REST API - Certificate Problems

Article ID: 226882

Products

SYSVIEW Performance Management

Issue/Introduction

Currently, large companies implement the standard security controls for the SYSVIEW REST API using the keystore as per the configuration instructions in TechDocs; however, this causes the problem documented below when rolling out across a large number of LPARs:

Every single certificate in our system must be updated to be able to connect to the APIs on every LPAR.

15 LPARs means 15 certificates to add to the servers making the calls.

When a certificate is updated by the Mainframe, the server needs to be updated too. If this is not done, it is not possible to connect to the API.

The appropriate way is to request certificates from the certificate center by creating a key on the server, generating a certificate request from that key, and sending this certificate request to the certification center.

The certificate is returned in PEM format, signed by the root.

For every added LPAR or renewal of the certificate, the Mainframe team requests the certificate from the certification center, and those certificates will be trusted by the server using the certificate chain already installed.

How to address this?

Environment

Release : 16.0

Component : SYSVIEW

Resolution

Check this page in the manual, step 7 !! 

Configure and Deploy the SYSVIEW Application Server

It says: Generate KeyStores. Use the following steps to generate KeyStores with self-signed certificates.

If your organization has its own process for generating KeyStore Certificates, it is recommended to refer to your internal procedures to create the KeyStore Certificates.

Additional comment:

The 'keytool' genkey command creates a self-signed certificate. The 'keytool' utility cannot be used to sign a certificate, so if a site does not want to use self-signed certificates, it needs to use the 'keytool' certreq command to create a certificate request that can be sent to a CA (certificate authority) for signing, and then use 'keytool' importcert to import the certificate that was signed by the CA. For example:
 
• Keytool Create Certificate:

  keytool -genkey -alias "mykey3" -keysize 2048 -dname "CN=SYSVIEW-SERVER-ACF-CERT" \
    -ext san=dns:SYSTEST.BBC.CORPACOM.NET -validity 120 -keystore /u/mykeys/keystore.jks \
    -storepass test01

• Keytool List keystore:

  keytool -list -v -keystore /u/mykeys/keystore.jks -storepass test01

• Keytool certreq create CSR:

  keytool -certreq -alias "mykey3" -keystore /u/mykeys/keystore.jks -storepass test01 \
    -file /u/mykeys/mycertreq2.csr

• Submit the CSR file to a CA. The CA will return a signed certificate together with the signing chain of certificates.

• Keytool importcert import signed certificate:

  keytool -importcert -alias "mykey3" -trustcacerts -file signedcert.cer -keystore /u/mykeys/keystore.jks
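After the importcert step, the 'keytool' -list -v output is the easiest place to confirm that a keystore now holds a CA-signed chain rather than the self-signed certificate from genkey, and to catch the renewal problem described above across many LPARs. The following is an added example (not from the manual or the SYSVIEW product) that parses constructed -list -v excerpts for two hypothetical LPARs and flags entries that are still self-signed (chain length 1, Owner equal to Issuer) or close to expiry:

```python
import re
from datetime import datetime, timezone

# Constructed `keytool -list -v` excerpts for two hypothetical LPARs (sample data, not real output).
SELF_SIGNED_LISTING = """\
Alias name: mykey3
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=SYSVIEW-SERVER-ACF-CERT
Issuer: CN=SYSVIEW-SERVER-ACF-CERT
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Tue Apr 30 00:00:00 UTC 2024
"""

CA_SIGNED_LISTING = """\
Alias name: mykey3
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=SYSVIEW-SERVER-ACF-CERT
Issuer: CN=Example Issuing CA
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Dec 31 00:00:00 UTC 2025
Certificate[2]:
Owner: CN=Example Issuing CA
Issuer: CN=Example Root CA
"""

KEYTOOL_DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"


def audit_entry(listing, today, warn_days=30):
    """Audit one keystore entry; `today` is an ISO date string such as '2024-04-15'."""
    now = datetime.fromisoformat(today).replace(tzinfo=timezone.utc)
    alias = re.search(r"^Alias name: (.+)$", listing, re.M).group(1)
    chain_len = int(re.search(r"^Certificate chain length: (\d+)$", listing, re.M).group(1))
    # The first Owner/Issuer/until lines belong to Certificate[1], the server (leaf) certificate.
    owner = re.search(r"^Owner: (.+)$", listing, re.M).group(1)
    issuer = re.search(r"^Issuer: (.+)$", listing, re.M).group(1)
    until = re.search(r"until: (.+)$", listing, re.M).group(1)
    expires = datetime.strptime(until, KEYTOOL_DATE_FMT).replace(tzinfo=timezone.utc)
    days_left = (expires - now).days
    findings = []
    if chain_len == 1 and owner == issuer:
        findings.append("self-signed: every calling server must trust this certificate individually")
    if days_left < 0:
        findings.append("expired")
    elif days_left < warn_days:
        findings.append(f"expires in {days_left} days: renew via certreq/importcert")
    return {"alias": alias, "chain_length": chain_len, "days_left": days_left, "findings": findings}


def audit_fleet(listings, today, warn_days=30):
    """Audit {lpar_name: listing} and return only the LPARs that need attention."""
    results = {lpar: audit_entry(text, today, warn_days) for lpar, text in listings.items()}
    return {lpar: r for lpar, r in results.items() if r["findings"]}
```

In practice the listings come from running the -list -v command shown above against each LPAR's keystore.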