Applies To
RSA Product Set: enVision
RSA Product/Service Type: enVision
RSA Version/Condition: 3.7.x, 4.x

Issue
How to Install a Third Party Certificate into enVision

Cause
Secure administration of enVision is done over HTTPS to the administration GUI (by default https://server:8443/login.jsp). The system ships with a default, preconfigured keypair for this connection. The pre-supplied keypair can be replaced with a unique keypair that is specific to your site.
If the default keypair is left in place, the browser shows a certificate error (warning) when you connect to the admin GUI. You may still proceed to the admin GUI, bearing in mind that the default key is being used.

Resolution
To install your own site-specific keypair, carry out the following steps:
1. Back up the existing keystore file.
Log in to the enVision server (A-Srv for LS, or ES) using the master account.
cd /d %_envision%\conf
2. Generate a keystore certificate file.
..\jdk\jre\bin\keytool -genkey -keyalg RSA -keystore .keystore -validity 365 -alias tomcat -storepass enVision -keypass enVision
The -keypass and -storepass passwords are both “enVision”, and must not be changed.
The example uses a certificate -validity of 365 days (1 year); change this value to something appropriate for your environment.
When keytool prompts for the "first and last name", enter the machine's hostname (no spaces; it is case-sensitive). The hostname is shown in the output of the command: ipconfig /all | findstr Host
3. Create a certificate signing request (csr) file.
..\jdk\jre\bin\keytool -certreq -keyalg RSA -file certreq.csr -keystore .keystore -alias tomcat -keypass enVision -storepass enVision
4. (Optional) Inspect the content of the generated certificate signing request (CSR) text file, certreq.csr.
5. Send the certreq.csr file to the third party you have chosen to sign the certificate; this may be an external company or an internal certificate authority (CA).
In return you will receive a number of certificates, either as files or sometimes as an email listing the locations from which to download them.
Be sure to ask for a server certificate (at least TLS web server authentication, with the SSL server extensions enabled). You should receive at least two certificate files, often three or more.
6. The CA signs your request with its private key and sends you a validated certificate.
The CA also sends you a root CA certificate and, if applicable, an intermediate CA certificate.
Copy all the CA certificate files to the enVision server %_envision%\conf directory.
7. Install the root certificate first, using the password “enVision”, answering yes when the certificate details are displayed and again when asked to add the certificate to the keystore.
..\jdk\jre\bin\keytool -import -trustcacerts -alias root -keystore .keystore -file location_of_root_cert.crt -storepass enVision
Any intermediate certificates must be installed next, using the password “enVision”. Give each intermediate its own alias; the alias names themselves are unimportant. The example below imports one intermediate certificate under the alias inter1; repeat the command with a different alias for each additional intermediate.
..\jdk\jre\bin\keytool -import -alias inter1 -keystore .keystore -file intermediate1.crt -storepass enVision
8. Install the signed server certificate, using the password “enVision”, and answering yes when asked to add the certificate to the keystore. The alias must be tomcat, the same alias used for the keypair generated in step 2, so that keytool attaches the signed certificate to that private key.
..\jdk\jre\bin\keytool -import -alias tomcat -keystore .keystore -file server.crt -storepass enVision -keypass enVision
9. Copy \jdk\jre\bin\.keystore to the %_envision%\conf directory.
copy %_envision%\jdk\jre\bin\.keystore %_envision%\conf
10. The root Certification Authority certificate (and also the intermediate, if present) must be imported into the Windows computer certificate store.
In Windows, select Start -> Run, enter mmc and click OK.
11. Stop and restart the NIC Web Server service.
Note: Stopping the NIC Web Server service will also result in the NIC Alerter service being stopped.
After the NIC Web Server service returns to a “Started” state, restart the NIC Alerter service.
The installation is complete.
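As an added example (not part of the RSA article), the following batch script wraps steps 1 to 3 (run as "request") and steps 7 to 8 (run as "install") with the article's fixed alias and password values, and finishes with a chain check on the tomcat entry that is worth running before steps 9 to 11. It assumes %_envision% is set, that it runs from the master account on the A-Srv/ES, and that the hostname from ipconfig /all | findstr Host is passed as an argument; the script name, the inter1, inter2, ... aliases, the -keysize 2048 choice and the .keystore.bak backup name are my assumptions.

```batch
@echo off
REM Added example, not from the RSA article: "request" = steps 1-3, "install" = steps
REM 7-8 plus a chain check. Assumes %_envision% is set; runs as the master account.
setlocal enabledelayedexpansion
cd /d "%_envision%\conf" || exit /b 1
set KEYTOOL=..\jdk\jre\bin\keytool
set PASS=enVision
if /i "%~1"=="request" goto request
if /i "%~1"=="install" goto install
echo Usage: %~nx0 request ^<hostname^>
echo        %~nx0 install ^<root.crt^> [intermediate.crt ...] ^<server.crt^>
exit /b 1
:request
if "%~2"=="" (echo hostname required: take it from "ipconfig /all | findstr Host" & exit /b 1)
REM Step 1: keep a copy of the current keystore; refuse to clobber an older backup.
if exist .keystore.bak (echo .keystore.bak already exists, move it aside first & exit /b 1)
if exist .keystore copy .keystore .keystore.bak >nul
REM Step 2: -dname answers the "first and last name" prompt; CN must be the
REM case-sensitive hostname. -keysize 2048 is my choice; adjust -validity to suit.
%KEYTOOL% -genkey -keyalg RSA -keysize 2048 -validity 365 -alias tomcat -dname "CN=%~2" ^
  -keystore .keystore -storepass %PASS% -keypass %PASS% || exit /b 1
REM Step 3: the CSR (certreq.csr) to send to the CA.
%KEYTOOL% -certreq -keyalg RSA -file certreq.csr -alias tomcat ^
  -keystore .keystore -storepass %PASS% -keypass %PASS% || exit /b 1
exit /b 0
:install
shift
REM Step 7: root first (answer yes at the prompts), then each intermediate in order.
%KEYTOOL% -import -trustcacerts -alias root -file "%~1" ^
  -keystore .keystore -storepass %PASS% || exit /b 1
set N=0
:nextcert
shift
if "%~2"=="" goto servercert
set /a N+=1
%KEYTOOL% -import -alias inter!N! -file "%~1" ^
  -keystore .keystore -storepass %PASS% || exit /b 1
goto nextcert
:servercert
REM Step 8: the signed cert goes under the key pair's alias "tomcat" so keytool
REM attaches it to the private key instead of creating a separate trusted entry.
%KEYTOOL% -import -alias tomcat -file "%~1" ^
  -keystore .keystore -storepass %PASS% -keypass %PASS% || exit /b 1
REM Check: the tomcat entry should be a key entry with chain length 2 or more (server
REM cert plus issuers). A length of 1 means the CA certs were not imported first.
%KEYTOOL% -list -v -alias tomcat -keystore .keystore -storepass %PASS% | findstr /c:"Entry type" /c:"Certificate chain length" /c:"Owner:" /c:"Issuer:"
exit /b 0
```

If the check prints a chain length of 1, the browser will still show an untrusted chain after the restart in step 11; re-import the root and intermediates and then the server certificate again.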

Legacy Article ID: a36779