Enabling third-party Certification Authority certificates to work with Yellowfin

You can enable third-party certificates with Yellowfin. A certificate authority, or certification authority, (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified.

Note

This example uses Symantec to create certificates. Other vendors offer their certificates in similar fashion. 

In general, perform the following steps for supporting third-party CA certificates:

  1. Use JRE keytool to create a private key and certificate signing request (CSR) and send the CSR to the signing authority. The signing authority returns the signed certificate, along with the CA certificate. 
  2. Use the keystore during Yellowfin installation and configuration. 
  3. Configure BladeLogic Server Automation with the supporting CA certificates.

To create keystores, private and public keys, and certificates

This section creates a third-party certificate to use with Yellowfin.

Note

  • Back up your VM or your file system before you start. If you make a mistake, you can revert to a saved snapshot and try again.
  • Copy and paste the SSL commands into a text editor like Notepad, Notepad++, or TextPad, strip out the line breaks, and modify the syntax for your environment. 
  1. Unzip LiveReportingPostInstaller.zip (Windows) or LiveReportingPostInstaller.tar (Linux).
    For Linux:
    tar xvf LiveReportingPostInstaller.tar 
  2. From the command prompt, navigate to the directory where keytool is located, for example, C:\LiveReportingPostInstaller\windows_jre\jre1.8.0_71\bin.
  3. Create the keystore and the private key (keystore.jks).
    A keystore holds your private and public keys. When you create a Java keystore, you create the keystore.jks file, which at first contains only the private key. This example uses password as the password.

    keytool -genkey -alias yellowfin-server -keyalg RSA -keystore C:\Keys\keystore.jks -keysize 2048
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  vw-aus-clmidd09.bmc.com
    What is the name of your organizational unit?
      [Unknown]:  IDD
    What is the name of your organization?
      [Unknown]:  BMC Software
    What is the name of your City or Locality?
      [Unknown]:  San Jose
    What is the name of your State or Province?
      [Unknown]:  California
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=vw-aus-clmidd09.bmc.com, OU=IDD, O=BMC Software, L=San Jose, ST=California, C=US correct?
      [no]:  yes
    Enter key password for <yellowfin-server>
            (RETURN if same as keystore password):
    Re-enter new password:
  4. Create the certificate signing request (CSR).
    This example uses password as the password.

    keytool -certreq -alias yellowfin-server -file C:\Keys\yellowfin_server.csr -keystore C:\Keys\keystore.jks -sigalg SHA256withRSA
    Enter keystore password:
  5. Send the CSR file to a CA for signing using one of the following methods. The CA returns a signed SSL certificate, for example, ssl_cert.cer.
  6. (Optional) Download and import the Root CA certificate (for example, RootCA.cer) into the browser's Trusted Root Certification Authorities store.
    Trial versions of the Root CA certificate must be installed on each browser where you will test it. This step is not necessary with production certificates. For more information, see the Symantec documentation on using root certificates.   

  7. Download and import the Root CA certificate (for example, RootCA.cer) on the product host.
    Do not mismatch the Root and intermediate CA certificates –  select the appropriate Intermediate CA certificate for your SSL Certificate type.

    keytool -import -trustcacerts -alias root -keystore "C:\Keys\keystore.jks" -file "C:\Keys\RootCA.cer"
    Enter keystore password:
    Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 168164a428ca12dfab12f19fb1b93554
    Valid from: Tue Mar 31 19:00:00 CDT 2009 until: Sat Mar 31 18:59:59 CDT 2029
    Certificate fingerprints:
             MD5:  E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
             SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
             SHA256: 89:DD:5C:3D:FE:28:13:87:45:1F:A3:A0:F7:8C:1A:B6:77:DB:18:63:9E:71:72:AD:B2:52:91:CF:BE:F7:8D:19
             Signature algorithm name: SHA1withRSA
             Version: 3
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    PS C:\LiveReportingPostInstaller\windows_jre\jre1.8.0_102\bin> 
  8. Download and import the intermediate certificate (for example, intermediate.cer) on the product host.
    Do not mismatch the Root and intermediate CA certificates –  select the appropriate Intermediate CA certificate for your SSL Certificate type.

    keytool -import -trustcacerts -alias Intermediate -keystore C:\Keys\keystore.jks -file C:\Keys\intermediate.cer 
    Enter keystore password:
    Certificate was added to keystore
    PS C:\LiveReportingPostInstaller\windows_jre\jre1.8.0_102\bin>

    For more information, see the Symantec documentation on using intermediate certificates.

  9. Install the SSL certificate (for example, ssl_cert.cer) on the product host.
    The alias name in this command must be the same as the alias name used during the generation of the private key and CSR (in this example, yellowfin-server).

    keytool -import -trustcacerts -alias yellowfin-server -keystore "C:\Keys\keystore.jks"  -file "C:\Keys\ssl_cert.cer"

    For more information, see the Symantec documentation on installing certificates on Tomcat.  

  10. Verify the contents of the keystore: confirm that the SSL certificate was imported into the alias whose "Entry type" is PrivateKeyEntry or KeyEntry.
    For example:

    keytool -list -v -keystore "C:\Keys\keystore.jks" > C:\Keys\output_filename.txt
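
    The check in step 10 can be scripted. The following is an added example, not part of the original procedure or of the product: it parses the text written by keytool -list -v and reports whether the server alias still holds only the self-signed certificate, lacks the private key, or has no CA chain. The sample listing and the Example CA names are constructed for illustration.

```python
import re
# Constructed, abridged `keytool -list -v` output (not from a real keystore).
SAMPLE = """\
Alias name: yellowfin-server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=vw-aus-clmidd09.bmc.com, OU=IDD, O=BMC Software, C=US
Issuer: CN=vw-aus-clmidd09.bmc.com, OU=IDD, O=BMC Software, C=US
         Signature algorithm name: SHA256withRSA

Alias name: root
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
         Signature algorithm name: SHA1withRSA
"""

def parse_entries(listing):
    # Split on "Alias name:" and keep the fields that step 10 asks about.
    entries = {}
    for block in re.split(r"(?m)^Alias name:\s*", listing)[1:]:
        alias, _, body = block.partition("\n")
        def field(name):
            return [v.strip() for v in re.findall(rf"(?m)^\s*{name}:\s*(.+)$", body)]
        chain = field("Certificate chain length")
        entries[alias.strip().lower()] = {  # JKS aliases are case-insensitive
            "type": (field("Entry type") or [""])[0],
            "chain": int(chain[0]) if chain else 0,
            "owners": field("Owner"), "issuers": field("Issuer"),
            "sigalgs": field("Signature algorithm name"),
        }
    return entries

def check_server_entry(listing, alias):
    # Returns a list of problems; an empty list means the entry looks complete.
    e = parse_entries(listing).get(alias.lower())
    if e is None:
        return [f"alias {alias!r} not found"]
    problems = []
    if e["type"] not in ("PrivateKeyEntry", "KeyEntry"):
        problems.append(f"entry type is {e['type']}: no private key under this alias")
    elif e["owners"][:1] and e["owners"][:1] == e["issuers"][:1]:
        problems.append("certificate is still self-signed: CA reply not imported")
    elif e["chain"] < 2:
        problems.append("chain length below 2: CA certificates not chained")
    if e["sigalgs"] and e["sigalgs"][0].upper().startswith(("SHA1", "MD5")):
        problems.append(f"first certificate signed with {e['sigalgs'][0]}")
    return problems
```

    Pass the contents of the output file from step 10 as the listing and yellowfin-server as the alias; an empty result means the signed certificate and its chain sit on the private-key entry.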

Where to go from here

For complete end-to-end instructions on enabling HTTPS in Yellowfin with a third-party certificate, see:

Installing and configuring Yellowfin to enable Live reporting
