Enabling third-party Certification Authority certificates to work with Yellowfin
You can enable third-party certificates with Yellowfin. A certificate authority, also called a certification authority (CA), is an entity that issues digital certificates. A digital certificate certifies that the named subject owns a particular public key, so that relying parties can trust signatures or assertions made with the private key that corresponds to the certified public key.
Note
In general, perform the following steps for supporting third-party CA certificates:
- Use the JRE keytool to create a private key and a certificate signing request (CSR), and send the CSR to the signing authority. The signing authority returns the signed certificate along with the CA certificate.
- Use the keystore during Yellowfin installation and configuration.
- Configure TrueSight Server Automation with the supporting CA certificates.
To create keystores, private and public keys, and certificates
This section creates a third-party certificate to use with Yellowfin.
Note
- Back up your VM or your file system before you start. If you make a mistake, you can revert to a saved snapshot and try again.
- Copy and paste the SSL commands into a text editor like Notepad, Notepad++, or TextPad, strip out the line breaks, and modify the syntax for your environment.
- Unzip LiveReportingPostInstaller.zip (Windows) or extract LiveReportingPostInstaller.tar (Linux). For Linux:
tar xvf LiveReportingPostInstaller.tar
- From the command prompt, navigate to the directory where keytool is located, for example, C:\LiveReportingPostInstaller\windows_jre\jre1.8.0_71\bin.
- Create the keystore and the private key (keystore.jks).
A keystore holds your private and public keys. When you create a Java keystore, you create the keystore.jks file, which at first contains only the private key. This example uses password as the password.
keytool -genkey -alias yellowfin-server -keyalg RSA -keystore C:\Keys\keystore.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  vw-aus-clmidd09.bmc.com
What is the name of your organizational unit?
  [Unknown]:  IDD
What is the name of your organization?
  [Unknown]:  BMC Software
What is the name of your City or Locality?
  [Unknown]:  San Jose
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=vw-aus-clmidd09.bmc.com, OU=BMC Software, O=IDD, L=San Jose, ST=California, C=US correct?
  [no]:  yes
Enter key password for <clmui>
        (RETURN if same as keystore password):
Re-enter new password:
- Create the certificate signing request (CSR).
This example uses password as the password.
keytool -certreq -alias yellowfin-server -ext SAN=DNS:appserver1.example.com,DNS:appserver2.example.com,DNS:appserver3.example.com -file C:\Keys\yellowfin_server.csr -keystore C:\Keys\keystore.jks -sigalg SHA1withRSA
where
SAN= contains, at minimum, the host name used in the CN, plus all the Application Server names and any VIP name. The SAN list is a single argument: do not put spaces after the commas, or the command line splits it. The -sigalg value signs only the request itself; the CA chooses the signature algorithm of the certificate it issues, and many CAs reject requests signed with SHA-1, so use SHA256withRSA if yours does.
- Send the CSR file to a CA for signing using one of the following methods. The CA returns a signed SSL certificate, for example, ssl_cert.cer.
- Have the CSR signed by a commercial CA such as Symantec. This process usually requires you to post the CSR into a web form, pay for the signing, and await the signed SSL certificate. For more information about commercial CAs, see:
- Symantec: http://digitalid.verisign.com/server
- CertiSign Certificadora Digital Ltd: http://www.certisign.com.br
- Uptime Commerce Ltd: http://www.uptimecommerce.com
- BelSign NV/SA: http://www.belsign.be
- Use your own CA and get the CSR signed by this CA.
- (Optional) Download and import the Root CA certificate (for example, RootCA.cer) into the browser's Trusted Root Certification Authorities store.
Trial versions of the Root CA certificate must be installed in each browser where you will test it. This step is not necessary with production certificates. For more information, see the Symantec documentation on using root certificates.
- Download and import the Root CA certificate (for example, RootCA.cer) on the product host.
Do not mismatch the Root and intermediate CA certificates: select the appropriate Intermediate CA certificate for your SSL Certificate type.
keytool -import -trustcacerts -alias root -keystore "C:\Keys\keystore.jks" -file "C:\Keys\RootCA.cer"
Enter keystore password:
Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 168164a428ca12dfab12f19fb1b93554
Valid from: Tue Mar 31 19:00:00 CDT 2009 until: Sat Mar 31 18:59:59 CDT 2029
Certificate fingerprints:
         MD5:  E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
         SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
         SHA256: 89:DD:5C:3D:FE:28:13:87:45:1F:A3:A0:F7:8C:1A:B6:77:DB:18:63:9E:71:72:AD:B2:52:91:CF:BE:F7:8D:19
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
- Download and import the intermediate certificate (for example, intermediate.cer) on the product host.
Do not mismatch the Root and intermediate CA certificates: select the appropriate Intermediate CA certificate for your SSL Certificate type.
keytool -import -trustcacerts -alias Intermediate -keystore C:\Keys\keystore.jks -file C:\Keys\intermediate.cer
Enter keystore password:
Certificate was added to keystore
For more information, see the Symantec documentation on using intermediate certificates.
- Install the SSL certificate (for example, ssl_cert.cer) on the product host.
The alias name in this command must be the same as the alias name used when generating the private key and the CSR (yellowfin-server in this example); otherwise keytool stores the signed certificate as a separate trusted entry instead of attaching it to your private key.
keytool -import -trustcacerts -alias yellowfin-server -keystore "C:\Keys\keystore.jks" -file "C:\Keys\ssl_cert.cer"
For more information, see the Symantec documentation on installing certificates on Tomcat.
- Verify the contents of the keystore: the SSL certificate must be imported into the alias whose Entry type is PrivateKeyEntry or KeyEntry.
For example:
keytool -list -v -keystore "C:\Keys\keystore.jks" > C:\Keys\output_filename.txt
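A check of the listing produced by the last step, as an added example that is not part of the BMC or Yellowfin documentation. It assumes you saved the keytool -list -v output to a file and reads it as text; the sample listing embedded in it is constructed, and the alias and host names are the ones used in the commands above.

```python
# Added example, not from the BMC/Yellowfin documentation: parse the keytool
# -list -v listing from the last step; SAMPLE is constructed, abbreviated output.
import re

SAMPLE = """\
Alias name: yellowfin-server
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=vw-aus-clmidd09.bmc.com, OU=IDD, O=BMC Software, C=US
SubjectAlternativeName [
  DNSName: vw-aus-clmidd09.bmc.com
  DNSName: appserver1.example.com
]
Certificate[2]:

Alias name: root
Entry type: trustedCertEntry
"""

def parse_listing(listing):
    """Map each alias in the listing to the text of its entry."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias, _, body = block.partition("\n")
        entries[alias.strip()] = body
    return entries

def leaf_dns_names(block):
    """DNS names in the SAN of Certificate[1], the server certificate itself."""
    leaf = block.split("Certificate[2]:", 1)[0]
    return set(re.findall(r"DNSName:\s*(\S+)", leaf))

def check_server_entry(listing, alias, hosts):
    """Return the problems found for alias; an empty list means it looks right."""
    block = parse_listing(listing).get(alias)
    if block is None:
        return [f"alias {alias!r} not found in keystore"]
    problems = []
    m = re.search(r"Entry type:\s*(\S+)", block)
    entry_type = m.group(1) if m else "unknown"
    if entry_type not in ("PrivateKeyEntry", "KeyEntry"):
        problems.append(f"{alias}: entry type {entry_type}, expected PrivateKeyEntry")
    m = re.search(r"Certificate chain length:\s*(\d+)", block)
    chain_len = int(m.group(1)) if m else 0
    if chain_len < 2:  # leaf only: the CA certificates were not imported first
        problems.append(f"{alias}: chain length {chain_len}, CA chain missing")
    missing = sorted(set(hosts) - leaf_dns_names(block))
    if missing:
        problems.append(f"{alias}: SAN lacks " + ", ".join(missing))
    return problems
```

To run it against your own keystore, pass the contents of C:\Keys\output_filename.txt to check_server_entry together with your alias and the host names you expect in the SAN.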
Where to go from here
For complete end-to-end instructions on enabling HTTPS in Yellowfin with a third-party certificate, see:
Installing and configuring Yellowfin to enable Live reporting