Manually adding a trusted certificate


Instead of using the default SSL certificate that BladeLogic Portal provides through its installer, some organizations may want to use their own certificate. Organizations can use an existing certificate or obtain one from a certificate authority or other trusted source.

If you want to replace the portal's default certificate, you can use the following procedure to create a keystore, add a certificate to the keystore, and modify the tomcat-server.xml file.

To manually add a trusted certificate

  1. Obtain a certificate from a certificate authority or another trusted source.
  2. Using keytool, create a new keystore anywhere on the file system of the portal server. 
    For example, you could navigate to the directory where keytool.exe is located and enter the following command:
    keytool -genkeypair -alias <alias> -keystore <new key store name> -storetype jks

    Note

    Other steps may be required for you to create a new keystore. The commands shown here are examples of the types of commands you may need to execute.

  3. Using keytool, import your SSL certificate into the keystore created in the previous step.
    For example, you could enter the following command:
    keytool -importcert -file <certificate file path> -alias <alias> -keystore <newly created keystore>
  4. Modify the tomcat-server.xml configuration file.
    1. Find the tomcat-server.xml file at: 
      • (Windows) installation_location\foundation\configuration\tomcat-server.xml
      • (Linux) installation_location/foundation/configuration/tomcat-server.xml
    2. Modify tomcat-server.xml by removing the Connector port="8080" tag. Leave the Connector port="8443" tag. In the Connector port="8443" tag that you leave, modify the keystoreFile and keystorePass parameters so they reflect the values you set when creating the new keystore.

      In the example shown below, the tag to remove is the Connector port="8080" tag; the tag that remains is the Connector port="8443" tag.

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>

      <Server port="8005" shutdown="SHUTDOWN">
          <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"></Listener>
          <Listener className="org.apache.catalina.core.JasperListener"></Listener>
          <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"></Listener>
          <Listener className="org.eclipse.virgo.web.tomcat.support.ServerLifecycleLoggingListener"></Listener>
          <Service name="Catalina">

              <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" redirectPort="8443" maxThreads="150" maxConnections="8192"></Connector>

              <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="<path_to_new_keystore>" keystorePass="<new_keystore_password>"></Connector>

              <Engine name="Catalina" defaultHost="localhost">
                  <Realm className="org.apache.catalina.realm.JAASRealm" appName="virgo-kernel" userClassNames="org.eclipse.virgo.kernel.authentication.User" roleClassNames="org.eclipse.virgo.kernel.authentication.Role"></Realm>
                  <Host name="localhost" appBase="" unpackWARs="false" autoDeploy="false" deployOnStartup="false" createDirs="false">
                      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="serviceability/logs/access" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"></Valve>
                      <Valve className="org.eclipse.virgo.web.tomcat.support.ApplicationNameTrackingValve"></Valve>
                  </Host>
              </Engine>
          </Service>
      </Server>

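The following Python script is an added worked example for step 4; it is not part of the BladeLogic Portal product or BMC's documentation. It parses tomcat-server.xml, removes the Connector port="8080" tag, sets keystoreFile and keystorePass on the Connector port="8443" tag, and checks the result before writing it back. The embedded sample XML is a constructed, trimmed copy of the page's example; the keystore path and password it uses are placeholders, and the rewrite_file helper and its .bak backup are this example's own conventions.

```python
# Added example, not part of the BladeLogic Portal product or its documentation.
# Automates step 4 of the procedure: drop the plain-HTTP Connector on port 8080,
# point the port 8443 Connector at the new keystore, and verify the result
# before writing it back. Keystore path and password are hypothetical placeholders.
import os
import shutil
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the page's tomcat-server.xml example.
SAMPLE_TOMCAT_SERVER_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Server port="8005" shutdown="SHUTDOWN">
    <Service name="Catalina">
        <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" redirectPort="8443" maxThreads="150" maxConnections="8192"></Connector>
        <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="old.jks" keystorePass="changeit"></Connector>
        <Engine name="Catalina" defaultHost="localhost">
            <Host name="localhost" appBase="" unpackWARs="false" autoDeploy="false"></Host>
        </Engine>
    </Service>
</Server>
"""

# ElementTree drops the declaration on output, so it is re-added by hand.
XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'


def rewrite_connectors(xml_text, keystore_file, keystore_pass):
    """Return the modified XML: 8080 Connector removed, 8443 Connector re-pointed."""
    root = ET.fromstring(xml_text)
    removed = updated = 0
    for service in root.iter("Service"):
        # Only direct children of <Service> are Connectors.
        for conn in list(service.findall("Connector")):
            if conn.get("port") == "8080":
                service.remove(conn)
                removed += 1
            elif conn.get("port") == "8443":
                conn.set("keystoreFile", keystore_file)
                conn.set("keystorePass", keystore_pass)
                updated += 1
    if removed != 1 or updated != 1:
        # Refuse to guess if the file does not look like the documented layout.
        raise ValueError(
            f"expected one 8080 and one 8443 Connector, found {removed} and {updated}")
    return XML_DECLARATION + ET.tostring(root, encoding="unicode") + "\n"


def check_tls_connector(xml_text):
    """Return a list of problems; an empty list means the file matches the procedure."""
    problems = []
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    if any(c.get("port") == "8080" for c in connectors):
        problems.append("plain HTTP Connector on port 8080 is still present")
    tls = [c for c in connectors if c.get("port") == "8443"]
    if len(tls) != 1:
        problems.append(f"expected exactly one port 8443 Connector, found {len(tls)}")
        return problems
    conn = tls[0]
    # These attributes are what make the 8443 Connector an HTTPS listener.
    for attr, want in (("SSLEnabled", "true"), ("scheme", "https"), ("secure", "true")):
        if conn.get(attr) != want:
            problems.append(f'port 8443 Connector should have {attr}="{want}"')
    for attr in ("keystoreFile", "keystorePass"):
        if not conn.get(attr):
            problems.append(f"port 8443 Connector is missing {attr}")
    return problems


def rewrite_file(path, keystore_file, keystore_pass):
    """Edit tomcat-server.xml in place, keeping a .bak copy of the original."""
    if not os.path.isfile(keystore_file):
        # A mistyped keystore path would otherwise surface only as a Tomcat startup failure.
        raise FileNotFoundError(f"keystore not found: {keystore_file}")
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text = rewrite_connectors(original, keystore_file, keystore_pass)
    problems = check_tls_connector(new_text)
    if problems:
        raise ValueError("; ".join(problems))
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return new_text


if __name__ == "__main__":
    # Dry run on the constructed sample. Real use would point rewrite_file at
    # installation_location/foundation/configuration/tomcat-server.xml.
    result = rewrite_connectors(SAMPLE_TOMCAT_SERVER_XML, "/opt/portal/portal.jks", "example-password")
    print(result)
    print("problems:", check_tls_connector(result))
```

Two points worth keeping in mind when using this: once the port 8080 Connector is gone the portal no longer answers plain HTTP on that port, so anything that relied on the 8080-to-8443 redirect must use the HTTPS URL directly; and the keystore password ends up in cleartext in tomcat-server.xml, so the file (and the .bak copy) should be readable only by the account that runs the portal service.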