Server Name Indication (SNI)
Proper implementation of SSL certificates is required for being able to access MVMA services from another host in your network after installation.
Starting with version 9.2.00, MVMA supports the Server Name Indicator (SNI) extension to the Transport Layer Security (TLS) protocol by which a client indicates the host name to which it is trying to connect in a request (for example, see RFC 3546). Therefore, you must provide certificates for each host name under which MVMA services should be available to MVMA user in the network. By default, MVMA installs its services with SNI enabled with a self-signed certificate in its keystore that is assigned to localhost as the host name, meaning that MVMA is available only if localhost appears in the host name in the URLs for accessing MVMA. Therefore, by default, MVMA is initially available only from within a browser running on the same system that MVMA is installed on.
To make MVMA in your network available from any browser by using the original host name in the URLs, you must add a certificate assigned to the name of the host where MVMA was installed.
For example, to add a self-signed certificate to the MVMA keystore to make MVMA available under the host name mvmahostname, open a console to the MVMA installation directory and perform the following step:
(Windows platform) Run
jre\jdk-21.0.2\bin\keytool -genkey -alias bmmadminhttps_mvmahostname -keyalg RSA -keysize 1024 -validity 3653 -startdate 2022/01/16 -dname "CN=mvmahostname, OU=BMM, O=BMC, L=Minneapolis, ST=MN, C=US" -keystore security\keystore.jks -storepass bmcsoftware
(Linux platform) Run
./jre/jdk-21.0.2/bin/keytool -genkey -alias bmmadminhttps_mvmahostname -keyalg RSA -keysize 1024 -validity 3653 -startdate 2022/01/16 -dname "CN=mvmahostname, OU=BMM, O=BMC, L=Minneapolis, ST=MN, C=US" -keystore security/keystore.jks -storepass bmcsoftware
To adjust this example to your network environment, replace mvmahostname with the network host name of the MVMA 9.2 installation system.
Important
We do not recommend using self-signed certificates in production.
To configure MVMA to use your own certificate, place that certificate in a keystore and provide the associated configuration to the application.
If you have a keystore already configured with your SSL certificate, follow these steps:
- Open <install_directory> /configuration/services/org.apache.felix.http.cfg in a text editor.
- Change the value of the key org.apache.felix.https.keystore so that it points to your keystore file.
Set the value of the key org.apache.felix.https.keystore.password to the password of your keystore. You can encode this password by running the following command and pasting the output into this field:
(Windows) <install_directory>/bin/encodePassword.bat(Linux) <install_directory>/bin/encodePassword.sh
Important
You must include the OBF prefix when using an obfuscated password. Do not use the MD5 password.
- If required, add a org.apache.felix.https.keystore.key.password property and set as the password for your certificate. You can encode this password by running the following command and pasting the output into this field:
(Windows) <install_directory>/bin/encodePassword.bat
(Linux) <install_directory>/bin/encodePassword.sh
If you have a certificate but do not have a keystore, use the keytool utility to create a keystore. You can then insert your certificate into the keystore. MVMA uses this certificate.
Creating a keystore can be a very complicated process; the following procedure details the basic steps only:
- Make sure that you have a valid certificate and you know the password for the certificate.
- Run the command <install_directory> /jre/<JRE platform>/ bin/keytool -importcert -keystore mykeystore.jks -file cert.pem
- When prompted, enter a password for the keystore, and confirm it by re-entering it.
You can now use this keystore in the MVMA configuration. You can use the encodePassword utility to conceal your passwords.
This section includes examples of listing certificates in a jks keystore, and printing a certificate to see the certificate chain.
Important
MVMA
supports Java Keystore files only.
Listing certificates in jks keystore
Run the keytool with the -list parameter. You can use -v to get more verbose output.
Listing certificates in a JKS also forces you to verify that the keystore is of a supported type.
To get a summary of the certificates and keys currently stored in a keystore or truststore run the following command:
keytool --list -keystore keystore.jks -storepass bmcsoftware
Example output
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
bmmadminhttps, Sep 7, 2017, PrivateKeyEntry, Certificate fingerprint (SHA1): 6F:0E:36:90:4A:28:E3:10:CA:88:BD:64:9B:97:69:CE:B1:20:8C:6D
To get a detailed list of the certificates and keys kept in a keystore or truststore, use the -v option as in the following command:
keytool --list -keystore keystore.jks -storepass bmcsoftware -v
Example output
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: bmmadminhttps
Creation date: Sep 7, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=cching@bmc.com, CN=EM-whartman-W1.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US
Issuer: EMAILADDRESS=cching@bmc.com, CN=EM-whartman-W1.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US Serial number: b525bf03a32ba45d Valid from: Thu Sep 07 11:08:02 CEST 2017 until: Sat Oct 07 11:08:02 CEST 2017 Certificate fingerprints:
MD5: 06:CE:D6:DE:0B:60:C3:49:C9:7D:C0:DE:4B:5C:AC:83
SHA1: 6F:0E:36:90:4A:28:E3:10:CA:88:BD:64:9B:97:69:CE:B1:20:8C:6D
SHA256: 71:9B:43:F5:9F:23:93:F4:C8:50:5C:AC:41:1F:26:99:36:C8:73:F0:2B:04:FA:F0:43:25:2C:29:A5:E8:93:60
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [
0000: 67 29 98 F8 06 DD EC 03 A4 7A 5E AE 29 A1 E8 89 g).......z^.)...
