Enable secure Corba with CA signed certificates.

Article ID: 393410

Products

Network Observability Spectrum

Issue/Introduction

How to enable secure Corba with CA signed certificates.

Environment

The following procedure assumes OneClick is hosted on server <host-oc1> and SpectroServer on server <host-ss1>.
 
Replace the hostname references as needed.
 

Resolution

Generation of self-signed certificates

  • OneClick side
export SPECROOT=/opt/CA/Spectrum
 
$SPECROOT/Java/bin/keytool -genkeypair -alias <host-oc1> -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "cn=<host-oc1>, o=<org name>, c=<country code>" -validity 730 -keypass <keypass> -keystore $SPECROOT/custom/VBNS/identities/<host-oc1>.p12 -storetype PKCS12 -storepass <storepass>
 
Resulting in:
 
$SPECROOT/custom/VBNS/identities/<host-oc1>.p12
  • SpectroServer side
export SPECROOT=/opt/CA/Spectrum
 
$SPECROOT/Java/bin/keytool -genkeypair -alias <host-ss1> -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "cn=<host-ss1>, o=<org name>, c=<country code>" -validity 730 -keypass <keypass> -keystore $SPECROOT/custom/VBNS/identities/<host-ss1>.p12 -storetype PKCS12 -storepass <storepass>
 
Export the private key to a PEM file (the SpectroServer wallet is directory based, see .corbarc below, so it needs the key as a separate file)
 
mkdir $SPECROOT/custom/VBNS/identities/<host-ss1>
 
openssl pkcs12 -in $SPECROOT/custom/VBNS/identities/<host-ss1>.p12 -out $SPECROOT/custom/VBNS/identities/<host-ss1>/key -nocerts
 
Note: openssl prints Bag Attributes/Key Attributes header lines first; remove every line before -----BEGIN ENCRYPTED PRIVATE KEY----- in $SPECROOT/custom/VBNS/identities/<host-ss1>/key
 
Resulting in:
 
$SPECROOT/custom/VBNS/identities/<host-ss1>/key
$SPECROOT/custom/VBNS/identities/<host-ss1>.p12
 

Generate CSR files to be signed

  • OneClick side
export SPECROOT=/opt/CA/Spectrum
 
From the self-signed keystore <host-oc1>.p12, generate the CSR and send it to the Certification Authority (CA) for signing
 
$SPECROOT/Java/bin/keytool -certreq -keystore $SPECROOT/custom/VBNS/identities/<host-oc1>.p12 -alias <host-oc1> -file $SPECROOT/custom/VBNS/identities/<host-oc1>.csr -dname "cn=<host-oc1>, o=<org name>, c=<country code>" -storepass <storepass>
 
Resulting In:
 
$SPECROOT/custom/VBNS/identities/<host-oc1>.p12
$SPECROOT/custom/VBNS/identities/<host-oc1>.csr
  • SpectroServer side
export SPECROOT=/opt/CA/Spectrum
 
From the self-signed keystore <host-ss1>.p12, generate the CSR and send it to the Certification Authority (CA) for signing
 
$SPECROOT/Java/bin/keytool -certreq -keystore $SPECROOT/custom/VBNS/identities/<host-ss1>.p12 -alias <host-ss1> -file $SPECROOT/custom/VBNS/identities/<host-ss1>.csr -dname "cn=<host-ss1>, o=<org name>, c=<country code>" -storepass <storepass>
 
Resulting In:
 
$SPECROOT/custom/VBNS/identities/<host-ss1>/key
$SPECROOT/custom/VBNS/identities/<host-ss1>.p12
$SPECROOT/custom/VBNS/identities/<host-ss1>.csr
 
 
Import CA signed certificates
  • OneClick side
export SPECROOT=/opt/CA/Spectrum
 
Import the root (rootca.crt) and intermediate (interca.crt) certificates before the signed certificate, so that keytool can build the chain when the signed certificate is imported
 
$SPECROOT/Java/bin/keytool -importcert -keystore $SPECROOT/custom/VBNS/identities/<host-oc1>.p12 -alias rootca -file rootca.crt -storepass <storepass>
$SPECROOT/Java/bin/keytool -importcert -keystore $SPECROOT/custom/VBNS/identities/<host-oc1>.p12 -alias interca -file interca.crt -storepass <storepass>
 
Import the signed certificate into the p12 file, using the same alias as the key pair so it replaces the self-signed certificate
 
$SPECROOT/Java/bin/keytool -importcert -keystore $SPECROOT/custom/VBNS/identities/<host-oc1>.p12 -alias <host-oc1> -file <host-oc1>.crt -storepass <storepass>
 
Verify that the keystore now contains the signed certificate together with the Certification Authority (CA) chain
 
$SPECROOT/Java/bin/keytool -keystore $SPECROOT/custom/VBNS/identities/<host-oc1>.p12 -list -alias <host-oc1> -v -storepass <storepass>
 
Concatenate the root and intermediate certificates into a single PEM file under $SPECROOT/custom/VBNS/trustpoints (the file name is not relevant)

Note: Verify that each Certification Authority (CA) certificate placed in '$SPECROOT/custom/VBNS/trustpoints/ca' is separated from the next one by proper line endings, i.e. the END and BEGIN markers sit on their own lines (a .crt file without a final newline runs them together):

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

cat rootca.crt interca.crt > $SPECROOT/custom/VBNS/trustpoints/ca
 
Expected files:
 
$SPECROOT/custom/VBNS/identities/<host-oc1>.p12
$SPECROOT/custom/VBNS/trustpoints/ca
 
File $SPECROOT/tomcat/webapps/spectrum/META-INF/context.xml
 
useSSL="true"
vbroker.security.requireAuthentication=true 
vbroker.security.peerAuthenticationMode=REQUIRE_AND_TRUST 
vbroker.security.wallet.identity=<host-oc1>
vbroker.security.wallet.password=<keypass> 
vbroker.security.alwaysSecure=true
vbroker.security.trustpointsRepository=Directory:/opt/CA/OneClick/custom/VBNS/trustpoints 
vbroker.security.wallet.type=PKCS12:/opt/CA/OneClick/custom/VBNS/identities
 
Restart the OneClick Tomcat
  • SpectroServer side
export SPECROOT=/opt/CA/Spectrum
 
Import the root (rootca.crt) and intermediate (interca.crt) certificates before the signed certificate, so that keytool can build the chain when the signed certificate is imported
 
$SPECROOT/Java/bin/keytool -importcert -keystore $SPECROOT/custom/VBNS/identities/<host-ss1>.p12 -alias rootca -file rootca.crt -storepass <storepass>
$SPECROOT/Java/bin/keytool -importcert -keystore $SPECROOT/custom/VBNS/identities/<host-ss1>.p12 -alias interca -file interca.crt -storepass <storepass>
 
Import the signed certificate into the p12 file, using the same alias as the key pair so it replaces the self-signed certificate
 
$SPECROOT/Java/bin/keytool -importcert -keystore $SPECROOT/custom/VBNS/identities/<host-ss1>.p12 -alias <host-ss1> -file <host-ss1>.crt -storepass <storepass>
 
Verify that the keystore now contains the signed certificate together with the Certification Authority (CA) chain
 
$SPECROOT/Java/bin/keytool -keystore $SPECROOT/custom/VBNS/identities/<host-ss1>.p12 -list -alias <host-ss1> -v -storepass <storepass>
 
Concatenate the root and intermediate certificates into a single PEM file under $SPECROOT/custom/VBNS/trustpoints (the file name is not relevant)

Note: Verify that each Certification Authority (CA) certificate placed in '$SPECROOT/custom/VBNS/trustpoints/ca' is separated from the next one by proper line endings, i.e. the END and BEGIN markers sit on their own lines (a .crt file without a final newline runs them together):

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

cat rootca.crt interca.crt > $SPECROOT/custom/VBNS/trustpoints/ca
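As an added check that is not part of the original article, the following shell function verifies that a trustpoints bundle (the ca file built above, on either the OneClick or the SpectroServer side) has balanced markers, no CRLF endings, and each END CERTIFICATE line directly followed by the next BEGIN line; the sample certificates it builds are constructed placeholders, not real certificates.

```shell
# Added example, not part of the original article: sanity-check a trustpoints
# PEM bundle (e.g. $SPECROOT/custom/VBNS/trustpoints/ca) before restarting.
# Prints the number of certificates; returns 1 on CRLF line endings, on
# unbalanced BEGIN/END markers, on an END marker fused with the next BEGIN
# (what 'cat' produces when a .crt lacks a final newline), or on an END
# line that is not directly followed by the next BEGIN line.
check_pem_bundle() {
    bundle="$1"
    [ -f "$bundle" ] || { echo "missing: $bundle" >&2; return 1; }
    if grep -q "$(printf '\r')" "$bundle"; then
        echo "CRLF line endings in $bundle" >&2; return 1
    fi
    if grep -q 'END CERTIFICATE-----.*BEGIN CERTIFICATE' "$bundle"; then
        echo "END and BEGIN markers on one line in $bundle" >&2; return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$bundle" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$bundle" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "unbalanced markers in $bundle: $begins BEGIN / $ends END" >&2; return 1
    fi
    bad=$(awk 'p ~ /^-----END CERTIFICATE-----$/ && $0 !~ /^-----BEGIN CERTIFICATE-----$/ {n++} {p=$0} END {print n+0}' "$bundle")
    if [ "$bad" -ne 0 ]; then
        echo "$bad END marker(s) not directly followed by BEGIN in $bundle" >&2; return 1
    fi
    echo "$begins"
}

# Constructed sample certificate (placeholder body, not a real certificate).
# $1 = output file, $2 = 1 to omit the final newline (simulates a bad .crt).
make_crt() {
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructed%s\n-----END CERTIFICATE-----' "$1" > "$1"
    [ "$2" = 1 ] || printf '\n' >> "$1"
}

# Builds one good and one broken bundle in a temp dir; returns 0 only if the
# good bundle reports 2 certificates and the broken one is rejected.
demo_bundles() {
    d=$(mktemp -d)
    make_crt "$d/rootca.crt" 0; make_crt "$d/interca.crt" 0
    cat "$d/rootca.crt" "$d/interca.crt" > "$d/ca_ok"
    make_crt "$d/badroot.crt" 1          # no trailing newline -> fused markers
    cat "$d/badroot.crt" "$d/interca.crt" > "$d/ca_bad"
    n=$(check_pem_bundle "$d/ca_ok") || return 1
    [ "$n" -eq 2 ] || return 1
    check_pem_bundle "$d/ca_bad" 2>/dev/null && return 1
    rm -rf "$d"; return 0
}
```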
 
Copy the server certificate and the CA certificates into the identities folder of <host-ss1>
 
cp <host-ss1>.crt $SPECROOT/custom/VBNS/identities/<host-ss1>/cert0
cp interca.crt $SPECROOT/custom/VBNS/identities/<host-ss1>/cert1
cp rootca.crt $SPECROOT/custom/VBNS/identities/<host-ss1>/cert2
 
Note: if the Certification Authority (CA) chain contains more than one certificate, name them in ascending order cert1, cert2, ..., certN, from the intermediate closest to the server certificate up to the root, as shown above (cert1 = interca.crt, cert2 = rootca.crt); cert0 is always the server certificate.
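An added helper, not from the original article, that fills the SpectroServer identities directory from the signed server certificate, a chain PEM (intermediate first, root last) and the key file exported by openssl, following the cert0/cert1..certN naming above and stripping the header lines before the key; the directory and sample contents it uses are constructed.

```shell
# Added example, not part of the original article: populate the SpectroServer
# identity directory. cert0 is the server certificate, cert1..certN are the
# chain certificates in the order they appear in the chain file (intermediate
# first, root last, matching the article's cert1=interca, cert2=rootca), and
# the openssl 'Bag Attributes' lines before the key header are stripped.
# Prints the number of chain certificates written.
build_identity_dir() {
    dir="$1"; server_crt="$2"; chain="$3"; raw_key="$4"
    mkdir -p "$dir"
    cp "$server_crt" "$dir/cert0"
    # Split the chain: each BEGIN line starts a new file cert1, cert2, ...
    awk -v dir="$dir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert" n }
        out != "" { print > out }
        /^-----END CERTIFICATE-----$/ { close(out); out = "" }
        END { print n + 0 }' "$chain"
    # Keep the key from its PEM header onward (drops the openssl header lines).
    sed -n '/^-----BEGIN ENCRYPTED PRIVATE KEY-----$/,$p' "$raw_key" > "$dir/key"
    chmod 600 "$dir/key"
}

# Constructed sample input (placeholder bodies, not real certificates or keys);
# returns 0 only if cert0..cert2 and key come out as the article expects.
demo_identity() {
    d=$(mktemp -d)
    for f in server interca rootca; do
        printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructed%s\n-----END CERTIFICATE-----\n' "$f" > "$d/$f.crt"
    done
    cat "$d/interca.crt" "$d/rootca.crt" > "$d/chain.pem"
    printf 'Bag Attributes\n    localKeyID: 01\nKey Attributes: <No Attributes>\n-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIconstructed\n-----END ENCRYPTED PRIVATE KEY-----\n' > "$d/key.raw"
    n=$(build_identity_dir "$d/id" "$d/server.crt" "$d/chain.pem" "$d/key.raw") || return 1
    [ "$n" -eq 2 ] || return 1
    grep -q constructedserver "$d/id/cert0" && grep -q constructedinterca "$d/id/cert1" && grep -q constructedrootca "$d/id/cert2" || return 1
    [ "$(head -n 1 "$d/id/key")" = "-----BEGIN ENCRYPTED PRIVATE KEY-----" ] || return 1
    rm -rf "$d"; return 0
}
```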
 
Expected files:
 
$SPECROOT/custom/VBNS/identities/<host-ss1>.p12
$SPECROOT/custom/VBNS/identities/<host-ss1>/cert0
$SPECROOT/custom/VBNS/identities/<host-ss1>/cert1
$SPECROOT/custom/VBNS/identities/<host-ss1>/cert2
$SPECROOT/custom/VBNS/identities/<host-ss1>/key
$SPECROOT/custom/VBNS/trustpoints/ca
 
File $SPECROOT/.jcorbarc
 
vbroker.security.disable=false
vbroker.naming.security.disable=false
vbroker.security.secureTransport=true
vbroker.security.trustpointsRepository=Directory:/opt/CA/Spectrum/custom/VBNS/trustpoints
vbroker.security.wallet.type=PKCS12:/opt/CA/Spectrum/custom/VBNS/identities
vbroker.security.wallet.identity=<host-ss1>
vbroker.security.wallet.password=<keypass>
vbroker.security.alwaysSecure=true
vbroker.security.peerAuthenticationMode=REQUIRE_AND_TRUST
vbroker.security.requireAuthentication=true
 
File $SPECROOT/.corbarc
 
vbroker.security.disable=false
vbroker.security.secureTransport=true
vbroker.security.trustpointsRepository=Directory:/opt/CA/Spectrum/custom/VBNS/trustpoints
vbroker.security.wallet.type=Directory:/opt/CA/Spectrum/custom/VBNS/identities
vbroker.security.wallet.identity=<host-ss1>
vbroker.security.wallet.password=<keypass>
vbroker.security.alwaysSecure=true
vbroker.security.peerAuthenticationMode=REQUIRE_AND_TRUST
vbroker.security.requireAuthentication=true
 
Restart the SpectroServer and processd