SSL Certificates Configuration Guide
    • 06 Sep 2023
    • 3 Minutes to read
    • Dark
      Light
    • PDF

    SSL Certificates Configuration Guide

    • Dark
      Light
    • PDF

    Article summary

    Overview

    Nectar Foundation APM by default uses internally generated self-signed Secure Sockets Layer (SSL) certificates. This is for customers who require the use of SSL certificates generated by their secure internal certificate authority (CA), or SSL certificates signed by a public CA.

    This guide provides instructions on setting up the Nectar Foundation APM server to use externally created SSL certificates.

    Audience

    This guide is intended for system administrators or engineers who have system administration access and a familiarity with deploying the Nectar Foundation APM module.

    Supported Software Versions

    • Nectar v2021.1 and above

    Product Documentation

    For additional information, refer to the following document(s):

    Create a New Certificate

    Create Certificate Signing Request (CSR) for RIG

    Follow these steps to create a new certificate and private key stored in PKCS12 keystore:

    1. Use the keytool utility to create your new private key and certificate:
      keytool -genkey -alias [my_alias] -keyalg RSA -keysize 2048 -keystore [my_name.p12] -storetype PKCS12 -dname "cn=[hostname.example.com]"

      NOTE

      The [cip.example.com] is the FQDN of the CIP. The [ws1.example.com], [xxx.xxx.xxx.xxx], and the [ws2.example.com], [yyy.yyy.yyy.yyy] are FQDNs  and  IP addresses  of  hosts that CIP is based on.

    2. Enter and re-enter a keystore password.

    3. Press Enter to use the same password as the keystore password in Step 2.

    4. Use the keytool utility to create the CSR:
      keytool -certreq -alias [my_alias] -file [my_name.csr] -keystore [my_name.p12]

    5. Enter the keystore password created in Step 2.

    6. Submit the CSR to a CA for signing.

    Create CSR for CIP

    Follow these steps to create a new certificate and private key stored in PKCS12 keystore:

    1. Use the keytool utility to create your new private key and certificate:
      keytool -genkey -alias [my_alias] -keyalg RSA -keysize 2048 -keystore [my_name.p12] -storetype PKCS12 -dname "cn=[cip.example.com]" -ext "SAN=DNS:[cip.example.com],DNS:[ws1.example.com],DNS:[ws2.example.com], IP:[xxx.xxx.xxx.xxx],IP:[yyy.yyy.yyy.yyy]"

      NOTE

      The [cip.example.com] is the FQDN of the CIP. The [ws1.example.com], [xxx.xxx.xxx.xxx], and the [ws2.example.com], [yyy.yyy.yyy.yyy] are FQDNs  and  IP addresses  of  hosts that CIP is based on.

    2. Enter and re-enter a keystore password.

    3. Press Enter to use the same password as the keystore password in Step 2.

    4. Use the keytool utility to create a CSR:
      keytool -certreq -alias [my_alias] -keyalg RSA -file [my_name.csr] -keystore [my_name.p12] -ext "SAN=DNS:[cip.example.com],DNS:[ws1.example.com], DNS:[ws2.example.com],IP:[xxx.xxx.xxx.xxx],IP:[yyy.yyy.yyy.yyy]"

    5. Enter the keystore password.

    6. Submit the CSR to a CA for signing.

    Import Signed Certificate into Keystore File

    Follow these steps to import root, intermediate, and signed certificate into keystore:

    1. Import the root certificate or CA bundle (if required) using keytool command as follows:
      keytool -import -trustcacerts -alias root -file [my_root.crt] -keystore [my_name.p12]

    2. Import the intermediate certificate (if required) using keytool command as follows:
      keytool -import -trustcacerts -alias inter -file [my_inter.crt] -keystore [my_name.p12]

    3. Use keytool command to import the signed certificate as follows:
      keytool -import -alias [my_alias] -file [my_name.crt] -keystore [my_name.p12]

    Create Truststore File

    NOTE

    You may configure system-wide CA keystore on workstations that will be used to run RIG Client to include the root certificate as an alternative to the steps below. Reference this article for assistance: https://docs.oracle.com/cd/E19860-01/html/E37451/gskee.html

    1. Import the root certificate (if required) using keytool command as follows:
      keytool -import -trustcacerts -alias root -file [my_root.crt] -keystore [my_name.p12] -storetype PKCS12

    2. Enter and re-enter a truststore password.

    3. For the truststore to be accepted by the RIG Client, send the truststore along with password created in Step 2 to support@nectarcorp.com, and request to update the truststore password.

    4. To install the truststore to be used by the RIG Client, copy the truststore file named nectarclient.trust to user home directory of all users requiring access to the RIG Client.

    Convert SSL Certificate and Private Key into keystore

    1. Separate Privacy Enhanced Mail (PEM) files for private key, signed certificate, and trust chain:

      openssl pkcs12 -export -in [my_name.crt] -inkey [my_name.key] -out [hostname.p12] -name [my_alias] -CAfile [my_ca_bundle.crt] -caname root
    2. PEM bundle containing private key, signed certificate, and trust chain:

      ActionScriptActionScript

      openssl pkcs12 -export -in [my_name.pem] -out [hostname.p12] -name [my_alias]
    3. DER bundle to PEM bundle (convert to keystore using the command #2):

      ActionScriptActionScript

      openssl x509 -inform der -in certificate.cer -out certificate.pem
    4. P7B bundle to PEM bundle (convert to keystore using the command #2):

      ActionScriptActionScript

      openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

    If you have any issues, contact Nectar technical support at: support@nectarcorp.com

    Configure Server to Use Certificates

    Follow these steps to allow the use of the keystore and truststore created above.

    1. Update the etc/server.properties configuration file to include the following parameter values:

      1. keyStorePath - Enter the path to the keystore file.

      2. trustStorePath - Enter the path to the truststore file.

      3. keyStorePassword - Enter the password used to secure keystore.

      4. trustStorePassword - Enter the password used to secure truststore.

      5. sslCertAlias - Enter the alias of the SSL certificate to use.

    NOTE

    • It is not mandatory for truststore to be configured, except if the RIG will establish a home connection to the Enterprise Information Portal (EIP) using a private or public CA signed certificate.

    • Servers that have a private or public CA signed SSL certificates installed, can make the keystore and truststore path and password the same.

    NOTE

    Once the configuration parameters have been configured, it is necessary to restart the RIG service for them to take effect.

    1. To restart the RIG and apply the changes:

      1. Navigate to RIG > Admin > Restart.

      2. The Restart confirmation window appears.


      3. Click Yes.



    Was this article helpful?

    Changing your password will log you out immediately. Use the new password to log back in.
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    ESC

    Eddy AI, facilitating knowledge discovery through conversational intelligence