How to Change the Siteminder AdminUI SSL Certificate in r12.8.x
search cancel

How to Change the Siteminder AdminUI SSL Certificate in r12.8.x

book

Article ID: 258152

calendar_today

Updated On:

Products

SITEMINDER SITEMINDER

Issue/Introduction

After the installation of the Siteminder AdminUI, when you first attempt to connect to the AdminUI, the web browser returns the error "Certificate is Invalid"/"Certificate Invalid".

The AdminUI URL may also get flagged in a security report.

Environment

Release : 12.8.x

Cause

This occurs when you attempt to connect to the Siteminder AdminUI using HTTPS.  When the Administrative UI is accessed over SSL, the server secures the connection using a self-signed certificate by default. The Administrative UI server self-signed certificate can be replaced with a certificate that is signed by a trusted Certificate Authority (CA) or with a custom self-signed certificate. A trusted certificate ensures a secure connection to the Administrative UI and prevents browser security warnings.

Resolution

Follow these steps:

1) Stop the Administrative UI service.

2) Open a command window and navigate to the following directory:

Windows: <AdminUI_Install_Dir>\standalone\configuration
UNIX: <AdminUI_Install_Dir>/standalone/configuration

3) Run one of the following commands to backup the existing keystore file (keyStore.jks) to a secure location:

Windows: copy keyStore.jks keyStore.jks.backup
UNIX: cp keyStore.jks keyStore.jks.backup

4) Open the keytool that is installed by default.

Default paths of the keytool:

<AdminUI_Install_Dir>\adminui\install_config_info\install_config_jre\bin

JAVA_home\jre\bin
JAVA_home\bin

5) Run the following command to list the current entries in the Administrative UI keystore:

keytool -list -keystore keyStore.jks -storepass changeit -v 

NOTE: "changeit" is the default keystore password. If you have changed the password during Administrative UI installation on Windows or UNIX, use that password instead of "changeit."

6) To replace the Administrative UI server self-signed certificate with a certificate that is signed by a trusted Certificate Authority (CA), perform the following steps:

a) Run the following command to delete the current self-signed certificate and key pair from the keystore:

keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v

"tomcat" is the alias for the default self-signed certificate and keypair.

b) Take a backup of the standalone-full.xml file that is located at siteminder_installation_path\adminui\standalone\configuration.

c) Open the standalone-full.xml file in a text editor and change

keystore alias="tomcat" to keystore alias="jboss_key".

d) Create a private key with the name jboss_key:

keytool -genkey -alias jboss_key -keyalg RSA -keystore keyStore.jks -storepass changeit -v

e) Run the following command to generate a PKCS#10 Certificate Signing Request (CSR) file:

keytool -certreq -alias jboss_key -sigalg SHA256withRSA -file adminui_certreq.p10 -keystore keyStore.jks -storepass changeit -v 

A CSR file named adminui_certreq.p10 is generated.

f) Submit the adminui_certreq.p10 file to a trusted Certificate Authority (CA) for signing.

g) Copy the adminui_cert.p7b to siteminder_installation_path\adminui\standalone\configuration or provide full path to the adminui_cert.p7b in the command by indicating spaces in the path using double quotes.

h) When you receive the signed certificate from the CA, run the following command to import it:

keytool -importcert -alias jboss_key -file adminui_cert.p7b -keystore keyStore.jks -storepass changeit -v

Notes:

  • adminui_cert.p7b is the signed certificate request from the CA in PKCS#7 format. PKCS#7 format contains the server certificates, intermediate certificate (if any), and root certificates.
  • If only a server certificate is provided, then you might also need to import the intermediate and root certificate.
  • This command overwrites the previously created self-signed certificate with the certificate that is provided by the CA.

Type yes at the following prompt:

... is not trusted. Install reply anyway? [no]: 

To replace the Administrative UI server self-signed certificate with a custom self-signed certificate, perform the following step:

a) Run the following command to delete the current self-signed certificate and key pair from the keystore:
keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v
"tomcat" is the alias for the default self-signed certificate and keypair.

b) Take a backup of the standalone-full.xml file that is located at siteminder_installation_path\adminui\standalone\configuration.

c) Open the standalone-full.xml file in a text editor and change keystore alias="tomcat" to keystore alias="jboss_key".

d) Run the following command to generate a key pair (public and private keys) and a self-signed certificate and store in the Administrative UI keystore"

keytool -genkeypair -alias jboss_key -keyalg RSA -keysize 1024 -sigalg SHA256withRSA -dname "CN=AdminUI_FQDN" -keypass changeit -validity 7300 -keystore keyStore.jks -storepass changeit -v

Notes:

  • The new self-signed certificate is named jboss_key.
  • AdminUI_FQDN is the fully qualified domain name of the Administrative UI server.
  • The -keypass and -storepass values (both "changeit" here) must be the same as the keystore password. "changeit" is the default keystore password. If you have changed the password during Administrative UI installation on Windows or UNIX, use that password instead of "changeit" in both cases.

A key pair and a self-signed certificate are generated and stored in the keystore.

7) Start the Administrative UI service and verify that the new trusted certificate is in effect. If the trusted certificate is not in effect, look in AdminUI_Install_Directory/standalone/log/server.log for possible errors.

Additional Information

You can find a reference of the keytool at the following location :

http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Powered by Wolken Software