Error Message from web browser
Your connection is not private
The browser also shows "Not secure" in the URL bar.

Solution
Sign the Tomcat web certificate with a Certificate Authority (CA)
Steps for Unix/Linux console server:
# mkdir -p /root/viom_certificates/{certs,keys,csr,config,tomcat}
# cd /root/viom_certificates
# cp /opt/VRTSsfmcs/webgui/tomcat/cert/.keystore /root/viom_certificates/tomcat/keystore-`date "+%s"`
Note: Keep this backup file; it can be used to get ViOM MS functional again with the old keystore.
# /opt/VRTSsfmcs/webgui/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 3650 -keypass changeit -keystore /root/viom_certificates/tomcat/new_keystore -storepass changeit -dname "C=US, ST=CA, L=Mountain View, O=Veritas, CN=192.168.10.110, CN=viom, CN=viom.arctera.net" -keysize 2048
Notes: Update the CommonName (CN) values to match your environment.
The keystore password changeit is an example; use a password unique to your environment.
# /opt/VRTSsfmcs/webgui/jre/bin/keytool -certreq -keyalg RSA -alias tomcat -file csr/viom.csr -keystore /root/viom_certificates/tomcat/new_keystore
Enter keystore password:
The following steps can be used to create a local Certificate Authority (CA):
5.a Create CA private key
# openssl genrsa -aes256 -out keys/ca.key 4096
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
5.b Create CA certificate
# openssl req -x509 -new -nodes -key keys/ca.key -sha256 -days 1826 -out certs/ca.crt -subj '/CN=Local CA/C=US/ST=Mass/L=Boston/O=Support'
Enter pass phrase for keys/ca.key:
Note: Update the Subject for your environment
5.c Sign Certificate using CA cert and key
# echo "subjectAltName=DNS:viom.arctera.net,IP:192.168.10.110" >> config/viom.ext
Note: DNS and IP must match the ViOM server.
# openssl x509 -req -days 3650 -sha256 -in csr/viom.csr -CA certs/ca.crt -CAkey keys/ca.key -out certs/viom.crt -set_serial 01 -extfile config/viom.ext
Certificate request self-signature ok
subject=CN=viom.arctera.net, CN=viom, CN=192.168.10.110, O=Veritas, L=Mountain View, ST=CA, C=US
Enter pass phrase for keys/ca.key:
├── certs
│   ├── ca.crt                 Certificate Authority
│   └── viom.crt               Server Certificate
├── config
│   └── viom.ext               Configuration file for signing
├── csr
│   └── viom.csr               Certificate Sign Request
├── keys
│   └── ca.key                 Certificate Authority Private Key
└── tomcat
    ├── keystore-1743775298    Original Tomcat KeyStore
    └── new_keystore           Updated Tomcat KeyStore
# /opt/VRTSsfmcs/webgui/jre/bin/keytool -import -trustcacerts -alias intermediate -keystore /root/viom_certificates/tomcat/new_keystore -file certs/ca.crt
Enter keystore password:
Trust this certificate? [no]: yes
Certificate was added to keystore
8. Import the Server certificate
# /opt/VRTSsfmcs/webgui/jre/bin/keytool -import -alias tomcat -keystore /root/viom_certificates/tomcat/new_keystore -trustcacerts -file certs/viom.crt
Enter keystore password:
Certificate reply was installed in keystore
9. Stop the VOM UI Web server process.
# /opt/VRTSsfmcs/bin/vomsc --stop web
Veritas Operations Manager Services:
Web Server.................................................................................................................[STOPPED]
10. Replace the original key store with the one which contains the newly obtained certificates from the certificate issuing authority.
# cp /root/viom_certificates/tomcat/new_keystore /opt/VRTSsfmcs/webgui/tomcat/cert/.keystore
cp: overwrite '/opt/VRTSsfmcs/webgui/tomcat/cert/.keystore'? y
11. Start the VOM UI Web server process.
# /opt/VRTSsfmcs/bin/vomsc --start web
Veritas Operations Manager Services:
Web Server.................................................................................................................[RUNNING]
12. If ViOM is configured as a cluster using VCS HA, perform the following on the passive node.
# cp /opt/VRTSsfmcs/webgui/tomcat/cert/.new_keystore /opt/VRTSsfmcs/webgui/tomcat/cert/.keystore
Verify communication is now secure.

Note: You will need to import the Root CA along with any Intermediate CA on the host being used to access the ViOM server console.
Keep copies of the new Tomcat keystore along with the Certificate Authority (CA). They will be required when the ViOM server is upgraded.
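
A check that can be run on the signed certificate from step 5.c before it is imported into the keystore, given here as an added example that is not part of the original article: it confirms that the certificate verifies against the CA, carries the public key from the CSR, and lists the expected subjectAltName entries. The functions check_cert and make_sample, the sample CA, and the names viom.example.test and 192.0.2.10 are constructed for illustration; for the real files, call check_cert with certs/ca.crt, certs/viom.crt, csr/viom.csr and the entries written to config/viom.ext.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_cert CA_CERT SERVER_CERT CSR SAN_ENTRY...
# Returns 0 only if SERVER_CERT verifies against CA_CERT, carries the same
# public key as CSR, and lists every SAN_ENTRY as printed by
# "openssl x509 -text" (for example "IP Address:192.168.10.110").
check_cert() {
    ca=$1 crt=$2 csr=$3
    shift 3
    # 1. The certificate must chain to the CA that clients will import.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not verify against $ca"; return 1; }
    # 2. The certificate must hold the public key from the CSR; one issued
    #    for a different request does not match the keystore's key pair.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl req -in "$csr" -noout -pubkey)" ] ||
        { echo "FAIL: public key differs from $csr"; return 1; }
    # 3. Every name used to reach the server must be in subjectAltName.
    san=$(openssl x509 -in "$crt" -noout -text |
          grep -A1 'Subject Alternative Name' | tail -n 1 |
          sed 's/^ *//; s/ *$//')
    for want in "$@"; do
        case ", $san," in
            *", $want,"*) ;;
            *) echo "FAIL: SAN lacks $want"; return 1 ;;
        esac
    done
    echo "OK: $crt"
}

# Constructed sample data: a throwaway CA, CSR and certificate made with
# openssl alone (the article generates the key pair and CSR with keytool).
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Sample CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=viom.example.test' \
        -keyout "$d/srv.key" -out "$d/viom.csr" 2>/dev/null
    echo "subjectAltName=DNS:viom.example.test,IP:192.0.2.10" > "$d/viom.ext"
    openssl x509 -req -days 1 -sha256 -in "$d/viom.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -set_serial 01 -extfile "$d/viom.ext" \
        -out "$d/viom.crt" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_cert "$tmp/ca.crt" "$tmp/viom.crt" "$tmp/viom.csr" \
    "DNS:viom.example.test" "IP Address:192.0.2.10"
rm -rf "$tmp"
```

Note that openssl prints IP entries as "IP Address:" in the certificate text, although the extension file uses "IP:".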
Applies To
Veritas Operations Manager 6.x, 7.x and 8.x