Login
      Contents x
      SSL Certificates Configuration Guide
      • 06 Sep 2023
      • 3 Minutes to read
      • Contributors
      • Print
      • Dark
        Light
      • PDF
      Contents

      SSL Certificates Configuration Guide

      • Updated on 06 Sep 2023
      • 3 Minutes to read
      • Contributors
      • Print
      • Dark
        Light
      • PDF
      Article Summary

      Overview

      Nectar Foundation APM by default uses internally generated self-signed Secure Sockets Layer (SSL) certificates. This is for customers who require the use of SSL certificates generated by their secure internal certificate authority (CA), or SSL certificates signed by a public CA.

      This guide provides instructions on setting up the Nectar Foundation APM server to use externally created SSL certificates.

      Audience

      This guide is intended for system administrators or engineers who have system administration access and a familiarity with deploying the Nectar Foundation APM module.

      Supported Software Versions

      • Nectar v2021.1 and above

      Product Documentation

      For additional information, refer to the following document(s):

      Create a New Certificate

      Create Certificate Signing Request (CSR) for RIG

      Follow these steps to create a new certificate and private key stored in PKCS12 keystore:

      1. Use the keytool utility to create your new private key and certificate:
        keytool -genkey -alias [my_alias] -keyalg RSA -keysize 2048 -keystore [my_name.p12] -storetype PKCS12 -dname "cn=[hostname.example.com]"

        NOTE

        The [cip.example.com] is the FQDN of the CIP. The [ws1.example.com], [xxx.xxx.xxx.xxx], and the [ws2.example.com], [yyy.yyy.yyy.yyy] are FQDNs  and  IP addresses  of  hosts that CIP is based on.

      2. Enter and re-enter a keystore password.

      3. Press Enter to use the same password as the keystore password in Step 2.

      4. Use the keytool utility to create the CSR:
        keytool -certreq -alias [my_alias] -file [my_name.csr] -keystore [my_name.p12]

      5. Enter the keystore password created in Step 2.

      6. Submit the CSR to a CA for signing.

      Create CSR for CIP

      Follow these steps to create a new certificate and private key stored in PKCS12 keystore:

      1. Use the keytool utility to create your new private key and certificate:
        keytool -genkey -alias [my_alias] -keyalg RSA -keysize 2048 -keystore [my_name.p12] -storetype PKCS12 -dname "cn=[cip.example.com]" -ext "SAN=DNS:[cip.example.com],DNS:[ws1.example.com],DNS:[ws2.example.com], IP:[xxx.xxx.xxx.xxx],IP:[yyy.yyy.yyy.yyy]"

        NOTE

        The [cip.example.com] is the FQDN of the CIP. The [ws1.example.com], [xxx.xxx.xxx.xxx], and the [ws2.example.com], [yyy.yyy.yyy.yyy] are FQDNs  and  IP addresses  of  hosts that CIP is based on.

      2. Enter and re-enter a keystore password.

      3. Press Enter to use the same password as the keystore password in Step 2.

      4. Use the keytool utility to create a CSR:
        keytool -certreq -alias [my_alias] -keyalg RSA -file [my_name.csr] -keystore [my_name.p12] -ext "SAN=DNS:[cip.example.com],DNS:[ws1.example.com], DNS:[ws2.example.com],IP:[xxx.xxx.xxx.xxx],IP:[yyy.yyy.yyy.yyy]"

      5. Enter the keystore password.

      6. Submit the CSR to a CA for signing.

      Import Signed Certificate into Keystore File

      Follow these steps to import root, intermediate, and signed certificate into keystore:

      1. Import the root certificate or CA bundle (if required) using keytool command as follows:
        keytool -import -trustcacerts -alias root -file [my_root.crt] -keystore [my_name.p12]

      2. Import the intermediate certificate (if required) using keytool command as follows:
        keytool -import -trustcacerts -alias inter -file [my_inter.crt] -keystore [my_name.p12]

      3. Use keytool command to import the signed certificate as follows:
        keytool -import -alias [my_alias] -file [my_name.crt] -keystore [my_name.p12]

      Create Truststore File

      NOTE

      You may configure system-wide CA keystore on workstations that will be used to run RIG Client to include the root certificate as an alternative to the steps below. Reference this article for assistance: https://docs.oracle.com/cd/E19860-01/html/E37451/gskee.html

      1. Import the root certificate (if required) using keytool command as follows:
        keytool -import -trustcacerts -alias root -file [my_root.crt] -keystore [my_name.p12] -storetype PKCS12

      2. Enter and re-enter a truststore password.

      3. For the truststore to be accepted by the RIG Client, send the truststore along with password created in Step 2 to support@nectarcorp.com, and request to update the truststore password.

      4. To install the truststore to be used by the RIG Client, copy the truststore file named nectarclient.trust to user home directory of all users requiring access to the RIG Client.

      Convert SSL Certificate and Private Key into keystore

      1. Separate Privacy Enhanced Mail (PEM) files for private key, signed certificate, and trust chain:

        openssl pkcs12 -export -in [my_name.crt] -inkey [my_name.key] -out [hostname.p12] -name [my_alias] -CAfile [my_ca_bundle.crt] -caname root

      2. PEM bundle containing private key, signed certificate, and trust chain:

        ActionScriptActionScript

        openssl pkcs12 -export -in [my_name.pem] -out [hostname.p12] -name [my_alias]

      3. DER bundle to PEM bundle (convert to keystore using the command #2):

        ActionScriptActionScript

        openssl x509 -inform der -in certificate.cer -out certificate.pem

      4. P7B bundle to PEM bundle (convert to keystore using the command #2):

        ActionScriptActionScript

        openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

      If you have any issues, contact Nectar technical support at: support@nectarcorp.com

      Configure Server to Use Certificates

      Follow these steps to allow the use of the keystore and truststore created above.

      1. Update the etc/server.properties configuration file to include the following parameter values:

        1. keyStorePath - Enter the path to the keystore file.

        2. trustStorePath - Enter the path to the truststore file.

        3. keyStorePassword - Enter the password used to secure keystore.

        4. trustStorePassword - Enter the password used to secure truststore.

        5. sslCertAlias - Enter the alias of the SSL certificate to use.

      NOTE

      • It is not mandatory for truststore to be configured, except if the RIG will establish a home connection to the Enterprise Information Portal (EIP) using a private or public CA signed certificate.

      • Servers that have a private or public CA signed SSL certificates installed, can make the keystore and truststore path and password the same.

      NOTE

      Once the configuration parameters have been configured, it is necessary to restart the RIG service for them to take effect.

      1. To restart the RIG and apply the changes:

        1. Navigate to RIG > Admin > Restart.

        2. The Restart confirmation window appears.


        3. Click Yes.


      Was this article helpful?
      What's Next
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout
      ESC

      Eddy, a super-smart generative AI, opening up ways to have tailored queries and responses