0010: 02 E1 A4 5A ...Z
]
]
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [
0000: 67 29 98 F8 06 DD EC 03 A4 7A 5E AE 29 A1 E8 89 g).......z^.)...
0010: 02 E1 A4 5A ...Z
]
]
To print a certificate to see the certificate chain
Run the keytool with the -printcert switch against a certificate file. You can use the -v switch to get more verbose output.
To print a self-signed certificate (owner and issuer are the same), use the following command:
$ keytool -printcert -file bmmadminhttps.pem -v
Example output
Owner: EMAILADDRESS=cching@bmc.com, CN=em-whartman-w2.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US
Issuer: EMAILADDRESS=cching@bmc.com, CN=em-whartman-w2.adprod.bmc.com, OU=BMM, O=BMC Software, L=Minneapolis, ST=MN, C=US Serial number: f57e86726ec751a9 Valid from: Fri Sep 08 12:45:31 CEST 2017 until: Sun Oct 08 12:45:31 CEST 2017 Certificate fingerprints:
MD5: A2:EC:62:CD:D0:A5:BB:C9:0D:3B:D8:41:E5:32:3F:87
SHA1: 43:FC:51:47:B3:4A:0D:20:70:69:36:91:68:A6:44:10:CF:1F:18:27
SHA256: BF:44:1B:A7:FB:F2:81:78:71:2D:2F:5D:7B:61:1C:76:4D:6D:53:78:C9:42:98:72:51:0F:55:C7:D8:F7:42:60
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [
0000: B9 BD 13 6E 18 AD 92 82 07 F5 FE A2 4F 42 69 31 ...n........OBi1
0010: E9 1B 42 3E ..B>
]
]
#2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [
0000: B9 BD 13 6E 18 AD 92 82 07 F5 FE A2 4F 42 69 31 ...n........OBi1
0010: E9 1B 42 3E ..B>
]
]
Use the following command example from TIBCO EMS certificates:
keytool -v -printcert -file client.cert.pem
The output refers to the issuer as part of the certificate chain
Owner: EMAILADDRESS=client@testcompany.com, CN=client, OU=client Unit, O=Test Company, L=us-english, ST=California, C=US
Issuer: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US Serial number: d652375c551d16af Valid from: Fri Feb 22 01:28:31 CET 2013 until: Mon Feb 20 01:28:31 CET 2023 Certificate fingerprints:
MD5: 72:34:D8:B9:2B:DD:AC:96:2B:D2:89:98:F1:2E:E1:E4
SHA1: C0:8D:10:29:8A:14:EC:BF:57:FE:C3:46:45:46:68:4C:A8:77:BC:ED
SHA256: C1:42:40:B7:7C:81:B7:70:01:55:BC:31:9E:45:62:46:B4:D0:4B:62:40:22:F9:5C:39:2E:F8:D7:CB:CC:C6:B3
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[
CA:false
PathLen: undefined
]
To follow the certificate chain, you can typically follow the certificate chain with the same certificate the issuer in the previous certificate was referring to:
keytool -v -printcert -file client_root.cert.pem
Example output
Owner: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US
Issuer: EMAILADDRESS=client_root@testcompany.com, CN=client_root, OU=client_root Unit, O=Test Company, L=us-english, ST=California, C=US Serial number: fec57ad3cd27746a Valid from: Fri Feb 22 01:28:31 CET 2013 until: Mon Feb 20 01:28:31 CET 2023 Certificate fingerprints:
MD5: 1E:A5:08:A6:86:38:96:11:18:F5:FD:89:8A:53:1F:F3
SHA1: 39:E0:93:76:E2:99:9A:AC:0C:23:B9:5E:61:8A:90:8D:76:48:96:65
SHA256: B9:15:2A:6E:AC:DF:EF:28:9F:A5:3F:17:15:A2:75:87:CB:AB:46:8C:10:41:E4:13:A0:82:7E:8E:18:46:61:CA
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[
CA:true
PathLen:0
]