Spectrum - Using Subject Alternative Names (SAN) when enabling SSL for OneClick seems not to be picked up by the CA Authority

Article ID: 216236

Products

DX NetOps

Issue/Introduction

Following the Configure OneClick for Secure Sockets Layer section in the product documentation, I'm not able to get the SAN options I set using keytool (-ext SAN) picked up by our internal CA.

I have tried reducing the number of SANs defined but this makes no difference.


Environment

Release : 20.2

Component : Spectrum Core / SpectroSERVER

Cause

The SAN options must be included not only when the private self-signed certificate is generated, but also when the certificate request (CSR) is generated. The CA builds the issued certificate from the CSR, not from the self-signed certificate in the keystore.

Otherwise the certificate issued by the CA will not include the Subject Alternative Names.

Resolution

1. Move to $SPECROOT/Java/bin

2. Run:
    keytool -genkey -alias tomcatssl -keyalg RSA -keystore c:/win32app/Spectrum/custom/keystore/cacerts -ext "SAN=IP:xxx.xxx.xxx.xxx,DNS:myserver.mydomain.com"
    In the above line, replace SAN=IP:xxx.xxx.xxx.xxx,DNS:myserver.mydomain.com with the SAN values that apply to your environment. For instance, SAN=IP:192.168.1.140,DNS:spectrum104

3. To confirm the SAN was added, run:
    keytool -list -v -keystore c:/win32app/Spectrum/custom/keystore/cacerts > C:\keystorelist.txt
    Reviewing C:\keystorelist.txt, you should see that the extension was added:
...

Alias name: tomcatssl
Creation date: May 28, 2021
...
Extensions: 

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  IPAddress: 192.168.1.140
  DNSName: spectrum104
]
...

4. Create the certificate request, again passing the SAN extension:
    keytool -certreq -alias tomcatssl -keystore c:/win32app/Spectrum/custom/keystore/cacerts -ext "SAN=IP:xxx.xxx.xxx.xxx,DNS:myserver.mydomain.com" -file C:\cert-req.csr
    In the above line, replace SAN=IP:xxx.xxx.xxx.xxx,DNS:myserver.mydomain.com with the SAN values that apply to your environment. For instance, SAN=IP:192.168.1.140,DNS:spectrum104

5. Check that the certificate request includes the SAN extension with the following command:
    openssl req -in C:\cert-req.csr -noout -text
    Linux distributions usually include openssl, or you can install it from the repositories. On Windows, if it is not installed, you can download the GnuWin32 version.
...
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:192.168.1.140, DNS:spectrum104

6. Import the certificate following the steps described in the documentation.

7. The certificate returned by the CA should include the SAN. You can check it from the browser when you first load the OneClick home page, after OneClick is configured to use SSL.
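The check in step 5 is the one that matters: if the CSR handed to the CA has no SAN, the issued certificate will not have one either, regardless of what the keystore's self-signed certificate contains. The script below is an added example, not part of the Broadcom article and not Spectrum's own tooling. It builds two constructed CSRs with openssl (one with a SAN, one without, standing in for a keytool -certreq run with and without -ext) and provides a csr_has_san check that fails when any expected SAN entry is missing. It assumes openssl 1.1.1 or later (for -addext); the host name spectrum104 and IP 192.168.1.140 are the article's sample values.

```shell
#!/bin/sh
# Added example (not from the article): confirm a CSR carries the expected
# Subject Alternative Name entries before it is submitted to the CA.
# Assumes openssl >= 1.1.1 is on PATH. Sample host/IP values are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed CSR that includes a SAN, equivalent to what step 4 produces
# when -ext "SAN=..." is passed to keytool -certreq.
#   $1 = output CSR path, $2 = SAN list, e.g. "IP:192.168.1.140,DNS:spectrum104"
make_csr_with_san() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key-with.pem" \
        -subj "/CN=spectrum104" -addext "subjectAltName=$2" -out "$1" 2>/dev/null
}

# Constructed CSR without a SAN, equivalent to forgetting -ext at the certreq
# step even though the keystore's self-signed certificate has one.
#   $1 = output CSR path
make_csr_without_san() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key-without.pem" \
        -subj "/CN=spectrum104" -out "$1" 2>/dev/null
}

# Print the SAN entries requested in a CSR on one line (empty if there is none).
# Uses the same "openssl req -noout -text" output the article tells you to read.
csr_san_entries() {
    openssl req -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# Return 0 when every expected entry (e.g. "DNS:spectrum104") appears in the
# CSR's SAN, 1 when the SAN is absent or any entry is missing.
csr_has_san() {
    csr="$1"; shift
    entries="$(csr_san_entries "$csr")"
    [ -n "$entries" ] || return 1
    for want in "$@"; do
        case "$entries" in
            *"$want"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Demo: generate both CSRs and report which one the CA should be given.
make_csr_with_san "$WORK/with-san.csr" "IP:192.168.1.140,DNS:spectrum104"
make_csr_without_san "$WORK/without-san.csr"
for f in "$WORK/with-san.csr" "$WORK/without-san.csr"; do
    if csr_has_san "$f" "IP Address:192.168.1.140" "DNS:spectrum104"; then
        echo "OK   $f: $(csr_san_entries "$f")"
    else
        echo "FAIL $f: SAN missing or incomplete, do not submit to the CA"
    fi
done
```

Run it on your own request with csr_has_san C:\cert-req.csr "DNS:spectrum104" (or the equivalent path on Linux); a non-zero exit means the request must be regenerated with -ext before the CA sees it. The expected-entry strings use openssl's own rendering ("IP Address:" for IP entries, "DNS:" for host names), which is what the text output in step 5 shows.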


Additional Information

Configure OneClick for Secure Sockets Layer
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-3/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/configure-oneclick-for-secure-sockets-layer.html
