Clarity

Hi,

We've production application which has been setup with HTTPS and works fine. The url is https://clarity.corp.com/. Now we are in position to decommission the server holding this application and making another system as Production. We setup NSA in new server similarly to that of Production.We couldn't find any SSL set up for our production and so we didn't do the same for new server. Now when we try to use the new url https://denclarity.corp.com/. It shows the security risk and if we click proceed anyway, the clarity login page appears. This should be avoided

We've checked and compared the properties file and also Tomcat/Conf/server.xml file. Everything looks similar.

FYI, There are 3 application server which has been loadbalanced for both production and new server. Also all machines are Linux system. Version of Clarity is 12.1

Is it SSL issue? How could we check SSL has been enabled in any Clarity system apart from NSA?

If you could help us ASAP, that would be great

Thanks

Sreeram

,

Message was edited by: User 123:  It shows the security risk and if we click proceed anyway, the clarity login page appears. This should be avoided. How could we do it?

Hi Sreeram,

If you are building a complete new box then you need to install your SSL certificate on the app server to have the SSL working. Please try installing the SSL and that should help.

Regards

Suman Pramanik

Thanks Suman for your quick reply.

We are changing our existing Disaster recovery (DR) system as Production. So it was already existing system. We compared in Production, there was no SSL installed in NSA. Will it not be any other reason than SSL?

Could you please tell me how to install SSL in DR if in case I need it?

Thanks

Sreeram

Hi Sreeram,

To make it https you would need to have the certificates installed, there is a brief documentation on how to install certificate in the install guide. By any chance is the http link working?

Regards
Suman Pramanik

Actually HTTPS link works. Initially it shows Security risk and if we click Proceed anyway, the login page appears. We would like to avoid this. How could we do it?

ok, see if the below links helps

http://answers.microsoft.com/en-us/ie/forum/ie8-windows_other/how-to-stop-security-warning-when-visiting-https/7ac31414-804e-4e2f-8841-794ff3aeeb45

Thanks Suman.. But this will work only when we set in our system. How all users can avoid this?

This is all to do with your installed certificates (as has been mentioned several times).

But also because you have changed the URL from clarity to denclarity, the certifcate content probably needs to be different - originally your network "trusted" clarity ok but now your browser is seeing denclarity and not recognising (trusting) it.  (If you reconfigured your network so "clarity" pointed to your new server then this might also just work OK)

Thanks Dave. Is there any particular steps or link where it shows installation of certificates in Linux? Thanks for your help

Sreeram

You need to refer to the "Installation Guide" manual - the "System Administration" / "Manage Security" / "Enable Secure Sockets Layer (SSL) in Apache Tomcat" section.

Dave,

Do you want me to install SSL in new system?

Production NSA doesn't have any SSL fields filled, which means SSL has not been installed in Production. So Why I need to install SSL in new system?

Is there any other way that Production url has been added to trusted in network, so I can follow and add the new URL too?

Thanks

sreeram

Hi Sreeram,

Only quick way is to use the same name as Clarity in URL rather than DenClarity and deploy the existing certificate on the new Servers.

If you want to change to different name .... then new certificate should be generated . So you need to find out what sort of Certificate you are using e.g VeriSign etc.

Secondly you need to contact the Security team (may be different team name) to generate the new Certificate with new name. then deploy the new certificate on new servers.

-Gurjeet

Thanks Gurjeet. Does the certificate has to be installed on Java folder /usr/java/jdk1.6.0_20/jre/lib/security?

Thanks

Sreeram

Sreeram,

Its slightly complex Solution ..... first of all you need to find the old documentation .. how this has been implemented in the past ...

Basically companies Security or messaging team generate these Certificates .... and they will provide you keystore file which you need to replaced ... Clarity Home Directory \ config Folder...

Few more steps to find out the Name of Certificate already deployed.

Open browser and login to clarity :

On the browser there is symbol as Lock (pad lock Icon).

Click Icon and view the certificate.

You will see the Certificate as Name of Clarity ..... You need new certificate as denclarity .

You need to involve you security team to proceed further and read the guide suggested by Dave

-Gurjeet

Unfortunately  we don’t have documentation which goes with it.

Could I just go to new system where Clarity has been installed and run the command to get CSR? I found the site where we could provide our CSR file and validate in our company site and get my CER file and then add it to my new system. Will this work?

Thanks

Sreeram

I am not going to make any statement... we can just direct you towards right direction..... so best is to speak with you Security team regarding the certificates.

You should test these changes on the test system before going to Production .

Now question arises whether you want to stick with clarity URL or denClarity URL (or you want both these URL's working).... If you want to decommission old server why you are looking to change  the URL to different name.

I don't know how you have built the new servers ... Fresh Install or you just copied all the files from old server.

Gurjeet,

How to find which sort of certificate are we using, like Verisign or RSA for this command to work

keytool -certreq -keystore //config/.keystore -keyalg RSA -file CA Clarity PPM.csr

thanks

Sreeram

The list command would tell you which certificates are there and who are the CA's. See

https://communities.ca.com/docs/DOC-100672286

That might help you

I have found this tool to be invaluable when dealing with certificates in the J2EE world:

KeyStore Explorer - Home

V/r,

Gene

Thanks for sharing.

Thanks for all of your valuable replies. After much research we found that SSL certificate has been installed on Loadbalancer of those servers. So we did the similar setup and all worked.

Thanks

Sree