How to obtain and import a Trusted Certificate into the CA Single Sign-On Administrative UI


Article ID: 43736


Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On

Issue/Introduction

Introduction

This scenario helps the CA Single Sign-On security administrator replace the Administrative UI server's self-signed certificate with a certificate signed by a trusted Certificate Authority (CA). With a CA-signed certificate, browsers can verify the identity of the Administrative UI server and connect over HTTPS without a certificate warning.

 

Environment:

Product: CA Single Sign-On Administrative UI

Release: r12.0, r12.5, r12.51, r12.52 SP1, r12.52 SP2 (special instructions at the end)

OS: All supported operating systems

 

Instructions:

1.  Stop Administrative UI service.

2.  Backup existing Key Store

CA Single Sign-On Administrative UI stores its server certificate and private key in the keyStore.jks file located in the $AdminUI_Install_Directory$\server\default\conf folder.

Before replacing the self-signed certificate with the trusted certificate, back up this keyStore.jks file. The backup is the only way to recover the original key pair if an import fails part way through.

3.  List current entries from the keystore

Start a command prompt as Administrator and go to the following folder:

$AdminUI_Install_Directory$\server\default\conf

Then execute the following command to list the current entries in the keystore:

keytool -list -keystore keyStore.jks -storepass changeit -v

Note:

  • The default keystore password is "changeit". It is a well-known default, so protect the private key by restricting file-system read access to keyStore.jks to the account that runs the Administrative UI service.
  • The alias for the default self-signed certificate and key pair is "tomcat".

<Please see attached file for image: list1>

4.  Delete current self-signed certificate and key pair from the keystore

Run the following command to delete the current self-signed certificate and key pair:

keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v

<Please see attached file for image: del>

5.  Generate a Key Pair and a Self-Signed Certificate

Generate a key pair (public and private keys) and a self-signed certificate, and store them in the CA Single Sign-On Administrative UI keystore, using the following keytool command:

keytool -genkeypair -alias JBoss_Key -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=vm1.ca.com" -keypass changeit -validity 7300 -keystore keyStore.jks -storepass changeit -v

Note:

  • We changed the alias for the new key pair and self-signed certificate to "JBoss_Key".
  • The key password (-keypass) must be the same as the keystore password (-storepass): the JBoss HTTPS connector is configured with a single keystore password and uses it to read the private key as well.
  • Ensure that the subject (-dname) matches the FQDN of your Administrative UI server; a mismatch produces a browser warning even after the CA has signed the certificate.
  • Use 2048-bit RSA (or larger) and SHA-256: public CAs no longer issue certificates for 1024-bit keys, and browsers reject certificates signed with SHA-1.
  • Current browsers match the hostname against the Subject Alternative Name (SAN) extension rather than the CN. If your keytool supports it (JDK 7 and later), add -ext SAN=dns:vm1.ca.com (your FQDN) to this command and to the -certreq command in step 9 so that the CSR carries the SAN; otherwise supply the hostname to the CA when you submit the request.

<Please see attached file for image: genkeypair>

A key pair and a self-signed certificate are generated and stored in the keystore.

6.  Go to $AdminUI_Install_Directory$\server\default\deploy\jbossweb.sar and edit server.xml

Change

keyAlias="tomcat"

to

keyAlias="jboss_key" (all lower case)

The alias must be written in lower case here: keytool stores JKS aliases in lower case, so the entry created in step 5 as "JBoss_Key" is held in the keystore as "jboss_key".

7.  Start the SiteMinder Administrative UI service and verify that the new self-signed certificate is in effect: open the Administrative UI over HTTPS and inspect the certificate the server presents. Its subject should be the -dname from step 5. The browser still warns at this point because the certificate is self-signed.

If you now want to replace the self-signed certificate just created with a certificate signed by a trusted Certificate Authority, proceed with the steps below.

8.  Stop Administrative UI.

9.  Generate and Submit a Certificate Signing Request to a Certificate Authority

Generate a PKCS#10 Certificate Signing Request (CSR) file using the following keytool command and submit it to a trusted CA. The CA uses the CSR to issue a signed certificate that identifies your server. The CSR is signed with the private key created in step 5, so it must be generated from this keystore under the same alias.

keytool -certreq -alias JBoss_Key -sigalg SHA256withRSA -file adminui_certreq.p10 -keystore keyStore.jks -storepass changeit -v

<Please see attached file for image: 2016-06-02_10-17-26>

A CSR file "adminui_certreq.p10" is generated.

10. Submit the "adminui_certreq.p10" CSR file to a trusted CA for signing.

11. When you receive the signed certificate from the CA, run the following command to import it:

keytool -importcert -alias JBoss_Key -file adminui_cert.p7b -keystore keyStore.jks -storepass changeit -v

Note:

  • adminui_cert.p7b is the CA's reply in PKCS#7 format. A PKCS#7 bundle contains the server certificate together with the intermediate (if any) and root certificates, so a single import installs the whole chain.
  • If the CA provides only the server certificate, import the root certificate and then each intermediate certificate first, each under its own alias and with the -trustcacerts option (which also lets keytool use the JRE's cacerts file to complete the chain), and import the server certificate last under the JBoss_Key alias. keytool must be able to build the chain from the reply to a certificate it already trusts; otherwise the import fails with "Failed to establish chain from reply".
  • Importing the reply under the JBoss_Key alias replaces the self-signed certificate in that entry with the CA-issued chain. The private key generated in step 5 is kept, which is why the alias must match the one used for the CSR.

12. Start the Administrative UI service and verify that the new trusted certificate is in effect: open the Administrative UI over HTTPS. The browser should show no certificate warning, and the certificate chain it displays should end at the CA's root.
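Before starting the service in step 12, it is worth checking the keystore itself rather than relying on the browser alone. The following Python script is an added example and is not part of this article or of CA's tooling: it parses the output of the keytool -list -v command from step 3 and reports whether the key entry is ready, namely that the expected alias exists, the key is at least 2048-bit, the certificate is not signed with SHA-1 or MD5, the chain is CA-issued rather than self-signed, and the certificate names the Administrative UI FQDN. The two listings embedded in it are constructed in the format keytool prints, not captured from a real system; the alias jboss_key and host vm1.ca.com are the values used in this article, and the CA names are invented.

```python
"""Added example (not CA's tooling): check the Administrative UI keystore after the CA reply is
imported. Pipe in 'keytool -list -keystore keyStore.jks -storepass changeit -v'; the checks are
alias present, key >= 2048-bit, signature not SHA-1/MD5, chain CA-issued, FQDN named in the cert."""
import re
import sys

FIELDS = {"Owner": "owner", "Issuer": "issuer", "Signature algorithm name": "sig_alg"}


def parse_keytool_list(text):
    """Parse 'keytool -list -v' output into {alias: entry}; entry['certs'] is the chain, leaf first."""
    entries, entry, cert, in_san = {}, None, None, False
    for line in (ln.strip() for ln in text.splitlines()):
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "Alias name":
            entry = entries[val.lower()] = {"type": "", "chain_length": 0, "certs": []}
            cert = None
        elif entry is None:
            continue
        elif key == "Entry type":
            entry["type"] = val
        elif key == "Certificate chain length":
            entry["chain_length"] = int(val)
        elif key.startswith("Certificate["):          # "Certificate[n]:" opens the next cert in the chain
            cert = {"owner": "", "issuer": "", "sig_alg": "", "key_bits": None, "san": []}
            entry["certs"].append(cert)
        elif cert is None:
            continue
        elif key in FIELDS:
            cert[FIELDS[key]] = val
        elif key == "Subject Public Key Algorithm":   # "2048-bit RSA key"; older keytool omits this line
            cert["key_bits"] = next((int(b) for b in re.findall(r"(\d+)-bit", val)), None)
        elif line.startswith("SubjectAlternativeName"):
            in_san = True
        elif in_san and key == "DNSName":
            cert["san"].append(val.lower())
        elif in_san and line.startswith("]"):
            in_san = False
    return entries


def check_entry(entries, alias, fqdn, min_bits=2048):
    """Return the problems found with the named key entry; an empty list means it is ready to serve."""
    alias, fqdn = alias.lower(), fqdn.lower()      # JKS aliases are stored in lower case
    entry = entries.get(alias)
    if entry is None:
        return [f"no entry with alias '{alias}'"]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append(f"'{alias}' is a {entry['type']}, not a PrivateKeyEntry")
    if not entry["certs"]:
        return problems + ["entry holds no certificate"]
    leaf = entry["certs"][0]                          # Certificate[1] is the server certificate
    if leaf["owner"] == leaf["issuer"] or entry["chain_length"] < 2:
        problems.append("server certificate is self-signed; the CA reply has not been imported")
    if leaf["key_bits"] is not None and leaf["key_bits"] < min_bits:
        problems.append(f"{leaf['key_bits']}-bit key; generate at least {min_bits}-bit")
    if leaf["sig_alg"].upper().startswith(("SHA1", "MD5")):
        problems.append(f"signed with {leaf['sig_alg']}; browsers reject SHA-1 and MD5 signatures")
    cn = next(iter(re.findall(r"CN=([^,]+)", leaf["owner"])), "").strip().lower()
    if fqdn not in leaf["san"]:
        if cn == fqdn:
            problems.append(f"{fqdn} is only in the CN; add a SAN, current browsers ignore the CN")
        else:
            problems.append(f"certificate does not name {fqdn} (CN={cn or '?'}, SAN={leaf['san']})")
    return problems


# Constructed listings in keytool's output format (not captured from a real system): the entry as
# step 5 would produce it with 1024-bit RSA/SHA-1, and the same entry after a CA reply is imported.
SELF_SIGNED_LISTING = """\
Alias name: jboss_key
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vm1.ca.com
Issuer: CN=vm1.ca.com
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""
CA_SIGNED_LISTING = """\
Alias name: jboss_key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=vm1.ca.com, OU=Security, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
SubjectAlternativeName [
  DNSName: vm1.ca.com
]
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Signature algorithm name: SHA256withRSA
"""

if __name__ == "__main__":   # usage: keytool -list -v ... | python check_keystore.py jboss_key vm1.ca.com
    listing = sys.stdin.read() if len(sys.argv) == 3 else SELF_SIGNED_LISTING
    alias, fqdn = sys.argv[1:3] if len(sys.argv) == 3 else ("jboss_key", "vm1.ca.com")
    print("\n".join(check_entry(parse_keytool_list(listing), alias, fqdn)) or f"{alias}: ready for {fqdn}")
```

Run without arguments it checks the constructed self-signed listing and reports all four findings; piped the real keytool output with the alias and FQDN as arguments, an empty result is the signal that step 12 can proceed. The script name check_keystore.py is an assumed file name.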

 

Additional Note (for r12.52 SP2)

From r12.52 SP2 onward, the embedded JBoss server used by the Administrative UI is WildFly 8, and its folder layout differs significantly from earlier releases. Take the following into account when performing the steps above on r12.52 SP2 or later:

The JBoss configuration folder is now $AdminUI_Install_Directory$\standalone\configuration.

The keystore file keyStore.jks is located in that folder, so run the keytool commands above there.

The alias setting that server.xml carried in earlier releases is now in standalone-full.xml, also in the $AdminUI_Install_Directory$\standalone\configuration folder; change the alias there instead of in server.xml.

<Please see attached file for image: vmware_2016-06-02_11-16-01.png>

 

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus

Attachments

1558722885737000043736_sktwi1f5rjvs16wmo.png
1558722883230000043736_sktwi1f5rjvs16wmn.jpeg
1558722881418000043736_sktwi1f5rjvs16wmm.jpeg
1558722879455000043736_sktwi1f5rjvs16wml.jpeg
1558722877345000043736_sktwi1f5rjvs16wmk.jpeg