Importing component custom certificates in TrueSight Smart Reporting - Platform
If the component uses custom certificates, as a component administrator, you must import them in TrueSight Smart Reporting - Platform.
Do the following:
- Stop the TrueSight Smart Reporting - Platform service.
- Obtain the custom certificate from the component.
- Take a backup of the tsr.keystore file outside the TrueSight Smart Reporting - Platform installation directory.
- Import it in a keystore file by using the following command:
  keytool -importcert -file <certificate file> -keystore tsr.keystore -alias "newtsrkey"
  where "newtsrkey" is the new alias that you create.
  Note: Import all certificates according to their hierarchy
  Ensure that you import all certificates in the order of their hierarchy. Import the parent first, followed by subsequent children.
- Start the TrueSight Smart Reporting - Platform service.
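An added example (not BMC's code) that works out the parent-first import order from the Owner and Issuer lines of keytool -printcert output and builds the matching keytool -importcert commands. The sample text and file names are constructed, the numbered alias suffix is an assumption, and matching issuer to owner by DN string is a simplification that does not verify signatures.

```python
import re
import subprocess

def printcert(path):
    """Return `keytool -printcert` text for one certificate file (needs a JDK on PATH)."""
    return subprocess.run(["keytool", "-printcert", "-file", path],
                          check=True, capture_output=True, text=True).stdout

def owner_issuer(text):
    """Extract the Owner and Issuer DNs from keytool -printcert output."""
    owner = re.search(r"^Owner: (.+)$", text, re.M)
    issuer = re.search(r"^Issuer: (.+)$", text, re.M)
    if not (owner and issuer):
        raise ValueError("no Owner/Issuer lines found")
    return owner.group(1).strip(), issuer.group(1).strip()

def import_order(certs):
    """certs maps file name -> printcert text; returns file names parent first."""
    info = {name: owner_issuer(text) for name, text in certs.items()}
    by_owner = {owner: name for name, (owner, _) in info.items()}
    order = []
    def visit(name, seen=()):
        if name in order:
            return
        if name in seen:
            raise ValueError("issuer loop at " + name)
        _, issuer = info[name]
        parent = by_owner.get(issuer)
        # A self-signed root, or a certificate whose issuer is not in the set, has no parent to wait for.
        if parent is not None and parent != name:
            visit(parent, seen + (name,))
        order.append(name)
    for name in sorted(info):
        visit(name)
    return order

def keytool_commands(order, keystore="tsr.keystore", alias_prefix="newtsrkey"):
    """Build one -importcert command per certificate; each entry needs its own alias (suffix assumed)."""
    return [["keytool", "-importcert", "-file", name, "-keystore", keystore,
             "-alias", f"{alias_prefix}{i}"] for i, name in enumerate(order, 1)]

# Constructed sample output (not real certificates): component <- issuing CA <- root CA.
SAMPLE = {
    "component.cer": "Owner: CN=component.example.test\nIssuer: CN=Example Issuing CA\n",
    "issuing.cer": "Owner: CN=Example Issuing CA\nIssuer: CN=Example Root CA\n",
    "root.cer": "Owner: CN=Example Root CA\nIssuer: CN=Example Root CA\n",
}

if __name__ == "__main__":
    for cmd in keytool_commands(import_order(SAMPLE)):
        print(" ".join(cmd))
```

To use it on real files, build the input with `{path: printcert(path) for path in paths}` and run the printed commands against a backed-up tsr.keystore.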
Comments
Following are the steps to export certificate from TrueSight Smart Reporting server in x509 format and import it into TSSA-DW host:
Step#1 - Export the certificate from TSSR host.
[root@TSSA-DW-HOST bin]# ./keytool -export -alias smartreporting -file /TrueSightSmartReporting/appserver/conf/tsr.cert -keystore /TrueSightSmartReporting/appserver/conf/tsr.keystore -keypass Pa$$w0rd
Enter keystore password: changeit
Certificate stored in file <TSSR-INSTALL-DIR/TrueSightSmartReporting/appserver/conf/tsr.cert>
Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore //TrueSightSmartReporting/appserver/conf/tsr.keystore -destkeystore /TrueSightSmartReporting/appserver/conf/tsr.keystore -deststoretype pkcs12".
Step#2 - Copy the certificate into TSSA-DW host.
Step#3 - Import the certificate into TSSA-DW java ca-certs:
[root@TSSA-DW bin]# ./keytool -import -v -trustcacerts -alias tsr -file </LOCAL/PATH/TO/EXPORTED/CERTIFICATE/tsr.cert -keystore /jre/lib/security/cacerts -keypass Pa$$w0rd -storepass changeit
Owner: CN=clm-host.bmc.com, OU=OrganizationUnit, O=Organization, L=Locality, ST=State, C=Country
Issuer: CN=clm-host.bmc.com, OU=OrganizationUnit, O=Organization, L=Locality, ST=State, C=Country
Serial number: 1827bea1
Valid from: Thu Nov 12 07:46:23 CST 2020 until: Sun Nov 12 07:46:23 CST 2023
Certificate fingerprints:
  MD5: 78:A2:89:6F:27:A0:3C:EF:D7:1F:FE:93:93:9A:CB:A6
  SHA1: 23:83:E0:63:DD:64:C3:51:98:1E:8F:0F:31:DD:54:72:79:AB:72:DE
  SHA256: 50:B3:58:1D:0B:1B:1B:2C:FD:6E:40:FE:7C:E5:E9:57:9A:E3:D1:D0:AC:C7:DF:54:16:CB:1E:29:DD:28:00:7B
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing /jre/lib/security/cacerts]
Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /jre/lib/security/cacerts -destkeystore /jre/lib/security/cacerts -deststoretype pkcs12".
Thanks, Isaac. Moving this comment to the internal space.
I don't know if the comment ever was made "private" because I can still see it.
Also, it's worth noting that because the cacerts file "can be overwritten" during an upgrade, it's safer to use a custom trust store file that is outside the installation path. We use a custom trust store and it is referenced in the server.xml file using these Tomcat directives: truststoreFile, truststorePass
The same process applies when importing certificates from component servers (TSSR-SA Data Warehouse and TSSR-NA Data Warehouse) to the TSSR-P server.
There should be links to this page from here: https://docs.bmc.com/docs/tssr2002/implementing-private-certificates-in-truesight-smart-reporting-platform-905422520.html# as well as from that page to this page.