Using third-party Certification Authority certificates

A certificate authority, or certification authority, (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. With this certification, relying parties can trust signatures or assertions made by the private key that corresponds to the public key that is certified.

• Before you begin
• To create a CSR request using OpenSSL
• To configure Apache to support CA certificates
• To configure Cognos to support CA certificates
• Where to go from here

For using third-party CA certificates, the general steps are:

1. Create a certificate signing request (CSR) using OpenSSL and send the CSR to CA. CA returns the signed authority, along with the CA certificate. For instructions, see To create a CSR request using OpenSSL.
2. Configure Apache to support CA certificates. For instructions, see To configure Apache to support CA certificates.
3. Configure IBM Cognos to support CA certificates. For instructions, see To configure Cognos to support CA certificates.

Before you begin

(Microsoft Windows only) Set the OPENSSL_CONF environment variable from the command prompt by executing the following command:

To create a CSR request using OpenSSL

1. Log on to a computer where Network Shell is installed.
2. From the command prompt, navigate to the following directory:
   • (Windows) BDSSAInstallationDirectory\webserver\bin
   • (UNIX) NSHInstallationDirectory/bin
     

3. Use the following command to create an RSA private key that is Triple-DES encrypted. This command creates the private key in the directory from where you run the command.

   • (Windows)

     openssl genrsa -des3 -out <namePrivateKey>.key 2048

     For example:

     openssl genrsa -des3 -out bmcsareports_new.key 2048

   • (UNIX)

     ./openssl genrsa -des3 -out <namePrivateKey>.key 2048

     For example:

     ./openssl genrsa -des3 -out bmcsareports_new.key 2048

     In the above command: 

     • -des3 encrypts the private key with the des3 cipher before outputting it.
     • namePrivateKey indicates the name with which private key will be generated.
     • 2048 indicates the size of the private key to generate in bits.
4. Create and confirm the pass phrase for the private key.
5. After the private key is created, run the following command:

   1. (Windows)

      openssl rsa -in bmcsareports_new.key -out bmcsareports.key

   2. (UNIX)

      openssl rsa -in bmcsareports_new.key -out bmcsareports.key

      In the above command, bmcreports_new.key is the private key that you created in step 3.

6. Enter the pass phrase that you created in step 4.
7. Run the following command to create a CSR by using the private key (bmcsareports_new.key) that you created in step 3:

   1. (Windows)

      openssl req -new -key bmcsareports.key -out bmcsareports_new.csr -config ..\conf\openssl.cnf

   2. (UNIX)

      ./openssl req -new -key bmcsareports.key -out bmcsareports_new.csr -config <NSHInstallationDirectory>/share/openssl.cnf

      For example:

      ./openssl req -new -key bmcsareports.key -out bmcsareports_new.csr -config /opt/bmc/bladelogic/NSH/share/openssl.cnf

      
      bmcsareports_new.csr is the output file containing CSR. The above command sends request to CA to generate the certificate in PEM (Base-64 encoded ASCII) format, which is the format required by Apache and Cognos to support CA certificates.
      

8. Enter the pass phrase that you created in step 4.
9. Enter the following information for the CSR:
   • Country name
   • Site or Province name
   • Locality name
   • Organization name
   • Organizational Unit name
   • Common name
   • Email address
   • A challenge password
   • (Optional) Company name
     The following figure shows the sample information on Windows:
     
10. Send the CSR file (bmcsareports_new.csr) to a CA for signing using one of the following methods. CA returns a signed certificate, for example, ca_cert.crt.
    
    • Have the CSR be signed by a commercial CA like Verisign or Thawte. This process usually requires you to post the CSR into a web form, pay for the signing, and await the signed certificate. For more information about commercial CAs see:
      • Verisign: http://digitalid.verisign.com/server
      • Thawte Consulting: http://www.thawte.com/certs/server/request.html
      • CertiSign Certificadora Digital Ltd: http://www.certisign.com.br
      • IKS GmbH: http://www.iks-jena.de/produkte/ca/
      • Uptime Commerce Ltd: http://www.uptimecommerce.com
      • BelSign NV/SA: http://www.belsign.be
    • Use your own CA and get the CSR signed by this CA.
      The result is then a real certificate that can be used for Apache and Cognos.

