Obtaining and installing an Active Directory server private certificate on a client system

In order for the product to authenticate connections to the domain controllers, the TrueSight Middleware and Transaction Monitor (TMTM) administrator might need Active Directory server private certificates from a certificate authority (CA). The need for a CA certificate is based on configuration settings specified in the securityconfig tool and maintained in the services.cfg file. Administrators can import private certificates during installation or they can manually import them, which is the process described in this procedure.

TMTM can use two SSL security keystores; one for the TMTM Application Service in secure mode, the other when configuring Active Directory. These are different keystores and should not be confused.

Your company can use a pool of domain controllers or an enterprise domain controller.

  • If you use an enterprise domain controller, use the enterprise server CA certificate in this procedure. 
  • If you use a pool of domain controllers, use the server certificates from each domain controller in turn in this procedure. The domain controller that hosts Certificate Services in the Enterprise Root CA role might or might not be the same domain controller that TMTM is being configured to use for authentication.

Before you begin

  • Confirm that certificate services are installed on the domain controllers used to serve TMTM.
  • You must have obtained a valid server private certificate from your network administrator. 
    • If you requested a CA certificate from the cert server via a web browser at http://%hostname%/certsrv, confirm that the Enterprise Certificate Authority domain controller has the IIS virtual root installed.
    • Store the server certificate file in a secure location on the TMTM services computer.

To obtain the correct server CA certificate

The certutil.exe application checks to see if an IIS certsrv virtual root is installed on the domain controller that hosts the Enterprise Root CA. If one is not present, certutil creates it.

On the Domain Controller server that hosts the Enterprise Root Certificate Authority, open a command line and enter the following command: certutil -vroot

To install the server CA certificate

  1. Access the TMTM services directory, and enter the following command:

    jre\bin\keytool -import -alias certificate_alias -file certificate_file_name -keystore keystore_filename


    Where: 
    • certificate_alias is a unique name for this certificate for this keystore. This name is needed to identify the certificate when more than one certificate is used.
    • certificate_file_name is the name of the certificate file.
    • keystore_filename is the name of the keystore file. Include a path, if necessary.
  2. When prompted, provide a new or existing keystore password.
    This password is specified later in services.cfg.

    For details about the keytool command and its options, see the Sun Java documentation.

Was this page helpful? Yes No Submitting... Thank you

Comments