Enabling third-party Certification Authority certificates to work with Yellowfin
You can enable third-party certificates with Yellowfin. A certificate authority, or certification authority, (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified.
In general, perform the following steps for supporting third-party CA certificates:
- Use JRE keytool to create a private key and certificate signing request (CSR) and send the CSR to the signing authority. The signing authority returns the signed certificate, along with the CA certificate.
- Use the keystore during Yellowfin installation and configuration.
- Configure TrueSight Server Automation with the supporting CA certificates.
To create keystores, private and public keys, and certificates
This section creates a third-party certificate to use with Yellowfin.
- Unzip LiveReportingPostInstaller.zip (Windows) or LiveReportingPostInstaller.tar (Linux).
For Linux:
tar xvf LiveReportingPostInstaller.tar
- From the command prompt, navigate to the directory where keytool is located, for example, C:\Program Files\BMC Software\Live_Reporting\jre\bin.
- Create the keystore and the private key (keystore.jks).
A keystore holds your private and public keys. When creating a Java keystore, you create the keystore.jks file that at first contains only the private key. This example used password as the password.
keytool -genkey -alias yellowfin-server -keyalg RSA -keystore C:\Keys\keystore.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: vw-aus-clmidd09.bmc.com
What is the name of your organizational unit?
[Unknown]: IDD
What is the name of your organization?
[Unknown]: BMC Software
What is the name of your City or Locality?
[Unknown]: San Jose
What is the name of your State or Province?
[Unknown]: California
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=vw-aus-clmidd09.bmc.com, OU=BMC Software,
O=IDD, L=San Jose, ST=California
, C=US correct?
[no]: yes
Enter key password for <clmui>
(RETURN if same as keystore password):
Re-enter new password:
- Create the certificate signing request (CSR).
This example used password as the password.
keytool -certreq -alias yellowfin-server -ext SAN=DNS:appserver1.example.com,DNS:appserver2.example.com,DNS:appserver3.example.com -file C:\Keys\yellowfin_server.csr -keystore C:\Keys\keystore.jks -sigalg SHA256withRSA
where SAN= contains the host name used in the CN at minimum, and all the Application Server names and any VIP name.
- Send the CSR file to a CA for signing using one of the following methods. The CA returns a signed SSL certificate, for example, ssl_cert.cer.
  - Have the CSR be signed by a commercial CA like Symantec. This process usually requires you to post the CSR into a web form, pay for the signing, and await the signed SSL certificate. For more information about commercial CAs, see:
    - Symantec: http://digitalid.verisign.com/server
    - CertiSign Certificadora Digital Ltd: http://www.certisign.com.br
    - Uptime Commerce Ltd: http://www.uptimecommerce.com
    - BelSign NV/SA: http://www.belsign.be
  - Use your own CA and get the CSR signed by this CA.
- (Optional) Download and import the Root CA certificate (for example, RootCA.cer) into the browser's Trusted Root Certification Authorities store.
Trial versions of the Root CA certificate must be installed on each browser where you will test it. This step is not necessary with production certificates. For more information, see the Symantec documentation on using root certificates.
- Download and import the Root CA certificate (for example, RootCA.cer) on the product host.
Do not mismatch the Root and intermediate CA certificates – select the appropriate Intermediate CA certificate for your SSL Certificate type.
keytool -import -trustcacerts -alias root -keystore "C:\Keys\keystore.jks" -file "C:\Keys\RootCA.cer"
Enter keystore password:
Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 168164a428ca12dfab12f19fb1b93554
Valid from: Tue Mar 31 19:00:00 CDT 2009 until: Sat Mar 31 18:59:59 CDT 2029
Certificate fingerprints:
MD5: E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
SHA256: 89:DD:5C:3D:FE:28:13:87:45:1F:A3:A0:F7:8C:1A:B6:77:DB:18:63:9E:71:72:AD:B2:52:91:CF:BE:F7:8D:19
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
- Download and import the intermediate certificate (for example, intermediate.cer) on the product host.
Do not mismatch the Root and intermediate CA certificates – select the appropriate Intermediate CA certificate for your SSL Certificate type.
keytool -import -trustcacerts -alias Intermediate -keystore C:\Keys\keystore.jks -file C:\Keys\intermediate.cer
Enter keystore password:
Certificate was added to keystore
For more information, see the Symantec documentation on using intermediate certificates.
- Install the SSL certificate (for example, ssl_cert.cer) on the product host.
The alias name in this command must be the same as the alias name used during the generation of the private key and CSR, for example, blade.
keytool -import -trustcacerts -alias yellowfin-server -keystore "C:\Keys\keystore.jks" -file "C:\Keys\ssl_cert.cer"
For more information, see the Symantec documentation on installing certificates on Tomcat.
- Verify the contents of the keystore: confirm that the SSL certificate is imported into the alias with the "Entry Type" of PrivateKeyEntry or KeyEntry.
For example:
keytool -list -v -keystore "C:\Keys\keystore.jks" > C:\Keys\output_filename.txt
- Copy the C:\Keys\keystore.jks file to the <livereporting_installation_directory>\Yellowfin\appserver\conf directory on the Live Reporting Server.
- Open the <livereporting_installation_directory>\Yellowfin\appserver\conf\server.xml in a text editor and perform the following steps:
- Update the keystoreFile parameter with the path to the keystore.jks file you copied in the previous step.
- Update the keystorePass parameter with the new keystore password. You need to use an encrypted password.
- Restart the Yellowfin service after you modify these parameters.
- Perform the following steps to configure live reporting with TrueSight Server Automation:
- Export the certificate by using alias yellowfin-server from the newly generated keystore.jks file.
- Import the certificate in TrueSight Server Automation Application Server.
For more information about importing the certificate, see Importing certificate to TrueSight Server Automation application server.
- Cross-launch the Live Reporting Dashboard with HTTPS and confirm that the cross-launch is successful.
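An added example (not BMC or Yellowfin code) for the keystore verification step above: a POSIX shell check over the listing saved by keytool -list -v that confirms the yellowfin-server alias holds the private key together with a CA-issued chain. The function names and both sample listings are constructed for illustration, and the chain-length test assumes the certificate was issued by a CA rather than self-signed.

```shell
# Added example: inspect a saved `keytool -list -v` listing (verify step).

# Print "<entry type> <chain length>" for alias $2 in listing file $1.
alias_summary() {
  awk -v want="$2" '
    { sub(/\r$/, "") }                 # listing may come from Windows (CRLF)
    /^Alias name: /                              { cur = substr($0, 13) }
    cur == want && /^Entry type: /               { type = substr($0, 13) }
    cur == want && /^Certificate chain length: / { len = $4 }
    END { if (type != "") print type, (len == "" ? 0 : len) }
  ' "$1"
}

# Return 0 only when alias $2 holds the private key plus a CA-issued chain.
check_listing() {
  summary=$(alias_summary "$1" "$2")
  [ -n "$summary" ] || { echo "FAIL: alias $2 not found"; return 1; }
  etype=${summary% *}; chain=${summary##* }
  case "$(printf '%s' "$etype" | tr '[:upper:]' '[:lower:]')" in
    privatekeyentry|keyentry) ;;
    *) echo "FAIL: $2 is $etype, so the private key is not under this alias"; return 2 ;;
  esac
  [ "$chain" -ge 2 ] || { echo "FAIL: chain length $chain, CA reply not installed on $2"; return 3; }
  echo "OK: $2 is $etype with chain length $chain"
}

# Constructed sample: the signed certificate was imported under a different
# alias, so the key entry is still self-signed (chain length 1).
sample_wrong_alias() {
  cat <<'EOF'
Alias name: yellowfin-server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Alias name: ssl-cert
Entry type: trustedCertEntry
EOF
}

# Constructed sample: reply imported under the key's alias, chain up to root.
sample_good() {
  cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Alias name: yellowfin-server
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}
```

After sourcing the functions, call check_listing with the path to the saved output file and the alias yellowfin-server; a non-zero return means the keystore should not be copied to the Live Reporting Server yet.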
Where to go from here
For complete end-to-end instructions on enabling HTTPS in Yellowfin with a third-party certificate, see: