The purpose of this KB is to show in simple terms what is needed to apply a CA certificate chain into the wasp.keystore on an Operator Console (OC) machine.
Release: 20.3
Component: UIM - OPERATOR CONSOLE
- Guidance
1. Deactivate wasp
2. Delete D:\Program Files (x86)\Nimsoft\probes\service\wasp\conf\wasp.keystore
3. Activate wasp
4. Reset the keystore password (using the probe callback)
a. Open Infrastructure Manager.
b. Navigate to the server running the wasp probe.
c. Click on the wasp probe to highlight it.
d. Press Ctrl+<P> to open the probe utility.
e. In the drop-down list under Probe commandset, select ssl_reinitialize_keystore.
f. Enter a new password as an argument. Use a password that is at least six characters long. The wasp probe utility will not prevent you from using a shorter password, but you will be unable to make changes to the wasp.keystore file as described later.
g. Click the green play button to run the callback. The Command status bar displays the text OK.
h. Securely record the password you set for future use.
5. Log in to the OC machine that is being configured for HTTPS.
6. Delete the self-signed wasp certificate that is created by default during the previous callback procedure.
D:\Program Files (x86)\Nimsoft\jre\jre8u###b##\bin>keytool -delete -alias wasp -keystore "D:\Program Files (x86)\Nimsoft\probes\service\wasp\conf\wasp.keystore" -storepass <password>
7. Create a new 2048-bit wasp certificate (this is needed to create the .csr file that must be given to your security team).
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize 2048 -dname "[email protected], cn=MACHINE.domain.com, ou=IT, o=COMPANY, l=CITY, s=STATE, c=US" -ext SAN=dns:MACHINE.domain.com,ip:##.##.##.## -validity 730 -keystore "D:\Program Files (x86)\Nimsoft\probes\service\wasp\conf\wasp.keystore" -storepass <password>
8. Create the .csr (it is created in the directory where you run the command) and give it to the security team so that they can create the .cer file(s). They should send you back 3 certificate files (one root, one intermediate and one final).
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -certreq -alias wasp -ext SAN=dns:MACHINE.domain.com,ip:##.##.##.## -validity 730 -keystore "D:\Program Files (x86)\Nimsoft\probes\service\wasp\conf\wasp.keystore" -storepass <password> -file domain.com.csr
9. Run the following to verify that the SubjectAlternativeName is listed:
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -list -v -keystore "D:\Program Files (x86)\Nimsoft\probes\service\wasp\conf\wasp.keystore" -storepass <password>
10. Once you have the .cer files (the final, the root and the intermediate), import the root and the intermediate first, each with its own alias, and then the final with the wasp alias.
(root, intermediate and final example)
11. Import the root cert
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -import -trustcacerts -alias root -file "c:\root.cer" -keystore "D:\Program Files (x86)\Nimsoft\probes\service\wasp\conf\wasp.keystore" -storepass <password>
12. Import the intermediate cert
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -import -trustcacerts -alias intermediate -file "c:\intermediate.cer" -keystore "D:\Program Files (x86)\Nimsoft\probes\service\wasp\conf\wasp.keystore" -storepass <password>
13. Import the final cert file with ‘wasp’ as the alias
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -import -trustcacerts -alias wasp -file "c:\final.cer" -keystore "D:\Program Files (x86)\Nimsoft\probes\service\wasp\conf\wasp.keystore" -storepass <password>
14. Deactivate wasp
15. Activate wasp
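
A check for the end state of steps 9 to 13, as an added example that is not part of the original KB: it parses `keytool -list -v` output and confirms that the wasp alias still holds the private key, carries a three-certificate chain, has the expected SAN on the leaf, and that each Issuer matches the next Owner. The function name `check_wasp` and the sample output are constructed for illustration.

```python
import re

# Constructed, abbreviated `keytool -list -v` output; not from a real keystore.
SAMPLE = """\
Alias name: wasp
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=MACHINE.domain.com, OU=IT, O=COMPANY, L=CITY, ST=STATE, C=US
Issuer: CN=Example Intermediate CA
SubjectAlternativeName [
  DNSName: MACHINE.domain.com
]
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Certificate[3]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Alias name: root
Entry type: trustedCertEntry
"""

def check_wasp(text, alias="wasp", dns="MACHINE.domain.com", want_len=3):
    """Return a list of problems for `alias`; an empty list means the chain looks right."""
    # One capture group makes re.split return [preamble, alias1, body1, alias2, ...].
    parts = re.split(r"^Alias name: (.+)$", text, flags=re.M)
    entries = {a.strip().lower(): b for a, b in zip(parts[1::2], parts[2::2])}
    body = entries.get(alias)
    if body is None:
        return [f"alias {alias!r} not in keystore"]
    problems = []
    if not re.search(r"^Entry type: PrivateKeyEntry", body, re.M):
        problems.append("no private key under alias")
    m = re.search(r"^Certificate chain length: (\d+)", body, re.M)
    if not m or int(m.group(1)) < want_len:
        problems.append(f"chain shorter than {want_len}")
    # The SAN has to be on the leaf, i.e. before "Certificate[2]:".
    leaf = re.split(r"^Certificate\[2\]:", body, flags=re.M)[0]
    san = re.search(r"SubjectAlternativeName \[(.*?)\]", leaf, re.S)
    names = {l.strip().lower() for l in san.group(1).splitlines()} if san else set()
    if f"dnsname: {dns.lower()}" not in names:
        problems.append(f"leaf has no SAN DNSName {dns}")
    # Each certificate's Issuer must be the Owner of the next one in the chain.
    owners = re.findall(r"^Owner: (.+)$", body, re.M)
    issuers = re.findall(r"^Issuer: (.+)$", body, re.M)
    if any(i != o for i, o in zip(issuers, owners[1:])):
        problems.append("chain not linked: Issuer does not match next Owner")
    return problems
```

Save the output of the step 9 command to a file and pass its contents to `check_wasp`; a chain length of 1 under the wasp alias means the keystore still holds only the self-generated certificate from step 7.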