
NetWorker: How to import/replace the Certificate Authority (CA) signed certificate on the NetWorker Server

Summary: These are the general steps to replace the default NetWorker self-signed certificate with a Certificate Authority (CA) signed certificate.


Article Content


Instructions

These instructions replace the default NetWorker self-signed certificate with a CA signed certificate for the authc server on the NetWorker server.

There is no naming requirement for the files, but each extension should reflect the type of file. The command examples shown are for Linux after copying the files to the /tmp directory; however, the process also applies to Windows using the relevant file paths.

NOTE: If the environment is running on a NetWorker Virtual Edition (NVE) server, use the full path to the NetWorker Runtime Environment Java keytool utility (/opt/nre/java/latest/bin/keytool), instead of the default Java keytool utility (/usr/bin/keytool).


Certificate files involved: 

 

  • <server>.csr : NetWorker server certificate signing request
  • <server>.key : NetWorker server private key 
  • <server>.crt : NetWorker server CA signed certificate.
  • <CA>.crt : CA root certificate
  • <ICA>.crt : CA intermediate certificate (optional if it is available)

Keystores involved:

  • authc.keystore
  • authc.truststore
  • cacerts
  • nwui.keystore


1) Ensure that there are no backup/restore jobs running in the environment, and then shut down the NetWorker Server services.

systemctl stop networker


2) Verify that the NetWorker Server authc service is not using a custom Java runtime environment. If the NetWorker Runtime Environment (NRE) is being used, then the default is /opt/nre/java/latest.

# cat /nsr/nsrrc | grep JAVA
JAVA_HOME=/opt/nre/java/latest
export JAVA_HOME


3) Make a backup copy of the keystore and configuration files that will be updated.

tar -zcvf /tmp/NSR_$(hostname -s)_$(date -I).tar.gz /opt/nre/java/latest/lib/security/cacerts /nsr/nwui/monitoring/app/conf/nwui.keystore /opt/nsr/authc-server/conf/* /nsr/nwui/monitoring/nwuidb/pgdata/*


4) Use the OpenSSL command-line utility to create the NetWorker server private key file (<server>.key) and certificate signing request file (<server>.csr).  

 # openssl req -new -newkey rsa:2048 -nodes -out /tmp/<server>.csr -keyout /tmp/<server>.key

 

NOTE: OpenSSL is not installed by default on the Windows Operating System. OpenSSL can be installed on a Windows NetWorker server, or the output files can be generated on a Linux host and copied to the Windows NetWorker server.

 

5) Send the certificate signing request file (<server>.csr) to the Certificate Authority to generate the CA signed certificate file (<server>.crt). The CA should provide the CA signed certificate file (<server>.crt), the root certificate (<CA>.crt) and any intermediate CA certificates (<ICA>.crt).

6) Copy the new files to a temporary directory on the NetWorker Server, and then import them into the configuration:
  • Import the root certificate (<CA>.crt) and any intermediate CA certificates (<ICA>.crt) into the authc.keystore.
 # keytool -import -alias RCA -keystore /nsr/authc/conf/authc.keystore -file /tmp/<CA>.crt
 # keytool -import -alias ICA -keystore /nsr/authc/conf/authc.keystore -file /tmp/<ICA>.crt
  • Use the NetWorker Server private key file (<server>.key) and the new CA signed certificate file (<server>.crt) to create a PKCS12 store file for each of the emcauthctomcat and emcauthcsaml aliases.
# openssl pkcs12 -export -in /tmp/<server>.crt -inkey /tmp/<server>.key -name emcauthctomcat -out /tmp/<server>.tomcat.p12
# openssl pkcs12 -export -in /tmp/<server>.crt -inkey /tmp/<server>.key -name emcauthcsaml -out /tmp/<server>.saml.p12 
  • Import the PKCS12 store files to the authc.keystore.
# keytool -importkeystore -destkeystore /nsr/authc/conf/authc.keystore -srckeystore /tmp/<server>.tomcat.p12 -srcstoretype PKCS12 
# keytool -importkeystore -destkeystore /nsr/authc/conf/authc.keystore -srckeystore /tmp/<server>.saml.p12 -srcstoretype PKCS12 
  • Delete the default NetWorker self-signed certificate and import the new CA signed certificate file (<server>.crt) into the authc.truststore
# keytool -delete -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore
# keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -file /tmp/<server>.crt


 7) Edit the 'admin_service_default_url=localhost' value in the authc-cli-app.properties file to reflect the NetWorker Server name used in the CA signed certificate file:

# cat /opt/nsr/authc-server/conf/authc-cli-app.properties
admin_service_default_protocol=https
admin_service_default_url=<my-networker-server.my-domain.com>
admin_service_default_port=9090
admin_service_default_user=
admin_service_default_password=
admin_service_default_tenant=
admin_service_default_domain=


8) If the NetWorker Web User Interface (NWUI) services are running on the NetWorker Server, perform the following:

  • Stop the NWUI service
systemctl stop nwui
  • Delete the default NetWorker self-signed certificate and import the new CA signed certificate file (<server>.crt) into the cacerts keystore:
# keytool -delete -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
# keytool -import -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -file /tmp/<server>.crt -storepass changeit
  • Import the emcauthctomcat alias PKCS12 store file to the nwui.keystore:
# keytool -importkeystore -destkeystore /nsr/nwui/monitoring/app/conf/nwui.keystore -srckeystore /tmp/<server>.tomcat.p12 -srcstoretype PKCS12
  • Copy the new CA signed certificate file (<server>.crt) and the server private key file (<server>.key) to the postgres database directory.
# cp /tmp/<server>.crt /nsr/nwui/monitoring/nwuidb/pgdata/
# cp /tmp/<server>.key /nsr/nwui/monitoring/nwuidb/pgdata/
  • Ensure that the copied files have 600 permissions in the postgres database directory
# chmod 600 /nsr/nwui/monitoring/nwuidb/pgdata/<server>.crt
# chmod 600 /nsr/nwui/monitoring/nwuidb/pgdata/<server>.key
  • Edit the 'ssl_cert_file' and 'ssl_key_file' file name entries in the postgresql.conf file.
# cat postgresql.conf | grep -e ssl_cert_file -e ssl_key_file
ssl_cert_file = '<server>.crt'            # (change requires restart)
ssl_key_file = '<server>.key'             # (change requires restart)

9) Start the NetWorker Server and nwui services
# systemctl start networker
# systemctl start nwui


10) Establish authc trust on the NetWorker server after adding the CA signed certificates:

# nsrauthtrust -H <local host or Authentication_service_host> -P 9090
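
Before importing anything in step 6, it is worth confirming that the files returned by the CA belong together and that the unencrypted private key created in step 4 is not readable by other users. The following shell function is an added example, not part of the Dell article; the function name check_cert_bundle and its argument order are assumptions, and it uses only standard OpenSSL commands.

```shell
#!/usr/bin/env bash
# Added example (not from the Dell article): sanity checks on the files
# returned by the CA, run before anything is imported into a keystore.
# Usage: check_cert_bundle <server.key> <server.crt> <CA.crt> <fqdn> [<ICA.crt>]
# Returns 0 if all checks pass, otherwise the number of the failed check.

check_cert_bundle() {
    key=$1 crt=$2 ca=$3 host=$4 ica=${5:-}

    # 1. The certificate must contain the public half of the key from step 4.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "FAIL: $crt was not issued for $key"; return 1
    fi

    # 2. The certificate must chain to the root, via the intermediate if given.
    if [ -n "$ica" ]; then
        openssl verify -CAfile "$ca" -untrusted "$ica" "$crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1
    fi || { echo "FAIL: $crt does not chain to $ca"; return 2; }

    # 3. The name clients connect to (admin_service_default_url in step 7)
    #    must be covered by the certificate's SAN or CN.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match' \
        || { echo "FAIL: $crt does not cover host name $host"; return 3; }

    # 4. The key was written with -nodes (no passphrase), so group and
    #    others must have no access to it (mode 600 or stricter).
    case $(ls -ld "$key" | cut -c5-10) in
        ------) ;;
        *) echo "FAIL: $key is accessible to other users; chmod 600 it"; return 4 ;;
    esac

    echo "OK: key, certificate, chain and host name are consistent"
}
```

Once the imports are complete and the services are running again, remove the private key and .p12 files from /tmp, since both contain the server's private key.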

 

Additional Information

Default Windows Server path to referenced files:
  • C:\Program Files\NRE\java\jre##.#_###\lib\security\cacerts
  • C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\authc.keystore
  • C:\Program Files\EMC NetWorker\nsr\authc-server\conf\authc.truststore
  • C:\Program Files\EMC NetWorker\nsr\authc-server\conf\authc-cli-app.properties
  • C:\Program Files\EMC Networker\nwui\monitoring\nwuidb\pgdata\postgresql.conf
  • C:\Program Files\EMC NetWorker\nwui\monitoring\app\conf\nwui.keystore

For further information about importing a CA signed certificate, see the Dell NetWorker Security Configuration Guide.

Article Properties


Affected Product

NetWorker Family, NetWorker

Last Published Date

18 Jul 2023

Version

10

Article Type

How To