
Tech Tip - CA Single Sign-On: Admin UI :: How to obtain and import a Trusted Certificate

By Ujwol posted 06-01-2016 09:35 PM

  
Introduction

This scenario helps the CA Single Sign-On security administrator replace the Administrative UI server's self-signed certificate with a certificate signed by a trusted Certificate Authority (CA). A trusted certificate ensures a secure connection to the Administrative UI.

 

Environment:

Product: CA Single Sign-On Administrative UI

Release: r12.0, r12.5, r12.51, r12.52 SP1, r12.52 SP2 (special instructions at the end)

OS: All supported operating systems

 

Instructions:

1.  Stop the Administrative UI service.

2.  Back up the existing key store

CA Single Sign-On Administrative UI stores its certificate in the keyStore.jks file, located in the $AdminUI_Install_Directory$\server\default\conf folder.

Before replacing the self-signed certificate with the trusted certificate, back up this keyStore.jks file.

3.  List current entries from the keystore

Start a command prompt as Administrator and go to the following folder:

$AdminUI_Install_Directory$\server\default\conf

Then execute the following command to list the current entries in the keystore:

keytool -list -keystore keyStore.jks -storepass changeit -v

Note:

  • The default keystore password is "changeit"
  • The alias for the default self-signed certificate and keypair is "tomcat"


4.  Delete current self-signed certificate and key pair from the keystore

Run the following command to delete the current self-signed certificate and key pair:

keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v


5.  Generate a Key Pair and a Self-Signed Certificate

Generate a key pair (public and private keys) and a self-signed certificate, and store them in the CA Single Sign-On Administrative UI keystore using the following keytool command.

keytool -genkeypair -alias JBoss_Key -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=vm1.ca.com" -keypass changeit -validity 7300 -keystore keyStore.jks -storepass changeit -v

Note:

  • We changed the alias for the new self-signed certificate to "JBoss_Key".
  • The key password (-keypass) must be the same as the key store password (-storepass).
  • Ensure that the hostname (-dname) matches the FQDN of your Administrative UI server.


A key pair and a self-signed certificate are generated and stored in the keystore.

6.  Go to $AdminUI_Install_Directory$\server\default\default\deploy\jbossweb.sar and edit server.xml

Change

keyAlias="tomcat"

to

keyAlias="jboss_key" (all lower case)

7.  Start the SiteMinder Administrative UI service and verify that the new self-signed certificate is in effect.

If you now want to replace the self-signed certificate just created with a trusted certificate signed by a Certificate Authority, proceed with the steps below.

8.  Stop the Administrative UI.

9.  Generate and Submit a Certificate Signing Request to a Certificate Authority

Generate a PKCS#10 Certificate Signing Request (CSR) file using the following keytool command and submit it to a trusted CA. The CA uses the CSR to issue a signed certificate that identifies your server.

keytool -certreq -alias JBoss_Key -sigalg SHA1withRSA -file adminui_certreq.p10 -keystore keyStore.jks -storepass changeit -v


A CSR file "adminui_certreq.p10" is generated.

10. Submit the "adminui_certreq.p10" CSR file to a trusted CA for signing.

11. When you receive the signed certificate from the CA, run the following command to import it.

keytool -importcert -alias JBoss_Key -file adminui_cert.p7b -keystore keyStore.jks -storepass changeit -v

Note:

  • adminui_cert.p7b is the signed certificate returned by the CA in PKCS#7 format. A PKCS#7 file contains the server certificate, the intermediate certificate(s) (if any) and the root certificate.
  • If only the server certificate is provided, you may need to import the intermediate and root certificates separately as well.
  • This overwrites the previously created self-signed certificate with the certificate provided by the CA.

12. Start the Administrative UI service and verify that the new trusted certificate is in effect.
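To verify steps 5, 11 and 12 from the command line rather than in a browser, the following added Python example (not part of the original tip) parses the output of keytool -list -v -keystore keyStore.jks -storepass changeit and checks that the alias still holds a private key, that the leaf CN matches the Administrative UI FQDN, that the leaf is no longer self-signed and that the chain ends at a CA root. The listing below is a constructed sample, not output captured from a real server; in practice, pipe the real keytool output into parse_listing.

```python
import re

# Constructed sample of `keytool -list -v` output after step 11 (not captured from a real server).
SAMPLE_LISTING = """\
Alias name: jboss_key
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=vm1.ca.com, O=Example
Issuer: CN=Example Root CA, O=Example
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

def parse_listing(text):
    """Parse keytool -list -v output into {alias: {"type": str, "chain": [cert dicts]}}."""
    entries, alias = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Alias name":                          # keytool stores aliases lowercased
            alias = value.lower()
            entries[alias] = {"type": None, "chain": []}
        elif alias and key == "Entry type":
            entries[alias]["type"] = value
        elif alias and key.startswith("Certificate["):     # "Certificate[n]:" opens a new cert
            entries[alias]["chain"].append({})
        elif alias and entries[alias]["chain"] and key in ("Owner", "Issuer", "Signature algorithm name"):
            entries[alias]["chain"][-1][key] = value
    return entries

def check_entry(entries, alias, fqdn):
    """Return the problems found for one alias; an empty list means the entry is fit to serve."""
    entry = entries.get(alias.lower())
    if entry is None or not entry["chain"]:
        return ["alias %r holds no certificate" % alias]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append("entry is a %s, so the private key is missing" % entry["type"])
    leaf, root = entry["chain"][0], entry["chain"][-1]
    cn = re.search(r"CN=([^,]+)", leaf.get("Owner", ""))
    if not cn or cn.group(1).strip().lower() != fqdn.lower():
        problems.append("leaf CN does not match the Administrative UI FQDN %r" % fqdn)
    if leaf.get("Owner") == leaf.get("Issuer"):
        problems.append("leaf is still self-signed; the CA reply was not imported")
    elif root.get("Owner") != root.get("Issuer"):
        problems.append("chain does not end in a root CA; import the intermediate/root certificates too")
    if leaf.get("Signature algorithm name", "").upper().startswith("SHA1"):
        problems.append("leaf is signed with SHA-1, which current browsers reject")
    return problems
```

Run against the listing taken after step 7 (before the CA reply is imported), check_entry reports the entry as still self-signed, which is the quickest way to tell whether step 11 actually replaced the certificate.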

 

Additional Note (for r12.52 SP2)

From r12.52 SP2 onward, the embedded JBoss server used by the Administrative UI has been upgraded to JBoss 8 (WildFly), and the folder layout has changed significantly. Consider the following if you are performing the above changes for r12.52 SP2 or later:

The JBoss configuration folder has moved to $AdminUI_Install_Directory$\standalone\configuration.

You will find the keystore file keyStore.jks there.

The server.xml configuration for the alias name has moved to the standalone-full.xml file, which is in the $AdminUI_Install_Directory$\standalone\configuration folder.
