Data Protection Advisor (DPA): How to install a SSL Certificate in DPA (Linux system)

Summary: How to generate and sign an SSL certificate to establish a secure (HTTPS) connection to the DPA UI on a Linux system.


Instructions

The following are general steps to install or import a CA-signed certificate on the Data Protection Advisor (DPA) Application Server in a Linux environment.

These steps work in many environments, but some environments require changes or additions to them, or a different procedure altogether.

  1. Make a copy of the apollo.keystore and standalone.xml files from dpa/services/standalone/configuration and of the application-service.conf file from dpa/services/executive.
Should it be necessary to revert to the original configuration, use these copies to restore DPA to working order. Place them in a separate backup directory for safekeeping and to avoid confusion with the files that are edited below.
  2. Open the copy of the standalone.xml file and search for 'key-alias'. There is a line containing the key alias and the keystore password similar to the following:

<ssl name="ssl" key-alias="${apollo.keystore.alias:apollokey}" password="apollo"

For simplicity's sake, take note of this password and use it in the following steps.
 

NOTE: It is possible to use a different password if the environment requires it, but the suggestion is to use this one as it limits issues due to password conflict between the temporary keystore password, alias password, and original keystore password.
 
  3. From a shell, navigate to the <DPA DIR>/dpa/services/_jre/bin directory and run the following command to verify the password for the apollo keystore:
./keytool -list -v -keystore <DPA DIR>/dpa/services/standalone/configuration/apollo.keystore -storetype PKCS12

Enter the password from standalone.xml to view the current contents of the apollo.keystore and validate that it is a PKCS12 keystore.

  4. The next few steps are performed outside of DPA entirely and do not affect DPA processing. They do not require that services be stopped (until step 9). Use the following command to generate a new keystore from which to request the signed certificate:
./keytool -genkey -keyalg RSA -alias emcdpa -keysize 2048 -dname CN=dpaapp01.emc.corp.com -keystore new.keystore -storepass password_from_standalone.xml -storetype PKCS12

 

NOTE: Adjust the following options to match the environment:
  • The alias can be whatever the end user wants, but be sure to note the alias used here as it is needed in the following steps. In this case, emcdpa is used.

  • The dname (the CN) must be the host name in the URL used to access the UI, that is https://<hostname>:9002. For example, if the application server is named dpaapp01 but the URL used to access it is https://dpaapp01.emc.corp.com:9002, use CN=dpaapp01.emc.corp.com (this is the value keytool otherwise prompts for as "first and last name"). A short name that differs from the URL host name causes browser certificate warnings.

  • The keystore path varies based on where the temporary keystore is placed. It can be written to another path (for example /tmp/new.keystore) or created in dpa/services/_jre/bin as was done here.
  • The storepass must be the password retrieved from standalone.xml (from step 2).
  5. Use the following command to generate the certificate signing request (.csr). Use the alias and keystore created in the previous step. The storepass option supplies the keystore password on the command line; use the same password as in the previous step.
./keytool -certreq -alias emcdpa -ext san=dns:dpaapp01.emc.corp.com -keystore new.keystore -storepass password_from_standalone.xml -storetype PKCS12 -file emcdpa.csr

 

NOTE: The -ext san=dns: option adds a Subject Alternative Name containing the same host name as the CN. Current browsers ignore the CN and match the host name against the SAN only, so without it the browser errors described in KB article 524905 (DPA - After installing Signed Certificate error seen in Chrome; accessible to registered Dell EMC customers only) are seen even though the CN is correct.

 

  6. Make a copy of the temporary keystore as well. This avoids having to start from scratch should something go wrong during the import. Place the copy with the copies of the original files.

  7. Open 'emcdpa.csr' as a text file, copy the contents, and use it to request a certificate signed by the CA. The CA should return a signed certificate (including the full certificate chain) in Base-64 encoded X.509 format.

Depending on the format of the signed certificate, the import can happen in a few different ways. If the CA returns a single file containing the signed certificate together with the full certificate chain, the certificate can be imported in one step. A PKCS#7 bundle (.p7b) is the format that keytool -import reads directly and is the one used below. A PKCS#12 file (.pfx, .p12, .pkcs12) also carries the chain, but it is itself a keystore that contains a private key, so keytool does not accept it with -import; such a file has to be merged with keytool -importkeystore instead.

If the signed certificate includes the full certificate chain (to the root certificate), go to step 8. If you are unsure, or would prefer to do it manually, see KB article 532108: How to manually separate the server, intermediate, and root certificates from a single signed certificate.

  8. Import the signed certificate into new.keystore, under the same alias that was used for the key pair and the CSR, using the following command:

./keytool -import -trustcacerts -alias emcdpa -keystore new.keystore -file emcdpa.p7b -storepass password_from_standalone.xml -storetype PKCS12

Then verify that the certificate was imported correctly using the command:

./keytool -list -v -keystore new.keystore -storepass password_from_standalone.xml -storetype PKCS12

If the certificate imported properly, the alias shows "Entry type: PrivateKeyEntry" (a "trustedCertEntry" means the reply was imported under a different alias than the key pair) and the certificate chain length matches the chain that was returned. For example, if the reply for dpaapp01.emc.corp.com contains the signed certificate, an intermediate certificate, and the root certificate, the chain length should be 3.

  9. Once the signed certificate (and chain) is imported successfully into new.keystore, stop the DPA Application services.
  10. Copy the temporary keystore (new.keystore) from dpa/services/_jre/bin to dpa/services/standalone/configuration. There, rename apollo.keystore to apollo.keystore.old, then rename new.keystore to apollo.keystore so that it takes the original's place.
  11. Edit the application-service.conf file (dpa/services/executive) to update the keystore alias to the one used in the steps above, and save the change. Search for apollo.key and replace the existing alias with the alias used when generating the keystore and CSR, in this case emcdpa. The line should look like the following when you are finished editing:
    # The key below is used for an application executive command. Do not reuse.
wrapper.java.additional.34 = -Dapollo.keystore.alias=emcdpa
 
  12. Edit the standalone.xml file (dpa/services/standalone/configuration) to update the keystore alias to the one used in the steps above, and save the change. Search for apollo.keystore.alias and replace the existing default alias with the alias used when generating the keystore and CSR, in this case emcdpa. The https connector should look like the following excerpt when you are finished editing:
    <subsystem xmlns="urn:jboss:domain:web:2.1" native="false" default-virtual-server="default-host">
    <connector name="https" socket-binding="https" secure="true" enable-lookups="false" scheme="https" protocol="HTTP/1.1">
    <ssl name="ssl" protocol="TLSv1,TLSv1.1,TLSv1.2" keystore-type="PKCS12" verify-client="false" cipher-suite="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA" certificate-key-file="${jboss.server.config.dir}/apollo.keystore" password="standalone.xml_password" key-alias="${apollo.keystore.alias:emcdpa}"/>
    </connector>

This procedure changes only the key-alias default; leave protocol, cipher-suite, keystore-type and password as they are in the installation. Note that the protocol list above still enables TLSv1 and TLSv1.1, and the cipher-suite list still includes TLS_RSA_WITH_3DES_EDE_CBC_SHA; both are deprecated (RFC 8996 and the Sweet32 attack on 3DES respectively) and current browsers no longer negotiate TLS 1.0 or 1.1. Tightening those attributes is a separate change from installing the certificate.
  13. Restart the application services and attempt to log in to the UI over https://<hostname>:9002. The browser should show the new certificate without a warning.
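The whole procedure, as an added shell example that is not part of this Dell article and not DPA's own tooling. It wraps the keytool steps above in functions, reads the keystore password out of standalone.xml instead of by eye, checks the keytool -list -v output for the PrivateKeyEntry and the chain length after the import, and rewrites the alias in both configuration files. The install path /opt/emc/dpa is an assumption (override DPA_DIR); the alias emcdpa, the file locations and the keytool options are the ones used in the steps above. Stopping and restarting the DPA services (steps 9 and 13) is left to the operator, as the article gives no command for it.

```shell
#!/bin/sh
# Added example, not Dell's code: the keystore checks and the alias switch from
# the procedure above as shell functions. DPA_DIR=/opt/emc/dpa is an assumed
# install path; the alias emcdpa and all keytool flags come from the article.
DPA_DIR="${DPA_DIR:-/opt/emc/dpa}"
DPA_ALIAS="${DPA_ALIAS:-emcdpa}"
KEYTOOL="$DPA_DIR/services/_jre/bin/keytool"
CONFIG_DIR="$DPA_DIR/services/standalone/configuration"
EXEC_CONF="$DPA_DIR/services/executive/application-service.conf"

# Step 1: copy the three files the procedure changes into a backup directory.
dpa_backup() {
  mkdir -p "$1" || return 1
  cp "$CONFIG_DIR/apollo.keystore" "$CONFIG_DIR/standalone.xml" "$EXEC_CONF" "$1/"
}

# Step 2: pull the keystore password out of the <ssl .../> element.
# Prints the password; fails if no such element is found.
dpa_keystore_password() {
  pw=$(sed -n 's/.*<ssl [^>]*password="\([^"]*\)".*/\1/p' "$1" | head -n 1)
  [ -n "$pw" ] && printf '%s\n' "$pw"
}

# Steps 4-5: temporary PKCS12 keystore plus CSR, with the host name in a SAN
# as well as in the CN so that browsers accept the certificate.
dpa_new_request() {
  host="$1"; newks="$2"; pass="$3"
  "$KEYTOOL" -genkeypair -keyalg RSA -keysize 2048 -alias "$DPA_ALIAS" -dname "CN=$host" \
      -keystore "$newks" -storepass "$pass" -storetype PKCS12 || return 1
  "$KEYTOOL" -certreq -alias "$DPA_ALIAS" -ext "san=dns:$host" -keystore "$newks" \
      -storepass "$pass" -storetype PKCS12 -file "$DPA_ALIAS.csr"
}

# Step 8 check: reads 'keytool -list -v' output on stdin and prints the chain
# length. Fails unless the entry is a PrivateKeyEntry (a trustedCertEntry
# means the CA reply landed under a different alias than the key pair).
dpa_chain_length() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q 'Entry type: PrivateKeyEntry' || return 1
  len=$(printf '%s\n' "$out" | sed -n 's/^Certificate chain length: \([0-9]*\).*/\1/p' | head -n 1)
  [ -n "$len" ] && printf '%s\n' "$len"
}

# Steps 11-12: rewrite the alias in application-service.conf and standalone.xml.
# The alias is restricted to safe characters so it cannot alter the sed scripts.
dpa_set_alias() {
  new_alias="$1"; conf="$2"; xml="$3"
  case "$new_alias" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
  sed "s/-Dapollo\.keystore\.alias=[^[:space:]]*/-Dapollo.keystore.alias=$new_alias/" "$conf" \
      > "$conf.tmp" && mv "$conf.tmp" "$conf" || return 1
  sed "s/\${apollo\.keystore\.alias:[^}]*}/\${apollo.keystore.alias:$new_alias}/" "$xml" \
      > "$xml.tmp" && mv "$xml.tmp" "$xml"
}

# Steps 8 and 10-12 in one go. Run with the application services stopped
# (step 9) and restart them afterwards (step 13).
dpa_install_signed_cert() {
  reply="$1"; newks="$2"
  pass=$(dpa_keystore_password "$CONFIG_DIR/standalone.xml") || return 1
  "$KEYTOOL" -importcert -trustcacerts -noprompt -alias "$DPA_ALIAS" -file "$reply" \
      -keystore "$newks" -storepass "$pass" -storetype PKCS12 || return 1
  len=$("$KEYTOOL" -list -v -keystore "$newks" -storepass "$pass" -storetype PKCS12 \
      | dpa_chain_length) || return 1
  echo "imported $DPA_ALIAS with certificate chain length $len"
  mv "$CONFIG_DIR/apollo.keystore" "$CONFIG_DIR/apollo.keystore.old" || return 1
  cp "$newks" "$CONFIG_DIR/apollo.keystore" || return 1
  dpa_set_alias "$DPA_ALIAS" "$EXEC_CONF" "$CONFIG_DIR/standalone.xml"
}
```

Typical use, after sourcing the file: dpa_backup /root/dpa-cert-backup, then dpa_new_request dpaapp01.emc.corp.com /tmp/new.keystore "$(dpa_keystore_password "$CONFIG_DIR/standalone.xml")", send emcdpa.csr to the CA, stop the services, and run dpa_install_signed_cert emcdpa.p7b /tmp/new.keystore before starting them again. The chain length it reports should match the number of certificates in the CA reply; if it comes back as 1, the CA reply did not carry the intermediates and the browser will still show an untrusted-issuer error.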

Affected Products

Data Protection Advisor
Article Properties
Article Number: 000157646
Article Type: How To
Last Modified: 06 Apr 2023
Version:  6