Configuring a vendor issued or custom SSL certificate for WebUI/WCC, Autosys Web Server (AEWS), CA Directory (dxserver) and EEM (iGateway)

Article ID: 239585


Products

Autosys Workload Automation

Issue/Introduction

This document gives the steps to configure a vendor-issued or custom SSL certificate for WCC, Autosys Web Server (AEWS), EEM (iGateway) and CA Directory (dxserver).

NOTE: This assumes that all components are installed on the same machine. The commands are best run as the Unix user who owns the AutoSys installation directories.

Resolution

Start with WCC / WebUI keystore and repurpose it for AEWS and EEM later on:

#1 Change directory to the WCC config folder, as the root user
cd /opt/CA/WorkloadAutomationAE/wcc/data/config

# Optional: set JAVA_HOME and PATH so that the keytool from the AutoSys-bundled Java is the one used:
#Unix
JAVA_HOME=/opt/CA/WorkloadAutomationAE/jre; export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH; export PATH

#Windows (quote the whole assignment; quoting only the value puts the quote characters into JAVA_HOME and breaks the PATH entry below)
set "JAVA_HOME=C:\Program Files\CA\WorkloadAutomationAE\jre"
set PATH=%JAVA_HOME%\bin;%PATH%

#Note: If the AutoSys installation is not on the C: drive, switch the command prompt to that drive first, for example by typing D: and pressing Enter.


#2 Generate a new private key and self-signed certificate in a PKCS12 keystore
#Note: PKCS12 is used as the starting point; later it will be converted to other formats as needed.

#2a) Make sure that both the dname and the Subject Alternative Name (SAN) have a value.
keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore.pkcs12 -storetype PKCS12 -storepass changeit -keypass changeit -keysize 2048 -dname cn=MyWcc-Server.example.com -ext san=DNS:MyWcc-Server.example.com -validity 365

#2b) If there are several servers behind a load balancer, include all the server names as well as the real URL name. For example, if WCC is accessed via wcc.example.com but there are two underlying servers, wcc-server1 and wcc-server2, the request should have -ext san=dns:wcc.example.com,dns:wcc-server1.example.com,dns:wcc-server2.example.com
Example:
keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore.pkcs12 -storetype PKCS12 -storepass changeit -keypass changeit -keysize 2048 -dname "cn=wcc.example.com,O=Some Org Inc,L=San Jose,S=California,C=US" -ext "SAN=DNS:wcc.example.com,DNS:wccserver1.example.com,DNS:wccserver2.example.com" -validity 365

#2c) The above command prints nothing to the console unless there is an error of some sort



#3 List what exists in the keystore now; look for the Alias name and the Entry type (it should be PrivateKeyEntry)

keytool -keystore .keystore.pkcs12 -storetype PKCS12 -storepass changeit -list -v

Keystore type: PKCS12
  Your keystore contains 1 entry

  Alias name: tomcat
  Creation date: Apr 12, 2022
  Entry type: PrivateKeyEntry
  Certificate chain length: 1
  Certificate[1]:
  Owner: CN=MyWcc-Server.example.com
  Issuer: CN=MyWcc-Server.example.com
  Serial number: 439ecd7
  Valid from: Tue Apr 12 12:25:46 EDT 2022 until: Wed Apr 12 12:25:46 EDT 2023
  Certificate fingerprints:
     MD5:  <###MD5 checksum>
     SHA1: < ### SHA1 Checksum ## >
     SHA256: < ## SHA256 checksum ## >
  Signature algorithm name: SHA256withRSA
  Subject Public Key Algorithm: 2048-bit RSA key
  Version: 3

  Extensions:

  #1: ObjectId: 2.5.29.17 Criticality=false
  SubjectAlternativeName [
    DNSName: MyWcc-Server.example.com
  ]

  #2: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: XX XX XX XX XX XX   .....i?..Ab.,Xh.
  0010: 94 A5 8B 64                                        ...d
  ]
  ]

#4 Create a Certificate Signing Request (CSR) based on the above private key

#4a) As in step 2b, if there are several servers behind a load balancer, the CSR should also carry all the server names and the real URL name in its SAN, for example -ext san=dns:wcc.example.com,dns:wcc-server1.example.com,dns:wcc-server2.example.com

keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore.pkcs12 -storetype PKCS12 -storepass changeit -file wcc.cert.req.csr -ext san=dns:MyWcc-Server.example.com

# NOTE:
1) The above command creates the file wcc.cert.req.csr in the same folder where all the above commands are being run
2) The CSR can also be validated by copying the contents of wcc.cert.req.csr into a decoder such as https://www.sslshopper.com/csr-decoder.html
It should show the Common Name and the SAN names used in the above command.
If they are not correct, the CSR was made incorrectly: repeat ALL the steps from step 1.

#5 The result of the above, wcc.cert.req.csr, needs to be provided to the Certificate Authority.

#6 The Certificate Authority provides a response to the above, usually in the form of a zip file, a .p7b file, or individual files (containing the server certificate and the root / intermediate certificates)

# NOTE: The preferred import order is Root (root.crt) first, Intermediate (inter.crt) next, and the real server certificate (MyWcc-Server.example.com.crt) last. These files have to be uploaded to the /opt/CA/WorkloadAutomationAE/wcc/data/config folder


#7 As the CSR was generated from the private key stored in .keystore.pkcs12 under the alias tomcat, the reply the Certificate Authority sent is only valid for use in that keystore with alias=tomcat.
So, back up the keystore first:
cp -p .keystore.pkcs12 .keystore_pkcs12_before_cert_import

#8 Import Root first
keytool -importcert -alias RootCA -file root.crt -keystore .keystore.pkcs12 -storetype PKCS12 -storepass changeit

  Owner: CN=MyCustomROOT-cert, DC=example, DC=com
  Issuer: CN=MyCustomROOT-cert, DC=example, DC=com
  Serial number: 12345XXXXXXXXXXXXXXXXXXXXXX
  Valid from: Fri Mar 06 10:58:36 EST 2020 until: Thu Mar 06 11:08:36 EST 2025
  Certificate fingerprints:
     MD5:  <###MD5 checksum>
     SHA1: < ### SHA1 Checksum ## >
     SHA256: < ## SHA256 checksum ## >
  Signature algorithm name: SHA1withRSA
  Subject Public Key Algorithm: 2048-bit RSA key
  Version: 3

  Extensions:

  #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
  0000: 02 01 00                                           ...


  #2: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
    CA:true
    PathLen:2147483647
  ]

  #3: ObjectId: 2.5.29.15 Criticality=false
  KeyUsage [
    DigitalSignature
    Key_CertSign
    Crl_Sign
  ]

  #4: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: XX XX XX XX XX   ..*.....\.2.....
  0010: 05 C7 40 94                                        ..@.
  ]
  ]

  Trust this certificate? [no]:  yes
  Certificate was added to keystore

#9 Import the intermediate certificate; the output may be slightly different from that of the previous command, unless there is an error
keytool -importcert -alias intermediateCA -file inter.crt -keystore .keystore.pkcs12 -storetype PKCS12 -storepass changeit

#9a) If there are more certificates, for example an additional issuing certificate, import them too: the full chain is needed and none of it can be missed


#10 Finally, import the server certificate (the CA reply); the response should be the single line shown below

keytool -importcert -trustcacerts -file MyWcc-Server.example.com.crt -alias tomcat -keystore .keystore.pkcs12 -storetype PKCS12 -storepass changeit

 Certificate reply was installed in keystore

#10a) NOTE: the above line is keytool's response, indicating that the reply from the Certificate Authority was installed properly
#10b) Any other message could mean that the import was not correct


#11 List again; the tomcat alias should still be a PrivateKeyEntry and now contain additional certificates because of the import above

keytool -keystore .keystore.pkcs12 -storetype PKCS12 -storepass changeit -list -v

Keystore type: PKCS12
Keystore provider: SUN

 Your keystore contains 2 entries

 Alias name: rootca
 Creation date: Apr 12, 2022
 Entry type: trustedCertEntry

 Owner: CN=MyCustomROOT-cert, DC=example, DC=com
 Issuer: CN=MyCustomROOT-cert, DC=example, DC=com
 Serial number: 12345XXXXXXXXXXXXXXXXXXXXXX
 Valid from: Fri Mar 06 10:58:36 EST 2020 until: Thu Mar 06 11:08:36 EST 2025
 Certificate fingerprints:
    MD5:  <###MD5 checksum>
    SHA1: < ### SHA1 Checksum ## >
    SHA256: < ## SHA256 checksum ## >
 Signature algorithm name: SHA1withRSA
 Subject Public Key Algorithm: 2048-bit RSA key
 Version: 3

 Extensions:

 #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
 0000: 02 01 00                                           ...

 #2: ObjectId: 2.5.29.19 Criticality=true
 BasicConstraints:[
   CA:true
   PathLen:2147483647
 ]

 #3: ObjectId: 2.5.29.15 Criticality=false
 KeyUsage [
   DigitalSignature
   Key_CertSign
   Crl_Sign
 ]

 #4: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000: XX XX XX XX XX XX   ..*.....\.2.....
 0010: 05 C7 40 94                                        ..@.
 ]
 ]

 Alias name: tomcat
 Creation date: Apr 12, 2022
 Entry type: PrivateKeyEntry
 Certificate chain length: 2
 Certificate[1]:
 Owner: cn=MyWcc-Server.example.com
 Issuer: CN=MyCustomROOT-cert, DC=example, DC=com
 Serial number: 12345XXXXXXXXXXXXXXXXXXXXXX
 Valid from: Tue Apr 12 12:23:14 EDT 2022 until: Thu Apr 11 12:23:14 EDT 2024
 Certificate fingerprints:
    MD5:  <###MD5 checksum>
    SHA1: < ### SHA1 Checksum ## >
    SHA256: < ## SHA256 checksum ## >
 Signature algorithm name: SHA1withRSA
 Subject Public Key Algorithm: 2048-bit RSA key
 Version: 3

 Extensions:

 #1: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
 0000: 30 0C 30 0A 06 08 2B 06   01 05 05 07 03 01        0.0...+.......

 #2: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
 0000: XXXXXXXXXXXXXXXXXXXXXX -.%+.....7.....
 0010: XXXXXXXXXXXXXXXX   ...s...<.......(
 0020: 6D 83 95 C1 1C 87 ED CA   4D 02 01 64 02 01 06     m.......M..d...

 #3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
 AuthorityInfoAccess [
   [
    accessMethod: caIssuers
    accessLocation: URIName: ldap:///CN=CN=MyCustomROOT-cert, DC=example, DC=com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=CN=MyCustomROOT-cert, DC=example, DC=com?cACertificate?base?objectClass=certificationAuthority
 ]
 ]

 #4: ObjectId: 2.5.29.35 Criticality=false
 AuthorityKeyIdentifier [
 KeyIdentifier [
 0000: XX XXXXXXXXXXXXX  ..*.....\.2.....
 0010: 05 C7 40 94                                        ..@.
 ]
 ]

 #5: ObjectId: 2.5.29.31 Criticality=false
 CRLDistributionPoints [
   [DistributionPoint:
   [ URIName: ldap:///CN=CN=MyCustomROOT-cert, DC=Example, DC=com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=CN=MyCustomROOT-cert, DC=Example, DC=com?cACertificate?base?objectClass=certificationAuthority]
 ]]

 #6: ObjectId: 2.5.29.37 Criticality=false
 ExtendedKeyUsages [
   serverAuth
 ]

 #7: ObjectId: 2.5.29.15 Criticality=true
 KeyUsage [
   DigitalSignature
   Key_Encipherment
 ]

 #8: ObjectId: 2.5.29.17 Criticality=false
 SubjectAlternativeName [
   DNSName: MyWcc-Server.example.com
 ]

 #9: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000: XXXXx XXXXXXXXXXXXX XX  .....i?..Ab.,Xh.
 0010: 94 A5 8B 64                                        ...d
 ]
 ]

 Certificate[2]:
 Owner: CN=MyCustomROOT-cert, DC=example, DC=com
 Issuer: CN=MyCustomROOT-cert, DC=example, DC=com
 Serial number: 12345XXXXXXXXXXXXXXXXXXXXXX
 Valid from: Fri Mar 06 10:58:36 EST 2020 until: Thu Mar 06 11:08:36 EST 2025
 Certificate fingerprints:
    MD5:  <###MD5 checksum>
    SHA1: < ### SHA1 Checksum ## >
    SHA256: < ## SHA256 checksum ## >
 Signature algorithm name: SHA1withRSA
 Subject Public Key Algorithm: 2048-bit RSA key
 Version: 3

 Extensions:

 #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
 0000: 02 01 00                                           ...


 #2: ObjectId: 2.5.29.19 Criticality=true
 BasicConstraints:[
   CA:true
   PathLen:2147483647
 ]

 #3: ObjectId: 2.5.29.15 Criticality=false
 KeyUsage [
   DigitalSignature
   Key_CertSign
   Crl_Sign
 ]

 #4: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000:  XX XXXXXXXXXXX XX  ..*.....\.2.....
 0010: 05 C7 40 94                                        ..@.
 ]
 ]

#11a NOTE: If the imported server certificate does not associate properly with the tomcat alias as a PrivateKeyEntry, the certificate cannot be used by Tomcat.
Errors seen would be something like "Alias name tomcat does not identify a key entry" or "No private key"
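The listing checks in steps 3 and 11, and the 11a failure, can be automated before the keystore is copied into place. The POSIX shell functions below are an added example, not part of this article or of the AutoSys product: they read the output of keytool -list -v on standard input and confirm that the alias is a PrivateKeyEntry, that its chain now carries the CA reply, and that the leaf certificate's SAN covers the hostnames you expect. The two embedded listings are constructed samples modelled on the output above (trimmed to the lines the checks use); the hostnames wcc.example.com and wccserver1.example.com are the ones from step 2b.

```shell
# Added example, not from the KB article. Live use:
#   keytool -keystore .keystore.pkcs12 -storetype PKCS12 -storepass changeit -list -v \
#     | check_keystore_listing tomcat wcc.example.com wccserver1.example.com

# entry_type ALIAS: print the "Entry type" recorded for ALIAS (nothing if absent)
entry_type() {
    awk -v want="$1" '
        /^ *Alias name: / { cur = $3 }
        /^ *Entry type: / && cur == want { print $3; exit }'
}

# chain_length ALIAS: print "Certificate chain length" of ALIAS (a trustedCertEntry has none)
chain_length() {
    awk -v want="$1" '
        /^ *Alias name: / { cur = $3 }
        /^ *Certificate chain length: / && cur == want { print $4; exit }'
}

# leaf_sans ALIAS: print the DNSName SAN values of the first (leaf) certificate of ALIAS,
# one per line; CA certificates further up the chain (Certificate[2] ...) are skipped
leaf_sans() {
    awk -v want="$1" '
        /^ *Alias name: / { cur = $3; idx = 0 }
        index($0, "Certificate[") > 0 { idx++ }
        /^ *DNSName: / && cur == want && idx <= 1 { print $2 }'
}

# check_keystore_listing ALIAS HOST...: succeed only if ALIAS is a PrivateKeyEntry,
# its chain holds the CA reply (length >= 2) and its leaf SAN covers every HOST.
# Exit status: 1 wrong entry type, 2 reply not imported, 3 a HOST is missing from the SAN.
check_keystore_listing() {
    want=$1; shift
    listing=$(cat)                       # read stdin once, scan it several times
    etype=$(printf '%s\n' "$listing" | entry_type "$want")
    if [ "$etype" != "PrivateKeyEntry" ]; then
        echo "FAIL: alias $want is '${etype:-absent}', not PrivateKeyEntry" \
             "(Tomcat would report: Alias name $want does not identify a key entry)"
        return 1
    fi
    len=$(printf '%s\n' "$listing" | chain_length "$want")
    if [ "${len:-0}" -lt 2 ]; then
        echo "FAIL: chain length ${len:-0}; the CA reply was not imported under $want"
        return 2
    fi
    sans=$(printf '%s\n' "$listing" | leaf_sans "$want")
    for host in "$@"; do
        printf '%s\n' "$sans" | grep -qix "$host" || { echo "FAIL: SAN lacks $host"; return 3; }
    done
    echo "OK: $want is a PrivateKeyEntry, chain length $len, SAN: $(printf '%s' "$sans" | tr '\n' ' ')"
}

# Constructed listing resembling the output after step 10 succeeded
sample_listing_good() {
    cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 2 entries

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=MyCustomROOT-cert, DC=example, DC=com

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=wcc.example.com
Issuer: CN=MyCustomROOT-cert, DC=example, DC=com
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: wcc.example.com
  DNSName: wccserver1.example.com
]
Certificate[2]:
Owner: CN=MyCustomROOT-cert, DC=example, DC=com
EOF
}

# Constructed listing for the step 11a failure: the server certificate ended up as a
# trusted certificate under the tomcat alias instead of as the reply on the private key
sample_listing_bad() {
    cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 1 entry

Alias name: tomcat
Entry type: trustedCertEntry
Owner: CN=wcc.example.com
SubjectAlternativeName [
  DNSName: wcc.example.com
]
EOF
}

sample_listing_good | check_keystore_listing tomcat wcc.example.com wccserver1.example.com
sample_listing_bad | check_keystore_listing tomcat wcc.example.com || echo "exit status $? as expected"
```

A non-zero exit status here, before the keystore is copied under AEWS or WCC in step 13, saves a restart cycle that would otherwise end in the "does not identify a key entry" error.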

#12 Now this keystore (.keystore.pkcs12) can be converted for the different areas of AutoSys

#12a Convert it to a Java keystore (JKS)

keytool -importkeystore -srckeystore .keystore.pkcs12 -storetype PKCS12 -srcstorepass changeit -destkeystore .keystore.jks -srcstoretype PKCS12 -deststoretype JKS -deststorepass changeit

Importing keystore .keystore.pkcs12 to .keystore.jks...
Entry for alias intermediateca successfully imported.
Entry for alias rootca successfully imported.
Entry for alias tomcat successfully imported.
Import command completed:  3 entries successfully imported, 0 entries failed or cancelled

keytool -keystore .keystore.jks -storepass changeit -storetype JKS  -list -v

#12b Convert it to a Bouncy Castle FIPS keystore (BCFKS)


keytool -importkeystore -srckeystore .keystore.pkcs12 -srcstoretype PKCS12 -srcstorepass changeit -destkeystore .keystore.bcfks -deststoretype BCFKS -deststorepass changeit -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $CA_WCC_INSTALL_LOCATION/bin/lib/bc-fips.jar

Importing keystore .keystore.pkcs12 to .keystore.bcfks...
Entry for alias intermediateca successfully imported.
Entry for alias rootca successfully imported.
Entry for alias tomcat successfully imported.
Import command completed:  3 entries successfully imported, 0 entries failed or cancelled

keytool -keystore .keystore.bcfks -storepass changeit -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider  -providerpath $AUTOSYS/lib/bc-fips.jar  -list -v

#13 These keystores can now be used by the different AutoSys components

#13a) The file .keystore.bcfks can now be used as the $AUTOUSER/webserver/conf/.keystore file for AEWS
cp -p $AUTOUSER/webserver/conf/.keystore $AUTOUSER/webserver/conf/.keystore.bkp
cp -p .keystore.bcfks $AUTOUSER/webserver/conf/.keystore

#13b) If you are using WCC 12.x/24.0.x, WCC uses a Java keystore (JKS), so the file .keystore.jks can now be used as the $CA_WCC_INSTALL_LOCATION/data/config/.keystore file for WCC
cp -p $CA_WCC_INSTALL_LOCATION/data/config/.keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore.bkp
cp -p .keystore.jks $CA_WCC_INSTALL_LOCATION/data/config/.keystore

#13c) If you are using WCC 24.1.x or above, WCC uses a BCFKS keystore, so the file .keystore.bcfks can now be used as the $CA_WCC_INSTALL_LOCATION/data/config/.keystore file for WCC
cp -p $CA_WCC_INSTALL_LOCATION/data/config/.keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore.bkp
cp -p .keystore.bcfks $CA_WCC_INSTALL_LOCATION/data/config/.keystore

#14 Check $CA_WCC_INSTALL_LOCATION/tomcat/conf/server.xml to make sure the reference to the keystore is $CA_WCC_INSTALL_LOCATION/data/config/.keystore and not something else, and that the keyAlias (certificateKeyAlias if it is WCC 24.1 or higher) is tomcat (which is what we generated in step #2 above).

#NOTE: The password changeit was used for the keystore throughout as an example. You can use any other password for the keystore; make sure server.xml has the same password.
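The step 14 check can be scripted so it is not skipped under time pressure. The shell functions below are an added example, not from this article or from the product: they pull the keystore path and key alias out of server.xml, accepting both the classic Connector attributes (keystoreFile, keyAlias) and the SSLHostConfig/Certificate attributes (certificateKeystoreFile, certificateKeyAlias) that Tomcat also supports, and compare them with what steps 2 and 13 produced. The two Connector fragments are constructed samples; the keystore path is the article's $CA_WCC_INSTALL_LOCATION/data/config/.keystore with $CA_WCC_INSTALL_LOCATION assumed to be /opt/CA/WorkloadAutomationAE/wcc, matching the directory used in step 1.

```shell
# Added example, not from the KB article. Live use:
#   check_server_xml /opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore tomcat \
#       < $CA_WCC_INSTALL_LOCATION/tomcat/conf/server.xml

# connector_attr NAME: print the value of attribute NAME from the XML read on stdin.
# The name must be preceded by whitespace, so keyAlias never matches certificateKeyAlias.
connector_attr() {
    { tr '\n' ' '; echo; } | sed -n 's/.*[[:space:]]'"$1"'="\([^"]*\)".*/\1/p'
}

# tls_alias: print the key alias Tomcat will use, whichever attribute style is present
tls_alias() {
    xml=$(cat)
    a=$(printf '%s\n' "$xml" | connector_attr certificateKeyAlias)
    [ -n "$a" ] || a=$(printf '%s\n' "$xml" | connector_attr keyAlias)
    printf '%s\n' "$a"
}

# tls_keystore: print the keystore path Tomcat will open, whichever style is present
tls_keystore() {
    xml=$(cat)
    f=$(printf '%s\n' "$xml" | connector_attr certificateKeystoreFile)
    [ -n "$f" ] || f=$(printf '%s\n' "$xml" | connector_attr keystoreFile)
    printf '%s\n' "$f"
}

# check_server_xml EXPECTED_KEYSTORE EXPECTED_ALIAS: exit 0 if both match,
# 1 for a wrong (or missing) keystore path, 2 for a wrong (or missing) alias
check_server_xml() {
    xml=$(cat)
    f=$(printf '%s\n' "$xml" | tls_keystore)
    a=$(printf '%s\n' "$xml" | tls_alias)
    [ "$f" = "$1" ] || { echo "FAIL: keystore is '${f:-unset}', expected $1"; return 1; }
    [ "$a" = "$2" ] || { echo "FAIL: key alias is '${a:-unset}', expected $2"; return 2; }
    echo "OK: $f with alias $a"
}

# Constructed classic-style connector, the attribute names the article calls keyAlias
sample_legacy_xml() {
    cat <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore"
           keystorePass="changeit" keyAlias="tomcat" sslProtocol="TLS"/>
EOF
}

# Constructed SSLHostConfig-style connector whose alias does not match the
# tomcat alias generated in step 2, so the check must fail on it
sample_sslhostconfig_xml() {
    cat <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="/opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="wcc"/>
    </SSLHostConfig>
</Connector>
EOF
}

KS=/opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore
sample_legacy_xml | check_server_xml "$KS" tomcat
sample_sslhostconfig_xml | check_server_xml "$KS" tomcat || echo "exit status $? as expected"
```

The password is deliberately not compared here: the only reliable test of it is to open the keystore with the value from server.xml using the keytool -list command from step 11.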

#15 Restart WCC (unisrvcntr restart CA-wcc-services) / restart AEWS (unisrvcntr restart waae_webserver.$AUTOSERV) for the above changes to take effect, then retest the URL. Emptying the browser cache might be needed to see the correct SSL certificate, as the browser might have cached the old SSL information.

Now that you have a keystore in PKCS12 format, it can also be used for the EEM component on the same server. The steps to follow are in KD 406444.

Additional Information

  • To troubleshoot SSL certificate errors in the browser, the best approach is to use Chrome -> Developer Tools -> Security tab and look at why the errors are happening:
    • Is it because the certificate name is incorrect?
    • Is the Subject Alternative Name missing?
    • Are older ciphers being used?
    • Is it just a self-signed certificate that is showing up?
  • Tip: KeyStore Explorer is a graphical tool for reviewing your keystore

  • If you set a password for the private key, make sure it matches the keystore password. These cannot be different.