Importing iDash certificate using Venafi, instead of keytool

Article ID: 392886


Products

iDash Workload Automation

Issue/Introduction

Is there a way to install the iDash certificates using Venafi, instead of keytool?

Resolution

Here are the steps to follow to install the iDash server certificates using Venafi, instead of keytool.

  1. Have your Certificate Authority generate the pfx certificate file using Venafi.
  2. Go to <iDash home directory>\config and rename the .keystore file to .keystore.bkp on the Windows or Linux machine.
  3. Copy the pfx file that was generated in Step 1 into the <iDash home directory>\config directory on the machine.
  4. Go to <iDash home directory>\jre\bin in a command prompt and run the following command to list the certificates:
  5. keytool -list -keystore ..\..\data\config\<name of the pfx file used in Step 3> -storetype PKCS12 -v

    Add the certificate of the root certificate authority to the keystore. Run the following command (a single line) in a shell window (on Linux) or from a command prompt (on Windows):

    Linux:
    $IDASH_HOME/jre/bin/keytool -importcert -alias <hostname> -file $IDASH_HOME/contrib/<hostname>.cer -keystore $IDASH_HOME/contrib/<idash_hostname.domain.com>.pfx -storetype PKCS12 -storepass <password>

    Windows:
    %IDASH_HOME%\jre\bin\keytool -importcert -alias <hostname> -file %IDASH_HOME%\contrib\<hostname>.cer -keystore %IDASH_HOME%\contrib\<idash_hostname.domain.com>.pfx -storetype PKCS12 -storepass <password>

  6. Go to <iDash home directory>\tomcat\conf and make a backup of the server.xml file.
  7. Edit the server.xml file and make the following changes to disallow non-secure access to the iDash server. Surround the existing Connector statement with this comment block notation:
    <!--
    <Connector
      compressableMimeType="text/html,text/xml,text/plain,text/css,application/javascript,application/json"
      compression="on"
      connectionTimeout="20000"
      port="8080"
      protocol="HTTP/1.1"
      redirectPort="8443"
      server="iDash"/>
    -->
  8. Now replace the existing Connector statement with the following, making sure to update the information based on your environment:
    <Connector
      compressableMimeType="text/html,text/xml,text/plain,text/css,application/javascript,application/json"
      compression="on"
      connectionTimeout="130000"
      keepAliveTimeout="130000"
      asyncTimeout="130000"
      maxExtensionSize="-1"
      socket.rxBufSize="131070"
      socket.performanceConnectionTime="1"
      socket.performanceLatency="2"
      socket.performanceBandwidth="3"
      socket.appReadBufSize="131070"
      port="8443"
      protocol="org.apache.coyote.http11.Http11NioProtocol"
      maxThreads="150"
      SSLEnabled="true"
      sslProtocol="TLS"
      sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
      scheme="https"
      secure="true"
      clientAuth="false"
      keystoreFile="full\path\to\IDASH_HOME\contrib\<idash_hostname.domain.com>.pfx"
      keyAlias="<name of the alias specified in your .pfx file>"
      keystoreType="PKCS12"
      keystorePass="<password used for the certificate that was generated>"/>

    Save the server.xml file.

  9. Configure the CATALINA_OPTS for your Tomcat.

    For Linux installations, edit IDASH_HOME/bin/idash_server to add the following (one line) between JAVA_OPTS and PATH:

    CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.keyStore=<full path to keystore> -Djavax.net.ssl.keyStorePassword=<keystore password> -Djavax.net.ssl.trustStore=<full path to keystore> -Djavax.net.ssl.trustStorePassword=<keystore password>"; export CATALINA_OPTS

    For Windows installations, navigate to IDASH_HOME/tomcat8/bin and locate and run the executable file named after your installed iDash service, with the letter "w" appended. For example, if your service is named "iDash", you would find an executable file named "iDashw.exe". In the control panel that opens, select the Java tab, then add the following lines to the Java Options. Click OK to save the changes.

    -Djavax.net.ssl.keyStore=<full path to keystore>
    -Djavax.net.ssl.keyStorePassword=<keystore password>
    -Djavax.net.ssl.trustStore=<full path to keystore>
    -Djavax.net.ssl.trustStorePassword=<keystore password>

  10. Restart the iDash service.
  11. Test the HTTPS connection by browsing to the Web UI login page over a secure connection using the URL https://<hostname>:8443/idash/ui
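Before restarting the service in step 10, it is worth checking the edited server.xml mechanically rather than by eye, since a blank keyAlias or an unquoted keystorePass only shows up as a failed Tomcat start. The following Python script is an added example, not part of this article or of the iDash product: it parses a server.xml (a constructed sample modelled on the Connector above is embedded), confirms that no plain-HTTP connector is still active after the comment-out in step 7, checks the HTTPS connector's keystore attributes, compares the keystoreFile with the -Djavax.net.ssl.keyStore option from step 9, and lists the legacy entries in sslEnabledProtocols so they can be removed deliberately. The function names, the /opt/idash paths and the placeholder password are assumptions.

```python
"""Pre-restart check for the iDash tomcat/conf/server.xml edited in steps 7-8.

Added example, not part of the article or of iDash: parses a server.xml, confirms
no plain-HTTP connector is still active, and checks the HTTPS connector's keystore
and protocol attributes, plus the -Djavax.net.ssl options from step 9.
"""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the article's 8443 Connector; paths are made up.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" server="iDash"/>
    -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true" sslProtocol="TLS"
      sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
      scheme="https" secure="true" clientAuth="false"
      keystoreFile="/opt/idash/contrib/idash.example.com.pfx"
      keyAlias="idash" keystoreType="PKCS12" keystorePass="changeit"/>
  </Service>
</Server>
"""

# Constructed Java Options string in the form step 9 adds (placeholder values).
SAMPLE_JAVA_OPTS = (
    "-Djavax.net.ssl.keyStore=/opt/idash/contrib/idash.example.com.pfx "
    "-Djavax.net.ssl.keyStorePassword=changeit "
    "-Djavax.net.ssl.trustStore=/opt/idash/contrib/idash.example.com.pfx "
    "-Djavax.net.ssl.trustStorePassword=changeit"
)

# Protocol names that an HTTPS connector should no longer offer.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def parse_java_opts(opts):
    """Turn '-Dkey=value -Dkey2=value2' into a dict (values without spaces)."""
    return dict(re.findall(r"-D([\w.]+)=(\S+)", opts))


def check_server_xml(xml_text, java_opts="", keystore_exists=os.path.isfile):
    """Return a list of findings; an empty list means the configuration looks right.

    keystore_exists is injectable so the check can run on a sample whose
    keystore path is not present on disk.
    """
    findings = []
    # ElementTree drops XML comments, so the commented-out 8080 Connector from
    # step 7 is invisible here: only connectors Tomcat would start are inspected.
    root = ET.fromstring(xml_text)
    connectors = root.findall(".//Connector")
    https = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    for c in connectors:
        if c not in https:
            findings.append("plain-HTTP connector still active on port %s" % c.get("port"))
    if not https:
        findings.append("no SSLEnabled connector found")
        return findings
    opts = parse_java_opts(java_opts)
    for c in https:
        port = c.get("port")
        for attr, want in (("scheme", "https"), ("secure", "true"), ("keystoreType", "PKCS12")):
            if c.get(attr) != want:
                findings.append("port %s: %s should be %s, is %r" % (port, attr, want, c.get(attr)))
        for attr in ("keystoreFile", "keyAlias", "keystorePass"):
            if not (c.get(attr) or "").strip():  # catches a blank keyAlias=" "
                findings.append("port %s: %s is missing or blank" % (port, attr))
        ks = c.get("keystoreFile", "")
        if ks and not keystore_exists(ks):
            findings.append("port %s: keystoreFile %s does not exist" % (port, ks))
        enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()}
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("port %s: legacy protocols enabled: %s" % (port, ", ".join(legacy)))
        if enabled and not (enabled & MODERN_PROTOCOLS):
            findings.append("port %s: no TLSv1.2/TLSv1.3 in sslEnabledProtocols" % port)
        if java_opts and opts.get("javax.net.ssl.keyStore") != ks:
            findings.append("port %s: javax.net.ssl.keyStore does not match keystoreFile" % port)
    return findings


if __name__ == "__main__":
    # keystore_exists is stubbed because the sample path is constructed.
    for finding in check_server_xml(SAMPLE_SERVER_XML, SAMPLE_JAVA_OPTS, keystore_exists=lambda p: True):
        print("FINDING:", finding)
```

Run against a real installation by reading IDASH_HOME/tomcat/conf/server.xml into check_server_xml with the default keystore_exists, and passing the CATALINA_OPTS string from step 9 as java_opts. The embedded sample reproduces the article's sslEnabledProtocols value, so the only finding it reports is the legacy-protocol list; once that attribute is reduced to TLSv1.2 (and TLSv1.3 where the bundled JRE supports it) the script returns no findings.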