Manually adding a trusted certificate
Instead of using the default SSL certificate that BladeLogic Portal provides through its installer, some organizations might want to use their own certificate. Organizations can use an existing certificate or obtain one from a certificate authority or other trusted source.
If you want to replace the default certificate, you can use the following procedure to create a keystore, add a certificate to the keystore, and modify the server.xml file.
To manually add a trusted certificate
Create a keystore and a private key (keystore.jks) anywhere on the file system of the portal server.
A keystore holds your private and public keys. When you create a Java keystore with keytool, the file at first contains only the private key and the self-signed certificate generated with it. This example uses blp-server as the alias name:
keytool -genkeypair -alias blp-server -keystore blp.keystore -storetype jks -keyalg RSA -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]: vw-aus-clmidd09.bmc.com
What is the name of your organizational unit?
  [Unknown]: IDD
What is the name of your organization?
  [Unknown]: BMC Software
What is the name of your City or Locality?
  [Unknown]: San Jose
What is the name of your State or Province?
  [Unknown]: California
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=vw-aus-clmidd09.bmc.com, OU=BMC Software, O=IDD, L=San Jose, ST=California, C=US correct?
  [no]: yes
Enter key password for <clmui>
  (RETURN if same as keystore password):
Re-enter new password:
Create the certificate signing request (CSR).
keytool -certreq -alias blp-server -keyalg RSA -file <Directory>/<fileName>.csr -keystore blp.keystore -sigalg SHA256withRSA
Replace <Directory> with the directory in which you want to generate the CSR. <fileName>.csr is the file that will hold the CSR. The alias and keystore must be the same ones used in the previous step, because the CSR is built from the private key stored there.
- Send the CSR file to a CA for signing, using one of the following methods. The CA authenticates the certificate requestor (usually off-line) and returns a certificate or certificate chain, which replaces the existing certificate chain in the keystore (initially just the self-signed certificate).
  - Have the CSR signed by a commercial CA such as Symantec. This process usually requires you to paste the CSR into a web form, pay for the signing, and wait for the signed SSL certificate. For more information about commercial CAs, see:
    - Symantec: http://digitalid.verisign.com/server
    - CertiSign Certificadora Digital Ltd: http://www.certisign.com.br
    - Uptime Commerce Ltd: http://www.uptimecommerce.com
    - BelSign NV/SA: http://www.belsign.be
  - Use your own CA and have it sign the CSR.
- Download the signed certificate (.pem or .crt file) together with either the certificate chain (typically a PKCS7 .p7b file) or the individual root, intermediate, and signing certificates (two, three, or more .pem or .crt files).
If the CA provides only individual certificate files for the signed certificate and the chain (and not a .p7b file), you must combine them into p7b format before importing into the keystore. If there are several certificates in the CA's chain, concatenate them and then use the openssl utility to convert the result to p7b format:
cat root_cert.pem intermediate_cert.pem signing_cert.pem <any other intermediate cert> > ca_certs_chain.pem
openssl crl2pkcs7 -nocrl -certfile <signed certificate>.pem -certfile ca_certs_chain.pem -out certs.p7b
Import the .p7b file into the keystore on the application server computer.
The alias name in this command must be the same as the alias name used when generating the private key and CSR, for example, blp-server:
keytool -importcert -keystore <keystoreLocation>/blp.keystore -file <Dir_p7bFile>/<p7bFileName>.p7b -storepass changeit -alias blp-server -storetype jks
In this command, <p7bFileName>.p7b is the file that contains the CA-signed certificate and the certificates in the authority chain. The other values come from the previous step, when you generated the new keystore.
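As an added rehearsal of the keytool and openssl steps above (example script, not part of the BMC documentation or the product), the following builds a throw-away root and intermediate CA with openssl, creates the keystore and CSR exactly as the procedure does, signs the CSR, bundles the chain into a .p7b with the same cat and crl2pkcs7 step, imports it under the same alias, and reads back the entry type and chain length that keytool -list -v reports. The hostname, passwords, file names and the ca.cnf contents are constructed for the example; openssl and keytool on PATH are assumed.

```shell
#!/bin/sh
# Added example, not BMC's code: rehearse the certificate procedure offline
# against a throw-away CA so each command is known to work before it is run
# on the portal server. Assumes openssl and keytool are on PATH. All names,
# passwords and paths below are constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="portal.example.test"            # constructed server name (CN and SAN)
ALIAS="blp-server"                    # same alias as in the page's commands
KEYSTORE="$WORK/blp.keystore"
STOREPASS="changeit"                  # constructed; use a real password in production

# Stand-in for "your own CA": a self-signed root plus one intermediate.
make_test_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test Root" -keyout "$WORK/root.key" -out "$WORK/root_cert.pem" 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Test Intermediate" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root_cert.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.cnf" -extensions v3_intermediate \
    -out "$WORK/intermediate_cert.pem" 2>/dev/null
}

# The procedure's first two steps, run non-interactively: key pair, then CSR.
make_keystore_and_csr() {
  keytool -genkeypair -alias "$ALIAS" -keystore "$KEYSTORE" -storetype jks \
    -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST, OU=IDD, O=BMC Software, L=San Jose, ST=California, C=US" \
    -ext "SAN=dns:$HOST" -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -certreq -alias "$ALIAS" -file "$WORK/blp.csr" -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -sigalg SHA256withRSA
}

# The CA's part, then the page's cat + crl2pkcs7 step that produces certs.p7b.
sign_and_bundle() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/blp.csr" -CA "$WORK/intermediate_cert.pem" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$WORK/leaf.ext" -out "$WORK/blp_cert.pem" 2>/dev/null
  cat "$WORK/root_cert.pem" "$WORK/intermediate_cert.pem" > "$WORK/ca_certs_chain.pem"
  openssl crl2pkcs7 -nocrl -certfile "$WORK/blp_cert.pem" \
    -certfile "$WORK/ca_certs_chain.pem" -out "$WORK/certs.p7b"
}

# Checks worth running before the import: does the leaf really chain to the
# root, and how many certificates did the .p7b actually pick up?
verify_chain() {
  openssl verify -CAfile "$WORK/root_cert.pem" -untrusted "$WORK/intermediate_cert.pem" \
    "$WORK/blp_cert.pem" >/dev/null
}
count_p7b_certs() {
  openssl pkcs7 -in "$WORK/certs.p7b" -print_certs -noout | grep -c '^subject='
}

# Import step: trust the test root explicitly, then install the reply under
# the key's own alias (keytool refuses a reply whose root it cannot trust).
import_chain() {
  keytool -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" -storetype jks \
    -alias test-root -file "$WORK/root_cert.pem" -noprompt
  keytool -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" -storetype jks \
    -alias "$ALIAS" -file "$WORK/certs.p7b" -noprompt
}

# Verification step: what keytool -list -v reports for the alias.
entry_type() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
    | sed -n 's/^Entry type: //p'
}
chain_length() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p'
}

main() {
  make_test_ca
  make_keystore_and_csr
  sign_and_bundle
  verify_chain
  echo "certificates in certs.p7b: $(count_p7b_certs)"
  import_chain
  echo "entry type: $(entry_type), chain length: $(chain_length)"
}
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh rehearse.sh run`; a correct pass ends with an entry type of PrivateKeyEntry and a chain length of 3. If the entry type comes back as trustedCertEntry instead, the reply was imported under a different alias than the private key, which is the mistake the alias note above warns about.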
Verify the keystore contents: the SSL certificate must have been imported into the alias whose "Entry type" is PrivateKeyEntry or KeyEntry. For example:
keytool -list -v -keystore "C:\Keys\keystore.jks" > C:\Keys\output_filename.txt
- Modify the server.xml configuration file, as follows:
- Navigate to the following location and open the server.xml file with a text editor.
- (Windows) installation_location\portal\tomcat\conf\server.xml
- (Linux) installation_location/portal/tomcat/conf/server.xml
Modify server.xml by removing the Connector port="8080" tag. Leave the Connector port="8443" tag. In the tag that you leave, modify the keystoreFile and keystorePass parameters so they reflect the values you set when creating the new keystore.
In the example shown below, the first Connector element (port="8080") is the one to remove; the second Connector element (port="8443") is the one to keep and edit.
<Connector maxConnections="8192" maxThreads="500" redirectPort="8443" connectionTimeout="20000"
    protocol="org.apache.coyote.http11.Http11NioProtocol" port="8080" namePrefix="dcaPortal"
    useSendfile="false" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript"></Connector>
<Connector keystorePass="<new_keystore_password>" keystoreFile="<path_to_new_keystore>" sslProtocol="TLS"
    clientAuth="false" secure="true" scheme="https" maxThreads="500" SSLEnabled="true"
    protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" namePrefix="dcaPortal"
    useSendfile="false" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript"></Connector>
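As an added check for the server.xml edit (example script, not from the BMC page or the product), the following confirms, before Tomcat is restarted, that no Connector on port 8080 remains, that exactly one SSLEnabled connector is left, that every attribute on it is properly quoted (a closing quote is easy to lose when pasting a password in), and that the keystoreFile path actually exists on the host. The sample server.xml it writes is constructed; only POSIX sh, grep, sed and tr are assumed.

```shell
#!/bin/sh
# Added example, not BMC's code: sanity-check an edited server.xml before
# restarting the portal's Tomcat. Assumes only POSIX sh, grep, sed and tr.
# The sample file written by write_sample_server_xml is constructed.
set -eu

# Writes a minimal server.xml in the shape the page ends up with: only the
# 8443 connector remains. $1 = output path, $2 = keystore path to reference.
write_sample_server_xml() {
  cat > "$1" <<EOF
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector keystorePass="S3cret-store" keystoreFile="$2"
        sslProtocol="TLS" clientAuth="false" secure="true" scheme="https"
        maxThreads="500" SSLEnabled="true"
        protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
        namePrefix="dcaPortal"></Connector>
  </Service>
</Server>
EOF
}

# Checks the edit: prints one line per problem and returns 1 if any were found.
check_server_xml() {
  f="$1"; rc=0
  flat=$(tr '\n' ' ' < "$f")          # elements span lines, so work on one line

  # 1. The plain-HTTP connector must be gone.
  if printf '%s' "$flat" | grep -q '<Connector[^>]*port="8080"'; then
    echo "FAIL: Connector on port 8080 is still present"; rc=1
  fi

  # 2. Exactly one TLS connector should remain.
  ssl=$(printf '%s' "$flat" | grep -o '<Connector[^>]*SSLEnabled="true"[^>]*>' || true)
  n=$(printf '%s\n' "$ssl" | grep -c '<Connector' || true)
  if [ "$n" -ne 1 ]; then
    echo "FAIL: expected one SSLEnabled connector, found $n"; return 1
  fi

  # 3. Every attribute must be closed: two quotes for each '="' opener.
  openers=$(printf '%s' "$ssl" | grep -o '="' | wc -l | tr -d ' ')
  quotes=$(printf '%s' "$ssl" | grep -o '"' | wc -l | tr -d ' ')
  if [ $((openers * 2)) -ne "$quotes" ]; then
    echo "FAIL: unbalanced quotes in the 8443 Connector (missing closing quote?)"; rc=1
  fi

  # 4. keystoreFile must name a file that exists on this host.
  ks=$(printf '%s' "$ssl" | sed -n 's/.*keystoreFile="\([^"]*\)".*/\1/p')
  if [ -z "$ks" ] || [ ! -f "$ks" ]; then
    echo "FAIL: keystoreFile '$ks' is missing or does not exist"; rc=1
  fi
  return "$rc"
}

# Usage: sh check_server_xml.sh installation_location/portal/tomcat/conf/server.xml
if [ $# -gt 0 ]; then check_server_xml "$1"; fi
```

The quote-balance test is deliberately simple (attribute values containing a literal quote would confuse it), but it catches the common paste error where keystorePass swallows the rest of the line, which Tomcat reports only as a parse failure at startup.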