This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.

Click here to view the documentation for a supported version of Remedy Single Sign-On.

Importing a certificate into the keystore

After generating a new certificate and getting it signed by a Certificate Authority (CA), you must import the certificate into the keystore. The certificate must be in

  • Printable DER format (file extension .pem)
  • Binary DER format (file extensions .cer.crt, or .der)
  • PKCS#12 format.

Note

You can now import the complete chain of certificates and all the intermediate certificates from your CA by using the Certificates tab in the Server Configuration Editor.

You can also delete the self-signed certificate prior to importing the CA signed certificate.

To import the certificate

  1. On the BMC Atrium SSO Admin Console, click Edit Server Configuration. The Server Configuration Editor is displayed.
  2. On the Certificates tab, select KeyStore from the Certificate Store list.

  3. Click Import. The Upload Certificate dialog box is displayed. You can upload the certificate by using one of the following options:

    • PEM Encoded Certificate — Use this option to copy the certificate details.

    • HTTPS URL — Enter the host and port from which to capture a certificate.
    • DER/PEM/PKCS12 Encoded File — To import a key pair, upload the PEM-encoded PEM or DER files. To import a chain of certificates, upload the PKCS#12 file. When you select PKCS#12, an additional password field is provided, allowing you to enter the password for the keystore. This password is used for decrypting the private key of the signed certificate.



  4. Click Upload. After the file is uploaded, the Import Certificate Editor is displayed. This editor displays all the information about the imported certificate. If the certificate that you have imported is a chained certificate, the hierarchy of the certificate chain is displayed in the Import Certificate Editor.

  5. Enter the alias (tomcat) for each certificate or key pair that you are uploading to the KeyStore.

  6. Click OK to close the Import Certificate Editor. You are prompted to confirm whether you want to copy the same certificate in the TrustStore. Based on your confirmation, the certificate is created, and it appears in the list of TrustStore certificates as well.

    Recommendation

    You must choose to copy the certificate while creating a new key pair. You must also copy the same the certificate to the TrustStore on other nodes when BMC Atrium Single Sign-On is deployed in HA mode.

    To verify whether the certificate has been imported into the truststore, see Checking the truststore for certificates.

  7. Click Save to close the Server Configuration Editor.
  8. Stop and restart the BMC Atrium Single Sign-On server.

Was this page helpful? Yes No Submitting... Thank you

Comments

  1. Ivan Pirishanchin

    Should the Alias of the imported certificate be equal to 'tomcat' in keystore?

    Should the default self-signed certificate with alias 'tomcat' be removed when importing a new certificate signed by trusted CA? 

    Jul 29, 2015 08:53
    1. Kamalakannan Srinivasan

      Hi Ivan,

      Thank you for your comment. I will check with the concerned SME and get back to you.

      Regards,

      Kamal

      Jul 29, 2015 09:15
      1. Kamalakannan Srinivasan

        Hi Ivan,

        Thank you for your comment.

        The alias is the tomcat alias and the user can delete the self-signed certificate prior to importing the CA signed certificate.

        Regards,

        Kamal

        Jul 31, 2015 12:51
  2. Ivan Pirishanchin

    Ok,

    In HA cluster, when importing the signed certificate into keystore, I see the following in the catalina logs during re-start of services:

    Caused by: java.io.IOException: Alias name tomcat does not identify a key entry

    I think the procedure for generating CSR and importing the signed certificates must be revised for HA. So far I haven't succeeded in setting up the cluster to work correctly.