To configure Apache to support CA certificates

1. If BMC BladeLogic Decision Support for Server Automation is not configured for SSL communication using https, run the following command:

   set sslon

   This command configures Apache and Cognos to support SSL communication. You must restart the Apache server and Cognos to verify that the reports are accessible.

2. Copy the certificate private key file (bmcsareports_new.key), and the CA certificate file (ca_cert.crt) in the BLREPORTS_HOME\webserver\conf folder. All the certificates must be PEM (Base-64 encoded ASCII) formatted. You can use OpenSSL to convert certificates into the PEM format.

   Tip

   To verify that a file is PEM-formatted, open the file and check that contents of the file is enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" tags.

3. Navigate to the BLREPORTS_HOME\webserver\conf folder, open the httpd-ssl.conf file, and do the following:
   1. Search for SSLCertificateKeyFile and specify the full path of the certificate private key file. For example: SSLCertificateKeyFile "C:/Program Files (x86)/BMC/Reports/webserver/conf/bmcsareports.key".
   2. If the CA certificate is available, search for SSLCACertificateFile and uncomment the line containing this entry, and specify the full path of the CA certificate file. For example: SSLCACertificateFile "C:/Program Files (x86)/BMC/Reports/webserver/conf/ca_cert.crt".

4. Restart the Apache server.

   Warning

   After configuring Apache for CA certificate support, you must not run the set sslon or the set sslport commands. These commands undo the configuration changes made for CA certificate support.

   Note

   If the Apache server does not start and the Apache log shows the following error, use the resolution mentioned on http://www.entrust.net/knowledge-base/technote.cfm?tn=5634.

   [error] Init: SSLPassPhraseDialog builtin is not supported on Win32

To configure Cognos to support CA certificates

1. Copy the CA certificate (ca_cert.crt) received from your CA to a secure location on the Cognos server.
   The certificate must be in the PEM format.

2. Import the CA certificate by navigating to BLREPORTS_HOME\portal\bin on the command prompt by running the following command:

   Note

   The following command imports the CA certificate with the key store (jCAKeystore in this case) password if you specify the password. If -p is not included, NoPassWordSet is used as a default password. If you want to specify a different password, perform the following steps before executing this command:

   1. From the IBM Cognos Configuration, change the Signing key store password, the Encryption key store password, and the Certificate Authority key store password.

   2. Navigate to the BDSSAInstallationDirectory/portal/configuration directory, open the cogstartup_oracle.xml.tmpl or cogstartup_sqlserver.xml.tmpl file (depending on the database), and edit the passwords in the following directives: certificateAuthorityKeyFilePassword, signKeyFilePassword, and encryptKeyFilePassword.

   • (Windows)

     ThirdPartyCertificateTool.bat -java:local -T -i -r <CA_certFle> -k
     <BLREPORTS_HOME>\portal\configuration\signkeypair\jCAKeystore -p <password>

     For example:

     ThirdPartyCertificateTool.bat -java:local -T -i -r <CA_certFle> -k
     <BLREPORTS_HOME>\portal\configuration\signkeypair\jCAKeystore -p NoPassWordSet
   • (UNIX)
     1. From the command prompt, set the JAVA_HOME variable to BLREPORTS_HOME/jre.

     2. Enter the following command:

        ThirdPartyCertificateTool.sh -java:local -T -i -r <CA_certFile> -k
        <BLREPORTS_HOME>/portal/configuration/signkeypair/jCAKeystore -p <password>

        For example:

        ThirdPartyCertificateTool.sh -java:local -T -i -r <CA_certFile> -k
        <BLREPORTS_HOME>/portal/configuration/signkeypair/jCAKeystore -p NoPassWordSet
3. Restart Cognos.
4. Navigate to the BLREPORTS_HOME/portal/logs directory and open the cogconfig_response.csv file.
5. Verify that the following messages are logged in the file:
   EXEC, "Start Service]", "Starting the service 'Cognos 8'" and SUCCESS, "[Start Service]", "Completed successfully."
   These messages indicate that Cognos is restarted successfully.

Where to go from here

Setting-global_names-to-true-for-Oracle-databases