Installing a CA-signed certificate into the embedded web server
When you install TrueSight Capacity Optimization, an Apache web server is automatically installed, and a private key with a self-signed certificate is generated during installation. The Apache Web Server is a part of all Application Server installations.
To prevent certificate-related warnings while accessing TrueSight Capacity Optimization from a browser, install into the web server a certificate that is signed by a Certification Authority (CA) and trusted by the browser. The certificate can be signed by an enterprise CA or a third-party CA.
After you install the CA-signed certificate, trusted TLS communication is established between the browser and the web server.
- To request a CA-signed certificate, see Creating a request for a CA-signed certificate.
- To install the certificate into the web server, see To install the signed certificate.
- To validate a trusted connection with the web server, see To validate a trusted connection.
Before you begin
Ensure that you have the CA-signed certificates and the private key. These files must be saved to the server directory where all the certificate and key files are available.
If you receive the domain-specific certificate (for example, myserver.crt) and intermediate certificate chain (for example, intermediate.crt) from a CA, concatenate the intermediate.crt to myserver.crt. For example, use the following command on a Linux system for concatenating certificates:
cat intermediate.crt >> myserver.crt
For more information about concatenating certificates, see the SSLCertificateFile directive at the Apache website.
$BCO_HOME represents the TrueSight Capacity Optimization Installation Directory.
If you are updating a new certificate that is signed by a different intermediate and root certificate within the TrueSight Capacity Optimization web console, complete these steps:
- Import the updated intermediate and root certificate into cotruststore.ts.
- Copy the truststore to any of the machines that are configured to enable TLS server certificate validation.
For more information, see Securing communication between product components.
To install the signed certificate
- Log in to the host where the Application Server is installed.
- In the $BCO_HOME/secure directory, create the 'httpd/keys' and 'httpd/conf' subdirectories:
cd $BCO_HOME/secure
mkdir -p httpd/keys
mkdir -p httpd/conf
- Copy the new certificate and key files to this directory: $BCO_HOME/secure/httpd/keys
- To configure the TrueSight Capacity Optimization embedded Apache web server to read the certificates in the $BCO_HOME/secure/httpd/keys directory:
- Create the following directory: $BCO_HOME/secure/httpd/conf
- Create a file named custom_ssl.conf in the directory: $BCO_HOME/secure/httpd/conf
- In the custom_ssl.conf file, specify the location of the site-signed certificate file and key. For example:
SSLCertificateFile ../../secure/httpd/keys/certificate.cer
SSLCertificateKeyFile ../../secure/httpd/keys/certkey.key
where certificate.cer indicates the name of the certificate file and certkey.key indicates the name of the key file.
The file location path is relative to the Apache web server working directory, so '../../secure/httpd/keys' is the $BCO_HOME/secure/httpd/keys directory.
When you upgrade TrueSight Capacity Optimization, these customized settings are retained.
The extension of the certificate file can be .cer or .crt. Make sure that the file name specified for SSLCertificateFile uses the correct extension.
Run the following command to restart the Apache web server.
./cpit restart httpd
This change allows the Apache httpd server to read the custom_ssl.conf file, which contains the SSLCertificateFile and SSLCertificateKeyFile directives that point to your site-signed SSL certificate and key.
The new URL to connect to TrueSight Capacity Optimization will be https://<host_name>.<domain.com>:<port>/console.
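Before the restart, the files copied to $BCO_HOME/secure/httpd/keys can be checked for the mistakes this procedure makes easy: a bundle broken by the cat append, a key file readable by other accounts, or a key that does not belong to the certificate. The script below is an added example, not part of the BMC documentation or product; the script name precheck.sh and the assumption that the account running cpit owns the key file are illustrative, and the key/certificate comparison requires the openssl command.

```shell
#!/bin/sh
# Added example, not BMC tooling. File names are supplied by the caller.

# Print how many certificates a PEM bundle holds. Fails if a BEGIN/END marker
# shares its line with other text (the result of `cat a >> b` when b lacks a
# trailing newline), if markers are unpaired, or if no certificate is present.
check_pem_bundle() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /-----BEGIN CERTIFICATE-----/ {
            if ($0 != "-----BEGIN CERTIFICATE-----" || inside) { bad = 1; exit }
            inside = 1; next
        }
        /-----END CERTIFICATE-----/ {
            if ($0 != "-----END CERTIFICATE-----" || !inside) { bad = 1; exit }
            inside = 0; n++
        }
        END { if (bad || inside || n == 0) exit 1; print n }
    ' "$1"
}

# Succeed only if the key file grants no access to group or others.
# Assumption: the account that runs ./cpit owns the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if the first certificate in the bundle (the server certificate)
# carries the public key that belongs to the private key. Requires openssl.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Direct use (hypothetical script name): sh precheck.sh myserver.crt certkey.key
if [ "$#" -eq 2 ]; then
    if check_pem_bundle "$1" >/dev/null && key_is_private "$2" &&
       key_matches_cert "$1" "$2"; then
        echo "OK: bundle, key permissions and key/certificate pair look consistent"
    else
        echo "FAILED: fix the files before restarting httpd" >&2
        exit 1
    fi
fi
```

A bundle that fails the first check because of a missing newline can be rebuilt from the original myserver.crt and intermediate.crt files; a key that fails the permission check can be corrected with chmod 600.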
To validate a trusted connection
To verify that a trusted connection is established with the web server, complete the following steps:
- Close all browser windows.
- Open a new browser window, and type the URL to access the TrueSight Capacity Optimization console.
If the certificate is correctly applied, the secure symbol is displayed beside the https:// URL.
If the browser still shows a warning about an insecure connection, verify that the trusted root certificate from the CA is available in the certificate store or the keystore of your browser.