Generating and importing an SSL certificate for a remote device agent
Secure Sockets Layer (SSL) keeps sensitive information encrypted while it is sent across the Internet. A proper SSL certificate also provides authentication, which ensures that you are sending information to the right server and not to an unintended server. Customers' information most often passes through several computers on its way to the server. By using a proper Public Key Infrastructure (PKI) and getting an SSL certificate from a trusted SSL provider, you can prevent intermediate computers from pretending to be your website and tricking your users into sending them personal information.
Starting with version 8.7.00, BMC Network Automation uses the SHA256WithRSA signature algorithm to generate a self-signed certificate. By default, the size (in bits) for the certificate key is set to 4096. However, you can also generate and import a third-party SSL certificate with a different algorithm or a different key size (greater than or equal to 2048 bits) by modifying the AGENT_CERTIFICATE_ALGORITHM and AGENT_KEY_NUM_BITS parameters in the setenv file.
This topic describes how to generate and import a third-party or self-signed SSL certificate for a remote device agent and how to set various parameters in the setenv file if you want to use parameter values other than the defaults.
- List of editable parameters in the setenv file
- Before you begin
- To generate and import a third-party SSL certificate for a remote device agent that is hosted on Windows
List of editable parameters in the setenv file
In addition to AGENT_CERTIFICATE_ALGORITHM and AGENT_KEY_NUM_BITS, you can modify the following parameters in the setenv file for the SSL certificate that you want to import for a remote device agent:
- AGENT_CERTIFIER_COMMON_NAME
- AGENT_CERTIFIER_ORG_UNIT
- AGENT_CERTIFIER_ORG_NAME
- AGENT_CERTIFIER_LOCALITY
- AGENT_CERTIFIER_STATE
- AGENT_CERTIFIER_COUNTRY
- AGENT_KEY_ALGORITHM
- AGENT_KEY_NUM_BITS
- AGENT_KEY_VALIDITY_DAYS
Before you begin
To enable the authentication process between the application server and device agents, you need to set the value of the skipAgentAuthenticationByEna parameter to false in the global.properties file. The default value is true.
To generate and import a third-party SSL certificate for a remote device agent that is hosted on Windows
- Stop the BCA-Networks Web Server service on the application server and BCA-Networks Agent service on the remote device agent.
- (Optional) If you want to generate an SSL certificate with the parameter values (other than the keystore password) different than the default values in the setenv file, perform the following steps:
- Navigate to the BCAN_HOME\tools directory and open the setenv file with a text editor.
- Modify various parameters in the file.
- Save the file.
- (This step is required only if you have performed step 2 to change parameter values or if you want to change the keystore password) From the BCAN_HOME\tools directory, run the following command to generate a new self-signed certificate with the required password:
create_keystore.bat <password>
The following sample messages are displayed:
Removing old C:\Program Files\BMC Software\BCA-Networks-Agent\.keystore file ...
Generating certified key-pair and storing in
C:\Program Files\BMC Software\BCA-Networks-Agent\.keystore ...
Success
- Navigate to the BCAN_HOME\java\bin directory and run the following command to view the keystore with the default self-signed certificate:
keytool.exe -list -v -keystore "C:\Program Files\BMC Software\BCA-Networks-Agent\.keystore"
The following sample messages are displayed:
Enter keystore password: Adm1npaswd
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: agent
Creation date: Jan 20, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
Issuer: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
Serial number: 20b6fde4
Valid from: Tue Jan 20 11:24:55 CST 2015 until: Thu Dec 27 11:24:55
CST 2114
Certificate fingerprints:
MD5: 22:55:8B:62:A0:85:6F:B0:82:A2:28:D5:FE:55:90:8A
SHA1: 24:17:3B:EB:5D:FF:B4:78:5E:3A:C5:A9:28:C0:0E:64:FB:0B
:6A:4A
SHA256: F4:5B:E5:0E:74:EB:4B:B1:B2:D2:FA:22:33:CE:D3:5B:6C
:24:03:4B:EF:6D:5A:4E:DC:96:92:A0:1E:2B:0C:9C
Signature algorithm name: SHA1withRSA
Version: 3
Notice that there is only one alias, agent, which has the entry type of PrivateKeyEntry.
1. (((
Run the following command to generate a certificate signing request (CSR) file, for example, **BNA.csr**, by using the self-signed certificate:
\\{{code language="none"}}keytool.exe -certreq -keystore "C:\Program Files\BMC Software\BCA-Networks-Agent\.keystore" -alias agent -file "C:\Program Files\BMC Software\BCA-Networks-Agent\BNA.csr"{{/code}}
\\The following sample message is displayed:
{{code}}
Enter keystore password: Adm1npaswd
{{/code}}
)))
1. Submit the **BNA.csr** file to the certification authority (CA) and get the remote device agent certificate.
1. Obtain the root certificate, and optionally intermediate certificates from the CA if required.
1. Copy the remote device agent, root, and intermediate certificates to the **BCAN_HOME** directory.
1. Import the root CA certificate into the remote device agent, as follows:
11. Run the following command:
{{code language="none"}}keytool.exe -importcert -keystore "C:\Program Files\BMC Software\BCA-Networks-Agent\.keystore" -alias root -file "C:\Program Files\BMC Software\BCA-Networks-Agent\CA-root.cer"{{/code}}
11. When prompted for the password, enter the default password (//1emprisa//), or if you have changed the password in [[step 3>>doc:||anchor="GeneratingandimportinganSSLcertificateforaremotedeviceagent-step3"]], enter the changed password.
1. (((
Copy and import the root CA certificate into the application server, if not done already, as follows:
1. Copy the root CA certificate to the **BCAN_DATA** directory.
1. Run the following command: {{code language="none"}}keytool.exe -importcert -keystore "C:\Program Files\BMC Software\BCA-Networks\java\lib\security\cacerts" -alias root -file C:\BCA-Networks-Data\CA-root.cer{{/code}}
1. When prompted for the password, enter //changeit//.
The following sample messages are displayed, when you run the commands in step 9 and 10:
{{code}}
Enter keystore password: <password>
Owner: CN=ca-host-name
Issuer: CN=ca-host-name
Serial number: 2f245324d2723a964f3c1bafcada2bd4
Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
CST 2020
Certificate fingerprints:
MD5: 34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08
:15:63:0D
SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86
:22:ED:DD:
5A:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
Signature algorithm name: SHA256withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
{{/code}}
)))
1. //(Optional)// Run the following command to import intermediate CA certificates into the remote device agent:
\\{{code language="none"}}keytool.exe -importcert -keystore "C:\Program Files\BMC Software\BCA-Networks-Agent\.keystore" -alias intermediate -file "C:\Program Files\BMC Software\BCA-Networks-Agent\CA-intermediate.cer"{{/code}}
1. (((
Run the following command to import the remote device agent certificate:
{{code language="none"}}keytool.exe -importcert -keystore "C:\Program Files\BMC Software\BCA-Networks-Agent\.keystore" -alias agent -file "C:\Program Files\BMC Software\BCA-Networks-Agent\BNA-Certificate.cer"{{/code}}
The following messages are displayed:
{{code}}
Enter keystore password: Adm1npaswd
Certificate reply was installed in keystore
{{/code}}
)))
1. (((
Run the following command to view the root and remote device agent certificates in the keystore:
\\{{code language="none"}}keytool.exe -list -v -keystore "C:\Program Files\BMC Software\BCA-Networks-Agent\.keystore"{{/code}}
\\The following sample messages are displayed:
{{code}}
Enter keystore password: Adm1npaswd
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: root
Creation date: Jan 20, 2015
Entry type: trustedCertEntry
Owner: CN=ca-host-name
Issuer: CN=ca-host-name
Serial number: 2f245324d2723a964f3c1bafcada2bd4
Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
CST 2020
Certificate fingerprints:
MD5: 34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08:15
:63:0D
SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22:ED
:DD:5A
:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
Signature algorithm name: SHA256withRSA
Version: 3
*******************************************
*******************************************
Alias name: agent
Creation date: Jan 20, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
Issuer: CN=ca-host-name
Serial number: 3a0000000c0afa89bc8714632500000000000c
Valid from: Tue Jan 20 11:20:05 CST 2015 until: Wed Jan 20 11:30:05
CST 2016
Certificate fingerprints:
MD5: C3:1C:22:08:A6:21:B9:FF:D1:73:29:F6:8C:75:E4:DF
SHA1: 3D:08:7C:45:6B:B4:7E:65:BD:7C:E7:F8:4C:1F:6E:9B:05:75
:5F:27
SHA256: 5A:49:2E:82:53:DD:40:78:E9:D5:68:15:28:38:07:6E:D3
:7E:8C:9E
:A4:1E:DF:D8:6C:27:9E:8F:FA:E2:15:5F
Signature algorithm name: SHA256withRSA
Version: 3
Certificate[2]:
Owner: CN=ca-host-name
Issuer: CN=ca-host-name
Serial number: 2f245324d2723a964f3c1bafcada2bd4
Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
CST 2020
Certificate fingerprints:
MD5: 34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08:15
:63:0D
SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22
:ED:DD:5A
:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
Signature algorithm name: SHA256withRSA
Version: 3
*******************************************
*******************************************
{{/code}}
Notice that there are two aliases, **root** and **agent**. The **root** alias is a self-signed **trustedCertEntry** with only one certificate. However, the **agent** alias is still a **PrivateKeyEntry**. Now **tomcat** has two certificates:
* One for itself: **Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US**
* One for its root: **Owner: CN=ca-host-name**
)))
1. If you have changed the keystore password in [[step 3>>doc:||anchor="GeneratingandimportinganSSLcertificateforaremotedeviceagent-step3"]], follow these steps: \\
11. Navigate to the **BCAN_HOME**\**utility** directory and run **BcanMaintenanceTool.cmd**. Encrypt the changed keystore password by selecting **Encrypt Product Password** as the encryption method.
11. Navigate to the **BCAN_HOME\wrapper** directory and update the {{code language="none"}}Dcom.bmc.bcan.ssl.keyStorePassword {{/code}}and {{code language="none"}}Dcom.bmc.bcan.ssl.trustStorePassword{{/code}} properties in the **BcanDeviceAgentWrapper.conf** file with the encrypted keystore password generated in the preceding step.
1. Start the **BCA-Networks Web Server** service on the application server and **BCA-Networks Agent** service on the remote device agent.
== {{id name="GeneratingandimportinganSSLcertificateforaremotedeviceagent-Togenerateandimportaself-signedSSLcertificateforaremotedeviceagentthatishostedonWindows"/}}To generate and import a self-signed SSL certificate for a remote device agent that is hosted on Windows ==
1. Follow steps 1 to 4 as described in [[To generate and import a third-party SSL certificate for a remote device agent that is hosted on Windows>>doc:||anchor="GeneratingandimportinganSSLcertificateforaremotedeviceagent-Togenerateandimportathird-partySSLcertificateforaremotedeviceagentthatishostedonWindows"]].
1. Export the self-signed certificate as follows:
11. Run the following command to export the certificate from the **.keystore** file with a new name for the exported file:
\\{{code language="none"}}keytool.exe -exportcert -keystore "C:\Program Files\BMC Software\BCA-Networks-Agent\.keystore" -alias agent -file agentcert.cer{{/code}}
11. (((
When prompted for the password, enter the default password (//1emprisa//), or if you have changed the password, enter the changed password.
The following sample messages are displayed:
{{code}}
Enter keystore password: Adm1npaswd
Certificate stored in file agentcert.cer.
{{/code}}
)))
1. Copy and import the self-signed certificate into the application server, as follows:
11. Copy the certificate to the **BCAN_DATA** directory.
11. Run the following command:
{{code language="none"}}keytool.exe -importcert -keystore "C:\Program Files\BMC Software\BCA-Networks\java\lib\security\cacerts" -alias agent -file C:\BCA-Networks-Data\agentcert.cer {{/code}}
11. When prompted for the password, enter //changeit//.
1. If you have changed the keystore password, follow these steps: \\
11. Navigate to the **BCAN_HOME**\**utility** directory and run **BcanMaintenanceTool.cmd**. Encrypt the changed keystore password by selecting **Encrypt Product Password** as the encryption method.
11. Navigate to the **BCAN_HOME\wrapper** directory and update the {{code language="none"}}Dcom.bmc.bcan.ssl.keyStorePassword {{/code}}and {{code language="none"}}Dcom.bmc.bcan.ssl.trustStorePassword{{/code}} properties in the **BcanDeviceAgentWrapper.conf** file with the encrypted keystore password generated in the preceding step.
1. Start the **BCA-Networks Web Server** service on the application server and **BCA-Networks Agent** service on the remote device agent.
== {{id name="GeneratingandimportinganSSLcertificateforaremotedeviceagent-Togenerateandimportathird-partySSLcertificateforaremotedeviceagentthatishostedonLinux"/}}To generate and import a third-party SSL certificate for a remote device agent that is hosted on Linux ==
1. Stop the **enatomcat** service on the application server and **bcanagent** service on the remote device agent.
1. //(Optional)// If you want to generate an SSL certificate with the parameter values (other than the keystore password) different than the default values in the **setenv** file, perform the following steps: \\
11. Navigate to the **BCAN_HOME/tools** directory and open the **setenv** file with a text editor.
11. Modify various [[parameters>>doc:||anchor="GeneratingandimportinganSSLcertificateforaremotedeviceagent-Listofeditableparametersinthesetenvfile"]] in the file.
11. Save the file.
1. (((
//{{id name="GeneratingandimportinganSSLcertificateforaremotedeviceagent-step_3"/}}(This step is required only if you have performed step 2 to change parameter values or if you want to change the keystore password)// From the **BCAN_HOME/tools** directory, run the following command to generate a new self-signed certificate with the required password:
\\{{code language="none"}}./create_keystore.sh <password>
{{/code}}
{{confluence_note title="Note"}}
During installation, BMC Network Automation creates the self-signed certificate with a default password, //1emprisa//. If you want to change this password, provide the required password; else, provide the default password.
{{/confluence_note}}
The following sample messages are displayed:
{{code}}
removing old /opt/bmc/bca-networks-agent/.keystore file ...
generating certified key-pair and storing in /opt/bmc/bca-networks-agent/.keystore ..
{{/code}}
)))
1. (((
Navigate to the **BCAN_HOME/java/bin** directory and run the following command to view the keystore with the default self-signed certificate:
\\{{code language="none"}}./keytool -list -v -keystore /opt/bmc/bca-networks-agent/.keystore{{/code}}
\\The following sample messages are displayed:
{{code}}
Enter keystore password: Adm1npaswd
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: agent
Creation date: Jan 20, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
Issuer: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
Serial number: 20b6fde4
Valid from: Tue Jan 20 11:24:55 CST 2015 until: Thu Dec 27 11:24:55
CST 2114
Certificate fingerprints:
MD5: 22:55:8B:62:A0:85:6F:B0:82:A2:28:D5:FE:55:90:8A
SHA1: 24:17:3B:EB:5D:FF:B4:78:5E:3A:C5:A9:28:C0:0E:64:FB:0B
:6A:4A
SHA256: F4:5B:E5:0E:74:EB:4B:B1:B2:D2:FA:22:33:CE:D3:5B:6C
:24:03:4B:EF:6D:5A:4E:DC:96:92:A0:1E:2B:0C:9C
Signature algorithm name: SHA1withRSA
Version: 3
{{/code}}
Notice that there is only one alias **agent,** which has the entry type of **PrivateKeyEntry**.
)))
1. (((
Run the following command to generate a certificate signing request (CSR) file, for example, **bna.csr**, by using the self-signed certificate:
\\{{code language="none"}}./keytool -certreq -keystore /opt/bmc/bca-networks-agent/.keystore -alias agent -file /opt/bmc/bca-networks-agent/bna.csr{{/code}}
\\The following sample message is displayed:
{{code}}
Enter keystore password: Adm1npaswd
{{/code}}
)))
1. Submit the **bna.csr** file to the certification authority (CA) and get the remote device agent certificate.
1. Obtain the root certificate, and optionally intermediate certificates from the CA if required.
1. Copy the remote device agent, root, and intermediate certificates to the **BCAN_HOME** directory.
1. Import the root CA certificate, as follows:
11. Run the following command:{{code language="none"}}./keytool -importcert -keystore /opt/bmc/bca-networks-agent/.keystore -alias root -file /opt/bmc/bca-networks-agent/ca-root.cer{{/code}}
11. When prompted for the password, enter the default password (//1emprisa//), or if you have changed the password in [[step 3>>doc:||anchor="GeneratingandimportinganSSLcertificateforaremotedeviceagent-step_3"]], enter the changed password.
1. Copy and import the root CA certificate into the application server, if not done already, as follows:
11. Copy the root certificate to the **BCAN_DATA** directory.
11. Run the following command:
{{code language="none"}}./keytool -importcert -keystore /opt/bmc/bca-networks/java/lib/security/cacerts -alias root -file /var/bca-networks-data/ca-root.cer{{/code}}
11. (((
When prompted for the password, enter //changeit//.
The following sample messages are displayed, when you execute the commands in step 9 and 10:
{{code}}
Enter keystore password: <password>
Owner: CN=ca-host-name
Issuer: CN=ca-host-name
Serial number: 2f245324d2723a964f3c1bafcada2bd4
Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
CST 2020
Certificate fingerprints:
MD5: 34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08
:15:63:0D
SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86
:22:ED:DD:
5A:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
Signature algorithm name: SHA256withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
{{/code}}
)))
1. //(Optional)// Run the following command to import intermediate CA certificates into the remote device agent:
{{code language="none"}}./keytool -importcert -keystore /opt/bmc/bca-networks-agent/.keystore -alias intermediate -file /opt/bmc/bca-networks-agent/ca-intermediate.cer{{/code}}
1. (((
Run the following command to import the remote device agent certificate:
{{code language="none"}}./keytool -importcert -keystore /opt/bmc/bca-networks-agent/.keystore -alias agent -file /opt/bmc/bca-networks-agent/bna-certificate.cer{{/code}}
The following messages are displayed:
{{code}}
Enter keystore password: Adm1npaswd
Certificate reply was installed in keystore
{{/code}}
)))
1. (((
Run the following command to view the root and the remote device agent certificates in the keystore:
\\{{code language="none"}}./keytool -list -v -keystore /opt/bmc/bca-networks-agent/.keystore{{/code}}
\\The following sample messages are displayed:
{{code}}
Enter keystore password: Adm1npaswd
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: root
Creation date: Jan 20, 2015
Entry type: trustedCertEntry
Owner: CN=ca-host-name
Issuer: CN=ca-host-name
Serial number: 2f245324d2723a964f3c1bafcada2bd4
Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
CST 2020
Certificate fingerprints:
MD5: 34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08:15
:63:0D
SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22:ED
:DD:5A
:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
Signature algorithm name: SHA256withRSA
Version: 3
*******************************************
*******************************************
Alias name: agent
Creation date: Jan 20, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
Issuer: CN=ca-host-name
Serial number: 3a0000000c0afa89bc8714632500000000000c
Valid from: Tue Jan 20 11:20:05 CST 2015 until: Wed Jan 20 11:30:05
CST 2016
Certificate fingerprints:
MD5: C3:1C:22:08:A6:21:B9:FF:D1:73:29:F6:8C:75:E4:DF
SHA1: 3D:08:7C:45:6B:B4:7E:65:BD:7C:E7:F8:4C:1F:6E:9B:05:75
:5F:27
SHA256: 5A:49:2E:82:53:DD:40:78:E9:D5:68:15:28:38:07:6E:D3
:7E:8C:9E
:A4:1E:DF:D8:6C:27:9E:8F:FA:E2:15:5F
Signature algorithm name: SHA256withRSA
Version: 3
Certificate[2]:
Owner: CN=ca-host-name
Issuer: CN=ca-host-name
Serial number: 2f245324d2723a964f3c1bafcada2bd4
Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
CST 2020
Certificate fingerprints:
MD5: 34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08:15
:63:0D
SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22
:ED:DD:5A
:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
Signature algorithm name: SHA256withRSA
Version: 3
*******************************************
*******************************************
{{/code}}
Notice that there are two aliases, **root** and **agent**. The **root** alias is a self-signed **trustedCertEntry** with only one certificate. However, the **agent** alias is still a **PrivateKeyEntry**. Now, **tomcat** has two certificates:
* One for itself: **Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US**
* One for its root: **Owner: CN=ca-host-name**
)))
1. If you have changed the keystore password in [[step 3>>doc:||anchor="GeneratingandimportinganSSLcertificateforaremotedeviceagent-step_3"]], follow these steps:
11. Navigate to the **BCAN_HOME/utility** directory and run **BcanMaintenanceTool.sh**. Encrypt the keystore password by selecting **Encrypt Product Password** as the encryption method.
11. Navigate to the **/opt/bmc/bca-networks-agent/tools** directory and update the {{code language="none"}}AGENT_KEYSTORE_PASSWORD{{/code}} property in the **setenv.sh** file with the encrypted keystore password generated in the preceding step.
1. Start the **enatomcat** service on the application server and **bcanagent** service on the remote device agent.
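The keystore listing in the preceding procedure can be checked by script instead of by eye. The following is an added example, not BMC code: the function name audit_keystore_listing and both sample listings are constructed here (modelled on the sample output above, fingerprints omitted), and it assumes keytool prints in English.

```shell
#!/bin/sh
# Added example (not BMC code): audit the text printed by `keytool -list -v`
# for the agent keystore once the CA reply has been imported.
# Real use:  ./keytool -list -v -keystore <keystore> | audit_keystore_listing agent

# audit_keystore_listing [alias]   (hypothetical helper name)
# Reads a listing on stdin, prints one line per finding, returns 0 if clean.
audit_keystore_listing() {
    awk -v alias="${1:-agent}" '
    { sub(/\r$/, "") }                          # tolerate Windows line endings
    /^Alias name: /  { cur = substr($0, 13); cert = 0
                       if (cur == alias) found = 1 }
    cur != alias     { next }                   # skip entries for other aliases
    /^Entry type: /                { etype = substr($0, 13) }
    /^Certificate chain length: /  { chain = $NF + 0 }
    /^Certificate\[[0-9]+\]:/      { cert++ }
    /^Owner: /   { if (cert <= 1) owner  = substr($0, 8) }   # leaf cert only
    /^Issuer: /  { if (cert <= 1) issuer = substr($0, 9) }
    /^Signature algorithm name: /  {
        alg = substr($0, 27)
        if (toupper(alg) ~ /^(SHA1|MD5|MD2)WITH/) weak = weak " " alg
    }
    END {
        if (!found) { print "FAIL: alias " alias " not found"; exit 1 }
        if (etype != "PrivateKeyEntry") {
            print "FAIL: entry type is " etype ", expected PrivateKeyEntry"; bad = 1 }
        if (chain < 2) {
            print "FAIL: certificate chain length " chain \
                  " (expected 2 or more once the CA reply is imported)"; bad = 1 }
        if (owner == issuer) {
            print "FAIL: leaf certificate is self-signed (Owner equals Issuer)"; bad = 1 }
        if (weak != "") {
            print "FAIL: weak signature algorithm in chain:" weak; bad = 1 }
        if (!bad) print "OK: " alias " has a CA-issued chain of length " chain
        exit bad
    }'
}

# Constructed sample: keystore right after create_keystore.sh (self-signed only).
sample_before() {
cat <<'EOF'
Keystore type: JKS
Your keystore contains 1 entry
Alias name: agent
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
Issuer: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
Signature algorithm name: SHA1withRSA
EOF
}

# Constructed sample: keystore after the root and agent certificates are imported.
sample_after() {
cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries
Alias name: root
Entry type: trustedCertEntry
Owner: CN=ca-host-name
Issuer: CN=ca-host-name
Signature algorithm name: SHA256withRSA
Alias name: agent
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
Issuer: CN=ca-host-name
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=ca-host-name
Issuer: CN=ca-host-name
Signature algorithm name: SHA256withRSA
EOF
}

echo "--- before CA reply ---"; sample_before | audit_keystore_listing agent || true
echo "--- after CA reply ---";  sample_after  | audit_keystore_listing agent
```

The chain-length and self-signed findings apply to the third-party procedure only; a keystore produced by the self-signed procedure is expected to report them.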
== {{id name="GeneratingandimportinganSSLcertificateforaremotedeviceagent-Togenerateandimportaself-signedSSLcertificateforaremotedeviceagentthatishostedonLinux"/}}To generate and import a self-signed SSL certificate for a remote device agent that is hosted on Linux ==
1. Follow steps 1 to 4 as described in [[To generate and import a third-party SSL certificate for a remote device agent that is hosted on Linux>>doc:||anchor="GeneratingandimportinganSSLcertificateforaremotedeviceagent-Togenerateandimportathird-partySSLcertificateforaremotedeviceagentthatishostedonLinux"]].
1. Export the self-signed certificate as follows:
11. Run the following command to export the certificate from the **.keystore** file with a new name for the exported file:
\\{{code language="none"}}./keytool -exportcert -keystore /opt/bmc/bca-networks-agent/.keystore -alias agent -file agentcert.cer{{/code}}
11. (((
When prompted for the password, enter the default password (//1emprisa//), or if you have changed the password, enter the changed password.
The following sample messages are displayed:
{{code}}
Enter keystore password: Adm1npaswd
Certificate stored in file agentcert.cer.
{{/code}}
)))
1. Copy and import the self-signed certificate into the application server, as follows:
11. Copy the certificate to the **BCAN_DATA** directory.
11. Run the following command:
{{code language="none"}}./keytool -importcert -keystore /opt/bmc/bca-networks/java/lib/security/cacerts -alias agent -file /var/bca-networks-data/agentcert.cer
{{/code}}
11. When prompted for the password, enter //changeit//.
1. If you have changed the keystore password, follow these steps:
11. Navigate to the **BCAN_HOME/utility** directory and run **BcanMaintenanceTool.sh**. Encrypt the keystore password by selecting **Encrypt Product Password** as the encryption method.
11. Navigate to the **/opt/bmc/bca-networks-agent/tools** directory and update the {{code language="none"}}AGENT_KEYSTORE_PASSWORD{{/code}} property in the **setenv.sh** file with the encrypted keystore password generated in the preceding step.
1. Start the **enatomcat** service on the application server and **bcanagent** service on the remote device agent.
== {{id name="GeneratingandimportinganSSLcertificateforaremotedeviceagent-Relatedtopic"/}}Related topic ==
[[doc:Automation-DevSecOps.Network-Automation.BMC-Network-Automation.bna88.Installing.Generating-and-importing-an-SSL-certificate-for-the-application-server.WebHome]]