
Simpler steps for a vendor or custom SSL certificate for WCC, Autosys Web Server (AEWS), CA Directory (dxserver) and EEM (iGateway)


Article ID: 239585


Products

CA Workload Automation AE

Issue/Introduction

Simpler steps for a vendor or custom SSL certificate for WCC, Autosys Web Server (AEWS) and EEM (iGateway)

NOTE: This assumes that all components are installed on the same machine.

Resolution

Starting with the WCC .keystore.

#1 Change directory to the WCC config folder, as root user
cd /opt/CA/WorkloadAutomationAE/wcc/data/config

#2 Backup existing keystore
cp -p .keystore .keystore_bkp1

#3 List out what you currently have in the keystore
keytool -keystore .keystore -storepass changeit -list -v 

  Keystore type: jks
  Keystore provider: SUN

  Your keystore contains 1 entry

  Alias name: tomcat
  Creation date: Jul 14, 2020
  Entry type: PrivateKeyEntry
  Certificate chain length: 1
  Certificate[1]:
  Owner: CN=$COMPUTER_HOST_FQDN$, OU=WCC, O=CA
  Issuer: CN=$COMPUTER_HOST_FQDN$, OU=WCC, O=CA
  Serial number: 5b0d8902
  Valid from: Tue Jul 14 16:45:56 EDT 2020 until: Sun Jul 14 16:45:56 EDT 2030
  Certificate fingerprints:
     MD5:  E9:16:48:79:42:A9:7F:E8:2D:C2:27:32:31:2F:E2:CE
     SHA1: 85:1E:69:AD:04:00:2B:53:C5:D2:EA:D9:16:A9:7C:59:C3:11:5E:E5
     SHA256: 40:F8:AD:AC:C1:67:5C:0F:8F:8D:20:A8:A9:F2:D5:AC:4C:EB:F6:85:12:0A:52:52:5B:BF:34:80:61:02:77:CD
  Signature algorithm name: SHA256withRSA
  Subject Public Key Algorithm: 1024-bit RSA key
  Version: 3

  Extensions:

  #1: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 3E 7C AE A9 D3 78 15 FC   3E EC 44 CF E2 61 67 7B  >....x..>.D..ag.
  0010: 90 D3 E2 4A                                        ...J
  ]
  ]


  *******************************************
  *******************************************



#4 Delete the existing private key entry (alias tomcat) from the keystore
keytool -delete -alias tomcat -keystore .keystore -storepass changeit

#5 Ensure the alias was deleted by listing the keystore again
keytool -keystore .keystore -storepass changeit -list -v

Keystore type: jks
  Keystore provider: SUN

  Your keystore contains 0 entries

 
#6 Generate a new private key / self-signed certificate.

#6a) Make sure that both the dname and the Subject Alternative Name (SAN) have a value.

keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -keypass changeit -keysize 2048 -dname cn=MyWcc-Server.Broadcom.com -ext san=DNS:MyWcc-Server.Broadcom.com -validity 365

#6b) If you have a couple of servers behind a load balancer, it is preferred to include all the server names as well as the real URL name. For example, if WCC is accessed via wcc.company.com as the URL but there are 2 underlying servers, wcc-server1 and wcc-server2, the request should have -ext san=dns:wcc.company.com,dns:wcc-server1.company.com,dns:wcc-server2.company.com. Example:

keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -keypass changeit -keysize 2048 -dname "cn=wcc.company.com,O=Your Company Inc,L=San Jose,S=California,C=US" -ext "SAN=DNS:wcc.company.com,DNS:wcc-server1.company.com,DNS:wcc-server2.company.com" -validity 365

#6c) The above command does not print anything to the console unless there is an error of some sort.

#7) List the keystore again
keytool -keystore .keystore -storepass changeit -list -v

Keystore type: jks
  Keystore provider: SUN

  Your keystore contains 1 entry

  Alias name: tomcat
  Creation date: Apr 12, 2022
  Entry type: PrivateKeyEntry
  Certificate chain length: 1
  Certificate[1]:
  Owner: CN=MyWcc-Server.Broadcom.com
  Issuer: CN=MyWcc-Server.Broadcom.com
  Serial number: 439ecd7
  Valid from: Tue Apr 12 12:25:46 EDT 2022 until: Wed Apr 12 12:25:46 EDT 2023
  Certificate fingerprints:
     MD5:  33:78:6A:11:2A:66:A3:FE:C1:13:2C:20:02:44:AD:4B
     SHA1: E0:02:F4:28:AB:C6:35:A1:EC:55:99:BC:88:1F:20:B4:ED:0D:16:36
     SHA256: 40:FC:20:4C:2D:D9:E7:DD:13:BB:2C:F7:CD:CE:E8:47:63:22:71:BB:63:4A:10:58:C3:EB:F7:49:1A:A5:08:A2
  Signature algorithm name: SHA256withRSA
  Subject Public Key Algorithm: 2048-bit RSA key
  Version: 3

  Extensions:

  #1: ObjectId: 2.5.29.17 Criticality=false
  SubjectAlternativeName [
    DNSName: MyWcc-Server.Broadcom.com
  ]

  #2: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 09 D9 EF 8B 8F 69 3F 83   A4 41 62 F9 2C 58 68 08  .....i?..Ab.,Xh.
  0010: 94 A5 8B 64                                        ...d
  ]
  ]

  *******************************************
  *******************************************

#8 Create a Certificate Signing Request (CSR) based on the above private key

#8a) If you have a couple of servers behind a load balancer, the CSR must carry the same names as the key pair from step 6b: all the server names plus the real URL name. In the wcc.company.com example with the underlying servers wcc-server1 and wcc-server2, the request should have -ext san=dns:wcc.company.com,dns:wcc-server1.company.com,dns:wcc-server2.company.com

keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -file wcc.cert.req.csr -ext san=dns:MyWcc-Server.Broadcom.com

# NOTE: The above command creates the file wcc.cert.req.csr in the same folder where all the above commands are run

# NOTE: The CSR can also be validated: copy the contents of wcc.cert.req.csr to a decoder such as https://www.sslshopper.com/csr-decoder.html (a CSR contains only public data). It should show the Common Name and SAN names used in the above command. If they are not correct, the CSR was generated incorrectly; repeat ALL the steps from step 1 again.

#9 The resulting wcc.cert.req.csr needs to be provided to the Certificate Authority.

#10) The Certificate Authority returns a response, usually in the form of a zip file, a .p7b file, or individual files (containing the server certificate and the root / intermediate certificates)

# NOTE: The preferred order of import is the Root (root.crt) first, the Intermediate (inter.crt) next, and the real server certificate (MyWcc-Server.Broadcom.com.crt) last. These files have to be uploaded to the /opt/CA/WorkloadAutomationAE/wcc/data/config folder

#11) Because the CSR was generated from .keystore using the alias tomcat within it, the reply the Certificate Authority sent is only valid for that keystore and alias=tomcat. So, back up the keystore first
cp -p .keystore .keystore_before_cert_import

#12) Import the Root certificate first. keytool prints the certificate details and asks whether to trust it; compare the fingerprint with the one published by your CA before answering yes.

keytool -importcert -alias RootCA -file root.crt -keystore .keystore -storepass changeit
  Owner: CN=MyCustomROOT-cert, DC=Broadcom, DC=com
  Issuer: CN=MyCustomROOT-cert, DC=Broadcom, DC=com
  Serial number: 189d4abb13f758b44822d50c69614240
  Valid from: Fri Mar 06 10:58:36 EST 2020 until: Thu Mar 06 11:08:36 EST 2025
  Certificate fingerprints:
     MD5:  56:A5:74:87:5A:AE:6B:BB:B2:CE:80:4A:8D:71:68:5D
     SHA1: D0:7D:C5:1F:85:BA:FB:64:6D:8C:55:92:60:20:D3:7D:1A:C9:A6:E6
     SHA256: 42:5C:42:08:07:C1:74:17:80:0A:04:ED:A3:01:F8:83:57:85:74:47:B1:2F:86:98:CB:C9:92:F0:0F:A6:76:E3
  Signature algorithm name: SHA1withRSA
  Subject Public Key Algorithm: 2048-bit RSA key
  Version: 3

  Extensions:

  #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
  0000: 02 01 00                                           ...


  #2: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
    CA:true
    PathLen:2147483647
  ]

  #3: ObjectId: 2.5.29.15 Criticality=false
  KeyUsage [
    DigitalSignature
    Key_CertSign
    Crl_Sign
  ]

  #4: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 1F 88 2A 8C A9 8E B9 06   5C 9E 32 9B A2 02 DB EB  ..*.....\.2.....
  0010: 05 C7 40 94                                        ..@.
  ]
  ]

  Trust this certificate? [no]:  yes
  Certificate was added to keystore

#13) Import the intermediate certificate. You may not get any output from the command below unless there is an error
keytool -importcert -alias intermediateCA -file inter.crt -keystore .keystore -storepass changeit

#13a) If there are more certificates in the chain (for example an Issuing CA certificate), import them too; we need the full chain and cannot miss any

#14) Finally, import the server certificate (the CA reply) into the tomcat alias
keytool -importcert -trustcacerts -file MyWcc-Server.Broadcom.com.crt -alias tomcat -keystore .keystore -storepass changeit

 Certificate reply was installed in keystore

#14a) NOTE: the above line is keytool's response, indicating that the reply from the Certificate Authority was installed properly
#14b) If you get any other message, the import was most likely not correct

#15) List again; this time the tomcat alias should still be a PrivateKeyEntry and should contain additional certificates because of the import above
keytool -keystore .keystore -storepass changeit -list -v


 Keystore type: jks
 Keystore provider: SUN

 Your keystore contains 2 entries

 Alias name: rootca
 Creation date: Apr 12, 2022
 Entry type: trustedCertEntry

 Owner: CN=MyCustomROOT-cert, DC=Broadcom, DC=com
 Issuer: CN=MyCustomROOT-cert, DC=Broadcom, DC=com
 Serial number: 189d4abb13f758b44822d50c69614240
 Valid from: Fri Mar 06 10:58:36 EST 2020 until: Thu Mar 06 11:08:36 EST 2025
 Certificate fingerprints:
    MD5:  56:A5:74:87:5A:AE:6B:BB:B2:CE:80:4A:8D:71:68:5D
    SHA1: D0:7D:C5:1F:85:BA:FB:64:6D:8C:55:92:60:20:D3:7D:1A:C9:A6:E6
    SHA256: 42:5C:42:08:07:C1:74:17:80:0A:04:ED:A3:01:F8:83:57:85:74:47:B1:2F:86:98:CB:C9:92:F0:0F:A6:76:E3
 Signature algorithm name: SHA1withRSA
 Subject Public Key Algorithm: 2048-bit RSA key
 Version: 3

 Extensions:

 #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
 0000: 02 01 00                                           ...


 #2: ObjectId: 2.5.29.19 Criticality=true
 BasicConstraints:[
   CA:true
   PathLen:2147483647
 ]

 #3: ObjectId: 2.5.29.15 Criticality=false
 KeyUsage [
   DigitalSignature
   Key_CertSign
   Crl_Sign
 ]

 #4: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000: 1F 88 2A 8C A9 8E B9 06   5C 9E 32 9B A2 02 DB EB  ..*.....\.2.....
 0010: 05 C7 40 94                                        ..@.
 ]
 ]

 *******************************************
 *******************************************


 Alias name: tomcat
 Creation date: Apr 12, 2022
 Entry type: PrivateKeyEntry
 Certificate chain length: 2
 Certificate[1]:
 Owner: cn=MyWcc-Server.Broadcom.com
 Issuer: CN=MyCustomROOT-cert, DC=Broadcom, DC=com
 Serial number: 6b0000001a7c3cda51b19606cb00000000001a
 Valid from: Tue Apr 12 12:23:14 EDT 2022 until: Thu Apr 11 12:23:14 EDT 2024
 Certificate fingerprints:
    MD5:  FB:FB:DA:0A:63:8B:90:E6:45:EB:46:0C:D4:0E:50:B1
    SHA1: 64:50:81:52:B1:52:C0:EC:87:46:4B:DC:1C:5C:69:B4:48:CC:F1:EB
    SHA256: 23:3A:B5:04:47:E4:CD:45:37:1D:B8:5E:30:12:88:9D:09:FF:E8:59:D8:D7:56:2E:6C:1D:BF:2C:4F:3A:AC:A2
 Signature algorithm name: SHA1withRSA
 Subject Public Key Algorithm: 2048-bit RSA key
 Version: 3

 Extensions:

 #1: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
 0000: 30 0C 30 0A 06 08 2B 06   01 05 05 07 03 01        0.0...+.......


 #2: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
 0000: 30 2D 06 25 2B 06 01 04   01 82 37 15 08 D5 CE 11  0-.%+.....7.....
 0010: 84 EB CD 73 83 F9 8B 3C   85 EF AB 01 83 C8 C8 28  ...s...<.......(
 0020: 6D 83 95 C1 1C 87 ED CA   4D 02 01 64 02 01 06     m.......M..d...


 #3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
 AuthorityInfoAccess [
   [
    accessMethod: caIssuers
    accessLocation: URIName: ldap:///CN=CN=MyCustomROOT-cert, DC=Broadcom, DC=com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=CN=MyCustomROOT-cert, DC=Broadcom, DC=com?cACertificate?base?objectClass=certificationAuthority
 ]
 ]

 #4: ObjectId: 2.5.29.35 Criticality=false
 AuthorityKeyIdentifier [
 KeyIdentifier [
 0000: 1F 88 2A 8C A9 8E B9 06   5C 9E 32 9B A2 02 DB EB  ..*.....\.2.....
 0010: 05 C7 40 94                                        ..@.
 ]
 ]

 #5: ObjectId: 2.5.29.31 Criticality=false
 CRLDistributionPoints [
   [DistributionPoint:
   [ URIName: ldap:///CN=CN=MyCustomROOT-cert, DC=Broadcom, DC=com,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=CN=MyCustomROOT-cert, DC=Broadcom, DC=com?cACertificate?base?objectClass=certificationAuthority]
 ]]

 #6: ObjectId: 2.5.29.37 Criticality=false
 ExtendedKeyUsages [
   serverAuth
 ]

 #7: ObjectId: 2.5.29.15 Criticality=true
 KeyUsage [
   DigitalSignature
   Key_Encipherment
 ]

 #8: ObjectId: 2.5.29.17 Criticality=false
 SubjectAlternativeName [
   DNSName: MyWcc-Server.Broadcom.com
 ]

 #9: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000: 09 D9 EF 8B 8F 69 3F 83   A4 41 62 F9 2C 58 68 08  .....i?..Ab.,Xh.
 0010: 94 A5 8B 64                                        ...d
 ]
 ]

 Certificate[2]:
 Owner: CN=MyCustomROOT-cert, DC=Broadcom, DC=com
 Issuer: CN=MyCustomROOT-cert, DC=Broadcom, DC=com
 Serial number: 189d4abb13f758b44822d50c69614240
 Valid from: Fri Mar 06 10:58:36 EST 2020 until: Thu Mar 06 11:08:36 EST 2025
 Certificate fingerprints:
    MD5:  56:A5:74:87:5A:AE:6B:BB:B2:CE:80:4A:8D:71:68:5D
    SHA1: D0:7D:C5:1F:85:BA:FB:64:6D:8C:55:92:60:20:D3:7D:1A:C9:A6:E6
    SHA256: 42:5C:42:08:07:C1:74:17:80:0A:04:ED:A3:01:F8:83:57:85:74:47:B1:2F:86:98:CB:C9:92:F0:0F:A6:76:E3
 Signature algorithm name: SHA1withRSA
 Subject Public Key Algorithm: 2048-bit RSA key
 Version: 3

 Extensions:

 #1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
 0000: 02 01 00                                           ...


 #2: ObjectId: 2.5.29.19 Criticality=true
 BasicConstraints:[
   CA:true
   PathLen:2147483647
 ]

 #3: ObjectId: 2.5.29.15 Criticality=false
 KeyUsage [
   DigitalSignature
   Key_CertSign
   Crl_Sign
 ]

 #4: ObjectId: 2.5.29.14 Criticality=false
 SubjectKeyIdentifier [
 KeyIdentifier [
 0000: 1F 88 2A 8C A9 8E B9 06   5C 9E 32 9B A2 02 DB EB  ..*.....\.2.....
 0010: 05 C7 40 94                                        ..@.
 ]
 ]

 *******************************************
 *******************************************

#15a) NOTE: If the imported server certificate does not associate properly with the tomcat alias as a PrivateKeyEntry, the certificate cannot be used by Tomcat.
You may end up getting errors like a) Alias name tomcat does not identify a key entry, b) No private key
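As an added check, not part of the original article, the following POSIX shell script parses the output of the keytool -list -v command from step 15 and reports the step 15a conditions (no private key, CA reply not installed, leaf still self-signed, SAN name missing) before WCC is restarted; the function names and the abbreviated sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check a
# "keytool -keystore .keystore -storepass changeit -list -v" listing so the
# step 15a failure (CA reply not attached to the tomcat PrivateKeyEntry) and
# a missing SAN name are caught before the service restart.
# Real use:  keytool ... -list -v | check_keystore_listing tomcat wcc.company.com

# Print only the block belonging to one alias from a listing read on stdin.
alias_block() {
  awk -v want="$1" '
    /^[[:space:]]*Alias name:/ { inblock = ($3 == want) }
    inblock { print }
    /^[[:space:]]*\*\*\*\*\*/ { inblock = 0 }   # entry separator line
  '
}

# check_keystore_listing ALIAS EXPECTED_DNS...   (listing on stdin)
# Returns 0 when ALIAS is a PrivateKeyEntry, its chain holds at least two
# certificates, the leaf is no longer self-signed, and every EXPECTED_DNS
# appears in the leaf's SubjectAlternativeName.
check_keystore_listing() {
  alias_name=$1; shift
  block=$(alias_block "$alias_name")
  [ -n "$block" ] || { echo "FAIL: alias $alias_name not found"; return 1; }
  rc=0
  printf '%s\n' "$block" | grep -q 'Entry type: PrivateKeyEntry' ||
    { echo "FAIL: $alias_name is not a PrivateKeyEntry (no private key)"; rc=1; }
  chain=$(printf '%s\n' "$block" | sed -n 's/.*Certificate chain length: *//p')
  [ "${chain:-0}" -ge 2 ] ||
    { echo "FAIL: chain length ${chain:-0}; the CA reply was not installed"; rc=1; }
  owner=$(printf '%s\n' "$block" | sed -n 's/^[[:space:]]*Owner: *//p' | head -n 1)
  issuer=$(printf '%s\n' "$block" | sed -n 's/^[[:space:]]*Issuer: *//p' | head -n 1)
  [ "$owner" != "$issuer" ] ||
    { echo "FAIL: leaf certificate is still self-signed ($owner)"; rc=1; }
  for name in "$@"; do
    printf '%s\n' "$block" | grep -qi -- "DNSName: *$name\$" ||
      { echo "FAIL: SAN does not contain $name"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: $alias_name is ready for Tomcat"
  return "$rc"
}

# Constructed, abbreviated listings (no real keys): GOOD mirrors step 15,
# BAD mirrors step 7, before the CA reply was installed.
GOOD_LISTING='Alias name: rootca
Entry type: trustedCertEntry
*******************************************
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: cn=MyWcc-Server.Broadcom.com
Issuer: CN=MyCustomROOT-cert, DC=Broadcom, DC=com
  SubjectAlternativeName [
    DNSName: MyWcc-Server.Broadcom.com
  ]
Certificate[2]:
Owner: CN=MyCustomROOT-cert, DC=Broadcom, DC=com
Issuer: CN=MyCustomROOT-cert, DC=Broadcom, DC=com
*******************************************'
BAD_LISTING='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=MyWcc-Server.Broadcom.com
Issuer: CN=MyWcc-Server.Broadcom.com
  SubjectAlternativeName [
    DNSName: MyWcc-Server.Broadcom.com
  ]
*******************************************'
```

Pipe a real listing into check_keystore_listing with the alias and every hostname the SAN must carry; a non-zero exit means the keystore should not be handed to WCC or AEWS yet.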

#16) This keystore can now be used by WCC; restart WCC to see it function. Make sure the .keystore file is readable by the operating system user under which WCC runs

#17) This same keystore can be used for EEM or AEWS too (if these modules are on the same server). If not, the same process can be followed on each server, and the steps below convert the result into the formats that EEM and AEWS require.

#18) For EEM (igateway), we need to convert the .keystore to PKCS12
keytool -importkeystore -srckeystore .keystore -srcstorepass changeit  -destkeystore .keystore.PKCS12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass changeit

 Importing keystore .keystore to .keystore.PKCS12...
 Entry for alias intermediateca successfully imported.
 Entry for alias rootca successfully imported.
 Entry for alias tomcat successfully imported.
 Import command completed:  3 entries successfully imported, 0 entries failed or cancelled

#18a) NOTE: list the new keystore to make sure it is valid:

keytool -keystore .keystore.PKCS12 -storepass changeit -list -v -storetype PKCS12

#19) For AEWS, we need to convert the .keystore to BCFKS
NOTE: This assumes you have used the above steps, starting with the WCC .keystore, to create your keystore with all of the certs required for AEWS.
You can NOT start this process using the AEWS .keystore as it is already in BCFKS format.


#19a) Make sure $AUTOSYS is set properly first
echo $AUTOSYS
keytool -importkeystore -srckeystore .keystore -srcstorepass changeit -destkeystore .keystore.bcfks -srcstoretype JKS -deststoretype BCFKS -deststorepass changeit -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $AUTOSYS/lib/bc-fips.jar

 Importing keystore .keystore to .keystore.bcfks...
 Entry for alias intermediateca successfully imported.
 Entry for alias rootca successfully imported.
 Entry for alias tomcat successfully imported.
 Import command completed:  3 entries successfully imported, 0 entries failed or cancelled

#20) List the keystore to make sure
keytool -keystore .keystore.bcfks -storepass changeit -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider  -providerpath $AUTOSYS/lib/bc-fips.jar  -list -v

#20a) You can now use this file .keystore.bcfks as the $AUTOUSER/webserver/conf/.keystore file for AEWS

Restart WCC / Restart AEWS for the above changes to be effective.

#IF the same WCC server also hosts the EEM server, then the above keystore can be used for EEM with the steps below

#21) Stop iGateway:
 /etc/init.d/igatewayd stop

#22) Stop dxserver
 su - dsa
 dxserver stop all

exit

#23) Back up the EEM components first, as root

 cp -rp /opt/CA/SharedComponents/CADirectory  /opt/CA/SharedComponents/CADirectory_backup
 cp -rp /opt/CA/SharedComponents/iTechnology  /opt/CA/SharedComponents/iTechnology_backup
 cp -rp /opt/CA/SharedComponents/EmbeddedEntitlementsManager /opt/CA/SharedComponents/EmbeddedEntitlementsManager_backup

#24) Step #18 already converted JKS to PKCS12, so no conversion is needed; we just list the PKCS12 keystore, as root
cd /opt/CA/WorkloadAutomationAE/wcc/data/config
keytool -keystore .keystore.PKCS12 -storepass changeit -list -v -storetype PKCS12

#25) Extract the private key and the server certificate. Because changeit was used as the keystore password throughout the above commands, provide changeit as the password for the next 3 commands (including the PEM passphrase for the key). Note that the final itechpoz.key is written unencrypted, so keep it readable only by the account that needs it.

 openssl pkcs12 -in .keystore.PKCS12 -nocerts -out encrypted-private.key
 ls -al encrypted-private.key
 cat encrypted-private.key

 openssl pkcs12 -in .keystore.PKCS12 -clcerts -nokeys -out server-cert.pem
 ls -al server-cert.pem
 cat server-cert.pem

 openssl rsa -in encrypted-private.key -out itechpoz.key
 ls -al itechpoz.key
 cat itechpoz.key

#26) It is OK to see the warning about not being able to copy folders; we do not need the folders.
(Also make sure you have the intermediate and root CA cert files if you require them for your environment.)

cp -p /opt/CA/WorkloadAutomationAE/wcc/data/config/* /opt/CA/SharedComponents/CADirectory/dxserver

chown dsa /opt/CA/SharedComponents/CADirectory/dxserver/*

#26a) We do NOT need a recursive chown in dxserver, just the few files copied in the above step.
That is why -R is not present. dxserver/bin/dxadmind and dxserver/bin/dxserver have a sticky bit and have to be owned by root,
or else CA Directory won't start. Don't change this.

#27) Change to the dsa user

 su - dsa
 cd $DXHOME
 pwd
 /opt/CA/SharedComponents/CADirectory/dxserver

#28) Start the steps now
 cd /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld

#29) List all CA certs
 dxcertgen listca

# Remove the default rootca if it is not needed; in my case the certnumber was 0
# dxcertgen -r 0 removeca
# dxcertgen -r 1 removeca
# dxcertgen -r 2 removeca

 # list all
 dxcertgen report

#30) Copy itechpoz.key to the ssld folder first
 cp -p /opt/CA/SharedComponents/CADirectory/dxserver/itechpoz.key /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/itechpoz.key

#31) Import the server cert now
 dxcertgen -D itechpoz -n /opt/CA/SharedComponents/CADirectory/dxserver/server-cert.pem certmerge

Example output from a successful run looks like:

! Loading certificate key from /opt/CA/SharedComponents/CADirectory/dxserver/server-cert.pem ...
! Loading private key from /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/itechpoz.key ...
! Private key matches supplied certificate
! Creating Personality ...

Done.

#32) Import the root cert now
 dxcertgen -n /opt/CA/SharedComponents/CADirectory/dxserver/root.crt importca


Example output from successful run of the above command:

! Loading certificate from /opt/CA/SharedComponents/CADirectory/dxserver/root.crt ...
! Writing certificate to trusted.pem /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/ ...
Writing root certificate to trusted.pem...

Done.

#33) Import the intermediate cert
 dxcertgen -n /opt/CA/SharedComponents/CADirectory/dxserver/inter.crt importca

Example output from successful run of the above command:

! Loading certificate from /opt/CA/SharedComponents/CADirectory/dxserver/inter.crt ...
! Writing certificate to trusted.pem /opt/CA/SharedComponents/CADirectory/dxserver/config/ssld/ ...
Writing root certificate to trusted.pem...

Done.

#34) Start Directory

dxserver start all

#35) Test with openssl to verify that the correct certificate is now in place
openssl s_client -connect servername:509

#36) As root user now, copy .keystore.PKCS12 as keystore.p12 into the iTechnology folder (see also the article below)
https://knowledge.broadcom.com/external/article?articleId=10727

 #as root
 cd /opt/CA/SharedComponents/iTechnology
 cp -p /opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore.PKCS12 keystore.p12
 cp -p igateway.conf igateway.conf.bkp
 vi igateway.conf

 <Connector name="defaultport">
 <port>5250</port>
 <mustlisten>true</mustlisten>
 <conntype/>
 <conntimeout>120</conntimeout>
 <peektimeout>30</peektimeout>
 <maxconnections>1000</maxconnections>
 <maxrequestbytes>10000000</maxrequestbytes>
 <maxpiperequests>10</maxpiperequests>
 <maxAcceptRate/>
 <certType/>
 <certURI/>
 <certPW/>
 <keyURI/>
 <keyPW/>
 <secureProtocol/>
 <cipherlist/>
 </Connector>

#37) Set certType to p12
Add or update the line below in the <Connector name="defaultport"> section

 <certType>p12</certType>

#38) Set certURI to your .p12 certificate filename
Add or update the line below in the <Connector name="defaultport"> section

 <certURI>keystore.p12</certURI>

#39) Save the file and exit

#39a) Run ConfigTool to encrypt the keystore password into igateway.conf
./ConfigTool -munge -version 4.7.6.1 -comp igateway -conf igateway.conf -tag "TransportReceiver=HTTP;Connector=defaultport;certPW;" -passwd changeit

Example output from a successful run of the above command:


Operation Successful!!

#40) Start iGateway 
 /etc/init.d/igatewayd start
 #40a) Check the EEM URL now and verify that the certificate is correct

### Repeat the above on EEM node 2

### Remove and Re-establish EEM HA

### Regenerate Autosys and WCC certs with EEM again https://knowledge.broadcom.com/external/article?articleId=9957

#41) Restart WCC services 

Additional Information

To troubleshoot SSL certificate errors in the browser, the best approach is to use Chrome -> Developer Tools -> Security tab and look at why the errors are happening:

- Is it because the certificate name is incorrect?
- Is the Subject Alternative Name missing?
- Are older ciphers being used?
- Is it just a self-signed certificate that is showing up?

Below is a link to KeyStore Explorer, a graphical tool that lets you review your keystore:
https://keystore-explorer.org/downloads.html