    Aug 03, 2015 03:41
  3. Ivan Pirishanchin

    Hi again,

    I have finally succeeded setting up the certificates on my SSO nodes in the HA cluster. The steps I followed were the below ones:

    1. Do not use the GUI to generate CSR. Instead, use the following command (I ran it from the primary node):
      keytool -v -certreq -alias tomcat -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -dname "CN=SSOLB.corp.org,OU=AtriumSSO Server,O=BMC Software,L=Austin,ST=Texas,C=US" -ext san=dns:ssolb.corp.org,dns:ssonode1.corp.org,dns:ssonode2.corp.org,dns:ssolb,dns:ssonode1,dns:ssonode2 -file CLI.csr
      The above will generate a CSR with SAN extension for the SSO loadbalancer, SSO node 1 and SSO node 2, using their FQDNs and short names.
    2. Send the generated CSR "CLI.csr" to your CA for signature. Ask the CA to use base64 encoding and also to send you the file in "*.cer" format (can be opened with notepad).
    3. Once you get the certificate back from the CA, e.g. "CLI.cer", you must open the file in notepad and add all intermediate certificates after the new signed certificate. I.e. you should have the other certificates in the chain in the same base64 format, so that you can copy and paste them in the new file. The order of certificates in the file should be "bottom-to-top", which means, you start with the tomcat certificate (you already have it), then the intermediate CAs (in my case there was one intermediate) and finally you should add the top domain-wide or company-wide CA certificate (also called "root"). Basically you must end with a file, that contains two or more sections begining with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----", one right after the other. Save the file as "CLI-all.cer"
    4. You use this file to import into both, keystore.p12 and cacerts.p12. Go to the primary node again, copy the file locally and import it into keystore.p12 with the following command:
      keytool -importcert -alias tomcat -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE -file CLI-all.cer -trustcacerts
      The tool will probably ask you if you would like to trust the CA certificates. Answer with "yes" and continue with a return on your keyboard.
    5. Import the certificate in cacerts.p12 with the following commands:
      keytool -delete -alias tomcat -keystore cacerts.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE
      This will remove the old certificate with alias "tomcat" from cacerts. Continue with the next command:
      keytool -importcert -alias tomcat -keystore cacerts.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE -file CLI-all.cer -trustcacerts
      Again, answer "yes" if the tool asks you if you would like to trust the CA certificates.
    6. Check the contents of keystore.p12 and cacerts.p12, and make sure that the "tomcat" entry is available in both of them:
      keytool -list -v -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE
      ...and...
      keytool -list -v -keystore cacerts.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE
      One very important thing you need to check is if the "tomcat" entry in the keystore.p12 is having the following attribute:
      Entry type: PrivateKeyEntry
      If you see this after the list command on keystore.p12, plus the certificates you imported from "CLI-all.cer" in the entry, then you are good to go.
    7. Copy the keystore.p12 and cacerts.p12, and paste them on the secondary node(s) you have in the cluster.
    8. Start the Primary node and wait until you see the "INFO: Server startup in xxxxx ms" event in the Catalina log file.
    9. Start the Secondary node(s) and wait for the same event as above in the Catalina log file.
    10. Test the certificate by accessing the Atrium SSO console. For me, these steps produced a successfull certificate configuration in my HA cluster.
    Aug 03, 2015 05:27
    1. Kamalakannan Srinivasan

      Hi Ivan,

      Thank you for your comment and procedures. I will discuss with the concerned SME and edit the topic.

      Regards,

      Kamal

      Aug 03, 2015 05:35
      1. Ivan Pirishanchin

        Hi,

        If you allow, I would suggest to raise the following two things to the SMEs:

        1. The CSR generation tool in the GUI currently does not include the SAN extension in the request. This is a MUST HAVE and at the moment the GUI cannot be used for HA mode CSRs.
        2. The import funcion in the GUI for the keystore should be able to "add" the imported certificates to the current "tomcat" entry. At the moment the only option is "replace" and this is not good because it deletes the current "tomcat" entry and the Private Key with it. You end up with certificates and without a private key, which does not allow the Tomcat SSL connector to start. 

        Kind Regards,

        Ivan

        Aug 03, 2015 05:41
        1. Kamalakannan Srinivasan

          Hi Ivan,

          Ok.

          Regards,

          Kamal

          Aug 03, 2015 05:45