NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "Authc" and "NWUI" (Linux)

Summary: These are the general steps to replace the default NetWorker self-signed certificate with a Certificate Authority (CA)-signed certificate for the "authc" and "nwui" services.


Instructions

These instructions describe how to replace the default NetWorker self-signed certificate with a CA-signed certificate for the authc and nwui services on the NetWorker server.

File names are not required to follow a naming convention, but the extension should indicate the type of file. The command examples shown are for Linux. For Windows instructions, see:
NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "Authc" and "NWUI" (Windows)
 

NOTE: If the environment is running on a NetWorker Virtual Edition (NVE) server, use the full path to the NetWorker Runtime Environment Java keytool utility (/opt/nre/java/latest/bin/keytool) instead of the default Java keytool utility (/usr/bin/keytool).


Certificate files involved:

<server>.csr: NetWorker server certificate signing request

<server>.key: NetWorker server private key

<server>.crt: NetWorker server CA-signed certificate

<CA>.crt: CA root certificate

<ICA>.crt: CA intermediate certificate (optional if it is available)

Keystores involved:

authc.keystore

authc.truststore

cacerts

nwui.keystore

Generate a private key and certificate signing request (CSR) file to provide to your CA.

  • Use the OpenSSL command-line utility to create the NetWorker server private key file (<server>.key) and CSR file (<server>.csr).

    # openssl req -new -newkey rsa:4096 -nodes -out /tmp/<server>.csr -keyout /tmp/<server>.key
  • Send the CSR file (<server>.csr) to the CA to generate the CA-signed certificate file (<server>.crt). The CA should provide the CA-signed certificate file (<server>.crt), the root certificate (<CA>.crt), and any intermediate CA certificates (<ICA>.crt).

Pre-verification steps:

Ensure you have the following:

  • server.crt file, which contains a PEM certificate whose first line is -----BEGIN CERTIFICATE----- and the last line is -----END CERTIFICATE-----
  • The key file starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
  • Confirm that all certificates are valid PEM format files by running openssl x509 -in <cert> -text -noout.
  • Verify the above output to be sure it is the right certificate.
  • Check the output of the following two commands:
    openssl rsa -pubout -in server.key
    openssl x509 -pubkey -noout -in server.crt
    The output of these two commands must match.
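
The pre-verification checks above can be run in one pass before any keystore is touched. The script below is an added example, not part of the original article or Dell's tooling; `precheck_cert` is a hypothetical helper name, and the expiry and chain checks go beyond the checks the article lists.

```shell
#!/usr/bin/env bash
# Added example, not Dell code. precheck_cert is a hypothetical helper name.
# Usage: precheck_cert <server.crt> <server.key> <CA.crt> [<ICA.crt>]
# Prints one line per check; returns 0 only if every check passes.
precheck_cert() {
    local cert="$1" key="$2" root="$3" ica="${4:-}" rc=0 cert_pub key_pub

    # 1. The certificate must parse as PEM X.509.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL $cert is not a PEM certificate"; return 1
    fi
    echo "OK   $cert parses as a PEM certificate"

    # 2. The public key derived from the private key must equal the one in
    #    the certificate. 'openssl pkey' reads both "BEGIN RSA PRIVATE KEY"
    #    and "BEGIN PRIVATE KEY" files, unlike a check on the header line.
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) || key_pub=
    if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   private key matches the certificate"
    else
        echo "FAIL private key does not match the certificate"; rc=1
    fi

    # 3. The certificate must not already be expired.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK   certificate has not expired"
    else
        echo "FAIL certificate has expired"; rc=1
    fi

    # 4. The certificate must chain to the root CA. Several intermediates
    #    can be concatenated into the one file passed as <ICA.crt>.
    if openssl verify -CAfile "$root" ${ica:+-untrusted "$ica"} "$cert" >/dev/null 2>&1; then
        echo "OK   chain verifies against $root"
    else
        echo "FAIL chain does not verify against $root"; rc=1
    fi
    return "$rc"
}

# Run the checks when the script is called with file arguments.
if [ "$#" -ge 3 ]; then precheck_cert "$@"; fi
```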

In order to facilitate the steps and commands described below, we create the following variables:

java_bin=/opt/nre/java/latest/bin
nsr=<path to /nsr partition> # In case of NVE for instance this is /data01/nsr
hostname=$(hostname -s) # Short host name, used in the .p12 file names below
cert=<path to server crt file>
key=<path to server key file>
RCAcert=<path to Root CA file>
ICAcert=<path to intermediate CA crt file>

If there is more than one intermediate certificate, create a variable for each certificate: ICA1, ICA2, and so on.

You must know the correct NetWorker keystore passwords. These passwords are set during AUTHC and NWUI configuration. If you are not sure, see:

You can set the keystore passwords directly as shell variables (option 1) or read them from a file to keep the password hidden (option 2):
Example for option 1:

authc_storepass='P4ssw0rd!'
nwui_storepass='Password1!'

Example for option 2:

authc_storepass=$(cat authc_storepass_file.txt)
nwui_storepass=$(cat nwui_storepass_file.txt)

Before you start:

Make a backup copy of the keystore and configuration files that are updated.

tar -zcvf /tmp/NSR_$(hostname -s)_$(date -I).tar.gz $java_bin/../lib/security/cacerts $nsr/nwui/monitoring/app/conf/nwui.keystore /opt/nsr/authc-server/conf /nsr/nwui/monitoring/nwuidb/pgdata

 

Auth Service Certificate Replacement Steps:

The authc service does not have to be stopped for the below procedure to work. It must be restarted for the new certificates to be loaded, however.

  1. Importing the certificates

    • Import the root certificate (<CA>.crt) and any intermediate CA certificates (<ICA>.crt) into the authc.keystore.

      $java_bin/keytool -import -alias RCA -keystore $nsr/authc/conf/authc.keystore -file $RCAcert -storepass $authc_storepass
      $java_bin/keytool -import -alias RCA -keystore /opt/nsr/authc-server/conf/authc.truststore -file $RCAcert -storepass $authc_storepass
      
      $java_bin/keytool -import -alias ICA -keystore $nsr/authc/conf/authc.keystore -file $ICAcert -storepass $authc_storepass
      $java_bin/keytool -import -alias ICA -keystore /opt/nsr/authc-server/conf/authc.truststore -file $ICAcert -storepass $authc_storepass
    • Use the NetWorker Server private key file (<server>.key) and the new CA-signed certificate file (<server>.crt) to create a PKCS12 store file for each of the emcauthctomcat and emcauthcsaml aliases.

      openssl pkcs12 -export -in $cert -inkey $key -name emcauthctomcat -out /tmp/$hostname.tomcat.authc.p12 -password pass:$authc_storepass
      openssl pkcs12 -export -in $cert -inkey $key -name emcauthcsaml -out /tmp/$hostname.saml.authc.p12 -password pass:$authc_storepass
      NOTE: The pkcs12 file password must match the password of the keystore. This is why, in this case, we create it with the authc storepass.
    • Import the PKCS12 store files to the authc.keystore.

      $java_bin/keytool -importkeystore -destkeystore $nsr/authc/conf/authc.keystore -srckeystore /tmp/$hostname.tomcat.authc.p12 -srcstoretype PKCS12 -srcstorepass $authc_storepass -deststorepass $authc_storepass
      $java_bin/keytool -importkeystore -destkeystore $nsr/authc/conf/authc.keystore -srckeystore /tmp/$hostname.saml.authc.p12 -srcstoretype PKCS12 -srcstorepass $authc_storepass -deststorepass $authc_storepass
    • Import the PKCS12 store files to the authc.truststore.

      $java_bin/keytool -importkeystore -destkeystore /opt/nsr/authc-server/conf/authc.truststore -srckeystore /tmp/$hostname.tomcat.authc.p12 -srcstoretype PKCS12 -srcstorepass $authc_storepass -deststorepass $authc_storepass
      $java_bin/keytool -importkeystore -destkeystore /opt/nsr/authc-server/conf/authc.truststore -srckeystore /tmp/$hostname.saml.authc.p12 -srcstoretype PKCS12 -srcstorepass $authc_storepass -deststorepass $authc_storepass
    • Delete the default NetWorker self-signed certificate and import the new CA-signed certificate file (<server>.crt) into the authc.truststore.

      $java_bin/keytool -delete -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass $authc_storepass
      $java_bin/keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -file $cert -storepass $authc_storepass
      $java_bin/keytool -delete -alias emcauthcsaml -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass $authc_storepass
      $java_bin/keytool -import -alias emcauthcsaml -keystore /opt/nsr/authc-server/conf/authc.truststore -file $cert -storepass $authc_storepass
    • Finally import this certificate into the Java cacerts keystore file under emcauthctomcat alias:

      $java_bin/keytool -delete -alias emcauthctomcat -keystore $java_bin/../lib/security/cacerts -storepass changeit
      $java_bin/keytool -import -alias emcauthctomcat -keystore $java_bin/../lib/security/cacerts -file $cert -storepass changeit
  2. Edit the admin_service_default_url=localhost value in the authc-cli-app.properties file to reflect the NetWorker Server name used in the CA-signed certificate file:

    cat /opt/nsr/authc-server/conf/authc-cli-app.properties
    admin_service_default_protocol=https
    admin_service_default_url=<my-networker-server.my-domain.com>
    admin_service_default_port=9090
    admin_service_default_user=
    admin_service_default_password=
    admin_service_default_tenant=
    admin_service_default_domain=
  3. A restart of NetWorker services is needed for authc to use the new imported certificate.

    nsr_shutdown
    systemctl start networker
  4. Re-establish authc trust on the NetWorker server:

    nsrauthtrust -H <local host or Authentication_service_host> -P 9090

Authc post-verifications:

The "Certificate fingerprint" shown for the alias must be identical in each of the keystores:

$java_bin/keytool -list -keystore $java_bin/../lib/security/cacerts -storepass changeit | grep emcauthctomcat -A1
$java_bin/keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass $authc_storepass | grep emcauthctomcat -A1
$java_bin/keytool -list -keystore $nsr/authc/conf/authc.keystore -storepass $authc_storepass | grep emcauthctomcat -A1

The output should be similar to this:

Certificate fingerprint (SHA-256): FD:54:B4:11:42:87:FF:CA:80:77:D2:C7:06:87:09:72:70:85:C1:70:39:32:A9:C0:14:83:D9:3A:29:AF:44:90

This fingerprint is that of the certificate which was installed. A match indicates that the new certificate was imported into the different keystores correctly. To display the fingerprint of the installed certificate:

openssl x509 -in $cert -fingerprint -sha256 -noout

When the authc service is up and running, you can check that the certificate it provides to an inbound connection is the same as the above:

openssl x509 -in <(openssl s_client -connect localhost:9090 -prexit 2>/dev/null </dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p') -fingerprint -sha256 -noout

*The above command was run from the NetWorker server itself, so it connects to localhost. Connections from outside use <nw server name>:9090
 

NetWorker User Interface (nwui) Service Certificate Replacement Steps:

We assume that the nwui services are running on the NetWorker server.

  • Stop the nwui service

    systemctl stop nwui
  • Delete the default NetWorker self-signed certificates and import the new CA-signed certificate file (<server>.crt) into the cacerts keystore. For consistency, we replace all nwui-related certificates with the CA-signed certificate.

    • Before performing the following steps, determine whether NetWorker Runtime Environment (NRE) or Java Runtime Environment (JRE) is used.
    • If JRE is used, the cacerts file is at $java_bin/../lib/security/cacerts.
    • If NRE is used, the cacerts file is at /opt/nre/java/latest/lib/security/cacerts.

      $java_bin/keytool -delete -alias emcnwuimonitoring -keystore $java_bin/../lib/security/cacerts -storepass changeit
      $java_bin/keytool -import -alias emcnwuimonitoring -keystore $java_bin/../lib/security/cacerts -file $cert -storepass changeit
      
      $java_bin/keytool -delete -alias emcnwuiserv -keystore $java_bin/../lib/security/cacerts -storepass changeit
      $java_bin/keytool -import -alias emcnwuiserv -keystore $java_bin/../lib/security/cacerts -file $cert -storepass changeit
      
      $java_bin/keytool -delete -alias emcnwuiauthc -keystore $java_bin/../lib/security/cacerts -storepass changeit
      $java_bin/keytool -import -alias emcnwuiauthc -keystore $java_bin/../lib/security/cacerts -file $cert -storepass changeit
  • Use the NetWorker Server private key file (<server>.key) and the new CA-signed certificate file (<server>.crt) to create a PKCS12 store file for each of the emcauthctomcat and emcauthcsaml aliases for the nwui keystore.

    openssl pkcs12 -export -in $cert -inkey $key -name emcauthctomcat -out /tmp/$hostname.tomcat.nwui.p12 -password pass:$nwui_storepass
    openssl pkcs12 -export -in $cert -inkey $key -name emcauthcsaml -out /tmp/$hostname.saml.nwui.p12 -password pass:$nwui_storepass
    NOTE: The pkcs12 file password must match the password of the keystore. This is why, in this case, we create it with the nwui storepass.
  • Import the .p12 files, root CA certificate, and intermediate CA certificates into the nwui keystore.

    $java_bin/keytool -importkeystore -destkeystore $nsr/nwui/monitoring/app/conf/nwui.keystore -srckeystore /tmp/$hostname.tomcat.nwui.p12 -srcstoretype PKCS12 -srcstorepass $nwui_storepass -deststorepass $nwui_storepass
    
    $java_bin/keytool -importkeystore -destkeystore $nsr/nwui/monitoring/app/conf/nwui.keystore -srckeystore /tmp/$hostname.saml.nwui.p12 -srcstoretype PKCS12 -srcstorepass $nwui_storepass -deststorepass $nwui_storepass
    
    $java_bin/keytool -import -alias RCA -keystore $nsr/nwui/monitoring/app/conf/nwui.keystore -file $RCAcert -storepass $nwui_storepass
    
    $java_bin/keytool -import -alias ICA -keystore $nsr/nwui/monitoring/app/conf/nwui.keystore -file $ICAcert -storepass $nwui_storepass
  • Rename the existing emcnwuimonitoring, emcnwuiauthc, and emcnwuiserv certificate files, and copy the server certificate to the same paths under the original file names.

    mv $nsr/nwui/monitoring/app/conf/emcnwuimonitoring.cer $nsr/nwui/monitoring/app/conf/emcnwuimonitoring.cer_orig
    cp $cert $nsr/nwui/monitoring/app/conf/emcnwuimonitoring.cer
    chown nsrnwui:nsrnwui $nsr/nwui/monitoring/app/conf/emcnwuimonitoring.cer
    
    mv /opt/nwui/conf/emcnwuiauthc.cer /opt/nwui/conf/emcnwuiauthc.cer_orig
    cp $cert /opt/nwui/conf/emcnwuiauthc.cer
    chown nsrnwui:nsrnwui /opt/nwui/conf/emcnwuiauthc.cer
    
    mv /opt/nwui/conf/emcnwuiserv.cer /opt/nwui/conf/emcnwuiserv.cer_orig
    cp $cert /opt/nwui/conf/emcnwuiserv.cer
    chown nsrnwui:nsrnwui /opt/nwui/conf/emcnwuiserv.cer
  • Start the nwui services

    systemctl start nwui

nwui Post-verifications:

The "Certificate fingerprint" shown for the alias must be identical in each of the keystores:

$java_bin/keytool -list -keystore $nsr/nwui/monitoring/app/conf/nwui.keystore -storepass $nwui_storepass | grep emcauthctomcat -A1
$java_bin/keytool -list -keystore $java_bin/../lib/security/cacerts -storepass changeit | grep emcauthctomcat -A1
$java_bin/keytool -list -storepass $authc_storepass -keystore $nsr/authc/conf/authc.keystore | grep emcauthctomcat -A1

This fingerprint is that of the certificate which was installed. A match indicates that the new certificate was imported into the different keystores correctly. To display the fingerprint of the installed certificate:

openssl x509 -in $cert -fingerprint -sha256 -noout
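
The authc and nwui post-verifications above both compare fingerprints by eye from `grep -A1` output. The script below is an added example, not part of the original article or Dell's tooling, that makes the comparison mechanical for any alias; the function names and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Dell code; the function names are hypothetical.

# alias_fp <alias>: read `keytool -list` output on stdin and print the SHA-256
# fingerprint of exactly that alias (keytool stores aliases in lower case).
alias_fp() {
    awk -v a="$1" '
        index(tolower($0), tolower(a) ",") == 1 { hit = 1; next }  # entry line
        hit && /fingerprint/ { sub(/^.*: /, ""); print toupper($0); exit }
        { hit = 0 }'
}

# cert_fp <file>: SHA-256 fingerprint of a PEM certificate, keytool format.
cert_fp() {
    openssl x509 -in "$1" -fingerprint -sha256 -noout | sed 's/^.*=//'
}

# check_store <label> <alias> <expected>: `keytool -list` output on stdin.
# Returns 0 on match, 1 on mismatch, 2 when the alias is not in the store.
check_store() {
    local got
    got=$(alias_fp "$2")
    if [ -z "$got" ]; then echo "MISSING  $1: $2"; return 2; fi
    if [ "$got" = "$3" ]; then echo "OK       $1: $2"; return 0; fi
    echo "MISMATCH $1: $2 is $got"; return 1
}

# Constructed sample: emcauthctomcat was replaced, emcauthcsaml was missed.
# The first fingerprint is made up; the second is the article's sample value.
SAMPLE_LIST='Keystore type: PKCS12
Your keystore contains 2 entries

emcauthcsaml, Nov 14, 2025, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 3A:91:0C:5E:77:B2:48:D0:19:6F:A4:E3:52:8B:C7:04:9D:61:F8:2A:B5:0E:73:C9:14:86:DF:3B:60:A7:E1:58
emcauthctomcat, Nov 14, 2025, PrivateKeyEntry,
Certificate fingerprint (SHA-256): FD:54:B4:11:42:87:FF:CA:80:77:D2:C7:06:87:09:72:70:85:C1:70:39:32:A9:C0:14:83:D9:3A:29:AF:44:90'
NEW_FP='FD:54:B4:11:42:87:FF:CA:80:77:D2:C7:06:87:09:72:70:85:C1:70:39:32:A9:C0:14:83:D9:3A:29:AF:44:90'

# Real use with the article's variables:
#   want=$(cert_fp "$cert")
#   "$java_bin/keytool" -list -keystore "$nsr/authc/conf/authc.keystore" \
#       -storepass "$authc_storepass" | check_store authc.keystore emcauthcsaml "$want"
if [ "${1:-}" = "--demo" ]; then
    for a in emcauthctomcat emcauthcsaml emcnwuiserv; do
        printf '%s\n' "$SAMPLE_LIST" | check_store sample "$a" "$NEW_FP" || true
    done
fi
```

Running the script with `--demo` reports OK, MISMATCH and MISSING for the three aliases in the constructed listing.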

nwui PostgreSQL Certificate Replacement Steps

mv $nsr/nwui/monitoring/nwuidb/pgdata/server.crt $nsr/nwui/monitoring/nwuidb/pgdata/server.crt_orig
mv $nsr/nwui/monitoring/nwuidb/pgdata/server.key $nsr/nwui/monitoring/nwuidb/pgdata/server.key_orig
cp $cert $nsr/nwui/monitoring/nwuidb/pgdata/server.crt
cp $key $nsr/nwui/monitoring/nwuidb/pgdata/server.key
NOTE: The owner of the <server>.crt and <server>.key files must be the user under which the PostgreSQL database is running.
  • Linux: nsrnwui

Additional Information

For further information about importing a CA-signed certificate, see the Dell NetWorker Security Configuration Guide.

The process for replacing the NetWorker Management Console (NMC) self-signed certificate with a CA signed certificate is detailed in the following KB:

NetWorker: How to Import or Replace Certificate Authority Signed Certificates for NMC

Affected Products

NetWorker Family, NetWorker
Article Properties
Article Number: 000194900
Article Type: How To
Last Modified: 14 Nov 2025
Version:  24