Symantec Access Management

  • 1.  Configure Admin UI (WAM UI) to use a SSL Cert (not self-signed)

    Posted Dec 23, 2014 02:03 PM

    It would be nice to log in to the SiteMinder Admin UI without a self-signed SSL error every single time. Is there a way to use a certificate generated by your certificate authority (CA)?



  • 2.  Re: Configure Admin UI (WAM UI) to use a SSL Cert (not self-signed)

    Posted Dec 24, 2014 06:29 PM

    Are you using the standard OOTB JBoss installation as your application server? You can deploy the adminui on any eligible app server; I personally like WebLogic. Then when you deploy, you configure your encryption and Java key stores on the WebLogic admin console. You can then hit the adminui with your preconfigured SSL listen port.



  • 3.  Re: Configure Admin UI (WAM UI) to use a SSL Cert (not self-signed)

    Posted Dec 29, 2014 09:33 AM

    I was hoping we could implement an SSL cert with our current configuration, which is OOTB JBoss.



  • 4.  Re: Configure Admin UI (WAM UI) to use a SSL Cert (not self-signed)
    Best Answer

    Broadcom Employee
    Posted Jan 05, 2015 05:11 AM

    Here are instructions for SM r12.5. It should be the same on r12.52. JBoss uses the Java key store, so we use the Java "keytool" utility to generate keys and cert requests and import certs.

    I'm assuming the company name is "MyCompany". Replace it, and other identifying information as appropriate.

     

     

    Go to D:\Program Files (x86)\CA\SiteMinder\adminui\server\default\conf and back up keyStore.jks

     

    Start a command prompt as administrator and go to D:\Program Files\Java\jdk1.6.0_45\bin

     

    Run the following command to delete the current keypair and certificate.

     

    keytool -delete -alias tomcat -keystore D:\PROGRA~2\CA\SiteMinder\adminui\server\default\conf\keyStore.jks -storepass changeit -v

     

    Then run the following command to create a new key pair and self-signed certificate (ensure that the CN matches the FQDN of the server). The self-signed certificate will be overwritten in a later step.

     

    keytool -genkeypair -alias JBoss_Key -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=server01.mycompany.com,OU=IT Security,O=MyCompany,L=Dublin,S=California,C=US" -keypass changeit -validity 7300 -keystore D:\PROGRA~2\CA\SiteMinder\adminui\server\default\conf\keyStore.jks -storepass changeit -v

     

    Then run the following command to create a PKCS#10 certificate request.

     

    keytool -certreq -alias JBoss_Key -sigalg SHA1withRSA -file D:\PROGRA~2\CA\SiteMinder\adminui\server\default\conf\server01_certreq.p10 -keystore D:\PROGRA~2\CA\SiteMinder\adminui\server\default\conf\keyStore.jks -storepass changeit -v

     

    Ask the PKI Administrator to certify the request. When you’ve received the certificate, run the following command to import it (this overwrites the previously created self-signed certificate with the certificate provided by the PKI administrator).

     

    keytool -importcert -alias JBoss_Key -file D:\PROGRA~2\CA\SiteMinder\adminui\server\default\conf\server01.cer -keystore D:\PROGRA~2\CA\SiteMinder\adminui\server\default\conf\keyStore.jks -storepass changeit -v

     

    Go to D:\Program Files (x86)\CA\SiteMinder\adminui\server\default\deploy\jbossweb.sar and edit server.xml

     

    Change

    keyAlias="tomcat"

    to

    keyAlias="jboss_key"      (all lower case)

     

    Restart the SiteMinder Administrative UI service
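
After the import step in the answer above, running `keytool -list -v -alias jboss_key` against keyStore.jks shows whether the CA reply really replaced the self-signed certificate. The following check is an added example, not part of the original thread or of SiteMinder: it reads such a listing and reports a leaf that is still self-signed, a CN that does not match the server FQDN, or a weak signature algorithm. The embedded listing is constructed, and the issuer name "MyCompany Issuing CA" and the function names are assumptions.

```python
import re

# Constructed sample of `keytool -list -v -alias jboss_key` output after the
# import step; the issuer name and dates are made up for illustration.
SAMPLE_CA_SIGNED = """\
Alias name: jboss_key
Creation date: Jan 5, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server01.mycompany.com, OU=IT Security, O=MyCompany, L=Dublin, ST=California, C=US
Issuer: CN=MyCompany Issuing CA, O=MyCompany, C=US
     Signature algorithm name: SHA1withRSA
Certificate[2]:
Owner: CN=MyCompany Issuing CA, O=MyCompany, C=US
Issuer: CN=MyCompany Issuing CA, O=MyCompany, C=US
     Signature algorithm name: SHA1withRSA
"""

def _field(name, text):
    """Return the value of the first 'name: value' line in text, or None."""
    m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(name), text, re.M)
    return m.group(1) if m else None

def check_entry(listing, expected_fqdn):
    """Return a list of problems found in one keystore entry's listing."""
    problems = []
    # Certificate[1] is the leaf, the certificate the browser is shown.
    leaf = listing.split("Certificate[2]:")[0]
    if _field("Entry type", listing) != "PrivateKeyEntry":
        problems.append("not a PrivateKeyEntry (reply imported under another alias?)")
    owner, issuer = _field("Owner", leaf), _field("Issuer", leaf)
    if owner is None or issuer is None:
        return problems + ["no certificate found in listing"]
    if owner == issuer:
        problems.append("leaf is still self-signed (Owner equals Issuer)")
    cn = re.search(r"(?:^|,\s*)CN=([^,]+)", owner)
    if not cn or cn.group(1).strip().lower() != expected_fqdn.lower():
        problems.append("CN does not match " + expected_fqdn)
    # Only the leaf matters here: this is the algorithm the CA signed it with.
    sig = _field("Signature algorithm name", leaf) or ""
    if sig.upper().startswith(("SHA1", "MD5", "MD2")):
        problems.append("weak signature algorithm: " + sig)
    return problems
```

The signature algorithm on the imported certificate is chosen by the CA; the -sigalg option of -certreq only signs the request itself.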



  • 5.  Re: Configure Admin UI (WAM UI) to use a SSL Cert (not self-signed)

    Posted Jan 05, 2015 11:29 AM

    Beautiful directions. Thank you so much!