmweb.keystorePassword=<encryptedpassword> 

      For example: tdmweb.keystorePassword={cry}5FDhywfuS9JsIR9ab1MFKxvUmiHqRoG+qtTAfLwYM+5y


  7. Verify that the trusted certificate and private key have been imported properly, and check the current alias name.

    Note: you may also want to change the alias name to something more meaningful, for example Test Data Manager.

    1. To view the contents of the keystore file:

      • Open a Windows Command prompt.

      • Navigate to %TDM_HOME%\jre\bin.

      • From the command line, run the following:

        keytool -list -v -keystore <path_and_file_specification_for_keystore>

        For example: keytool -list -v -keystore "C:\Program Files\CA\CA Test Data Manager Portal\conf\.keystore"

        You will see something similar to ... 

        Keystore type: JKS 
        Keystore provider: SUN 
         
        Your keystore contains 1 entry 
         
        Alias name: 1 
        Creation date: Jun 21, 2019
         
         
        NOTE: In this example, the alias name is 1.

    2. To change the alias name from 1 to Test Data Manager:

      keytool -changealias -keystore <path_and_file_specification_for_keystore> -storepass <accesspassword> -alias 1 -destalias "Test Data Manager"

    3. Update application.properties with the new alias:

      tdmweb.keyAlias="Test Data Manager"

      NOTE: the alias in application.properties is case-sensitive and must match the keystore alias exactly.

      NOTE: also verify that the server's domain name matches the CN of the certificate. If they differ, the domain name must be included as an alternate name in the certificate's SAN (Subject Alternative Name).


  8. Restart the CA Test Data Manager Portal service and verify the Portal is running on your new certificate.
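The following Python script is an added example and is not code from this article or from CA/Broadcom. It covers two points of the procedure above: import_command() builds the step 2 keytool call so that the new keystore is written as PKCS12 from the start (so the JKS warning of step 3 never appears) and hands both store passwords to keytool through its documented -srcstorepass:env / -deststorepass:env modifiers instead of putting them on the command line, where they would show up in the process list and shell history; check_config() performs the step 7 verification by parsing `keytool -list -v` output and the tdmweb.* lines of application.properties and reporting a wrong alias (case-sensitive), a keystore password that is not the {cry} value from EncryptionUtil.bat, or a server name that matches neither the certificate CN nor a DNS entry in the SAN. It assumes keytool (from %TDM_HOME%\jre\bin) is on the PATH, that the environment-variable names TDM_SRC_STORE_PASS and TDM_DEST_STORE_PASS are free to use, and that the quotes the article puts around the alias in application.properties are not part of the alias itself; the keytool listing and properties lines embedded in it are constructed samples, not output from a real system.

```python
"""Helper for the TDM Portal certificate procedure above (added example, not CA/Broadcom code).
import_command(): the step 2 keytool call, written as PKCS12 up front and with both store
passwords passed via keytool's -srcstorepass:env / -deststorepass:env modifiers, never argv.
check_config(): the step 7 check, parsing `keytool -list -v` output and the tdmweb.* lines of
application.properties for a wrong (case-sensitive) alias, a plaintext keystore password, or
a server name matching neither the CN nor a DNS SAN. Variable names and samples are constructed.
"""
import os
import re
import subprocess

SRC_PASS_VAR = "TDM_SRC_STORE_PASS"     # assumed environment-variable names; any unused names work
DEST_PASS_VAR = "TDM_DEST_STORE_PASS"

def import_command(src_p12, dest_keystore):
    """argv for step 2: import the PKCS #12 file into a new PKCS12 keystore."""
    return ["keytool", "-importkeystore",
            "-srckeystore", src_p12, "-srcstoretype", "PKCS12",
            "-destkeystore", dest_keystore, "-deststoretype", "PKCS12",
            "-srcstorepass:env", SRC_PASS_VAR, "-deststorepass:env", DEST_PASS_VAR]

def run_keytool(argv, **passwords):
    """Run keytool; passwords go only into its environment (e.g. TDM_SRC_STORE_PASS=...)."""
    proc = subprocess.run(argv, env=dict(os.environ, **passwords), check=True, text=True, capture_output=True)
    return proc.stdout

def parse_listing(text):
    """Map alias -> {'cn', 'sans'} from `keytool -list -v` output, reading only the server (leaf) cert."""
    entries, current, leaf, in_san = {}, None, True, False
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("Alias name: "):
            current = entries[s[len("Alias name: "):]] = {"cn": None, "sans": []}
            leaf, in_san = True, False
        elif current is None:
            continue
        elif s.startswith("Certificate["):           # Certificate[2], [3], ... are the issuer chain
            leaf = s.startswith("Certificate[1]")
        elif leaf and s.startswith("Owner:") and current["cn"] is None:
            m = re.search(r"CN=([^,]+)", s)
            current["cn"] = m.group(1).strip() if m else None
        elif leaf and s.startswith("SubjectAlternativeName ["):
            in_san = True
        elif in_san and s == "]":
            in_san = False
        elif in_san and s.startswith("DNSName:"):
            current["sans"].append(s.split(":", 1)[1].strip())
    return entries

def parse_properties(text):
    """Minimal key=value reader for the tdmweb.* lines of application.properties."""
    pairs = (l.split("=", 1) for l in map(str.strip, text.splitlines()) if "=" in l and not l.startswith(("#", "!")))
    return {k.strip(): v.strip() for k, v in pairs}

def check_config(listing_text, props_text, server_name):
    """Return the list of problems found; an empty list means keystore and properties agree."""
    entries, props, problems = parse_listing(listing_text), parse_properties(props_text), []
    if not props.get("tdmweb.keystorePassword", "").startswith("{cry}"):
        problems.append("tdmweb.keystorePassword is not the {cry} value produced by EncryptionUtil.bat")
    alias = props.get("tdmweb.keyAlias", "").strip('"')  # assumption: surrounding quotes are not part of the alias
    if alias not in entries:
        near = [a for a in entries if a.lower() == alias.lower()]
        detail = f"found {near[0]!r} (alias is case-sensitive)" if near else f"aliases present: {sorted(entries)}"
        problems.append(f"alias {alias!r} not in keystore; {detail}")
        return problems
    cert = entries[alias]
    names = {n.lower() for n in cert["sans"] + ([cert["cn"]] if cert["cn"] else [])}
    if server_name.lower() not in names:
        problems.append(f"server name {server_name!r} matches neither CN {cert['cn']!r} nor SAN {cert['sans']}")
    return problems

# Constructed sample of `keytool -list -v` output (not captured from a real system).
SAMPLE_LISTING = """\
Keystore type: PKCS12
Alias name: Test Data Manager
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=tdm.example.internal, O=Example Corp, C=US
SubjectAlternativeName [
  DNSName: tdm.example.internal
  DNSName: tdm
]
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=US
"""
# Constructed application.properties fragment, written the way the article shows it.
SAMPLE_PROPERTIES = """\
tdmweb.keystorePath=C:/Program Files/CA/CA Test Data Manager Portal/conf/.myNewKeystore
tdmweb.keystorePassword={cry}EXAMPLE_ENCRYPTED_VALUE_FROM_ENCRYPTIONUTIL
tdmweb.keyAlias="Test Data Manager"
"""

if __name__ == "__main__":
    # Live use: listing = run_keytool(["keytool", "-list", "-v", "-keystore", path,
    #                                  "-storepass:env", DEST_PASS_VAR], **{DEST_PASS_VAR: pw})
    for msg in check_config(SAMPLE_LISTING, SAMPLE_PROPERTIES, "tdm.example.internal") or ["OK"]:
        print(msg)
```

Run as-is, the script checks the constructed sample and prints OK. Against a live installation, replace SAMPLE_LISTING with the output of run_keytool(...) for the keystore named in tdmweb.keystorePath, replace SAMPLE_PROPERTIES with the contents of application.properties, and pass the host name users actually type into the browser; the three problems it can report correspond to the notes under step 7 (alias case, the {cry} password, and CN/SAN coverage of the server name). Step 2 can be run the same way with subprocess.run(import_command(...), env={**os.environ, SRC_PASS_VAR: p12_password, DEST_PASS_VAR: keystore_password}), so that neither password is visible in the command line.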

 

Additional Information