Symantec Identity Suite - Virtual Appliance replacing self-signed certs

Article ID: 93224


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal

Issue/Introduction

We would like to replace the self-signed certificates for Identity Manager on the Virtual Appliance. When replacing the certificate and private key in the suggested folder 

/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/ 

we receive the following error

2018-02-02 19:30:06,222 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service jboss.server.controller.management.security_realm.WebSslRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.WebSslRealm.key-manager: JBAS015229: Unable to start service
    at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:154)
    at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_71]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_71]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_71]
Caused by: java.io.IOException: Invalid keystore format

Environment

CA Identity Suite 14.1 CP2 (minimum)

Cause

The files under /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/ are Java keystores (JKS), and the WildFly security realm (WebSslRealm) loads them as such. Placing a bare certificate and private key (PEM files) where the out-of-the-box self-signed keystores live therefore fails at FileKeystore.load with "Invalid keystore format": the key manager never gets a keystore it can parse.

Resolution

Import the signed certificate and its private key into a Java keystore (JKS), place that keystore in /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/ under the same file name as the out-of-the-box keystore it replaces, and restart the service. The service only needs a JKS that holds the signed certificate together with its private key; once that is in place it starts without the error above. After the restart, confirm that the MSC000001 / "Invalid keystore format" message no longer appears in the server log.

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/virtual-appliance/administering-virtual-appliance.html#concept.dita_484b93c7f06198e8b27adcc2537229358eb17777_ReplacingVirtualApplianceWebUISSLCertificate

You can reference the steps below for creating a new self-signed certificate and loading it into the VAPP keystores:

Backing up current certs:
cd /home/config
mkdir certs
cd certs
mkdir orig
mkdir new
cp /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/* /home/config/certs/orig
cp /home/config/certs/orig/caim-srv /home/config/certs/new
cd /home/config/certs/new

Create a self-signed certificate and export it, with its private key, to a password-protected PKCS12 file. This sample uses P@ssw0rd as the PKCS12 password (the same value is passed to keytool as -srcstorepass below). Note that -nodes writes the private key to myPrivateKey.pem unencrypted, so remove that file and the .p12 once the keystore has been built. If the WildFly configuration references the keystore entry by alias, keep the original alias by adding -name <existing alias-name> to the pkcs12 export.

openssl req -x509 -newkey rsa:4096 -keyout myPrivateKey.pem -out myCertificate.crt -days 3650 -nodes
openssl pkcs12 -export -out keyStore.p12 -inkey myPrivateKey.pem -in myCertificate.crt -passout pass:P@ssw0rd

Run the following keytool commands to replace the existing entry in the caim-srv keystore with the newly created self-signed certificate and key:

keytool -list -v -keystore caim-srv -storepass changeit
Look for the alias name in the output and copy it.
keytool -delete -alias <existing alias-name> -keystore caim-srv -storepass changeit
keytool -list -v -keystore caim-srv -storepass changeit -------- the keystore should now contain no entries

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore caim-srv -srckeystore keyStore.p12 -srcstoretype PKCS12 -srcstorepass P@ssw0rd
keytool -list -v -keystore caim-srv -storepass changeit -------- the new entry should be listed as a PrivateKeyEntry

Finally, create the Identity Governance (caig-srv) and Identity Portal (caip-srv) keystores as copies of the new caim-srv keystore, so that all components present the same certificate and can communicate with each other, then replace the files in the appliance directory (the originals were backed up to /home/config/certs/orig above):

cp caim-srv caip-srv
cp caim-srv caig-srv
rm /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/*
cp ca* /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates
reboot
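Because the failure in the Cause section comes from a file of the wrong format in the keystore directory, it is worth verifying the staged files before the reboot. The following is an added example, not part of the KB article or of the appliance's own tooling: a POSIX sh script that classifies each file by its leading bytes (JKS keystores start with the magic 0xFEEDFEED, JCEKS with 0xCECECECE, PKCS12 and DER certificates with an ASN.1 SEQUENCE byte 0x30, and PEM with "-----BEGIN") and flags anything under the directory that is not a JKS. The directory path and the three file names caim-srv, caig-srv and caip-srv are taken from the article; the function names and the sample files in demo() are constructed for illustration. It needs only od, tr and printf, so it also runs on a workstation against a copy of the staging directory.

```shell
#!/bin/sh
# Added example (not from the KB article): pre-flight check that the files
# WildFly will load as keystores really are JKS, so that a PEM certificate,
# a PEM key or a raw PKCS12 file is caught before the service fails with
# "Invalid keystore format".
# Path and file names come from the article; function names are assumptions.

# Print the detected format of one file: JKS, JCEKS, DER (a PKCS12 file and a
# bare DER certificate both begin with an ASN.1 SEQUENCE), PEM, UNKNOWN, or
# MISSING when the file does not exist.
keystore_format() {
    f="$1"
    [ -f "$f" ] || { echo MISSING; return 0; }
    # First four bytes as lower-case hex without separators, e.g. "feedfeed".
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;      # sun.security.provider.JavaKeyStore magic
        cececece) echo JCEKS ;;    # JCEKS magic
        30*)      echo DER ;;      # 0x30 = ASN.1 SEQUENCE (PKCS12 or DER cert)
        2d2d2d2d) echo PEM ;;      # "----" of "-----BEGIN ..."
        *)        echo UNKNOWN ;;
    esac
}

# Check that a directory (default: the live appliance directory) holds the
# three keystores the appliance expects, each in JKS format.
# Returns 0 when all three pass, 1 when any is missing or not a JKS.
check_ssl_dir() {
    dir="${1:-/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates}"
    rc=0
    for name in caim-srv caig-srv caip-srv; do
        fmt=$(keystore_format "$dir/$name")
        if [ "$fmt" = JKS ]; then
            echo "OK       $dir/$name is a JKS keystore"
        else
            echo "PROBLEM  $dir/$name is $fmt, WildFly needs JKS" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on constructed sample files (not real keystores):
# two files carrying the JKS magic and one PEM file dropped in by mistake.
demo() {
    d=$(mktemp -d)
    printf '\376\355\376\355\000\000\000\002' > "$d/caim-srv"   # JKS magic
    printf '\376\355\376\355\000\000\000\002' > "$d/caig-srv"   # JKS magic
    printf -- '-----BEGIN CERTIFICATE-----\n' > "$d/caip-srv"   # PEM, wrong
    check_ssl_dir "$d"
    r=$?
    rm -rf "$d"
    return $r
}

# Usage:  sh check-keystores.sh demo          (run the constructed sample)
#         sh check-keystores.sh /home/config/certs/new   (check a staging dir)
case "${1:-}" in
    demo) demo ;;
    ?*)   check_ssl_dir "$1" ;;
esac
```

Run it against /home/config/certs/new before the rm/cp step and against the live directory after it; a PROBLEM line for any of the three files means the reboot will reproduce the MSC000001 error. The check only proves the container format, not that the keystore password is still changeit or that the entry is a PrivateKeyEntry, so keep the keytool -list step as well.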

After this change the applications can only be accessed through the URLs below, and no longer through the embedded Apache load balancer:

https://VAPP_HOST:8443/iam/im/identityEnv
https://VAPP_HOST:8445/eurekify/portal/login
https://VAPP_HOST:8444/sigma/admin