How to Import Self certification to SOI for SSL

Article ID: 247832

Products

CA Service Operations Insight (SOI)

Issue/Introduction

What are the detailed steps to import SSL certificates into SOI for the manager and UI?

What are the detailed steps to create the CSR for the certificate used by the SOI manager and UI?

Environment

Release : 4.2

Component : SOI ONE CLICK UI

Cause

The default keystore and truststore used in SOI are the same file.

Manager

C:\Program Files (x86)\CA\SOI\tomcat\conf\ssa.jks

UI

C:\Program Files (x86)\CA\SOI\SamUI\conf\ssa.jks

 

Reference file: C:\Program Files (x86)\CA\SOI\jsw\conf\soi-manager.properties

Resolution

Always back up the existing keystore before making any changes.

1- To update an existing certificate, you will need to delete the existing tomcat cert from the keystore before you import the new one, because you cannot have 2 certs with the same alias in the same keystore.

For the SOI manager, the keystore is located in C:\Program Files (x86)\CA\SOI\tomcat\conf\ssa.jks

Open a cmd prompt

cd C:\Program Files (x86)\CA\SOI\jre-64\bin
keytool -delete -alias tomcat -keystore "C:\Program Files (x86)\CA\SOI\tomcat\conf\ssa.jks" -storepass catalyst

For the SOI UI, the keystore is located in C:\Program Files (x86)\CA\SOI\SamUI\conf\ssa.jks

Open a cmd prompt

cd C:\Program Files (x86)\CA\SOI\jre-64\bin
keytool -delete -alias tomcat -keystore "C:\Program Files (x86)\CA\SOI\SamUI\conf\ssa.jks" -storepass catalyst


2- Import the signed certificate

For the SOI manager:

On the same command prompt

keytool -import -alias tomcat -file your-certs.p7b -keystore "C:\Program Files (x86)\CA\SOI\tomcat\conf\ssa.jks" -storepass catalyst

 
For the SOI UI:

On the same command prompt

keytool -import -alias tomcat -file your-certs.p7b -keystore "C:\Program Files (x86)\CA\SOI\SamUI\conf\ssa.jks" -storepass catalyst


3- Restart all SOI services to read and load the new SSL certificates.

Additional Information

  • The only alias allowed for the SOI SSL certs is tomcat
  • To view the contents of the keystore:
keytool -list -keystore "C:\Program Files (x86)\CA\SOI\tomcat\conf\ssa.jks" -storepass catalyst
  • To see the complete chain of trust, add -v
keytool -list -v -keystore "C:\Program Files (x86)\CA\SOI\tomcat\conf\ssa.jks" -storepass catalyst
  • To generate a CSR:
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore "C:\Program Files (x86)\CA\SOI\SamUI\conf\ssa.jks" && keytool -certreq -alias tomcat -file CSR_name.csr -keystore "C:\Program Files (x86)\CA\SOI\SamUI\conf\ssa.jks" -storepass catalyst

 

The CSR is created in C:\Program Files (x86)\CA\SOI\jre-64\bin.
The command above will prompt you to create a new keystore password.
After the CSR is created, have it signed by your root CA, then import the root CA, the intermediate (if any), and the signed certificate using the import commands above.

  • If you want to force SSL connections for all interface access, see:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/service-operations-insight/4-2/installing/ssl-implementation/force-ssl-connection-for-all-interface-access.html
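
The backup step from the Resolution and the keystore check from Additional Information, combined into one PowerShell script. This is an added example, not part of the original article or of SOI: the paths, the tomcat alias and the keytool location are the ones given above, the parameter and property names are illustrative, and the parsing assumes keytool prints its output in English.

```powershell
# Added example: back up both SOI keystores, then report what the "tomcat" alias holds.
# Paths and alias are taken from the article; $StorePass is the password of your keystore.
param(
    [string]$SoiHome = 'C:\Program Files (x86)\CA\SOI',
    [Parameter(Mandatory)][string]$StorePass
)

$keytool   = Join-Path $SoiHome 'jre-64\bin\keytool.exe'
$keystores = @{
    Manager = Join-Path $SoiHome 'tomcat\conf\ssa.jks'
    UI      = Join-Path $SoiHome 'SamUI\conf\ssa.jks'
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($name in $keystores.Keys) {
    $ks = $keystores[$name]

    # Timestamped copy next to the original, so a failed import can be rolled back.
    $backup = "$ks.$stamp.bak"
    Copy-Item -LiteralPath $ks -Destination $backup -ErrorAction Stop
    $hash = (Get-FileHash -LiteralPath $backup -Algorithm SHA256).Hash

    # With -v, keytool prints "Entry type:" and, for key entries,
    # "Certificate chain length:" (English locale assumed).
    $out = & $keytool -list -v -alias tomcat -keystore $ks -storepass $StorePass | Out-String
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "${name}: alias 'tomcat' could not be read from $ks"
        continue
    }
    $type  = if ($out -match 'Entry type:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    $chain = if ($out -match 'Certificate chain length:\s*(\d+)') { [int]$Matches[1] } else { 0 }

    # One summary object per keystore.
    [pscustomobject]@{
        Keystore     = $name
        Backup       = $backup
        BackupSHA256 = $hash
        EntryType    = $type
        ChainLength  = $chain
    }
}
```

Run it from an elevated PowerShell prompt, since the keystores are under Program Files. An alias that holds a private key with its certificate chain is reported as PrivateKeyEntry; trustedCertEntry means the alias holds only a certificate and no private key.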