Using CA-signed certificates for communication between peers
Secure Sockets Layer (SSL) is used to keep sensitive information sent across the Internet encrypted. A proper self-signed certificate provides authentication, which ensures that you are sending information to the right server and not to an unintended server. Customers most often send information through several computers. It is possible to avoid intermediate computers from pretending to be your website and trick your users into sending them personal information by using a proper Public Key Infrastructure (PKI), and getting an signed certificate from a trusted provider.
Perform the following tasks to use a CA-signed certificate:
- Generate a CA-signed certificate.
- Replace the SSL certificate with the CA-signed certificate.
- Encrypt the keystore password.
Generate a CA-signed certificate
To generate a CA-signed certificate, perform the following steps:
To generate the keystore with signature algorithm SHA2, run the keytool command, as shown in the following example:
keytool -genkeypair -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -storetype JKS -keystore Sample.keystore -validity 3650 -dname "CN=Sample.bmc.com,O=BMC Software Inc,OU=TSO,L=Houston,ST=Texas,C=US" -ext "SAN=IP:<IPAddress>,IP:<IPAddress>,DNS:*.bmc.com"You can modify the parameters in this command as per your requirements:
Parameter
Description/Value
alias
The key name in the keystore file.
keystore
The name of the keystore file.
In this command, the keystore file is Sample.keystore.
CN
Common Name
The Common Name must be provided by the requester and should be a fully qualified domain name (FQDN).
O
Organization
For example, BMC Software Inc.
OU
Organizational Unit
The Organizational Unit must be provided by the requester.
L
Location
For example, Houston.
ST
State
For example, Texas.
C
Country
For example, US
SAN
Subject Alternative Name
The SAN can be the IP addresses of the machine or the Common Name in FQDN format.
DNS
Domain name of the organization. Ensure to have "*" before Domain Name.
For example, *.bmc.com
- Enter and confirm the valid keystore password, when prompted.
- Enter and confirm the valid alias password when prompted.
The Sample.keystore file is generated. - Run the following command to export certificate signing request (CSR) file:{{code language="none"}}
{{/code}}keytool -certreq -file "C:\Data\TSO\CA Certificate\SampleCSR.csr" -keystore "C:\Data\TSO\CA Certificate\Sample.keystore" -alias tomcat -ext "SAN=IP:192.160.0.1,IP:192.160.0.2" Enter and confirm the keystore password when prompted.
A CSR file named SampleCSR.csr is generated at the location C:\Data\TSO\CA Certificate\SampleCSR.csr using the Sample.keystore file located at C:\Data\TSO\CA Certificate\Sample.keystore.
- Submit the SampleCSR.csr file to the certification authority (CA) and get the CA-signed certificate.
- Import the root CA certificate into the keystore, as follows:
- Run the following command:keytool.exe -importcert -keystore "C:\Data\TSO\CA Certificate\Sample.keystore" -alias tomcat -file "C:\Data\TSO\CA Certificate\Sample.p7b
- When prompted for the password, enter the keystore password.
The following sample messages are displayed, when you execute the above commands:
Top-level certificate in reply:
Owner: CN=BMC-CA, DC=adprod, DC=bmc, DC=com
Issuer: CN=BMC-CA, DC=adprod, DC=bmc, DC=com
Serial number: 43ed9abe568e68bf42b7e518b131014a
Valid from: Thu Sep 20 02:57:52 IST 2012 until: Tue May 15 08:38:08 IST 2046
Certificate fingerprints:
MD5: E7:32:57:81:23:0A:8D:EB:B0:4B:2E:61:B7:03:5A:6A
SHA1: BC:F1:20:2A:B8:E4:E9:C3:08:5C:EE:87:62:49:FE:55:33:1D:D7:9F
SHA256: 24:44:C0:98:C0:53:B4:C8:2E:F3:F0:AF:71:77:D8:56:DD:62:E0:B6:9C:23:8F:B3:3D:B6:AB:4F:95:C0:D3:C5
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 01 ...
#2: ObjectId: 1.3.6.1.4.1.311.21.2 Criticality=false
0000: 04 14 CA 64 2E 54 4D D2 8D BE E5 62 7F 3D E1 2C ...d.TM....b.=.,
0010: 19 AA C3 A4 FB 2D .....-
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A0 A8 B1 CE 4E CE 09 AC B5 D7 4F 59 53 2E 3D 2B ....N.....OYS.=+
0010: 77 7A 2A 14 wz*.
]
]
... Trust this certificate? [no]: yes
Certificate was added to keystore
Replace the SSL certificate with the CA-signed certificate
When you install TrueSight Orchestration 22.2 for the first time or when you upgrade to version 22.2, the Self-signed certificate is the default authentication certificate for communication between peers. To use a CA-signed certificate, you need to replace the Self-signed certificate for all the peers.
Before you begin
Navigate to the <peer>/config directory for each peer (for example, BAOhome/CDP/config for CDP), and verify that the following files are present:
- The default file, certificate.keystore
- The jms-ssl-configuration containing the certificate path and default password
To replace the self-signed certificate with the CA-signed certificate, perform the following steps:
- Stop the TrueSight Orchestration services.
- Navigate to the <peer>/config directory and back up the default self-signed certificate.
- Replace the certificate.keystore file with the CA-signed certificate.
- Update the jms-ssl-configuration file with the certificate name and password.
- Start the TrueSight Orchestration services.
Encrypt the keystore password
To encrypt the keystore password, perform the following steps:
- Run the maintenance tool and encrypt the password by using the Encrypt Product Password option.
- Navigate to the <peer>/config directory and change the encrypted value to yes in the jms-ssl-configuration file.
- Restart the services
Related topics