Steps to import a 3rd party signed SSL certificate for the Veritas Operations Manager 6.x, 7.x and 8.x
Problem
Error message from the web browser:
Your connection is not private
The URL bar also shows "Not secure".
Solution
Sign the Tomcat web certificate with a Certificate Authority (CA)
Steps for Unix/Linux console server:
1. Prepare the environment
# mkdir -p /root/viom_certificates/{certs,keys,csr,config,tomcat}
# cd /root/viom_certificates
2. Back up the existing KeyStore
# cp /opt/VRTSsfmcs/webgui/tomcat/cert/.keystore /root/viom_certificates/tomcat/keystore-`date "+%s"`
Note: Keep this backup; it lets you restore the old keystore if ViOM MS needs to be returned to a working state.
3. Create a keystore holding a 2048-bit RSA key pair with the keytool utility
# /opt/VRTSsfmcs/webgui/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 3650 -keypass changeit -keystore /root/viom_certificates/tomcat/new_keystore -storepass changeit -dname "C=US, ST=CA, L=Mountain View, O=Veritas, CN=192.168.10.110, CN=viom, CN=viom.arctera.net" -keysize 2048
Notes: Update the CommonName (CN) values to match your environment.
The keystore password (changeit above) should be unique to your environment.
4. Create the certificate signing request (CSR).
# /opt/VRTSsfmcs/webgui/jre/bin/keytool -certreq -keyalg RSA -alias tomcat -file csr/viom.csr -keystore /root/viom_certificates/tomcat/new_keystore
Enter keystore password:
5. The Certificate Signing Request (CSR) must be sent to a Certificate Authority to be signed.
The following steps create a local Certificate Authority (CA) for that purpose:
5.a Create CA private key
# openssl genrsa -aes256 -out keys/ca.key 4096
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
5.b Create CA certificate
# openssl req -x509 -new -nodes -key keys/ca.key -sha256 -days 1826 -out certs/ca.crt -subj '/CN=Local CA/C=US/ST=Mass/L=Boston/O=Support'
Enter pass phrase for keys/ca.key:
Note: Update the Subject for your environment
5.c Sign the certificate using the CA certificate and key
# echo "subjectAltName=DNS:viom.arctera.net,IP:192.168.10.110" >> config/viom.ext
Note: DNS and IP must match the ViOM server.
# openssl x509 -req -days 3650 -sha256 -in csr/viom.csr -CA certs/ca.crt -CAkey keys/ca.key -out certs/viom.crt -set_serial 01 -extfile config/viom.ext
Certificate request self-signature ok
subject=CN=viom.arctera.net, CN=viom, CN=192.168.10.110, O=Veritas, L=Mountain View, ST=CA, C=US
Enter pass phrase for keys/ca.key:
/root/viom_certificates
├── certs
│   ├── ca.crt                 Certificate Authority
│   └── viom.crt               Server Certificate
├── config
│   └── viom.ext               Configuration file for signing
├── csr
│   └── viom.csr               Certificate Signing Request
├── keys
│   └── ca.key                 Certificate Authority Private Key
└── tomcat
    ├── keystore-1743775298    Original Tomcat KeyStore
    └── new_keystore           Updated Tomcat KeyStore
6. At this point, the Tomcat web server (the ViOM web server) is still running with the old/original certificate.
7. Import the Certificate Authority (CA) certificate.
# /opt/VRTSsfmcs/webgui/jre/bin/keytool -import -trustcacerts -alias intermediate -keystore /root/viom_certificates/tomcat/new_keystore -file certs/ca.crt
Enter keystore password:
Trust this certificate? [no]: yes
Certificate was added to keystore
8. Import the server certificate
# /opt/VRTSsfmcs/webgui/jre/bin/keytool -import -alias tomcat -keystore /root/viom_certificates/tomcat/new_keystore -trustcacerts -file certs/viom.crt
Enter keystore password:
Certificate reply was installed in keystore
9. Stop the VOM UI Web server process.
# /opt/VRTSsfmcs/bin/vomsc --stop web
Veritas Operations Manager Services:
Web Server.................................................................................................................[STOPPED]
10. Replace the original keystore with the one that contains the newly obtained certificates from the issuing Certificate Authority.
# cp /root/viom_certificates/tomcat/new_keystore /opt/VRTSsfmcs/webgui/tomcat/cert/.keystore
cp: overwrite '/opt/VRTSsfmcs/webgui/tomcat/cert/.keystore'? y
11. Start the VOM UI web server
# /opt/VRTSsfmcs/bin/vomsc --start web
Veritas Operations Manager Services:
Web Server.................................................................................................................[RUNNING]
12. If ViOM is configured as a VCS HA cluster, perform the following on the passive node.
# cp /opt/VRTSsfmcs/webgui/tomcat/cert/.new_keystore /opt/VRTSsfmcs/webgui/tomcat/cert/.keystore
Verify that communication is now secure.
Note: The Root CA, along with any Intermediate CA, must be imported on the host used to access the ViOM server console.
Keep copies of the new Tomcat keystore and the Certificate Authority (CA) material; they will be required when the ViOM server is upgraded.
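Added example, not part of the Veritas article: a POSIX shell script that repeats the local-CA signing steps above non-interactively in a scratch directory and then performs the check behind "verify communication is now secure", namely that the server certificate chains to the CA and that its subjectAltName carries the expected DNS name and IP. It assumes openssl is in PATH and leaves the CA key unencrypted only so that nothing prompts; keytool is not needed because the keystore itself is not what is checked here.

```shell
#!/bin/sh
# Added example (not from the Veritas article). Repeats the local-CA signing
# steps in a scratch directory without prompts, then checks offline what
# "verify communication is now secure" relies on: the server certificate
# chains to the CA and its subjectAltName carries the expected DNS name and IP.
# Assumed: openssl in PATH. The CA key is left unencrypted only so nothing
# prompts; a real CA key should be protected as the article does (-aes256).

WORK="$(mktemp -d)"

# Build CA, server key/CSR and a signed server certificate, with the SAN
# supplied through an extension file as the article's step 5.c does.
make_materials() {
    mkdir -p "$WORK/certs" "$WORK/keys" "$WORK/csr" "$WORK/config"
    openssl genrsa -out "$WORK/keys/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/keys/ca.key" -sha256 -days 1826 \
        -out "$WORK/certs/ca.crt" -subj '/CN=Local CA/C=US/O=Support'
    openssl genrsa -out "$WORK/keys/viom.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/keys/viom.key" -out "$WORK/csr/viom.csr" \
        -subj '/CN=viom.arctera.net/O=Veritas'
    echo "subjectAltName=DNS:viom.arctera.net,IP:192.168.10.110" > "$WORK/config/viom.ext"
    openssl x509 -req -days 3650 -sha256 -in "$WORK/csr/viom.csr" \
        -CA "$WORK/certs/ca.crt" -CAkey "$WORK/keys/ca.key" -set_serial 01 \
        -extfile "$WORK/config/viom.ext" -out "$WORK/certs/viom.crt" 2>/dev/null
}

# verify_server_cert CA_CERT SERVER_CERT DNS_NAME IP
# Exit status: 0 = chain and SAN good, 1 = does not chain to CA_CERT,
# 2 = SAN lacks DNS_NAME, 3 = SAN lacks IP. A browser shows "Not secure"
# when any of these checks fails.
verify_server_cert() {
    ca="$1"; crt="$2"; dns="$3"; ip="$4"
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "chain: FAIL (does not chain to $ca)"; return 1; }
    # The SAN values sit on the line after the "Subject Alternative Name" header.
    san="$(openssl x509 -in "$crt" -noout -text \
        | grep -A1 'Subject Alternative Name' || true)"
    # Substring matching is enough for this demonstration.
    case "$san" in *"DNS:$dns"*) ;; *) echo "SAN: missing DNS:$dns"; return 2 ;; esac
    case "$san" in *"IP Address:$ip"*) ;; *) echo "SAN: missing IP:$ip"; return 3 ;; esac
    echo "chain and SAN OK for $dns / $ip"
    return 0
}

# Stand-alone run: build the materials and check the result.
make_materials
verify_server_cert "$WORK/certs/ca.crt" "$WORK/certs/viom.crt" viom.arctera.net 192.168.10.110
```

Point the same function at the live server's certificate (saved from the keystore or from the browser) and your real CA file to confirm the import before telling users the warning is gone.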
Applies To
Veritas Operations Manager 6.x, 7.x and 8.x