Product Documentation has moved to docs.hitachivantara.com
Hitachi Vantara Knowledge

Configuring an SSL certificate (Analyzer probe server)

Configure an SSL certificate to initiate a secure session with browsers by creating a private key, creating a certificate signing request (CSR), and applying the server certificate.

Creating a private key and a certificate signing request

Create a certificate signing request (CSR) for Analyzer probe server, and send it to the certificate authority to obtain the certificate file.

  1. Log on to the Analyzer probe server through an SSH client (such as PuTTY) as the root user.
  2. Stop the crond service using the command:

    service crond stop

    Note: If you do not want to stop the crond service, you can instead stop the specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command, as described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
  3. Stop all the running services using the command:

    /usr/local/megha/bin/stop-all-services.sh
  4. Verify that the following services are stopped by entering these commands:

    • Megha
      /usr/local/megha/bin/megha-jetty.sh status
    • Crond
      service crond status
  5. Make a backup copy of the keystore files at the following location:

    cd /usr/local/megha/jetty/etc
    cp -p keystore keystore.bak
    cp -p jetty-ssl.xml jetty-ssl.xml.bak
    cp -p userKeystoreConfig.xml userKeystoreConfig.xml.bak

    Note: Use these backup copies if any error occurs during the configuration process.
  6. Remove the existing keystore file at /usr/local/megha/jetty/etc/keystore using the command:

    rm /usr/local/megha/jetty/etc/keystore
  7. Create a new keystore and enter the certificate information:

    keytool -genkey -keyalg RSA -alias jetty -keystore /usr/local/megha/jetty/etc/keystore

    Note: The default keystore password for the Analyzer probe server is megha.jeos. If you are using a password other than the default, you must change the following fields in the /usr/local/megha/jetty/etc/userKeystoreConfig.xml file:
    KeyStorePassword
    KeyManagerPassword
    TrustStorePassword
  8. Change the ownership of the keystore file to megha:

    chown megha:megha /usr/local/megha/jetty/etc/keystore
  9. Change the access permissions of the keystore file:

    chmod 640 /usr/local/megha/jetty/etc/keystore
  10. Create a certificate signing request (CSR) for the jetty alias:

    keytool -certreq -alias jetty -file /tmp/certreq.txt -keystore /usr/local/megha/jetty/etc/keystore

    Note: You must use the keystore password of the Analyzer probe server.
  11. Take a backup of the jetty keystore after creating the CSR:

    cp /usr/local/megha/jetty/etc/keystore /usr/local/megha/jetty/etc/keystoreCSR
  12. Display the certificate request file, then copy its contents and submit them to the certificate authority to create the certificate file:

    cat /tmp/certreq.txt
  13. Start the megha service using the command:

    /usr/local/megha/bin/megha-jetty.sh start
  14. Start the crond service using the command:

    service crond start

Applying server certificates

The certificate authority creates the following three certificate files:

  • Root
  • Intermediate
  • Host

Procedure

  1. Stop the crond service using the command:

    service crond stop

    Note: If you do not want to stop the crond service, you can instead stop the specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command, as described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
  2. Stop all the running services using the command:

    /usr/local/megha/bin/stop-all-services.sh
  3. Verify that the following services are stopped by entering these commands:

    • Megha
      /usr/local/megha/bin/megha-jetty.sh status
    • Crond
      service crond status
  4. Upload the certificate files to the Analyzer probe server. For example, upload them to /usr/local/megha/jetty/etc. Then import them in the following order. For each import, you must use the keystore password of the Analyzer probe server.

    1. Import the root certificate:

      keytool -import -alias ROOT_CA_NAME -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file Path_to_Root_Cert

      For example:

      keytool -import -alias RootCA -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file /usr/local/megha/jetty/etc/root.cer
    2. Import the intermediate certificate:

      keytool -import -alias Intermediate_CA_NAME -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file Path_to_Intermediate_CA_Cert

      For example:

      keytool -import -alias IntermediateCA -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file /usr/local/megha/jetty/etc/imd.cer
    3. Import the host certificate into the jetty alias (the alias whose private key was used to create the CSR):

      keytool -import -alias jetty -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file Path_to_host_Cert

      For example:

      keytool -import -alias jetty -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file /usr/local/megha/jetty/etc/host.cer
  5. Start the megha service using the command:

    /usr/local/megha/bin/megha-jetty.sh start
  6. Start the crond service using the command:

    service crond start

Exporting a self-signed certificate for the Analyzer probe server

Use the keytool command to export self-signed certificates.

  1. Run the following command to export the certificate for the Analyzer probe server:

    keytool -export -keystore /usr/local/megha/jetty/etc/keystore -alias alias-name -file certificate-file-name

    Note:
    • For alias-name, specify jetty to export the default self-signed certificate.
    • For certificate-file-name, specify the absolute path to the export destination of the self-signed certificate.

Checking the expiration dates of certificates for Analyzer probe server

Check the expiration dates of the server certificates and Certificate Authority certificates for Analyzer probe server.

  1. Run the following command to check the expiration date:

    keytool -list -v -keystore /usr/local/megha/jetty/etc/keystore

    Note: You must use the keystore password of the Analyzer probe server.

    Sample output:

    Valid from: Thu Nov 27 04:43:53 EST 2014 until: Tue Nov 26 04:43:53 EST 2024
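As an added example (not part of the original documentation), the following Python script parses the output of the keytool -list -v command above and reports, for each alias, how many days remain before its leaf certificate expires and whether the jetty entry carries the full root, intermediate and host chain. The keytool output embedded in it is constructed and abridged; only the first validity line is the page's sample output.

```python
import re
from datetime import datetime

# Constructed, abridged output of `keytool -list -v -keystore /usr/local/megha/jetty/etc/keystore`.
# First validity line is the page's sample; aliases, owners and the second entry are assumed.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Valid from: Thu Nov 27 04:43:53 EST 2014 until: Tue Nov 26 04:43:53 EST 2024

Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=probe.example.com
Valid from: Mon Jan 05 10:00:00 EST 2015 until: Thu Jan 05 10:00:00 EST 2017
"""

VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.M)
CHAIN_RE = re.compile(r"^Certificate chain length: (\d+)$", re.M)

def parse_keytool_date(text):
    """Parse e.g. 'Tue Nov 26 04:43:53 EST 2024'. keytool prints the server's local
    zone, so the zone token is dropped and a naive local datetime is returned."""
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def check_keystore(output, today, warn_days=30):
    """One report per alias. For the jetty PrivateKeyEntry, Certificate[1] is the host
    certificate, so its 'until' date is the one browsers will reject; a chain length
    of 3 means the root, intermediate and host certificates were all imported."""
    reports = []
    for chunk in re.split(r"^Alias name: ", output, flags=re.M)[1:]:
        alias = chunk.split("\n", 1)[0].strip()
        entry_type = re.search(r"^Entry type: (\S+)", chunk, re.M).group(1)
        chain = CHAIN_RE.search(chunk)
        not_after = parse_keytool_date(VALID_RE.search(chunk).group(2))
        days_left = (not_after - today).days
        status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left <= warn_days else "OK"
        reports.append({"alias": alias, "type": entry_type, "not_after": not_after,
                        "chain_length": int(chain.group(1)) if chain else 1,
                        "days_left": days_left, "status": status})
    return reports

if __name__ == "__main__":
    for r in check_keystore(SAMPLE_KEYTOOL_OUTPUT, datetime.now()):
        print(f"{r['alias']:8} {r['type']:18} chain={r['chain_length']} "
              f"expires={r['not_after']:%Y-%m-%d} ({r['days_left']} days) {r['status']}")
```

To run it against a live server, pipe the real keytool output into check_keystore in place of the constructed sample; the "EXPIRING" threshold is a renewal lead time, not a keytool value.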

Changing the SSL port number of the Analyzer probe server

To change the port number for SSL Communication, change the port numbers specified in the definition files, and then open the new port in the firewall settings.

  1. Log on to the Analyzer probe server through an SSH client (such as PuTTY) as the root user.
  2. Stop the crond service using the command:

    service crond stop

    Note: If you do not want to stop the crond service, you can instead stop the specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command, as described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
  3. Stop all the running services using the command:

    /usr/local/megha/bin/stop-all-services.sh
  4. Verify that the following services are stopped by entering these commands:

    • Megha
      /usr/local/megha/bin/megha-jetty.sh status
    • Crond
      service crond status
  5. Make a backup of the start.ini and jetty-ssl.xml files:

    cp /usr/local/megha/jetty/start.ini /usr/local/megha/jetty/org_start.ini.backup
    cp /usr/local/megha/jetty/etc/jetty-ssl.xml /usr/local/megha/jetty/org_jetty-ssl.xml.backup
  6. Change the port number in the following files:

    • /usr/local/megha/jetty/start.ini

      Change the following:

      jetty.httpConfig.securePort=<required https port>
      jetty.http.port=<required http port>
      https.port=<required https port>

      For example:

      jetty.httpConfig.securePort=9443
      jetty.http.port=8080
      https.port=9443
    • /usr/local/megha/jetty/etc/jetty-ssl.xml

      Change the following:

      <Set name="port"><Property name="jetty.ssl.port" deprecated="ssl.port" default="REQUIRED PORT" /></Set>
  7. Start the crond service using the command:

    service crond start
  8. Start the megha service using the command:

    /usr/local/megha/bin/megha-jetty.sh start
  9. After changing the port number, make sure you open the new port in the firewall settings.

Enabling strict host name checking between the Analyzer probe server and Analyzer detail view server

When you are connecting the Analyzer probe server to the Analyzer detail view server over HTTPS, you can enable strict host name checking by editing the custom.properties file.

After enabling this option, the Analyzer probe server verifies that the connection destination (IP address or host name) matches the subject alternative name (SAN) or common name of the SSL certificate installed on the Analyzer detail view server. For details on setting up this connection, refer to Initial setup of Analyzer probe server.

Before you begin

Verify the following:

  • A valid SSL certificate is installed in the keystore file on the Analyzer detail view server (/usr/local/httpProxy/jetty/etc/).
  • If you are connecting to the Analyzer detail view server using the IP address:
    • The IP address is listed in the subject alternative name of the SSL certificate on the Analyzer detail view server.
    • If the SSL certificate has no subject alternative name, the IP address must be present in the common name.
  • If you are connecting to the Analyzer detail view server using the host name:
    • The host name is listed in the subject alternative name of the SSL certificate on the Analyzer detail view server.
    • If the SSL certificate has no subject alternative name, the host name must be present in the common name.
  • If the Analyzer probe server cannot resolve the host name, add the Analyzer detail view server's IP address and host name to the /etc/hosts file.
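As an added example (not from the original documentation), the following Python function applies the matching rule listed above to certificate data in the dict form that Python's ssl.SSLSocket.getpeercert() returns: the destination must be listed in the subject alternative name, and the common name is consulted only when the certificate has no SAN at all. The certificate contents are constructed, and the host name and address are assumed.

```python
import ipaddress

# Constructed certificate summaries in the dict shape that ssl.SSLSocket.getpeercert()
# returns; the names and the address are assumed, not taken from a real server.
CERT_WITH_SAN = {
    "subject": ((("commonName", "detailview.example.com"),),),
    "subjectAltName": (("DNS", "detailview.example.com"), ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {  # older-style certificate with no SAN extension at all
    "subject": ((("commonName", "192.0.2.10"),),),
}


def destination_matches(cert, destination):
    """Return True if the connection destination (host name or IP address) is
    allowed by the certificate under the rule on this page: it must be listed
    in the subject alternative name; only a certificate with no SAN at all
    falls back to the common name. Matching is exact (no wildcard support)."""
    try:
        ip = ipaddress.ip_address(destination)
    except ValueError:
        ip = None  # not an IP literal, so treat the destination as a host name
    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
            if ip is None and kind == "DNS" and value.lower() == destination.lower():
                return True
        return False  # SAN present but destination not in it: the CN is not consulted
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower() == destination.lower():
                return True
    return False
```

A certificate that lists only a DNS name in its SAN therefore fails when the probe server connects by IP address, even if the IP address appears in the common name; that is the case the "Before you begin" list warns about.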

Note: If you install a new SSL certificate or make any changes to the default SSL certificate, you must restart the HTTP proxy service. Refer to Restarting the HTTP proxy service.

Procedure

  1. Log on to the Analyzer probe server through an SSH client (such as PuTTY) as the root user.
  2. Stop the crond service using the command:

    service crond stop

    Note: If you do not want to stop the crond service, you can instead stop the specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command, as described in Stopping the Analyzer detail view server or Analyzer probe server services and Starting the Analyzer detail view server or Analyzer probe server services.
  3. Stop all the running services using the command:

    /usr/local/megha/bin/stop-all-services.sh
  4. Verify that the following services are stopped by entering these commands:

    • Megha
      /usr/local/megha/bin/megha-jetty.sh status
    • Crond
      service crond status
  5. Open the /usr/local/megha/conf/custom.properties file, add the following property, and save the file:

    https.strict.hostname.check=true
  6. Start the megha service using the command:

    /usr/local/megha/bin/megha-jetty.sh start
  7. Start the crond service using the command:

    service crond start
