How to add a pre-existing SSL certificate to wasp for UMP/CABI/Admin Console


Article ID: 198424


Updated On:

Products

NIMSOFT PROBES DX Infrastructure Management

Issue/Introduction

I have obtained an authority-signed SSL certificate from an external vendor or internal security team and need to apply it to the UMP, Admin Console, and/or bundled CABI servers. How can I do this with a certificate I already have instead of requesting a whole new certificate?

Environment

UIM/UMP/CABI (Bundled)  - any version

wasp probe - any version

Resolution

The overall process for certificates on the bundled/internal CABI server is the same as for the Admin Console on the primary hub (or UMP, for that matter), which is documented here:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/9-0-2/installing/optional-post-installation-tasks/configure-https-in-admin-console-or-ump.html

That page contains technical details about the process that are relevant to this issue, and it is worth familiarizing yourself with the overall process first.
Below I have outlined the steps that actually apply to an existing certificate, in an easier-to-follow order:


IMPORTANT: back up both wasp.cfg and the file wasp/conf/wasp.keystore before proceeding. If anything goes wrong, restoring wasp.cfg and wasp.keystore brings back the original self-signed certificate.

First, optionally reinitialize the keystore. This is not strictly necessary, but if you do not have the password for the existing keystore it keeps things tidy; if you do have the password, skip these steps:

a. stop (deactivate) the wasp probe on the robot that hosts it (the CABI robot, the UMP robot, or the primary hub for Admin Console)
b. in the wasp/conf/ folder, delete wasp.keystore
c. activate wasp
d. run the wasp callback ssl_reinitialize_keystore and provide a password; this creates a new wasp.keystore protected by that password. Choose a strong password and record it, because every keytool command below needs it.

Otherwise, if you already know the keystore password, proceed without those steps.

You will also need to locate keytool.exe, which is in \Nimsoft\jre\(jre_version)\bin\; make a note of the path. From here on, run the commands from the wasp/conf/ folder above, giving the full path to keytool.exe to execute it.

Alternatively you can change into the /jre/bin/ folder and run keytool with explicit output paths along the way, but this set of steps assumes you are running from wasp/conf/. (On a Linux robot the binary is simply keytool and the paths use forward slashes; the arguments are identical.)

To generate the CSR, run the following commands at the command prompt.

First, list the keystore to verify the aliases in it. The private key alias will be either "wasp" or "cabi"; which one does not strictly matter, but you need it for the next commands.

 (PATH_TO_KEYTOOL)\keytool.exe -list -keystore wasp.keystore

You will be prompted for the keystore password and will get something like this:

 Keystore type: JKS
 Keystore provider: SUN

 Your keystore contains 1 entries

 wasp, Nov 1, 2011, PrivateKeyEntry,
 Certificate fingerprint (MD5):4C:7D:FC:9F:20:A7:B4:7F:DC:93:C0:38:83:7C:7F:AB

The "PrivateKeyEntry" line will start with either "wasp" or "cabi". Make a note of which it is. (It is "wasp" by default, and the following examples assume that; it may be "cabi" if this process was followed previously by someone else. Newer JREs print a SHA-256 fingerprint rather than MD5; the fingerprint value itself is not needed here.)

Now delete this entry (it represents the self-signed certificate and its private key) and generate a new public/private keypair under the same alias:

 (PATH_TO_KEYTOOL)\keytool.exe -delete -alias wasp -keystore wasp.keystore

 (PATH_TO_KEYTOOL)\keytool.exe -genkeypair -alias wasp -keyalg RSA -keysize 2048 -keystore wasp.keystore

The -genkeypair command prompts for the subject information. Make sure it matches what is on the existing certificate:

 First and Last Name: this must be the FQDN of the server exactly as issued on the existing certificate
 Other fields such as Organizational Unit/Organization/Locality/State/Country: up to you, but they should match the existing certificate that you already have.
 Key password for <wasp>: press Enter so the key reuses the keystore password; wasp expects the two to be the same.

Now generate the CSR (certificate signing request):

 (PATH_TO_KEYTOOL)\keytool.exe -certreq -alias wasp -keystore wasp.keystore -file cabi.csr

This writes the CSR to the file cabi.csr in wasp/conf/. Most CAs take the hostnames for the certificate's Subject Alternative Name from their order form, but if yours reads them from the CSR, add -ext san=dns:<fqdn> to the -certreq command; browsers validate the hostname against the SAN, not the Common Name.

Note that this procedure re-keys: the private key is generated here on the server and never leaves the keystore, so you do not need (and should not ask for) the private key that belongs to your existing certificate.

Once you have this CSR, take it to your Certificate Authority and request a re-keyed or re-issued certificate based on this CSR and your existing signed certificate.
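The CSR steps above as one script, added here as an example; it is not taken from the article or from the wasp probe's own tooling. It assumes bash on a Linux robot (the keytool arguments are identical to keytool.exe on Windows), that the current directory is wasp/conf, that keytool is on PATH or named in $KEYTOOL, and that the keystore password has been exported as WASP_STOREPASS so it never appears on a command line. The DN values ("Example Corp" and so on) are placeholders to replace. The private_key_alias function finds "wasp" or "cabi" from the -list output, and -dname/-keypass:env replace the interactive prompts.

```bash
#!/usr/bin/env bash
# Added example, not part of the Broadcom article or the wasp probe's tooling:
# re-key wasp.keystore and write a CSR without interactive prompts.
# Assumptions: bash on a Linux robot (keytool arguments are identical to
# keytool.exe on Windows), current directory is wasp/conf, keytool on PATH or
# given in $KEYTOOL, keystore password exported as WASP_STOREPASS so it never
# appears in the process list. DN values below are placeholders.
set -euo pipefail

KEYTOOL="${KEYTOOL:-keytool}"
KEYSTORE="${KEYSTORE:-wasp.keystore}"

# Read `keytool -list` output on stdin and print the PrivateKeyEntry alias
# ("wasp" by default, "cabi" if the keystore was re-keyed earlier). Prints
# nothing if the keystore holds no private key.
private_key_alias() {
  awk -F', ' '/PrivateKeyEntry/ { print $1; exit }'
}

# Build the -dname string so -genkeypair does not prompt. CN must be the FQDN
# the certificate is issued for; the other fields should match the existing cert.
build_dname() {
  local cn="$1" ou="$2" o="$3" l="$4" st="$5" c="$6"
  printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$cn" "$ou" "$o" "$l" "$st" "$c"
}

# Delete the self-signed entry, generate a fresh 2048-bit RSA keypair under the
# same alias, and write the CSR. The key password is deliberately the keystore
# password (wasp expects a single password). The SAN extension is included so
# the CSR carries the hostname browsers actually validate.
make_csr() {
  local fqdn="$1" dname="$2" outfile="${3:-cabi.csr}"
  local ks_alias
  ks_alias="$("$KEYTOOL" -list -keystore "$KEYSTORE" -storepass:env WASP_STOREPASS \
              | private_key_alias)"
  [ -n "$ks_alias" ] || { echo "no PrivateKeyEntry in $KEYSTORE" >&2; return 1; }
  "$KEYTOOL" -delete -alias "$ks_alias" -keystore "$KEYSTORE" -storepass:env WASP_STOREPASS
  "$KEYTOOL" -genkeypair -alias "$ks_alias" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -dname "$dname" -keystore "$KEYSTORE" \
    -storepass:env WASP_STOREPASS -keypass:env WASP_STOREPASS
  "$KEYTOOL" -certreq -alias "$ks_alias" -ext "san=dns:$fqdn" -file "$outfile" \
    -keystore "$KEYSTORE" -storepass:env WASP_STOREPASS -keypass:env WASP_STOREPASS
  echo "$outfile"
}

# Run the procedure only when invoked as:  WASP_STOREPASS=... ./make_csr.sh run <fqdn>
if [ "${1:-}" = "run" ]; then
  : "${WASP_STOREPASS:?export the keystore password first}"
  dn="$(build_dname "$2" "Monitoring" "Example Corp" "Islandia" "NY" "US")"
  make_csr "$2" "$dn"
fi
```

The script deletes the existing private key entry, so run it only after the backup described in the IMPORTANT note above; the resulting cabi.csr is what you hand to the CA.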

 

The following URLs describe this process for DigiCert (a common certificate authority), but your own CA will have similar steps; all CAs we are aware of provide this at no cost.
 
 https://docs.digicert.com/manage-certificates/reissue-ssltls-certificate/
 
 https://www.digicert.com/clients/rest/docs/retail/order/reissue-ssl-certificate
 
 
Once you have received the reissued certificate, import it using the following process, again from wasp/conf. The CA certificates go in first (root, then intermediates), each under its own alias; the server certificate goes in last, under the same alias as the keypair ("wasp" in these examples, "cabi" if that is what -list showed). Using the keypair's alias is what makes keytool treat the file as a certificate reply for that key; imported under any other alias it becomes a plain trusted-certificate entry and wasp keeps serving the self-signed certificate.

If your certificate authority provided a root certificate, import the root certificate:

 (PATH_TO_KEYTOOL)\keytool.exe -import -trustcacerts -alias root -file <root_certificate>.cer -keystore wasp.keystore

Import the intermediate certificate:

 (PATH_TO_KEYTOOL)\keytool.exe -import -trustcacerts -alias intermediate -file <first_intermediate_certificate>.cer -keystore wasp.keystore

Repeat the previous step as needed for additional intermediate certificates, giving them aliases such as intermediate1, intermediate2, etc. (It is unusual to have more than one intermediate.)

Import the signed certificate. (Sometimes this is all you get, and in that case it is all you need, provided keytool can build the chain from CA certificates already in the keystore or in the JRE's cacerts file; -trustcacerts allows the latter.)

 (PATH_TO_KEYTOOL)\keytool.exe -import -trustcacerts -alias wasp -file <your_cert>.crt -keystore wasp.keystore

Answer yes at the prompt "Existing entry alias wasp exists, overwrite?" if it appears. If keytool instead reports "Certificate reply was installed in keystore" without prompting, that is also correct. If it reports "Failed to establish chain from reply", an issuing certificate is missing: import the intermediate(s) and retry.

At this point, restart (deactivate and activate) wasp and you are done; it should come up with the new certificate. Confirm by opening the UMP, CABI or Admin Console URL in a browser and inspecting the certificate, or by running (PATH_TO_KEYTOOL)\keytool.exe -list -v -keystore wasp.keystore and checking that the wasp entry now shows a certificate chain whose Issuer is your CA rather than the server itself. If wasp does not start, restore the backed-up wasp.cfg and wasp.keystore.
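An added example for the import phase; it is not from the article or the wasp probe. It splits a PEM bundle the CA may have returned into one file per certificate, imports the CA certificates root-first under the article's alias names, installs the server certificate as the reply for the keypair alias, and shows an openssl check of what the restarted wasp actually serves. Same assumptions as the CSR script: bash, keytool on PATH, run from wasp/conf, keystore password exported as WASP_STOREPASS; file names, hostname and port are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the Broadcom article: import a CA-issued chain
# into wasp.keystore one certificate per alias, then verify what is served.
# Assumptions: bash, keytool on PATH or in $KEYTOOL, current directory is
# wasp/conf, keystore password exported as WASP_STOREPASS. Hostnames, ports
# and file names are placeholders.
set -euo pipefail

KEYTOOL="${KEYTOOL:-keytool}"
KEYSTORE="${KEYSTORE:-wasp.keystore}"

# Split a PEM bundle read from stdin into numbered files in $1
# (cert-1.pem, cert-2.pem, ...) and print how many certificates were written.
# Anything outside BEGIN/END CERTIFICATE blocks (CA notes, subject= lines) is dropped.
split_pem_bundle() {
  local outdir="$1"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }'
}

# Alias for the Nth CA certificate counted from the root, matching the
# article's naming: root, intermediate, intermediate2, ...
ca_alias() {
  case "$1" in
    1) echo root ;;
    2) echo intermediate ;;
    *) echo "intermediate$(( $1 - 1 ))" ;;
  esac
}

# Import CA certificates root-first, then the server certificate as the reply
# for the keypair alias ($1, "wasp" or "cabi"). -noprompt answers the
# "overwrite?" / "still want to add it?" questions; keytool still fails if the
# reply cannot be chained to a CA certificate, which is the check we want.
import_chain() {
  local leaf_alias="$1" leaf_file="$2"; shift 2
  local i=1 ca
  for ca in "$@"; do
    "$KEYTOOL" -importcert -trustcacerts -noprompt -alias "$(ca_alias "$i")" \
      -file "$ca" -keystore "$KEYSTORE" -storepass:env WASP_STOREPASS
    i=$(( i + 1 ))
  done
  "$KEYTOOL" -importcert -trustcacerts -noprompt -alias "$leaf_alias" \
    -file "$leaf_file" -keystore "$KEYSTORE" -storepass:env WASP_STOREPASS
}

# After restarting wasp, print subject/issuer/validity/fingerprint of the
# certificate the port actually presents, to compare with what the CA issued.
verify_served_cert() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
}

# usage: WASP_STOREPASS=... ./import_chain.sh run <leaf_alias> <server.crt> <root.cer> [intermediate.cer ...]
if [ "${1:-}" = "run" ]; then
  : "${WASP_STOREPASS:?export the keystore password first}"
  shift; import_chain "$@"
  "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass:env WASP_STOREPASS \
    | grep -E 'Alias name|Certificate chain length|Owner|Issuer'
fi
```

If the CA sent a single bundle, run split_pem_bundle first and pass the resulting files to import_chain root-first, with the server certificate (usually the first block in the bundle) as the leaf; then restart wasp and run verify_served_cert against the UMP/CABI/Admin Console port.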