The following sections provide information about configuring SSL:
Configuring Keystore and Trust Store Files
Creating a Certificate
Trusting Certificates
Importing the Response to a Certificate Signing Request
Performing Advanced Key Management Tasks
Configuring Keystore and Trust Store Files
The runtime keystore file is normally called keystore and is created using Key Manager as described in Creating a Certificate. The default password for the keystore file is formula; because that default is documented, treat it as a placeholder and change it (see Performing Advanced Key Management Tasks). The keystore file on an Operations Center server should always contain exactly one entry of type PrivateKeyEntry: the server's private key together with the certificate chain that the server presents to connecting clients.
The trust store file is called cacerts. This file is included with your JRE (or JDK) installation and comes prepopulated with the certificates of most common Certificate Authorities (CAs). The cacerts file normally contains many entries, all of which should be of type trustedCertEntry; a private key never belongs in the trust store. The default password for this file is changeit. Because cacerts lives inside the JRE, upgrading or replacing the JRE replaces the file, and any certificates you imported into it must be migrated to the new one (see Performing Advanced Key Management Tasks).
The runtime location of these files varies by server type. Table 5-4 lists the default runtime location of keystore and trust store files by server type.
Table 5-4 Default Runtime Location of Keystore and Trust Store Files by Server Type
Server Type | Keystore Location | Trust Store Location |
---|---|---|
Operations Center | Operations Center_install_path\config\secure\keystore | JRE_home\lib\security\cacerts |
Operations Center Dashboard | Dashboard_install_path\server\conf\keystore | JDK_home\jre\lib\security\cacerts |
Operations Center CMS | CMS_install_path\conf\keystore | JRE_home\lib\security\cacerts |
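The two invariants stated above (exactly one PrivateKeyEntry in the keystore, only trustedCertEntry entries in cacerts) are worth checking before and after every key management task. The following Java program is an added example and is not part of Operations Center or Key Manager; it uses only the standard java.security API. The class name KeystoreAudit, the command-line layout and the expected host name are assumptions, and formula/changeit are the documented defaults, which you should replace with your own:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

/**
 * Audits an Operations Center keystore and the JRE cacerts trust store:
 *  - the keystore holds exactly one PrivateKeyEntry and nothing else,
 *  - that entry's certificate names the host clients connect to and is not expired,
 *  - the trust store holds only trustedCertEntry entries, none of them expired.
 * Added example, not Key Manager code; paths and host name are assumptions.
 */
public class KeystoreAudit {

    /** Loads a JKS file. On JDK 9 and later the JKS loader also accepts PKCS12 files,
     *  which newer JREs use for cacerts. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns true when the certificate's CN or a dNSName SAN equals expectedHost. */
    static boolean namesHost(X509Certificate cert, String expectedHost) throws Exception {
        // Subject as RFC 2253 string, e.g. "CN=test_server_1.domain.com,O=Example"
        for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {
            if (rdn.trim().equalsIgnoreCase("CN=" + expectedHost)) return true;
        }
        if (cert.getSubjectAlternativeNames() != null) {
            for (List<?> san : cert.getSubjectAlternativeNames()) {
                // GeneralName type 2 is dNSName; this is where alternative server names go.
                if (Integer.valueOf(2).equals(san.get(0)) && expectedHost.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Human-readable findings; an empty list means every invariant holds. */
    static List<String> audit(KeyStore keystore, KeyStore trustStore, String expectedHost) throws Exception {
        List<String> findings = new ArrayList<>();
        Date now = new Date();

        int privateKeyEntries = 0;
        for (String alias : Collections.list(keystore.aliases())) {
            if (!keystore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                findings.add(alias + ": keystore entry is not a PrivateKeyEntry");
                continue;
            }
            privateKeyEntries++;
            X509Certificate leaf = (X509Certificate) keystore.getCertificate(alias);
            if (!namesHost(leaf, expectedHost)) {
                findings.add(alias + ": certificate does not name " + expectedHost + " (clients will fail host name verification)");
            }
            if (leaf.getNotAfter().before(now)) {
                findings.add(alias + ": server certificate expired on " + leaf.getNotAfter());
            }
        }
        if (privateKeyEntries != 1) {
            findings.add("keystore has " + privateKeyEntries + " PrivateKeyEntry entries, expected exactly 1");
        }

        for (String alias : Collections.list(trustStore.aliases())) {
            if (!trustStore.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
                // A key entry in cacerts is a misconfiguration and a credential-exposure risk.
                findings.add(alias + ": trust store entry is not a trustedCertEntry");
                continue;
            }
            X509Certificate c = (X509Certificate) trustStore.getCertificate(alias);
            if (c.getNotAfter().before(now)) {
                findings.add(alias + ": trusted certificate expired on " + c.getNotAfter());
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Assumed invocation: KeystoreAudit <keystore> <cacerts> <fqdn>
        // e.g. the Operations Center server paths from Table 5-4:
        //   <install_path>\config\secure\keystore  <JRE_home>\lib\security\cacerts  test_server_1.domain.com
        KeyStore keystore = load(args[0], "formula".toCharArray());   // documented default password
        KeyStore trustStore = load(args[1], "changeit".toCharArray()); // documented default password
        List<String> findings = audit(keystore, trustStore, args[2]);
        if (findings.isEmpty()) {
            System.out.println("OK: keystore and trust store satisfy the documented invariants");
        } else {
            for (String f : findings) System.out.println("FINDING: " + f);
            System.exit(1);
        }
    }
}
```

Run it against the Dashboard and CMS file locations from Table 5-4 as well; a second PrivateKeyEntry or a key entry inside cacerts is the kind of drift that appears after keystores are copied between servers.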
Creating a Certificate
The Operations Center Configuration Manager and the dashboard Configuration Manager include a utility, Key Manager, that guides you through the process of generating a self-signed certificate and establishing trust or, if you choose to use a CA certificate, creating a certificate signing request that you can submit to your CA.
If you are creating a self-signed certificate, the server name that you specify in Key Manager becomes the CN in the certificate. Key Manager uses the fully qualified domain name (for example, test_server_1.domain.com) to populate the CN, but also allows you to specify alternative server names (for example, test_server_1) by which clients can connect to the server. Clients check that the host name they used to connect appears in the certificate, so list every name by which clients reach the server, or their connections fail host name verification even though the certificate is trusted.
Key Manager produces the following files:
keystore: a JKS file containing a self-signed certificate whose CN is the name of the host (test_server_1 in the example). This keystore file includes both the public and private key, so protect it like any other credential. If you have multiple Operations Center servers running on one host, it is acceptable and often more convenient to copy the same keystore into each server configuration.
keystore.cer: contains an exported form of the certificate in keystore (the certificate only, without the private key) that is appropriate for importing into a trust store.
To create a self-signed certificate:
In Configuration Manager, click Security, and then click Explore next to Key Manager.
Select the option to have the Key Manager Startup Wizard guide you through the process, and then click Next.
Provide the requested information, and then click Finish to generate the certificate.
After the wizard generates the certificate, you can use Key Manager to complete certificate trust tasks. For more information, see Trusting Certificates.
Trusting Certificates
After you generate a self-signed certificate, applications that connect to the server must trust the certificate; until they do, they either warn or refuse to connect. You can have a trusted certificate authority sign the certificate, or you can individually configure each connecting application to trust the self-signed certificate.
If you want a CA to sign the certificate, use Key Manager to create a certificate signing request, and then use Key Manager to import the response file from the CA. The response is the CA-signed certificate for the key pair already in your keystore, so it belongs with the keystore's PrivateKeyEntry, where it replaces the self-signed certificate; what the trust store needs to contain is the CA's root certificate and any intermediates, which clients already have for most public CAs.
If you are using a self-signed certificate, use Key Manager to add the certificate (keystore.cer, never the keystore itself) to the trust store of every client that connects.
To create a certificate signing request:
On the Server SSL Key Pair tab of Key Manager, click Manage Trust.
Select the option to use a CA, and then click Next.
Select to create a request, and then click Next.
Provide the requested information, save the request or copy it to the clipboard, and then click Finish.
After you send the request to your CA and receive a response, use Key Manager to import the response file. For more information, see Importing the Response to a Certificate Signing Request.
To add self-signed certificates to the trust store:
On the Server SSL Key Pair tab of Key Manager, click Manage Trust.
Select the option to add certificates to the trust store, and then click Next.
Provide the requested information, and then click Finish.
Importing the Response to a Certificate Signing Request
After you receive the response file to a certificate signing request, use Key Manager to import it. The response carries the CA-signed certificate for the key pair in your keystore, so it is installed against the keystore's PrivateKeyEntry; the CA's root and intermediate certificates are what the trust store must contain. Before importing, confirm that the certificate in the response was issued for your key pair and that its subject and alternative names match the names clients use, otherwise the server presents a certificate it cannot prove ownership of.
To import a CA response file:
On the Server SSL Key Pair tab of Key Manager, click Manage Trust.
Select the option to use a CA, and then click Next.
Select the option to import a response file, and then click Next.
Select the response file, and then click Finish.
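To make the two trust procedures above concrete (adding a self-signed certificate to the trust store, and installing the response to a certificate signing request), the following Java program is an added example that performs both with the standard java.security API and then runs the same PKIX validation a connecting Java client runs. It is not Key Manager's code. The class name TrustSetup, the command-line layout, the alias opcenter-selfsigned and the assumption that the key password equals the keystore password are all assumptions; formula and changeit are the documented defaults:

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Added example, not Key Manager code. Establishes trust for a self-signed or CA-signed
 *  server certificate and verifies the result the way a Java client would. */
public class TrustSetup {
    // Documented defaults; assumed here, replace with your own values in production.
    static final char[] KEYSTORE_PW = "formula".toCharArray();
    static final char[] TRUSTSTORE_PW = "changeit".toCharArray();

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    static void save(KeyStore ks, String path, char[] pw) throws Exception {
        try (OutputStream out = new FileOutputStream(path)) { ks.store(out, pw); }
    }

    /** Alias of the single PrivateKeyEntry Key Manager created; the alias name itself is not assumed. */
    static String privateKeyAlias(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) return alias;
        }
        throw new IllegalStateException("keystore contains no PrivateKeyEntry");
    }

    /** Self-signed case: keystore.cer (certificate only, no private key) becomes a trustedCertEntry. */
    static void trustSelfSigned(KeyStore trustStore, String cerPath, String alias) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(cerPath)) {
            trustStore.setCertificateEntry(alias, cf.generateCertificate(in));
        }
    }

    /** CA case: the reply (signed certificate, optionally followed by intermediates, PEM or DER)
     *  replaces the certificate chain of the existing private key entry in the KEYSTORE.
     *  The private key is unchanged; only the CA's own certificates belong in the trust store. */
    static void installCaReply(KeyStore keystore, char[] keyPw, String replyPath) throws Exception {
        String alias = privateKeyAlias(keystore);
        PrivateKey key = (PrivateKey) keystore.getKey(alias, keyPw);
        PublicKey expected = keystore.getCertificate(alias).getPublicKey();
        List<Certificate> reply;
        try (InputStream in = new FileInputStream(replyPath)) {
            reply = new ArrayList<>(CertificateFactory.getInstance("X.509").generateCertificates(in));
        }
        // Refuse a reply issued for a different key pair: the server could never prove
        // ownership of that certificate during the TLS handshake.
        if (reply.isEmpty() || !expected.equals(reply.get(0).getPublicKey())) {
            throw new IllegalArgumentException("CA reply does not match the keystore's key pair");
        }
        keystore.setKeyEntry(alias, key, keyPw, reply.toArray(new Certificate[0]));
    }

    /** What a connecting client does: PKIX-validate the server's chain against the trust store. */
    static boolean clientTrusts(KeyStore keystore, KeyStore trustStore) throws Exception {
        Certificate[] chain = keystore.getCertificateChain(privateKeyAlias(keystore));
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(trustStore); // every trustedCertEntry is an anchor
        params.setRevocationEnabled(false); // offline check; real clients may add CRL/OCSP and host name checks
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("not trusted: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed invocation (back up cacerts and keystore first; both are rewritten in place):
        //   TrustSetup self-signed <keystore> <keystore.cer> <cacerts>
        //   TrustSetup ca-reply    <keystore> <reply-file>   <cacerts>
        KeyStore keystore = load(args[1], KEYSTORE_PW);
        KeyStore trustStore = load(args[3], TRUSTSTORE_PW);
        if ("self-signed".equals(args[0])) {
            trustSelfSigned(trustStore, args[2], "opcenter-selfsigned"); // alias is an assumption
            save(trustStore, args[3], TRUSTSTORE_PW);
        } else {
            installCaReply(keystore, KEYSTORE_PW, args[2]); // key password assumed equal to keystore password
            save(keystore, args[1], KEYSTORE_PW);
        }
        System.out.println("client trusts server chain: " + clientTrusts(keystore, trustStore));
    }
}
```

In the CA case, clientTrusts returns true only if the trust store already holds the CA's root certificate (or the reply file includes a chain that reaches one it holds); a false result here is the same failure a connecting client reports, minus the host name check, so run it before restarting the server.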
Performing Advanced Key Management Tasks
After you establish a keystore and trust store, you can use Key Manager to perform the following additional key management tasks:
Generate a new key pair and certificate to replace the existing key pair and certificate
On the Server SSL Key Pair tab, click Regenerate. The procedure is similar to the procedure that is described in Creating a Certificate, with additional attributes that you can specify, if desired.
View or modify the contents of a JVM trust store
On the Advanced tab, click Explore Trust Store. This option is useful when migrating certificates between trust stores or upgrading your JRE. You can view certificate details, import certificates, copy entries from another keystore, or delete entries from the trust store. Delete only entries you have positively identified: removing a CA certificate breaks every connection whose certificate chains to it.
Change the trust store to which Key Manager reads and writes trusted certificates
On the Advanced tab, click Switch Trust Store and then follow the prompts.
Copy a private key from another keystore
On the Advanced tab, click Copy Keys and then follow the prompts.
Change the keystore password
On the Advanced tab, click Change Password and then follow the prompts.