Generating and importing a CA-signed SSL certificate for a remote device agent


Secure Sockets Layer (SSL), implemented today as TLS, encrypts sensitive information sent across the network. A proper SSL certificate also provides authentication: it lets the application server confirm that it is sending information to the genuine remote device agent and not to an unintended host. Without that check, an intermediate computer can pose as one of your agents and capture the credentials and device data that the server sends to it.

TrueSight Network Automation generates its default self-signed certificate with the SHA256WithRSA signature algorithm (SHA-256 is the hash and RSA the key type; this is a signature, not an encryption, algorithm) and a 4096-bit key. You can instead generate and import a third-party SSL certificate with a different algorithm or a different key size (greater than or equal to 2048 bits; smaller RSA keys are considered weak) by modifying the AGENT_CERTIFICATE_ALGORITHM and AGENT_KEY_NUM_BITS parameters in the setenv file.

This topic describes how to generate and import a third-party or self-signed SSL certificate for a remote device agent, and how to set the parameters in the setenv file if you want to use values other than the defaults.


List of editable parameters in the setenv file

In addition to AGENT_CERTIFICATE_ALGORITHM, you can modify the following parameters in the setenv file to control the SSL certificate that is generated for a remote device agent:

  • AGENT_CERTIFIER_COMMON_NAME
  • AGENT_CERTIFIER_ORG_UNIT
  • AGENT_CERTIFIER_ORG_NAME
  • AGENT_CERTIFIER_LOCALITY
  • AGENT_CERTIFIER_STATE
  • AGENT_CERTIFIER_COUNTRY
  • AGENT_KEY_ALGORITHM
  • AGENT_KEY_NUM_BITS
  • AGENT_KEY_VALIDITY_DAYS


Before you begin

To enable the authentication process between the application server and device agents, set the value of the skipAgentAuthenticationByEna parameter to false in the global.properties file. The default value is true, which means that agent authentication is skipped and the certificates you import in the procedures below are not checked until you change it.


To re-generate and import a third-party SSL certificate for a remote device agent

  1. Stop the BCA-Networks Web Server service on the application server and BCA-Networks Agent service on the remote device agent.
  2. (Optional) If you want to generate an SSL certificate with parameter values different from the defaults in the setenv file, perform the following steps:
    1. Navigate to the BCAN_HOME\tools directory and open the setenv file with a text editor.
    2. Modify various parameters in the file.
    3. Save the file.
  3. (This step is required only if you have performed step 2 to change parameter values) From the BCAN_HOME\tools directory, run the following command to generate a new self-signed certificate:
    create_keystore

    The following sample messages are displayed:

    Removing old BCAN_HOME-Agent\.keystore file ...
    Generating certified key-pair and storing in
    BCAN_HOME-Agent\.keystore ...
    Success

    Important

    The password that protects the keystore cannot itself be stored encrypted or hidden. This follows from how keystores work: the keystore holds the agent's private key, and anything that encrypted the keystore password would need its own key stored somewhere the agent process can read, which only moves the problem one step along and creates a circular dependency. Protect the keystore file, and wherever its password is configured, with file-system permissions instead, restricting read access to the account that runs the BCA-Networks Agent service.

  4. Navigate to the BCAN_HOME\java\bin directory and run the following command to view the keystore with the default self-signed certificate:
    keytool -list -v -keystore "BCAN_HOME-Agent\.keystore"

    The following sample messages are displayed:

    Enter keystore password: <password>
            Keystore type: JKS
            Keystore provider: SUN
            Your keystore contains 1 entry
            Alias name: agent
            Creation date: Jan 20, 2015
            Entry type: PrivateKeyEntry
            Certificate chain length: 1
            Certificate[1]:
            Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
            Issuer: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
            Serial number: 20b6fde4
            Valid from: Tue Jan 20 11:24:55 CST 2015 until: Thu Dec 27 11:24:55
            CST 2114
            Certificate fingerprints:
                     MD5:  22:55:8B:62:A0:85:6F:B0:82:A2:28:D5:FE:55:90:8A
                     SHA1: 24:17:3B:EB:5D:FF:B4:78:5E:3A:C5:A9:28:C0:0E:64:FB:0B
                     :6A:4A
                     SHA256: F4:5B:E5:0E:74:EB:4B:B1:B2:D2:FA:22:33:CE:D3:5B:6C
                     :24:03:4B:EF:6D:5A:4E:DC:96:92:A0:1E:2B:0C:9C
                     Signature algorithm name: SHA1withRSA
                     Version: 3

    Notice that there is only one alias, agent, with the entry type PrivateKeyEntry and a certificate chain length of 1: the certificate is self-signed, so Owner and Issuer are identical. This sample was captured from an older release and shows SHA1withRSA; a keystore generated with the current defaults shows SHA256withRSA. If you intend to keep using the self-signed certificate (see the second procedure on this page) and your listing shows SHA1withRSA, regenerate the keystore with step 3 first, because current TLS implementations reject SHA-1 certificate signatures.

  5. Run the following command to generate a certificate signing request (CSR) file, for example, BNA.csr, for the key pair stored under the agent alias:
    keytool -certreq -keystore "BCAN_HOME-Agent\.keystore" -alias agent -file "BCAN_HOME-Agent\BNA.csr"

    The following sample message is displayed:

    Enter keystore password: <password>

    Important

    Add the -ext option to the above command so that the CSR carries Subject Alternative Names (SAN). Chrome matches the host name only against the SAN extension and ignores the CN, so the SAN is mandatory for it; other clients may still fall back to the CN, but include the SAN for all of them. Replace subdomain.example.com and www.example.com with the host name under which the application server reaches the agent and any additional names it uses. Some CAs ignore SAN values in a CSR and take the names from their own request form, so confirm that the names are present in the issued certificate when you list the keystore in step 11.

    Example

    keytool -certreq -keystore "BCAN_HOME-Agent\.keystore" -alias agent -ext SAN=dns:subdomain.example.com,dns:www.example.com -file "BCAN_HOME-Agent\BNA.csr"

  6. Submit the BNA.csr file to the certification authority (CA) and obtain the signed remote device agent certificate.
  7. Obtain the CA's root certificate and, if the CA issues from a subordinate CA, the intermediate certificates as well.
  8. Copy the remote device agent, root, and intermediate certificates to the BCAN_HOME-Agent directory on the remote device agent, which is the location that the following commands use.
  9. Import the root CA certificate into the remote device agent, as follows:
    1. Run the following command:
      keytool -importcert -keystore "BCAN_HOME-Agent\.keystore" -alias root -file "BCAN_HOME-Agent\CA-root.cer"
    2. When prompted for the password, enter the password.
    3. (Optional) Run the following command to import intermediate CA certificates into the remote device agent:
      keytool -importcert -keystore "BCAN_HOME-Agent\.keystore" -alias intermediate -file "BCAN_HOME-Agent\CA-intermediate.cer"
    4. Run the following command to import the remote device agent certificate under the same alias as the private key, which replaces the self-signed certificate with the CA-signed one:

      keytool -importcert -keystore "BCAN_HOME-Agent\.keystore" -alias agent -file "BCAN_HOME-Agent\BNA-Certificate.cer"

      keytool accepts this import only if it can build a chain from the agent certificate to a certificate that the keystore already trusts, which is why the root and any intermediate certificates are imported first. If the order is reversed, keytool reports that it failed to establish a chain from the reply.
  10. Copy and import the root CA certificate into the application server, if not done already, as follows:

    1. Copy the root CA certificate to the BCAN_DATA directory.
    2. Run the following command:
      keytool -importcert -keystore "BCAN_HOME\java\lib\security\cacerts" -alias root -file "BCAN_DATA\CA-root.cer"
    3. When prompted for the password, enter changeit, which is the default password of the Java cacerts keystore, unless it has been changed on your installation.
    4. (Optional) Run the following command to import intermediate CA certificates into the application server:
      keytool -importcert -keystore "BCAN_HOME\java\lib\security\cacerts" -alias intermediate -file "BCAN_DATA\CA-intermediate.cer"

      Important

      When keytool asks whether you trust the certificate, compare the SHA256 fingerprint it prints with the fingerprint published by your CA before you type yes. Answering yes to a certificate you have not verified makes the application server trust whoever controls that CA, which defeats the purpose of enabling agent authentication.

      This cacerts file belongs to the Java runtime bundled under BCAN_HOME. If an upgrade replaces that runtime, the file is replaced with it and the imported CA certificates are lost, so repeat this step after such upgrades.

      The following sample messages are displayed when you run the commands in steps 9 and 10:

    Enter keystore password:  <password>
            Owner: CN=ca-host-name
            Issuer: CN=ca-host-name
            Serial number: 2f245324d2723a964f3c1bafcada2bd4
            Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
            CST 2020
            Certificate fingerprints:
                     MD5:  34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
                     SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08
                     :15:63:0D
                     SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86
                     :22:ED:DD:
                     5A:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
                     Signature algorithm name: SHA256withRSA
                     Version: 3
            Trust this certificate? [no]:  yes
            Certificate was added to keystore
  11. Run the following command to view the root and remote device agent certificates in the keystore:
    keytool -list -v -keystore "BCAN_HOME-Agent\.keystore"
    The following sample messages are displayed:

    Enter keystore password: <password>
            Keystore type: JKS
            Keystore provider: SUN
            Your keystore contains 2 entries
            Alias name: root
            Creation date: Jan 20, 2015
            Entry type: trustedCertEntry
            Owner: CN=ca-host-name
            Issuer: CN=ca-host-name
            Serial number: 2f245324d2723a964f3c1bafcada2bd4
            Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
            CST 2020
            Certificate fingerprints:
                     MD5:  34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
                     SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08:15
                     :63:0D
                     SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22:ED
                     :DD:5A
                     :87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
                     Signature algorithm name: SHA256withRSA
                     Version: 3
            *******************************************
            *******************************************
            Alias name: agent
            Creation date: Jan 20, 2015
            Entry type: PrivateKeyEntry
            Certificate chain length: 2
            Certificate[1]:
            Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
            Issuer: CN=ca-host-name
            Serial number: 3a0000000c0afa89bc8714632500000000000c
            Valid from: Tue Jan 20 11:20:05 CST 2015 until: Wed Jan 20 11:30:05
            CST 2016
            Certificate fingerprints:
                     MD5:  C3:1C:22:08:A6:21:B9:FF:D1:73:29:F6:8C:75:E4:DF
                     SHA1: 3D:08:7C:45:6B:B4:7E:65:BD:7C:E7:F8:4C:1F:6E:9B:05:75
                     :5F:27
                     SHA256: 5A:49:2E:82:53:DD:40:78:E9:D5:68:15:28:38:07:6E:D3
                     :7E:8C:9E
                     :A4:1E:DF:D8:6C:27:9E:8F:FA:E2:15:5F
                     Signature algorithm name: SHA256withRSA
                     Version: 3
            Certificate[2]:
            Owner: CN=ca-host-name
            Issuer: CN=ca-host-name
            Serial number: 2f245324d2723a964f3c1bafcada2bd4
            Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14
            CST 2020
            Certificate fingerprints:
                     MD5:  34:89:6E:21:E7:16:18:6A:C4:45:F3:87:80:27:2C:64
                     SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08:15
                     :63:0D
                     SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22
                     :ED:DD:5A
                     :87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
                     Signature algorithm name: SHA256withRSA
                     Version: 3
      *******************************************
      *******************************************

    Notice that there are now two aliases, root and agent. The root alias is a trustedCertEntry holding the single self-signed CA certificate. The agent alias is still the PrivateKeyEntry, but its certificate chain length is now 2: the CA-signed agent certificate (Issuer: CN=ca-host-name) followed by the root that signed it; with an intermediate CA the chain length is 3. The agent keystore therefore holds two certificates:

    • One for the agent itself: Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
    • One for its root: Owner: CN=ca-host-name
  12. Start the BCA-Networks Web Server service on the application server and BCA-Networks Agent service on the remote device agent.



To re-generate and import a self-signed SSL certificate for a remote device agent

If you have enabled the authentication process between the application server and device agents, do the following to import the self-signed certificate:

  1. Follow steps 1 to 4 as described in To re-generate and import a third-party SSL certificate for a remote device agent (steps 2 and 3 are needed only if you want to change the default certificate parameters).
  2. Export the self-signed certificate as follows:
    1. Run the following command to export the certificate from the .keystore file with a new name for the exported file:
      keytool -exportcert -keystore "BCAN_HOME-Agent\.keystore" -alias agent -file agentcert.cer
    2. When prompted for the password, enter the password. 
      The following sample messages are displayed:

      Enter keystore password:  <password>
            Certificate stored in file agentcert.cer.
  3. Copy and import the self-signed certificate into the application server, as follows:
    1. Copy the certificate to the BCAN_DATA directory.
    2. Run the following command, using an alias that is unique within cacerts (for example, the agent's host name), because keytool refuses to import a certificate under an alias that already exists and every agent you add this way needs its own entry:
      keytool -importcert -keystore "BCAN_HOME\java\lib\security\cacerts" -alias agent -file "BCAN_DATA\agentcert.cer"
    3. When prompted for the password, enter changeit (the default cacerts password, unless it has been changed on your installation), and type yes at the trust prompt only after comparing the fingerprint with the one shown for the agent alias in step 4 of the first procedure.

    Because this imports the agent's own certificate rather than a CA, the application server trusts exactly this certificate. Whenever the agent keystore is regenerated (step 3 of the first procedure), export the new certificate, remove the old entry with keytool -delete, and import the new one again.
  4. Start the BCA-Networks Web Server service on the application server and BCA-Networks Agent service on the remote device agent.
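Both procedures above end with keytool -list -v as the only check. The following script is an added example (it is not part of TrueSight Network Automation or any BMC tool) that automates that check for a fleet of agents: it parses the text that keytool -list -v prints for an agent keystore and for the application server's cacerts, and reports whether the agent alias holds a PrivateKeyEntry whose chain ends in a self-signed root (first procedure) or is itself self-signed (second procedure), whether any certificate in the chain carries a SHA-1 or MD5 signature, whether the agent certificate has expired, and whether the trust anchor (the CA root, or the agent's own certificate) is present as a trustedCertEntry in the server's cacerts. The sample listings embedded in it are constructed from the output shown on this page and trimmed to the lines the checks read; the alias name agent is the page's, and the fixed "now" date is only there so the sample run is reproducible.

```python
"""Check a remote device agent's certificate against the server's cacerts.

Added example, not part of TrueSight Network Automation: it parses the text
printed by `keytool -list -v` for the agent keystore and for the application
server's cacerts and checks that the agent's trust anchor (its CA root, or the
agent's own self-signed certificate) is actually trusted by the server.
"""
import re
from datetime import datetime, timedelta

# Constructed sample listings modelled on the keytool output on this page,
# trimmed to the lines the checks use (fingerprints on one line, as keytool
# itself prints them).
AGENT_LISTING = """\
Alias name: agent
Entry type: PrivateKeyEntry
Owner: CN=host-name, OU=BNA, O=BMC, L=McLean, ST=VA, C=US
Issuer: CN=ca-host-name
Valid from: Tue Jan 20 11:20:05 CST 2015 until: Wed Jan 20 11:30:05 CST 2016
         SHA256: 5A:49:2E:82:53:DD:40:78:E9:D5:68:15:28:38:07:6E:D3:7E:8C:9E:A4:1E:DF:D8:6C:27:9E:8F:FA:E2:15:5F
Signature algorithm name: SHA256withRSA
Owner: CN=ca-host-name
Issuer: CN=ca-host-name
Valid from: Sat Jan 17 21:35:15 CST 2015 until: Fri Jan 17 21:45:14 CST 2020
         SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22:ED:DD:5A:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
Signature algorithm name: SHA256withRSA
"""
SERVER_LISTING = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=ca-host-name
Issuer: CN=ca-host-name
         SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22:ED:DD:5A:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B
Signature algorithm name: SHA256withRSA
"""
WEAK_SIGALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA"}
VALID_RE = re.compile(r"Valid from: (.+?) until: (.+)")


def _parse_date(text):
    # "Wed Jan 20 11:30:05 CST 2016": drop the zone token, which strptime's
    # %Z does not accept for arbitrary abbreviations.
    p = text.split()
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")


def parse_listing(text):
    """Map alias -> {"type": ..., "certs": [dicts]} from keytool -list -v text."""
    entries, alias, cert = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = {"type": None, "certs": []}
        elif alias is None:
            continue  # keystore header lines before the first entry
        elif line.startswith("Entry type:"):
            entries[alias]["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):  # first line of each certificate
            cert = {"owner": line[6:].strip()}
            entries[alias]["certs"].append(cert)
        elif line.startswith("Issuer:"):
            cert["issuer"] = line[7:].strip()
        elif line.startswith("SHA256:"):
            cert["sha256"] = line[7:].strip()
        elif line.startswith("Signature algorithm name:"):
            cert["sigalg"] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:"):
            cert["not_after"] = _parse_date(VALID_RE.match(line).group(2))
    return entries


def audit(agent_listing, server_listing, now=None, agent_alias="agent"):
    """Return a list of findings; an empty list means the agent passes."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now or datetime.now()
    agent = parse_listing(agent_listing).get(agent_alias)
    if not agent or agent["type"] != "PrivateKeyEntry" or not agent["certs"]:
        return [f"no PrivateKeyEntry under alias '{agent_alias}' in the agent keystore"]
    chain = agent["certs"]
    leaf, anchor = chain[0], chain[-1]
    self_signed = leaf["issuer"] == leaf["owner"]
    findings = []
    if not self_signed and anchor["issuer"] != anchor["owner"]:
        findings.append("chain does not end in a self-signed root: import the root "
                        "and intermediate certificates before the agent certificate")
    for c in chain:
        if c.get("sigalg") in WEAK_SIGALGS:
            findings.append(f"{c['owner']} is signed with {c['sigalg']}; regenerate with SHA256withRSA")
    if leaf["not_after"] < now:
        findings.append("agent certificate has expired")
    # The server must hold, as a trustedCertEntry, exactly what anchors the
    # agent's chain: the CA root, or the agent's own self-signed certificate.
    trusted = {c.get("sha256") for e in parse_listing(server_listing).values()
               if e["type"] == "trustedCertEntry" for c in e["certs"]}
    if anchor.get("sha256") not in trusted:
        what = "self-signed agent certificate" if self_signed else "CA root certificate"
        findings.append(f"{what} is not a trustedCertEntry in the server cacerts")
    return findings


if __name__ == "__main__":
    for line in audit(AGENT_LISTING, SERVER_LISTING, "2015-06-01") or ["OK"]:
        print(line)
```

To use it against a real installation, run keytool -list -v -keystore "BCAN_HOME-Agent\.keystore" on the agent and keytool -list -v -keystore "BCAN_HOME\java\lib\security\cacerts" on the application server, save both outputs, and call audit() with the two texts. Matching on the SHA256 fingerprint rather than on the subject name is deliberate: two CAs can both call themselves CN=ca-host-name, and only the one whose fingerprint is in cacerts is the one the server actually trusts.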
