Configuring an SSL certificate (Analyzer probe server)
Configure an SSL certificate to initiate a secure session with browsers by creating a private key, creating a certificate signing request (CSR), and applying the server certificate.
Creating a private key and a certificate signing request
Create a certificate signing request (CSR) for the Analyzer probe server and send it to the certificate authority to obtain the certificate file.
Log on to the Analyzer probe server through an SSH client (such as PuTTY) as the root user.
Stop the crond service using the command:
service crond stop
Note: If you do not want to stop the crond service, you can instead stop the specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command, as described in "Stopping the Analyzer detail view server or Analyzer probe server services" and "Starting the Analyzer detail view server or Analyzer probe server services".
Stop all the running services using the command:
/usr/local/megha/bin/stop-all-services.sh
Verify that the following services are stopped by entering these commands:
- Megha
/usr/local/megha/bin/megha-jetty.sh status
- Crond
service crond status
Make a backup copy of the keystore files at the following location:
cd /usr/local/megha/jetty/etc
cp -p keystore keystore.bak
cp -p jetty-ssl.xml jetty-ssl.xml.bak
cp -p userKeystoreConfig.xml userKeystoreConfig.xml.bak
Note: Use these backup copies if any error occurs during the configuration process.
Remove the existing keystore file at /usr/local/megha/jetty/etc/keystore using the command:
rm /usr/local/megha/jetty/etc/keystore
Create a new keystore and enter the certificate information:
keytool -genkey -keyalg RSA -alias jetty -keystore /usr/local/megha/jetty/etc/keystore
Note: The default keystore password for the Analyzer probe server is megha.jeos. If you are using a password other than the default, you must change the following fields in the /usr/local/megha/jetty/etc/userKeystoreConfig.xml file: KeyStorePassword, KeyManagerPassword, and TrustStorePassword.
Change the ownership to megha in the keystore file:
chown megha:megha /usr/local/megha/jetty/etc/keystore
Change the access permission of the keystore file:
chmod 640 /usr/local/megha/jetty/etc/keystore
Create a certificate signing request (CSR) for the jetty alias:
keytool -certreq -alias jetty -file /tmp/certreq.txt -keystore /usr/local/megha/jetty/etc/keystore
Note: You must use the keystore password of the Analyzer probe server.
Take a backup of the jetty keystore after creating the CSR:
cp /usr/local/megha/jetty/etc/keystore /usr/local/megha/jetty/etc/keystoreCSR
Display the contents of the certificate request file, copy them, and submit the request to the certificate authority to create the certificate file:
cat /tmp/certreq.txt
Start the megha service using the command:
/usr/local/megha/bin/megha-jetty.sh start
Start the crond service using the command:
service crond start
Applying server certificates
The certificate authority creates the following three certificate files:
- Root
- Intermediate
- Host
Procedure
Stop the crond service using the command:
service crond stop
Note: If you do not want to stop the crond service, you can instead stop the specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command, as described in "Stopping the Analyzer detail view server or Analyzer probe server services" and "Starting the Analyzer detail view server or Analyzer probe server services".
Stop all the running services using the command:
/usr/local/megha/bin/stop-all-services.sh
Verify that the following services are stopped by entering these commands:
- Megha
/usr/local/megha/bin/megha-jetty.sh status
- Crond
service crond status
Upload the certificate files to the Analyzer probe server. For example, upload them to /usr/local/megha/jetty/etc.
Import the Root certificate. You must use the keystore password of the Analyzer probe server:
keytool -import -alias ROOT_CA_NAME -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file Path_to_Root_Cert
For example:
keytool -import -alias RootCA -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file /usr/local/megha/jetty/etc/root.cer
Import the Intermediate certificate. You must use the keystore password of the Analyzer probe server:
keytool -import -alias Intermediate_CA_NAME -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file Path_to_Intermediate_CA_Cert
For example:
keytool -import -alias IntermediateCA -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file /usr/local/megha/jetty/etc/imd.cer
Import the Host certificate into the jetty alias (the alias the CSR was generated for). You must use the keystore password of the Analyzer probe server:
keytool -import -alias jetty -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file Path_to_host_Cert
For example:
keytool -import -alias jetty -keystore /usr/local/megha/jetty/etc/keystore -trustcacerts -file /usr/local/megha/jetty/etc/host.cer
Start the megha service using the command:
/usr/local/megha/bin/megha-jetty.sh start
Start the crond service using the command:
service crond start
Exporting a self-signed certificate for the Analyzer probe server
Use the keytool command to export self-signed certificates.
Run the following command to export the certificate for the Analyzer probe server:
keytool -export -keystore /usr/local/megha/jetty/etc/keystore -alias alias-name -file certificate-file-name
Note:
- For alias-name, specify jetty to export the default self-signed certificate.
- For certificate-file-name, specify the absolute path of the export destination for the self-signed certificate.
Checking the expiration dates of certificates for Analyzer probe server
Check the expiration dates of the server certificate and the certificate authority certificates for the Analyzer probe server.
Run the following command to check the expiration date:
keytool -list -v -keystore /usr/local/megha/jetty/etc/keystore
Note: You must use the keystore password of the Analyzer probe server.
Sample output:
Valid from: Thu Nov 27 04:43:53 EST 2014 until: Tue Nov 26 04:43:53 EST 2024
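The "Valid from ... until" line in that output is the value to act on, and a keystore holding a chain prints one such line per certificate. As an added example (not part of the Analyzer documentation), the following Python script parses a constructed keytool -list -v listing in the same format and reports entries that are expired or expire within a warning window; the listing text is invented for the example.

```python
import re
from datetime import datetime
# Constructed excerpt of `keytool -list -v` output for the probe keystore (not real
# Analyzer output); the first "Valid from" line repeats the page's sample.
SAMPLE_LISTING = """\
Alias name: jetty
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=probe.example.com, O=Example
Valid from: Thu Nov 27 04:43:53 EST 2014 until: Tue Nov 26 04:43:53 EST 2024
Certificate[2]:
Owner: CN=IntermediateCA, O=Example
Valid from: Mon Jan 06 00:00:00 EST 2014 until: Sat Jan 06 00:00:00 EST 2029

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=RootCA, O=Example
Valid from: Wed Jan 01 00:00:00 EST 2014 until: Fri Jan 01 00:00:00 EST 2044
"""

ALIAS_RE = re.compile(r"Alias name: (.+)$")
VALIDITY_RE = re.compile(r"Valid from: (.+?) until: (.+)$")

def parse_keytool_date(text):
    # "Thu Nov 27 04:43:53 EST 2014": drop the weekday and the zone abbreviation,
    # which strptime cannot parse portably, and keep the stamp as a naive datetime.
    parts = text.split()
    return datetime.strptime(" ".join(parts[1:4] + parts[5:]), "%b %d %H:%M:%S %Y")

def parse_keytool_listing(text):
    """Return [(alias, not_before, not_after)], one row per certificate; a
    PrivateKeyEntry with a chain yields one row per Certificate[n] block."""
    rows, alias = [], None
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1).strip()
            continue
        m = VALIDITY_RE.match(line)
        if m and alias:
            rows.append((alias, parse_keytool_date(m.group(1)), parse_keytool_date(m.group(2))))
    return rows

def expiring(text, now, warn_days=90):
    """[(alias, days_left)] for certificates expired or expiring within warn_days;
    a negative days_left means the certificate has already expired."""
    return [(alias, (end - now).days)
            for alias, _start, end in parse_keytool_listing(text)
            if (end - now).days <= warn_days]
```

Pipe the real keytool output into parse_keytool_listing and call expiring with datetime.now() to get the same report for the installed keystore.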
Changing the SSL port number of the Analyzer probe server
To change the port number for SSL communication, change the port numbers specified in the definition files, and then open the new port in the firewall settings.
Log on to the Analyzer probe server through an SSH client (such as PuTTY) as the root user.
Stop the crond service using the command:
service crond stop
Note: If you do not want to stop the crond service, you can instead stop the specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command, as described in "Stopping the Analyzer detail view server or Analyzer probe server services" and "Starting the Analyzer detail view server or Analyzer probe server services".
Stop all the running services using the command:
/usr/local/megha/bin/stop-all-services.sh
Verify that the following services are stopped by entering these commands:
- Megha
/usr/local/megha/bin/megha-jetty.sh status
- Crond
service crond status
Make a backup of the start.ini and jetty-ssl.xml files:
cp /usr/local/megha/jetty/start.ini /usr/local/megha/jetty/org_start.ini.backup
cp /usr/local/megha/jetty/etc/jetty-ssl.xml /usr/local/megha/jetty/etc/org_jetty-ssl.xml.backup
Change the port number in the following files:
- /usr/local/megha/jetty/start.ini: change the following lines:
jetty.httpConfig.securePort=<required https port>
jetty.http.port=<required http port>
https.port=<required https port>
For example:
jetty.httpConfig.securePort=9443
jetty.http.port=8080
https.port=9443
- /usr/local/megha/jetty/etc/jetty-ssl.xml: change the following line, replacing REQUIRED PORT with the required https port:
<Set name="port"><Property name="jetty.ssl.port" deprecated="ssl.port" default="REQUIRED PORT" /></Set>
Start the crond service using the command:
service crond start
Start the megha service using the command:
/usr/local/megha/bin/megha-jetty.sh start
After changing the required port number, make sure you open the new port number in the firewall settings.
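Because the https port is written in both files, a mismatch between them, or the REQUIRED PORT placeholder left in jetty-ssl.xml, is an easy mistake that only shows up as a failed restart. As an added example, not part of the product documentation, this Python check reads the three start.ini keys and the jetty-ssl.xml default named above from constructed file fragments and reports any inconsistency before the services are started again.

```python
import re

# Constructed fragments of start.ini and jetty-ssl.xml after the edit described above
# (not copied from an Analyzer installation); the keys are the ones the page names.
START_INI = """\
jetty.httpConfig.securePort=9443
jetty.http.port=8080
https.port=9443
"""
JETTY_SSL_XML = """\
<Set name="port"><Property name="jetty.ssl.port" deprecated="ssl.port" default="9443" /></Set>
"""

INI_KEYS = ("jetty.httpConfig.securePort", "jetty.http.port", "https.port")

def read_ini_ports(text):
    """Map the three port keys the page edits to integers; keys that are missing
    or non-numeric are left out so the caller can report them."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(\d+)\s*$", line)
        if m and m.group(1) in INI_KEYS:
            ports[m.group(1)] = int(m.group(2))
    return ports

def read_ssl_xml_port(text):
    """Numeric default of the jetty.ssl.port property, or None if the REQUIRED PORT
    placeholder (or anything else non-numeric) was left in place."""
    m = re.search(r'<Property name="jetty\.ssl\.port"[^>]*default="(\d+)"', text)
    return int(m.group(1)) if m else None

def port_problems(ini_text, xml_text):
    """List human-readable inconsistencies between the two files; empty means coherent."""
    ports = read_ini_ports(ini_text)
    xml_port = read_ssl_xml_port(xml_text)
    problems = [f"{k} missing or non-numeric in start.ini" for k in INI_KEYS if k not in ports]
    if xml_port is None:
        problems.append("jetty.ssl.port default in jetty-ssl.xml is missing or not a number")
    secure, http, https = (ports.get(k) for k in INI_KEYS)
    if secure is not None and https is not None and secure != https:
        problems.append(f"jetty.httpConfig.securePort {secure} != https.port {https}")
    if secure is not None and xml_port is not None and secure != xml_port:
        problems.append(f"jetty-ssl.xml default {xml_port} != jetty.httpConfig.securePort {secure}")
    if secure is not None and http == secure:
        problems.append(f"http and https ports are both {secure}")
    problems += [f"{k}={v} is outside 1-65535" for k, v in ports.items() if not 1 <= v <= 65535]
    return problems
```

Read the real files with open() and pass their contents to port_problems; an empty list means the two files agree and the placeholder is gone.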
Enabling strict host name checking between the Analyzer probe server and Analyzer detail view server
When you are connecting the Analyzer probe server to the Analyzer detail view server over HTTPS, you can enable strict host name checking by editing the custom.properties file.
Before you begin
Verify the following:
- A valid SSL certificate is installed on the Analyzer detail view server in the keystore file (/usr/local/httpProxy/jetty/etc/).
- If you are connecting to the Analyzer detail view server using the IP address:
  - The IP address is listed in the subject alternative name of the SSL certificate on the Analyzer detail view server.
  - If the subject alternative name is not provided in the SSL certificate, the IP address must exist in the common name.
- If you are connecting to the Analyzer detail view server using the host name:
  - The host name exists in the subject alternative name of the SSL certificate on the Analyzer detail view server.
  - If the subject alternative name is not provided in the SSL certificate, the host name must exist in the common name.
- If the Analyzer probe server cannot resolve the host name, add the valid Analyzer detail view server IP address and host name to the /etc/hosts file.
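The rule above (subject alternative name first, common name only when no SAN is present) is what the strict check enforces, so it is worth testing the address you connect with against the detail view server's certificate before enabling it. As an added example, not from the Analyzer documentation, this Python function applies that rule to certificate descriptions in the dictionary shape that Python's ssl.getpeercert() returns; the certificates are constructed for the example, and wildcard names are deliberately not handled.

```python
import ipaddress

# Constructed certificate descriptions in the shape ssl.getpeercert() returns
# (not real Analyzer detail view server certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "detail.example.com"),),),
    "subjectAltName": (("DNS", "detail.example.com"), ("IP Address", "192.0.2.10")),
}
CERT_SAN_DNS_ONLY = {  # CN holds the IP, but the SAN does not: IP connections fail
    "subject": ((("commonName", "192.0.2.20"),),),
    "subjectAltName": (("DNS", "detail.example.com"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "192.0.2.20"),),)}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def strict_check(cert, target):
    """Return (passes, reason) under the rule for https.strict.hostname.check=true:
    with a subjectAltName present the target must be listed there (an IP as an
    'IP Address' entry, a host name as a 'DNS' entry); only a certificate without
    a SAN falls back to the common name."""
    target = target.lower()
    san = cert.get("subjectAltName")
    if san:
        kind = "IP Address" if _is_ip(target) else "DNS"
        if any(k == kind and v.lower() == target for k, v in san):
            return True, f"{target} listed as {kind} in subjectAltName"
        return False, (f"{target} not in subjectAltName; the common name is ignored "
                       "when a SAN is present, so the certificate needs this entry")
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if target in (c.lower() for c in cns):
        return True, f"no subjectAltName; {target} matches the common name"
    return False, f"no subjectAltName and common name {cns} does not match {target}"
```

To check the live server, open an ssl.SSLSocket to the detail view server and pass sock.getpeercert() together with the host name or IP address configured on the probe.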
Procedure
Log on to the Analyzer probe server through an SSH client (such as PuTTY) as the root user.
Stop the crond service using the command:
service crond stop
Note: If you do not want to stop the crond service, you can instead stop the specific processes of the Analyzer detail view server and Analyzer probe server by using the crontab -e command, as described in "Stopping the Analyzer detail view server or Analyzer probe server services" and "Starting the Analyzer detail view server or Analyzer probe server services".
Stop all the running services using the command:
/usr/local/megha/bin/stop-all-services.sh
Verify that the following services are stopped by entering these commands:
- Megha
/usr/local/megha/bin/megha-jetty.sh status
- Crond
service crond status
Open the /usr/local/megha/conf/custom.properties file, add the following property, and save the file:
https.strict.hostname.check=true
Start the megha service using the command:
/usr/local/megha/bin/megha-jetty.sh start
Start the crond service using the command:
service crond start