For versions 6.8.x and 6.9.x
- JBoss will load keystores and truststores based on the configuration found in /home/oracle/jboss-4.2.2.GA/server/default/deploy/jboss-web.deployer/server.xml.
- By default, the keystores and truststores are found in /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore.
For version 7.0.x
- WildFly will load keystores and truststores based on the configuration found in /home/oracle/wildfly/standalone/configuration/aveksa-standalone-full.xml.
- By default, the keystores and truststores are found in /home/oracle/keystore
If your goal is to modify the web server certificate that a user sees when connecting to the IMG web console, you will need to edit the keystore called aveksa.keystore. After modification, this keystore should contain the web server's private key, its associated signed certificate, and all CA certificates up to the root CA.
The following commands assume you will be creating a new keystore file called my.keystore which will later be used to replace the existing aveksa.keystore. The example below utilizes a server hostname of via-img.rsa.com.
- Go to the default keystore and truststore location for your version:
- For versions 6.8.x and 6.9.x
- Create a new keystore file and new RSA 2048 bit keypair, using the password Av3k5a15num83r0n3 when prompted. This example creates a certificate valid for the URLs rsa-img.rsa.com and rsa-img. If you are using Java 6, then the -ext will report an "Illegal option" -ext" error, so please see the Notes section below for the work-around.
keytool -genkeypair -keysize 2048 -alias server -keyalg RSA -keystore my.keystore -dname "CN=rsa-img.rsa.com" -ext san=dns:rsa-img.rsa.com,dns:rsa-img
- Generate a certificate request (PKCS#10) from that keypair, use the password Av3k5a15num83r0n3 when prompted:
keytool -certreq -alias server -file rsa-img.rsa.com.csr -keystore my.keystore -ext san=dns:rsa-img.rsa.com,dns:rsa-img
- Submit the certificate request (rsa-img.rsa.com.csr) to your CA for signing. The steps below assume the following:
- cert.pem is the newly signed certificate generated from the certificate request
- sub.pem is the issuing CA of the certificate.
- root.pem is the root CA that signed the issuing CA sub.pem
- Import the root CA in the default truststore (cacerts) as a trusted CA component (The default password is changeit):
keytool -import -v -trustcacerts -alias root -file root.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
- Import the issuing CA in the default truststore (cacerts) as a trusted CA component (The default password is changeit):
keytool -import -v -trustcacerts -alias sub -file sub.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
- Import the root CA in the keystore as a trusted CA component:
keytool -import -v -trustcacerts -alias root -file root.pem -keystore my.keystore
- Import the issuing CA in the keystore as a trusted CA component:
keytool -import -v -trustcacerts -alias sub -file sub.pem -keystore my.keystore
- Import the certificate in the keystore:
keytool -importcert -v -alias server -file cert.pem -keystore my.keystore
- You can review the keystore entries with the following command:
keytool -list -v -keystore my.keystore
- Make a copy of your current keystore file should you need to revert the changes:
cp -fp aveksa.keystore aveksa.keystore.ori
- Make sure the file permissions and ownership of the new my.keystore match that of aveksa.keystore:
- Replace aveksa.keystore with my.keystore and restart the services:
cp my.keystore aveksa.keystore
chown oracle:oinstall aveksa.keystore
- Hit the appliance login page using a browser and verify that the new certificate is being presented by the appliance.
To revert these changes, run the following commands:
mv aveksa.keystore my.keystore
cp aveksa.keystore.ori aveksa.keystore
chown oracle:oinstall aveksa.keystore