DX NetOps


 How to check the expiration date of a OneClick certificate

MARUBUN SUPPORT posted Jul 26, 2024 01:35 AM
Hi Team,
A customer had a question.
[Product]
OS:RHEL7.2
Spectrum 22.2.6 + CABI 7.9.2.1
 
[Question]
How can I check the expiration date of the SSL certificate that the OneClick server uses to communicate with the Java GUI?
The SDM certificate on the SS server is /usr/Spectrum/SDM/cert/SDMCA.pem, and its expiration date has been confirmed to be 2035.
Thanks,
Broadcom Employee Jose Vicente Espinosa  Best Answer

Hi,

The Java Console communicates with the OneClick server via HTTPS, using the SSL certificate configured in the $SPECROOT/tomcat/conf/server.xml file.

There are multiple ways to look at the expiration date:

1) Open a browser, navigate to the OneClick server web page and click on the certificate details in the browser

2) From a command line, execute the following command

echo | openssl s_client -connect <oc>:<https port> | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text

3) Go to the OneClick server, look up the keystoreFile configured in $SPECROOT/tomcat/conf/server.xml, and execute the following command

keytool -keystore <path to keystore file> -list -alias <alias> -v

Note: keystore file is usually a file called cacerts

Note: alias is usually tomcatssl

Regards 

MARUBUN SUPPORT
> 1) Open a browser, navigate to the OneClick server web page and click on the certificate details in the browser
 
When I access http://[OneClick Server IP]:8080/Spectrum in my browser (Google Chrome) and click to the left of the URL,
it says "Your connection to this site is not secure."
Am I correct in thinking that SSL is not being used?
 
 
> 2) From a command line, execute the following command
 
The following was found in /usr/Spectrum/tomcat/conf/server.xml:
keystoreFile=custom/keystore/cacerts
 
When I ran keytool, the following output was obtained.
 
$ /usr/Spectrum/Java/bin/keytool -keystore /usr/Spectrum/custom/keystore/cacerts -list -alias tomcatssl -v
Enter your keystore password:
keytool Error: java.lang.Exception: alias <tomcatssl> does not exist
java.lang.Exception:  alias <tomcatssl> does not exist
        at sun.security.tools.keytool.Main.doPrintEntry(Main.java:1895)
        at sun.security.tools.keytool.Main.doCommands(Main.java:1143)
        at sun.security.tools.keytool.Main.run(Main.java:378)
        at sun.security.tools.keytool.Main.main(Main.java:371)
 
Am I correct in understanding that SSL is not being used (i.e. the certificate expiration date does not need to be considered)?
 
Also, if the above does not protect communication between OneClick and JavaConsole, 
please tell me how to protect it using SSL (e.g. a link to a manual page).

Broadcom Employee Jose Vicente Espinosa

Hi,

You are right, it seems your OneClick is using HTTP.

Here is the link to the documentation for enabling HTTPS in OneClick:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/dx-netops/23-3/securing-dx-netops/securing-fault-monitoring/configure-oneclick-for-secure-sockets-layer.html

Let us know if you need further help.

Regards
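
The thread turns on whether any connector in server.xml actually has TLS enabled, and which keystore and alias to hand to keytool. The sketch below is an added example, not part of the original posts and not Broadcom tooling: it reads the Tomcat Connector entries and builds the keytool check from the answer above only for TLS connectors. The server.xml content is a constructed sample, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real Spectrum install: one plain-HTTP
# connector (as in the thread) and one TLS connector for comparison.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="custom/keystore/cacerts" keyAlias="tomcatssl"/>
  </Service>
</Server>"""


def list_connectors(server_xml_text):
    """Return one dict per <Connector>: port, whether TLS is on, keystore, alias."""
    root = ET.fromstring(server_xml_text)
    found = []
    for conn in root.iter("Connector"):
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        keystore = conn.get("keystoreFile")
        alias = conn.get("keyAlias")
        # Newer Tomcat releases move the keystore settings into a nested
        # <SSLHostConfig><Certificate .../> element.
        cert = conn.find("./SSLHostConfig/Certificate")
        if cert is not None:
            keystore = cert.get("certificateKeystoreFile", keystore)
            alias = cert.get("certificateKeyAlias", alias)
        found.append({"port": conn.get("port"), "tls": tls,
                      "keystore": keystore, "alias": alias})
    return found


def keytool_commands(connectors):
    """Build the keytool check from the thread for each TLS connector."""
    cmds = []
    for c in connectors:
        if not c["tls"]:
            continue  # plain HTTP: no certificate, so no expiry to check
        cmd = ["keytool", "-list", "-v", "-keystore", c["keystore"] or "<path to keystore file>"]
        if c["alias"]:
            cmd += ["-alias", c["alias"]]  # without keyAlias, list every entry
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    for cmd in keytool_commands(list_connectors(SAMPLE_SERVER_XML)):
        print(" ".join(cmd))
```

A Connector that sits inside an XML comment is not parsed, so a keystoreFile that appears only in a commented-out block produces no keytool command.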