How to update the Performance Center SSL/TLS certificate

Article ID: 37756

Products

CA Infrastructure Management CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

By using the existing keystore/private certificate, we maintain the private key/keystore passwords so these do not need to be changed in the ssl.ini files.

How to update the Performance Center SSL / TLS / HTTPS certificate

How to convert the Performance Center SSL / TLS / HTTPS certificate from a Self-Signed Certificate to a CA-Signed Certificate

HTTP Status 500 - Internal Server Error

The server encountered an unexpected condition that prevented it from fulfilling the request. 

Environment

CAPM 3.7.x and later

Resolution

To update the CA Performance Center (CAPC) SSL certificates:

  1. List the alias of the existing keypair in the jetty keystore:

    /opt/CA/jre/bin/keytool -list -keystore <installDirectory>/PerformanceCenter/jetty/etc/keystore -storepass <keystorePassword>


    The keystore password is in the field:


    jetty.sslContext.keyStorePassword=PASSWORD


    This is in the file:

    /opt/CA/PerformanceCenter/PC/start.d/ssl.ini 

    PASSWORD will be the actual keystore password in your files. The <installDirectory> is /opt/CA by default, but may be different in your install. For example:

    /opt/CA/jre/bin/keytool -list -keystore /opt/CA/PerformanceCenter/jetty/etc/keystore -storepass changeit

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    myaliasname, Feb 4, 2016, PrivateKeyEntry,
    Certificate fingerprint (SHA1): AB:CD:EF:D0:A1:B2:C3:D4:E5:F6:AB:CD:EF:A1:B2:C3:D4:E5:F6:D0

    In the example above, "myaliasname" would be the alias to use when generating the certificate signing request (CSR) in step 2.

  2. Generate the CSR from the private certificate in the existing jetty keystore:  
    a. Change to the directory containing the jetty keystore

    cd <installDirectory>/PerformanceCenter/jetty/etc

    b. Generate the CSR:

    /opt/CA/jre/bin/keytool -certreq -keystore keystore -storepass <keystorePassword>  -ext SAN=dns:[FQHN] -alias <aliasFromStep1>  -file <requestfileName>

    The keystore password can be obtained from:

    i. For CAPC 2.6 and earlier, the <installDirectory>/PerformanceCenter/PC/etc/jetty-ssl.xml XML field:

    <Set name="KeyPassword">PASSWORD</Set>

    ii. For CAPC 2.7 and later, the /opt/CA/PerformanceCenter/PC/start.d/ssl.ini file field:


    jetty.sslContext.keyManagerPassword=PASSWORD


    PASSWORD will be the actual private key password in your files. For example:

    /opt/CA/jre/bin/keytool -certreq -keystore keystore -storepass changeit -alias myaliasname -keypass changeit -file myaliasname.csr

    In the example above myaliasname.csr would be the CSR file to present to your CA for signing. 

  3. Have your Certificate Authority (CA) provide a signed certificate from this CSR.

  4. If a new Root CA or Intermediate CA is used to sign the certificate, you must import the new Root CA and Intermediate CA files into the Java keystore before importing the new jetty certificate if the certificates do not already exist in the Java keystore:
    a. To list the existing keys in the Java keystore:

    /opt/CA/jre/bin/keytool -list -v -keystore /opt/CA/jre/lib/security/cacerts -storepass <cacertsPassword>

    In the example above, <cacertsPassword> would be the password of the Java keystore. The default password is changeit.

    b. Import the certificate(s) if needed:

    /opt/CA/jre/bin/keytool -importcert -keystore /opt/CA/jre/lib/security/cacerts -storepass <cacertspasswd> -alias <alias> -file <certificateFile>


    NOTE: If you are using a different Root/Intermediate certificate, use aliases different from the original certificates when importing the new Root/Intermediate certificates into the cacerts keystore. This way the original certificates are retained, and the old jetty keystore can be put back in place should something not work correctly.

  5. Back up the jetty keystore:
    a. Change to the directory containing the jetty keystore

    cd <installDirectory>/PerformanceCenter/jetty/etc


    b. Back up the keystore

    cp keystore keystore.orig

  6. Import the new certificate:

    /opt/CA/jre/bin/keytool -importcert -trustcacerts -keystore <installDirectory>/PerformanceCenter/jetty/etc/keystore -storepass <storepasswd> -alias <alias_name>  -file <certificateFile>

    NOTE: The alias used when importing MUST match the existing alias noted in step 1. For example:

    /opt/CA/jre/bin/keytool -importcert -trustcacerts -keystore keystore -storepass changeit -alias myaliasname -keypass changeit -file myaliasname.crt

  7. Restart the CAPC processes:

    /sbin/service caperfcenter_console stop
    /sbin/service caperfcenter_devicemanager stop
    /sbin/service caperfcenter_sso stop

    /sbin/service caperfcenter_sso start
    /sbin/service caperfcenter_devicemanager start
    /sbin/service caperfcenter_console start
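As an added example (not part of this article or the product), the following POSIX shell script ties steps 1 and 2 together for CAPC 2.7 and later: it reads the keystore and key manager passwords from ssl.ini (skipping commented lines), picks the PrivateKeyEntry alias out of `keytool -list` output, and assembles the `-certreq` command with the SAN extension. The sample ssl.ini and keytool listing are constructed, and capc.example.com is a placeholder host name.

```shell
#!/bin/sh
# Constructed sample of a CAPC 2.7+ ssl.ini (not taken from a real installation).
SAMPLE_INI=$(mktemp)
trap 'rm -f "$SAMPLE_INI"' EXIT
cat > "$SAMPLE_INI" <<'EOF'
# Jetty SSL context settings
## jetty.sslContext.keyStorePassword=commented_out_value
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.keyStorePassword=changeit
jetty.sslContext.keyManagerPassword=keypass1
EOF

# Constructed sample of `keytool -list` output: one trusted CA plus the server key pair.
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

rootca, Jan 10, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00
myaliasname, Feb 4, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): AB:CD:EF:D0:A1:B2:C3:D4:E5:F6:AB:CD:EF:A1:B2:C3:D4:E5:F6:D0'

# ini_value FILE KEY: value of the last uncommented KEY=VALUE line in FILE.
# Lines starting with # or ## are Jetty comments and are ignored.
ini_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# private_key_alias: alias of the first PrivateKeyEntry in keytool -list output on stdin.
# Only the private key entry can produce a CSR; trustedCertEntry aliases are skipped.
private_key_alias() {
    awk -F', ' '/PrivateKeyEntry/ { print $1; exit }'
}

# csr_command ALIAS STOREPASS KEYPASS FQHN: the step 2b keytool -certreq command,
# run from the jetty/etc directory, with SAN=dns:FQHN so the signed certificate
# validates against the host name browsers actually connect to.
csr_command() {
    printf '%s' "/opt/CA/jre/bin/keytool -certreq -keystore keystore -storepass $2 -keypass $3 -ext SAN=dns:$4 -alias $1 -file $1.csr"
}

# Walk the procedure on the constructed samples and show the command that would be run.
STOREPASS=$(ini_value "$SAMPLE_INI" jetty.sslContext.keyStorePassword)
KEYPASS=$(ini_value "$SAMPLE_INI" jetty.sslContext.keyManagerPassword)
ALIAS=$(printf '%s\n' "$SAMPLE_LIST" | private_key_alias)
csr_command "$ALIAS" "$STOREPASS" "$KEYPASS" capc.example.com
echo
```

On a real system, point ini_value at /opt/CA/PerformanceCenter/PC/start.d/ssl.ini and pipe the actual `keytool -list` output from step 1 into private_key_alias instead of the constructed samples.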