
Copying Apache certificates into Wildfly in Virtual Appliance (Vapp) 

Sep 19, 2018 09:07 AM

To connect directly to the Wildfly servers over a secure connection, a valid certificate must be present in the Wildfly keystore. This procedure explains how to copy the certificates Apache uses into Wildfly (it is easy to adapt if you need to use some other certificate and private key).

Log into each of the Virtual Appliances as user config and follow these steps:

 

 

Back up the current Wildfly keystore

  cp /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv ./caim-srv.old

Back up the current Wildfly certificate

  cp /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv.cer ./caim-srv.cer.old

Find the keystore password and the current key password in the Wildfly configuration. I'll call it <password>

  cat /opt/CA/wildfly-idm/standalone/configuration/ca-standalone-full-ha.xml | grep keystore

Get the alias of the current key. I'll call it <alias>

  keytool -list -v -keystore /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv | grep "Alias name: "

  Enter <password> when prompted

Delete the current key

  keytool -delete -alias <alias> -keystore /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv

  Enter <password> when prompted

Create a PKCS12 file with the Apache certificate and private key. <hostname> is the new alias for the certificate; the hostname of the service to be exposed should do fine.

  openssl pkcs12 -export -in /opt/CA/VirtualAppliance/custom/apache-ssl-certificates/localhost.crt -inkey /opt/CA/VirtualAppliance/custom/apache-ssl-certificates/localhost.key -name <hostname> -out localhost.p12

  Set <password> as the export password

  Re-enter <password>

Import the PKCS12 contents into the Wildfly keystore. Using the same <password> for both keeps the imported key's password equal to the keystore password, so the two match.

  keytool -importkeystore -destkeystore /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv -srckeystore localhost.p12 -srcstoretype PKCS12

  Enter <password> (destination keystore)

  Enter <password> (PKCS12 file)

Copy the current Apache certificate into Wildfly

  cp /opt/CA/VirtualAppliance/custom/apache-ssl-certificates/localhost.crt /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv.cer

Restart IM

  restart_im
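A post-procedure check, added here as an example and not part of the original post or the CA appliance: it confirms the Wildfly keystore entry now carries the same certificate as Apache and that the key password equals the keystore password, without touching the real keystore. It assumes openssl and keytool on PATH, the vApp paths from the steps above, and (an assumption based on standard Wildfly security-realm syntax) that the standalone XML stores the password as keystore-password="...".

```shell
#!/bin/sh
# Post-procedure check, added as an example (not CA/Symantec code). Assumes openssl and keytool on
# PATH, the vApp paths from the steps above, and, as an assumption taken from standard Wildfly
# security-realm syntax, that the standalone XML holds the password as keystore-password="...".

WILDFLY_CONFIG=/opt/CA/wildfly-idm/standalone/configuration/ca-standalone-full-ha.xml
WILDFLY_KS=/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv
APACHE_CRT=/opt/CA/VirtualAppliance/custom/apache-ssl-certificates/localhost.crt

# Print the first keystore-password="..." value in the XML read from stdin (nothing if absent).
keystore_password_from_config() {
  sed -n 's/.*keystore-password="\([^"]*\)".*/\1/p' | head -n 1
}
# Reduce an openssl "... Fingerprint=AB:CD:..." line to bare upper-case hex for string comparison.
normalize_fp() {
  sed -n 's/.*[Ff]ingerprint=//p' | tr -d ':' | tr 'a-f' 'A-F'
}
# SHA-256 fingerprint of a PEM certificate file.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | normalize_fp
}
# SHA-256 fingerprint of the certificate stored in a keystore; args: keystore storepass alias.
keystore_fingerprint() {
  keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | normalize_fp
}

# Succeeds only if the private key under the alias opens with the store password (the two match).
# The entry is copied into a throwaway keystore, so the real keystore is never modified.
key_password_matches_store() {
  dir=$(mktemp -d) || return 1
  keytool -importkeystore -srckeystore "$1" -srcstorepass "$2" -srcalias "$3" -srckeypass "$2" \
    -destkeystore "$dir/copy.ks" -deststorepass "$2" -destkeypass "$2" -noprompt >/dev/null 2>&1
  rc=$?; rm -rf "$dir"; return "$rc"
}

# Compare the Wildfly keystore entry with the Apache certificate and check the password pairing.
verify_wildfly_cert() {
  pass=$(keystore_password_from_config < "$WILDFLY_CONFIG")
  ks_alias=$(keytool -list -keystore "$WILDFLY_KS" -storepass "$pass" 2>/dev/null \
    | sed -n 's/^\([^,]*\),.*PrivateKeyEntry.*/\1/p' | head -n 1)
  [ -n "$ks_alias" ] || { echo "no PrivateKeyEntry found in $WILDFLY_KS (wrong password?)"; return 1; }
  [ "$(pem_fingerprint "$APACHE_CRT")" = "$(keystore_fingerprint "$WILDFLY_KS" "$pass" "$ks_alias")" ] \
    || { echo "keystore entry $ks_alias does not match $APACHE_CRT"; return 1; }
  key_password_matches_store "$WILDFLY_KS" "$pass" "$ks_alias" \
    || { echo "key password differs from keystore password (see keytool -keypasswd)"; return 1; }
  echo "ok: alias $ks_alias matches the Apache certificate and its key password equals the keystore password"
}
# Only run the check on the appliance itself; elsewhere the functions are just defined.
if [ -r "$WILDFLY_KS" ] && [ -r "$WILDFLY_CONFIG" ]; then verify_wildfly_cert; fi
```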

Based on: https://comm.support.ca.com/kb/ca-identity-suite-virtual-appliance-replacing-self-signed-certs/kb000093224

Comments

Feb 15, 2019 11:08 AM

I used the above instructions for Identity Governance, and they worked well. A couple of items to note:

  • If you are using a third party or customer cert, when you create the .key and .crt files, make sure you use the default output form of PEM, not DER. Some commands out on the web on how to convert from .pem to .key or .crt use the openssl switch -outform with the DER option - DO NOT USE THIS! - the default is PEM, so you don't need to specify -outform at all.
  • Make sure you use the same password for your keystore and key. Wildfly will not start if they are not the same.

You can use the command below to change the key password to match the keystore password.

  keytool -keypasswd -new <keystorepassword> -keystore /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caig-srv -storepass <keystorepassword> -alias <alias> -keypass <currentkeypassword>

As an example, if the old key password was password (<currentkeypassword> in the example above), this will change it to <keystorepassword>, typically changeit, but it could be something else. If it succeeds, it means the password was changed, and they should now match.
