
Configure CSA to Use an Internal Certificate Authority-Signed Certificate

This section describes the process you should follow to install and configure an internal root and internal Certificate Authority-signed certificate for use by CSA. An internal certificate is one that is generated by an internal Certificate Authority, such as a corporate or government Certificate Authority. For an internal Certificate Authority, you do not have to generate a self-signed certificate nor create a certificate signing request. The internal Certificate Authority should provide you with a root certificate and signed certificate.

Perform the following general steps, which are described in detail below:

  1. Import the internal Certificate Authority's root certificate
  2. Import the internal Certificate Authority-signed certificate
  3. Configure the Marketplace Portal
  4. Configure the Web server
  5. Configure client browsers
  6. Test the secure connection

Note In the following instructions, CSA_HOME is the directory in which CSA is installed (for example, C:\Program Files\HPE\CSA on Windows or /usr/local/hpe/csa on Linux) and the keytool utility is included with the JRE.

In this example, we will assume you are given an internal Certificate Authority-signed certificate (referred to as csa_internalca_signed.cer), an internal Certificate Authority's root certificate (referred to as csainternalca.cer), and both certificates are located in C:\ on Windows or /tmp on Linux.

Step 1: Import the Certificate Authority's Root Certificate

This step configures the JRE so that it trusts the internal Certificate Authority that signed your certificate, by importing the internal Certificate Authority's root certificate into the keystore named cacerts that is shipped with the JRE.

  1. Open a command prompt.
  2. Run the following command:

    Windows:

    "CSA_JRE_HOME\bin\keytool" -importcert -alias csainternalca -file C:\csainternalca.cer -trustcacerts -keystore "CSA_JRE_HOME\lib\security\cacerts"

    Linux:

    CSA_JRE_HOME/bin/keytool -importcert -alias csainternalca -file /tmp/csainternalca.cer -trustcacerts -keystore CSA_JRE_HOME/lib/security/cacerts

    where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed.

  3. When prompted for the keystore password, enter changeit.

  4. Enter yes when prompted to trust the certificate.

Step 2: Import the Internal Certificate Authority-Signed Certificate

  1. The internal Certificate Authority-signed certificate (csa_internalca_signed.cer) contains a chain of certificates, and you must copy the root certificate and any intermediate certificates in the chain to separate files. Work with your security expert to copy each certificate to a separate file.

  2. Open a command prompt and change directories to CSA_HOME.

  3. Import the certificate file(s):

    You must import each separate file in the following order (each certificate must have a unique alias):

    • root certificate
    • intermediate or subordinate certificate(s) in hierarchical order
    • primary or end-user certificate

    For example, suppose the internal Certificate Authority-signed certificate contains three certificates (root, intermediate, and primary), and you copied the root certificate to C:\root.cer on Windows or /tmp/root.cer on Linux and the intermediate certificate to C:\intermediate.cer on Windows or /tmp/intermediate.cer on Linux (the internal Certificate Authority-signed certificate file itself is used as the primary certificate). Run the following commands in the following order to import each certificate:

    Windows:

    "CSA_JRE_HOME\bin\keytool" -importcert -alias csa_internalca_signed_root -file C:\root.cer -trustcacerts -keystore .\jboss-as\standalone\configuration\.keystore_internalca_signed

    "CSA_JRE_HOME\bin\keytool" -importcert -alias csa_internalca_signed_intermediate -file C:\intermediate.cer -trustcacerts -keystore .\jboss-as\standalone\configuration\.keystore_internalca_signed

    "CSA_JRE_HOME\bin\keytool" -importcert -alias csa_internalca_signed -file C:\csa_internalca_signed.cer -trustcacerts -keystore .\jboss-as\standalone\configuration\.keystore_internalca_signed

    Linux:

    CSA_JRE_HOME/bin/keytool -importcert -alias csa_internalca_signed_root -file /tmp/root.cer -trustcacerts -keystore ./jboss-as/standalone/configuration/.keystore_internalca_signed

    CSA_JRE_HOME/bin/keytool -importcert -alias csa_internalca_signed_intermediate -file /tmp/intermediate.cer -trustcacerts -keystore ./jboss-as/standalone/configuration/.keystore_internalca_signed

    CSA_JRE_HOME/bin/keytool -importcert -alias csa_internalca_signed -file /tmp/csa_internalca_signed.cer -trustcacerts -keystore ./jboss-as/standalone/configuration/.keystore_internalca_signed

    where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed.

    Use the alias of the primary certificate (csa_internalca_signed) and the keystore name (CSA_HOME/jboss-as/standalone/configuration/.keystore_internalca_signed) when you configure the Web server.

  4. When prompted, enter the password for the key and keystore.

    Use this password when you configure the Web server.
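Step 2 depends on splitting the chain file into separate certificates and importing them root first. The script below is an added illustration, not part of CSA or its documentation: it parses a PEM bundle with a minimal DER walker (no third-party libraries), links each certificate to its issuer by comparing Name fields, and returns the certificates in the required import order, rejecting bundles with a missing issuer or no end-entity certificate. The sample bundle is constructed from stub structures carrying only the fields the parser reads (they are not real certificates), and the names csa.example.com, CSA Issuing CA and CSA Internal Root CA are assumed.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlvs(buf):                                        # top-level DER (tag, content) elements
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                      # long form: low 7 bits = length-byte count
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def issuer_subject(der):                                  # raw DER Name bytes of issuer and subject
    f = der_tlvs(der_tlvs(der_tlvs(der)[0][1])[0][1])    # Certificate -> tbsCertificate -> fields
    if f[0][0] == 0xA0:                                   # skip the optional [0] EXPLICIT version
        f = f[1:]
    return f[2][1], f[4][1]                               # serial, sigAlg, issuer, validity, subject

def order_chain(bundle):
    """Return [(label, der), ...] in keytool import order: root, intermediate(s), primary."""
    certs = [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(bundle)]
    names = {c: issuer_subject(c) for c in certs}
    by_subject = {subj: c for c, (_, subj) in names.items()}
    # the end-entity certificate is the only one whose subject issued nothing in the bundle
    chain = [c for c, (_, s) in names.items() if s not in {i for i, _ in names.values()}]
    if len(chain) != 1:
        raise ValueError("bundle must contain exactly one end-entity certificate")
    while names[chain[-1]][0] != names[chain[-1]][1]:     # walk up until the self-signed root
        parent = by_subject.get(names[chain[-1]][0])
        if parent is None or parent in chain:
            raise ValueError("chain is incomplete (issuer missing) or contains a loop")
        chain.append(parent)
    chain.reverse()
    labels = ["root"] + ["intermediate%d" % i for i in range(1, len(chain) - 1)] + ["primary"]
    return list(zip(labels, chain))

def tlv(tag, content):                                    # tiny DER encoder for the stubs (< 128 bytes)
    return bytes([tag, len(content)]) + content
def stub_cert(subject, issuer):                           # CONSTRUCTED stand-in, not a real certificate
    def name(s): return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x0C, s.encode()))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer) + tlv(0x30, b"") + name(subject))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
SAMPLE_BUNDLE = "".join(                                   # constructed, deliberately out of order
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(c).decode()
    for c in (stub_cert("csa.example.com", "CSA Issuing CA"),
              stub_cert("CSA Internal Root CA", "CSA Internal Root CA"),
              stub_cert("CSA Issuing CA", "CSA Internal Root CA")))
```

Write each returned DER blob to its own .cer file and import the files in the returned order with the keytool commands above; keytool accepts DER as well as PEM input.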

Step 3: Configure the Marketplace Portal

This step converts the CSA keystore to a PKCS#12 archive and configures the Marketplace Portal to use the internal Certificate Authority root certificate.

  1. Open a command prompt and navigate to CSA_HOME.

  2. Convert the CSA keystore to a PKCS#12 archive. Run the following command:

    Windows:

    "CSA_JRE_HOME\bin\keytool" -importkeystore -srckeystore .\jboss-as\standalone\configuration\.keystore_internalca_signed -deststoretype PKCS12 -destkeystore .\portal\conf\.mppkeystore_internalca_signed

    Linux:

    CSA_JRE_HOME/bin/keytool -importkeystore -srckeystore ./jboss-as/standalone/configuration/.keystore_internalca_signed -deststoretype PKCS12 -destkeystore ./portal/conf/.mppkeystore_internalca_signed

  3. When prompted, enter the password for the PKCS#12 archive. You will need this password when you configure the passphrase attribute later in this section.

  4. When prompted, enter the password for the CSA keystore (changeit).

  5. Open the CSA_HOME/portal/conf/mpp.json file in a text editor.

  6. Update the ca attribute value for the provider. Enter the path to the certificate file that you imported in step 2. For example, C:\csa_internalca_signed.cer on Windows or /tmp/csa_internalca_signed.cer on Linux. If you imported a chain of certificates, use the certificate file of the primary certificate.

  7. Update the ca attribute value for the idmProvider. Enter the path to the certificate file that you imported in step 2. For example, C:\csa_internalca_signed.cer on Windows or /tmp/csa_internalca_signed.cer on Linux. If you imported a chain of certificates, use the certificate file of the primary certificate.

  8. Update the pfx attribute value. Enter the name of the PKCS#12 archive you created earlier. For example, ..\conf\.mppkeystore_internalca_signed.

  9. Update the passphrase attribute value. Enter the encrypted password used to access the .mppkeystore_internalca_signed archive (see Encrypt a Marketplace Portal Password for instructions). An encrypted password is preceded by ENC without any separating spaces and is enclosed in parentheses.

  10. Save and exit the file.

Step 4: Configure the Web Server

  1. Open CSA_HOME/jboss-as/standalone/configuration/standalone.xml in a text editor.

  2. Locate the following entry:

    <keystore path="CSA_HOME/jboss-as/standalone/configuration/.keystore" keystore-password="changeit"/>

  3. Set the path attribute to the keystore you used in step 2, set the keystore-password attribute to the password you selected for that keystore, and add the alias attribute, set to the alias you used in step 2.

    <keystore path="CSA_HOME/jboss-as/standalone/configuration/.keystore_internalca_signed" keystore-password="keystorePassword" alias="csa_internalca_signed" />

    Note If you imported a chain of certificates, use the alias of the primary certificate.

    Note This example stores the password in clear text. If you want to use an encrypted password, see Masking Passwords in standalone.xml Using the JBoss vault Script for information about creating a password vault for JBoss.

  4. Restart the CSA service. See Restart CSA for instructions.

  5. After the service has started, review the log files in the CSA_HOME/jboss-as/standalone/log/ directory and verify that no TLS or keystore errors are present.

Step 5: Configure Client Browsers

The client browser must be configured to trust certificates that are signed by the Certificate Authority. In most situations, this step will already have occurred. Client browsers are likely to already trust well-known third-party Certificate Authorities, or will have previously accessed and trusted Web sites that use internal Certificate Authority root certificates.

To test whether or not the browser on a client system is configured to trust certificates signed by your Certificate Authority, open a supported Web browser and navigate to https://<csahostname>:8444/csa. If you do not see a certificate warning, then the browser is configured properly.

If client browsers need to be configured to trust certificates signed by your Certificate Authority, then you will need to make the root certificate available to clients so it can be installed in the browser. The process of installing the root certificate will vary based on the browser.

  • Microsoft Internet Explorer and Chrome: From Windows Explorer, double-click on the .cer file to begin the import process. Install the certificate in the Trusted Root Certification Authorities store. For information about how to import the certificate, refer to the browser's online documentation.
  • Firefox: To begin the import process, select Tools > Options, select Advanced, select the Encryption tab, and click View Certificates. Import the root certificate into the Authorities tab. For information about how to import the certificate, refer to the browser's online documentation.

Step 6: Test Secure Connections

To test the connection to the Cloud Service Management Console, on a client system, open a supported Web browser and navigate to https://<csahostname>:8444/csa where <csahostname> is the fully-qualified domain name of the system that was used when the certificate was created. If the client browser is configured to accept the Certificate Authority's root certificate and the Web application opens without a certificate warning, then you have successfully configured CSA to use a Certificate Authority-signed certificate. If a certificate warning is displayed, review steps 1-5 to be sure they were followed as documented.