- 06 Sep 2023
SSL Certificates Configuration Guide
Overview
By default, Nectar Foundation APM uses internally generated self-signed Secure Sockets Layer (SSL) certificates. This guide is for customers who require SSL certificates issued by their own internal certificate authority (CA), or SSL certificates signed by a public CA.
This guide provides instructions on setting up the Nectar Foundation APM server to use externally created SSL certificates.
Audience
This guide is intended for system administrators or engineers who have system administration access and a familiarity with deploying the Nectar Foundation APM module.
Supported Software Versions
Nectar v2021.1 and above
Product Documentation
For additional information, refer to the following document(s):
Create a New Certificate
Create Certificate Signing Request (CSR) for RIG
Follow these steps to create a new certificate and private key stored in a PKCS12 keystore:
1. Use the keytool utility to create your new private key and certificate:
```
keytool -genkey -alias [my_alias] -keyalg RSA -keysize 2048 -keystore [my_name.p12] -storetype PKCS12 -dname "cn=[hostname.example.com]"
```
2. Enter and re-enter a keystore password.
3. Press Enter to use the same password as the keystore password in Step 2.
4. Use the keytool utility to create the CSR:
```
keytool -certreq -alias [my_alias] -file [my_name.csr] -keystore [my_name.p12]
```
Enter the keystore password created in Step 2.
5. Submit the CSR to a CA for signing.
Create CSR for CIP
Follow these steps to create a new certificate and private key stored in a PKCS12 keystore:
1. Use the keytool utility to create your new private key and certificate:
```
keytool -genkey -alias [my_alias] -keyalg RSA -keysize 2048 -keystore [my_name.p12] -storetype PKCS12 -dname "cn=[cip.example.com]" -ext "SAN=DNS:[cip.example.com],DNS:[ws1.example.com],DNS:[ws2.example.com],IP:[xxx.xxx.xxx.xxx],IP:[yyy.yyy.yyy.yyy]"
```
NOTE
[cip.example.com] is the FQDN of the CIP. [ws1.example.com], [xxx.xxx.xxx.xxx] and [ws2.example.com], [yyy.yyy.yyy.yyy] are the FQDNs and IP addresses of the hosts that the CIP is based on.
2. Enter and re-enter a keystore password.
3. Press Enter to use the same password as the keystore password in Step 2.
4. Use the keytool utility to create a CSR:
```
keytool -certreq -alias [my_alias] -keyalg RSA -file [my_name.csr] -keystore [my_name.p12] -ext "SAN=DNS:[cip.example.com],DNS:[ws1.example.com],DNS:[ws2.example.com],IP:[xxx.xxx.xxx.xxx],IP:[yyy.yyy.yyy.yyy]"
```
Enter the keystore password.
5. Submit the CSR to a CA for signing.
Import Signed Certificate into Keystore File
Follow these steps to import the root, intermediate, and signed certificates into the keystore:
1. Import the root certificate or CA bundle (if required) using the keytool command as follows:
```
keytool -import -trustcacerts -alias root -file [my_root.crt] -keystore [my_name.p12]
```
2. Import the intermediate certificate (if required) using the keytool command as follows:
```
keytool -import -trustcacerts -alias inter -file [my_inter.crt] -keystore [my_name.p12]
```
3. Use the keytool command to import the signed certificate as follows:
```
keytool -import -alias [my_alias] -file [my_name.crt] -keystore [my_name.p12]
```
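As an added example (not Nectar's own tooling) covering the CIP CSR steps above and the certificate import just shown: a POSIX shell helper that builds the keytool `-ext` SAN value from a list of hosts, tagging IPv4 literals as `IP:` rather than `DNS:`, plus a check that reads the certificate chain length keytool reports for the private-key alias after the import, so an incomplete chain is caught before the server is configured. All hostnames, addresses, file names and passwords are constructed.

```shell
#!/bin/sh
# Added example, not part of the Nectar guide. Helpers around the keytool
# steps: building the -ext SAN value and checking the imported chain.
# All hostnames, IP addresses, file names and passwords are constructed.

# build_san HOST_OR_IP ... -> prints the keytool -ext value, e.g.
#   SAN=DNS:cip.example.com,DNS:ws1.example.com,IP:10.0.0.11
# IPv4 literals get the IP: tag; anything else is treated as a DNS name.
# A client that connects by address only matches an IP: entry, so tagging
# an address as DNS: makes TLS hostname verification fail. No spaces are
# emitted around the commas: keytool reads the tag literally, and a stray
# space after a comma breaks parsing of the list.
build_san() {
    san=""
    for entry in "$@"; do
        case "$entry" in
            *[!0-9.]*)                   tag="DNS" ;;  # letters or hyphens
            [0-9]*.[0-9]*.[0-9]*.[0-9]*) tag="IP"  ;;  # dotted quad
            *)                           tag="DNS" ;;
        esac
        if [ -z "$san" ]; then
            san="${tag}:${entry}"
        else
            san="${san},${tag}:${entry}"
        fi
    done
    printf 'SAN=%s' "$san"
}

# chain_length KEYSTORE.p12 ALIAS STOREPASS -> prints the number of
# certificates keytool has associated with the private-key entry.
# After importing root, intermediate and signed cert, expect the full
# chain (3 with one intermediate). A value of 1 means only the leaf is
# present: the CA certificates were not in the keystore when the signed
# certificate was imported, and the server would send an incomplete chain.
chain_length() {
    keytool -list -v -keystore "$1" -storetype PKCS12 -alias "$2" \
        -storepass "$3" 2>/dev/null | sed -n 's/^Certificate chain length: *//p'
}

# Stand-alone demo: print the SAN value for a constructed CIP host set and,
# when keytool is installed and a keystore path is given, its chain length.
if [ "${1:-}" = "demo" ]; then
    build_san cip.example.com ws1.example.com ws2.example.com 10.0.0.11 10.0.0.12
    echo
    if [ -n "${2:-}" ] && command -v keytool >/dev/null 2>&1; then
        echo "chain length for $3: $(chain_length "$2" "$3" "${4:-changeit}")"
    fi
fi
```

Run as `sh san_check.sh demo my_name.p12 my_alias 'storepass'` to print both values; the chain-length check only runs where a JDK keytool is on the PATH.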
Create Truststore File
NOTE
As an alternative to the steps below, you may configure the system-wide CA keystore on the workstations that will run the RIG Client to include the root certificate. Reference this article for assistance: https://docs.oracle.com/cd/E19860-01/html/E37451/gskee.html
1. Import the root certificate (if required) using the keytool command as follows:
```
keytool -import -trustcacerts -alias root -file [my_root.crt] -keystore [my_name.p12] -storetype PKCS12
```
2. Enter and re-enter a truststore password.
3. For the truststore to be accepted by the RIG Client, send the truststore along with the password created in Step 2 to support@nectarcorp.com, and request that the truststore password be updated.
4. To install the truststore for use by the RIG Client, copy the truststore file named nectarclient.trust to the home directory of every user requiring access to the RIG Client.
Convert SSL Certificate and Private Key into Keystore
1. Separate Privacy Enhanced Mail (PEM) files for the private key, signed certificate, and trust chain:
```
openssl pkcs12 -export -in [my_name.crt] -inkey [my_name.key] -out [hostname.p12] -name [my_alias] -CAfile [my_ca_bundle.crt] -caname root
```
2. PEM bundle containing the private key, signed certificate, and trust chain:
```
openssl pkcs12 -export -in [my_name.pem] -out [hostname.p12] -name [my_alias]
```
3. DER bundle to PEM bundle (then convert to a keystore using command #2):
```
openssl x509 -inform der -in certificate.cer -out certificate.pem
```
4. P7B bundle to PEM bundle (then convert to a keystore using command #2):
```
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
```
If you have any issues, contact Nectar technical support at: support@nectarcorp.com
Configure Server to Use Certificates
Follow these steps to allow the use of the keystore and truststore created above.
Update the etc/server.properties configuration file to include the following parameter values:
- keyStorePath - the path to the keystore file.
- trustStorePath - the path to the truststore file.
- keyStorePassword - the password used to secure the keystore.
- trustStorePassword - the password used to secure the truststore.
- sslCertAlias - the alias of the SSL certificate to use.
NOTE
Configuring a truststore is not mandatory unless the RIG will establish a home connection to the Enterprise Information Portal (EIP) using a private or public CA-signed certificate.
Servers that have a private or public CA-signed SSL certificate installed can use the same path and password for the keystore and the truststore.
NOTE
Once the configuration parameters have been set, the RIG service must be restarted for them to take effect.
To restart the RIG and apply the changes:
1. Navigate to RIG > Admin > Restart. The Restart confirmation window appears.
2. Click Yes.