Install ssl certs
Article ID: 315864

Products

VMware Smart Assurance VMware Telco Cloud Service Assurance Network Observability

Issue/Introduction

  • Smarts supports both self-signed and CA-signed SSL certificates. This article shows how to implement each of them.

  • SSL Certificate Signed Using Weak Hashing Algorithm in SMARTS server

Environment

All supported releases of Smarts

Resolution

By default, Smarts applications auto-create a self-signed SSL certificate on startup.

To create and implement a self-signed certificate

Note: CERTNAME is the instance name, i.e. INCHARGE-SA-PRES as displayed in brcontrol.
Exception: the broker's certificate is named dmbroker.

1) Create the tls directory if it isn't present
     mkdir <smarts_home>/SAM/smarts/local/conf/tls

2) Generate the key file (the example below uses the instance name INCHARGE-OI)
     cd <smarts_home>/SAM/smarts/local/conf/tls
     openssl genrsa 2048 > INCHARGE-OI.key

3) Generate the crt file (signed with SHA-256, so that scanners do not flag a weak hashing algorithm)
     openssl req -new -x509 -nodes -sha256 -days 365 -key INCHARGE-OI.key > INCHARGE-OI.crt

4) Verify that the cert and key match
     openssl x509 -noout -modulus -in INCHARGE-OI.crt | openssl md5
     openssl rsa -noout -modulus -in INCHARGE-OI.key | openssl md5

     The two outputs must match.

5) Restart the domain and find the port number the service is running on. Run brcontrol to find the port number of the instance you installed the ssl cert for.
     <smarts_home>/SAM/smarts/bin/brcontrol | grep <domain name>

6) Test whether the ssl cert has been installed properly. Verify that the certificate info returned matches the info in your ssl cert.
      openssl s_client -no_tls1 -no_ssl3 -connect localhost:<domain port no from the above output>

7) Check your instance log file and make sure that "generating self-signed certificate" isn't present.
     grep "generating self-signed certificate" INCHARGE-OI_en_US_UTF-8.log

     If the self-signed certificate entry is not present in the logs and openssl returns the correct cert info, the cert is installed and working properly.
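As an added example (not part of this article), a small POSIX shell pre-check that combines steps 3 and 4 above before the files are placed in local/conf/tls: it confirms the key belongs to the certificate and that the certificate is not signed with MD5 or SHA-1, the condition behind the "weak hashing algorithm" finding mentioned in the introduction. It assumes openssl is on the PATH and takes the cert and key paths as arguments.

```shell
#!/bin/sh
# Added example, not from the KB article: pre-flight check for a Smarts
# instance cert/key pair. Assumes openssl is in PATH.
# check_smarts_cert CRT KEY returns 0 only when the key matches the cert
# AND the cert signature digest is SHA-256 or stronger.

# Print the MD5 of the modulus of a cert (x509) or key (rsa), hash only.
modulus_md5() {
  # $1 = x509|rsa, $2 = file; "openssl md5" prints "(stdin)= <hex>"
  openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{print $NF}'
}

# Return 0 if the certificate's signature algorithm uses SHA-256 or stronger;
# MD5 and SHA-1 signatures are what vulnerability scanners report as weak.
sig_alg_ok() {
  alg=$(openssl x509 -noout -text -in "$1" \
        | awk -F': ' '/Signature Algorithm/ {print $2; exit}')
  case "$alg" in
    *sha256*|*sha384*|*sha512*) return 0 ;;
    *) echo "weak signature algorithm: $alg" >&2; return 1 ;;
  esac
}

# Return 0 if cert and key belong together and the digest is acceptable.
check_smarts_cert() {
  crt=$1; key=$2
  [ "$(modulus_md5 x509 "$crt")" = "$(modulus_md5 rsa "$key")" ] || {
    echo "modulus mismatch: $crt does not match $key" >&2
    return 1
  }
  sig_alg_ok "$crt"
}

# Usage (run from local/conf/tls):  check_smarts_cert INCHARGE-OI.crt INCHARGE-OI.key
```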

To install a signed SSL Certificate

1) Create a Certificate Signing Request (CSR) and private key

  • Run the following command on the Smarts server, replacing server with the FQDN of your server.
  • openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

2) Enter your CSR details

Enter the following CSR details when prompted:

  • Common Name: The FQDN (fully-qualified domain name) you want to secure with the certificate such as www.google.com, secure.website.org, *.domain.net, etc.
  • Organization: The full legal name of your organization including the corporate identifier.
  • Organization Unit (OU): Your department such as ‘Information Technology’ or ‘Website Security.’
  • City or Locality: The locality or city where your organization is legally incorporated. Do not abbreviate.
  • State or Province: The state or province where your organization is legally incorporated. Do not abbreviate.
  • Country: The official two-letter country code (e.g. US, CH) where your organization is legally incorporated.

3) Submit the newly created CSR to your ssl certificate issuer.

  • Note: the certificate needs to be in x509 format.

4) After the issuer has issued the domain certificate, copy the cert and key to the smarts/local/conf/tls directory and name the certificate and key after your domain name (e.g. INCHARGE-SA-PRES.crt and INCHARGE-SA-PRES.key, with the name as displayed in brcontrol).

  • Exception: the broker's certificate is named dmbroker
  • Create the tls directory if it isn't present
    • mkdir <smarts_home>/SAM/smarts/local/conf/tls

5) After the certificate is in place, you will need to restart your domain.
 
6) Copy the supplied intermediate certificate to the following directory

  • /etc/ssl/certs

7) Copy the supplied root certificate to the following directory

  • /etc/pki/ca-trust/source/anchors

8) Update the system CA trust store

  • run the following command: 
    • update-ca-trust extract

9) Verify that the installed domain certificate chain is valid

  • run the following command and verify that the chain validates
    • openssl s_client -showcerts -connect smartshost:domain_port_number
    • Verify that the output ends with "Verify return code: 0 (ok)"

10) The ssl cert has been installed properly and verified

NOTE:  Smarts does not currently support intermediate and root certificates. The system querying Smarts (e.g. a security scanner) must provide those certificates itself. Support for these certificates is planned in a future release.