Replace Default Self-signed Certificate in Unisphere for VMAX with Trusted Third-party Certificate
Summary: How to replace the default self-signed certificate in Unisphere for VMAX with a certificate issued by a trusted third party.
Instructions
How to replace the default self-signed certificate in Unisphere for VMAX with a certificate issued by a trusted third party on a standalone host.
- Obtain the keystore password.
- You need the keystore password to complete the following procedure. The keystore password is generated during installation and is stored in the following file:
install_dir/SMAS/jboss/domain/configuration/domain.xml.init
install_dir/SMAS/jboss/domain/configuration/host.xml
- Open the file and search for: ssl key-alias="tomcat" password=
- Generate a new JKS key/trust store file with the server certificate alias Tomcat and key/store password as described above.
- Generate a certificate request.
- To generate a certificate request:
- For Windows, enter the following commands:
cd install_dir\SMAS\jboss\standalone\configuration
install_dir\SMAS\jre\bin\keytool -certreq -alias tomcat -file tomcatcert.csr -keystore Keystore
keytool.exe was located in C:\Program Files\SMAS\jre\bin, so the command must be run from there. Ignore configuration location comment.
- For Linux, enter the following commands:
cd install_dir/SMAS/jboss/standalone/configuration
install_dir/SMAS/jre/bin/keytool -certreq -alias tomcat -file tomcatcert.csr -keystore Keystore
- When prompted to do so, enter the keystore password.
A file named tomcatcert.csr is generated. This file is a certificate request. If the "Failed to establish chain from reply" error message appears, your CA is not in the keystore's default trust chain. (The keystore comes with a default set of trusted CAs.)
- To import a trusted certificate into your keystore:
- For Windows, enter the following commands:
cd install_dir\SMAS\jboss\standalone\configuration
install_dir\SMAS\jre\bin\keytool -import -alias root -file Trusted_CA_cert_file -keystore keystore -trustcacerts
- For Linux, enter the following commands:
cd install_dir/SMAS/jboss/standalone/configuration
install_dir/SMAS/jre/bin/keytool -import -alias root -file Trusted_CA_cert_file -keystore keystore -trustcacerts
- Send the generated certificate request file, tomcatcert.csr, to your CA for validation.
After the request file has been validated, you should receive a signed certificate back from CA.
- Import the CA-signed certificate into the keystore.
Starting with HYPERMAX OS Q1 2015 SR, you can import CA-signed certificates using the CLI or scripts. In the following instructions:
- signed_certificate_file is the signed certificate that you received from your CA.
- The password is the password obtained in Step 1: Obtaining the keystore password.
- CA_certificate_alias is Tomcat.
Using the CLI to import the CA-signed certificate into the keystore:
- To import the CA-signed certificate into the keystore using the CLI:
- Stop the SMAS server.
- For Windows, enter the following commands:
cd install_dir\SMAS\jboss\standalone\configuration
install_dir\SMAS\jre\bin\keytool -import -alias tomcat -file signed_certificate_file -keystore keystore -trustcacerts
- For Linux, enter the following commands:
cd install_dir/SMAS/jboss/standalone/configuration
install_dir/SMAS/jre/bin/keytool -import -alias tomcat -file signed_certificate_file -keystore keystore -trustcacerts
- When prompted, enter the keystore password.
Use scripts to import the CA-signed certificate into the keystore. To import the CA-signed certificate into the keystore using scripts:
- Stop the SMAS server.
- For Windows, enter the following commands:
cd install_dir\SMAS\jboss\bin
service.bat importcacert password CA_certificate_alias signed_certificate_file
- For Linux, enter the following commands:
cd install_dir/SMAS/jboss/bin
iniscst.sh importcacert password CA_certificate_alias signed_certificate_file
- Start the SMAS server.
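A check to run after the import step, confirming that the tomcat entry still holds the private key and is no longer the default self-signed certificate. This is an added example, not part of the vendor procedure: it parses `keytool -list -v` output, and the function name check_tomcat_entry and the host and CA names in the sample listings are constructed for illustration.

```sh
# Added example, not vendor code. Reads `keytool -list -v` output on stdin and
# prints one status word for the "tomcat" alias used in this procedure:
#   ok           private-key entry whose leaf certificate has a different issuer
#   self-signed  leaf Owner equals Issuer (default certificate still in place)
#   not-key      alias holds no private key (reply landed on the wrong entry)
#   missing      alias not present in this keystore
# Real use: install_dir/SMAS/jre/bin/keytool -list -v -keystore keystore | check_tomcat_entry
check_tomcat_entry() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^Alias name: / { cur = tolower(substr($0, 13)); if (cur == "tomcat") found = 1; next }
        cur != "tomcat" { next }                # ignore other aliases such as root
        /^Entry type: / { type = substr($0, 13) }
        /^Owner: /  && owner  == "" { owner  = substr($0, 8) }   # first Owner/Issuer
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }   # pair is the leaf cert
        END {
            if (!found)                         s = "missing"
            else if (type != "PrivateKeyEntry") s = "not-key"
            else if (owner == issuer)           s = "self-signed"
            else                                s = "ok"
            print s; exit (s != "ok")           # non-zero exit unless ok
        }'
}
# Constructed sample listings (host and CA names are placeholders).
sample_default() { cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=unisphere.example.test
Issuer: CN=unisphere.example.test
EOF
}
sample_signed() { cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=unisphere.example.test
Issuer: CN=Example Root CA
Certificate[2]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
EOF
}
```

A result of not-key after the import means the signed certificate was stored as a trusted certificate rather than attached to the key pair that produced tomcatcert.csr, so the server would have no private key for it.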