
Configure CSA to Use a Certificate Authority-Signed Certificate and a Certificate Authority-Provided Keystore

This section describes the process you should follow to install and configure a root certificate, Certificate Authority-signed certificate, and Certificate Authority-provided keystore for use by CSA. In this example, the Certificate Authority provides you with a root certificate, signed certificate, and a keystore containing the signed certificate. A Certificate Authority may provide you with a keystore if you are using a wildcard certificate.

Perform the following general steps, which are described in detail below:

  1. Import the Certificate Authority's root certificate
  2. Convert the Certificate Authority-provided keystore
  3. Determine the alias for the certificate from the JKS keystore
  4. Configure the Marketplace Portal
  5. Configure the Web server
  6. Configure client browsers
  7. Test the secure connection

Note In the following instructions, CSA_HOME is the directory in which CSA is installed (for example, C:\Program Files\HPE\CSA on Windows or /usr/local/hpe/csa on Linux), and keytool is the key and certificate management utility included with the JRE.

In this example, it is assumed that you are given a Certificate Authority-signed certificate (referred to as csa_ca_signed.cer), a Certificate Authority's root certificate (referred to as ca_root.cer), and a keystore provided by the Certificate Authority that contains the Certificate Authority-signed certificate (referred to as .keystore_caprovided). All files are located in C:\ on Windows and /tmp on Linux.

Step 1: Import the Certificate Authority's Root Certificate

This step configures CSA's JRE to trust the Certificate Authority that signed the certificate by importing the Certificate Authority's root certificate into the cacerts keystore that is shipped with the JRE. The JRE ships with a set of common, trusted Certificate Authority certificates in this keystore, so if the signing Certificate Authority is well known, its root certificate is probably already present. Perform the following steps even if you suspect that the certificate is already installed: before asking whether to trust the certificate, keytool prints its owner, issuer and fingerprints, and if an identical certificate is already in the keystore it says so and asks whether to add it anyway; answer no to leave the keystore unchanged. Note that cacerts is shared by every application that runs on this JRE, so a root added here is trusted by all of them; compare the displayed fingerprint with the one published by your Certificate Authority before answering yes.

  1. Open a command prompt.
  2. Run the following command:

    Windows:

    "CSA_JRE_HOME\bin\keytool" -importcert -alias csaca -file C:\ca_root.cer -trustcacerts -keystore "CSA_JRE_HOME\lib\security\cacerts"

    Linux:

    CSA_JRE_HOME/bin/keytool -importcert -alias csaca -file /tmp/ca_root.cer -trustcacerts -keystore CSA_JRE_HOME/lib/security/cacerts

    where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed

  3. When prompted for the keystore password, enter changeit. This is the default password of the JRE's cacerts keystore; if it has been changed on your system, enter the current password instead.

  4. Check that the owner and fingerprint that keytool displays match those published by your Certificate Authority, then enter yes when prompted to trust the certificate.

Step 2: Convert the Certificate Authority-Provided Keystore

The keystore used by the CSA Web server must be in JKS format. The keystore used by the Marketplace Portal must be in PKCS#12 format. You will need to provide both types of keystores. This section provides the tasks to convert a JKS keystore to a PKCS#12 keystore and a PKCS#12 keystore to a JKS keystore. If your Certificate Authority provided you a keystore in another format, ask your Certificate Authority how to convert it to either the JKS or PKCS#12 format. Then, complete the tasks in this step to create both required keystore formats.

  1. Determine the format of the Certificate Authority-provided keystore. If you do not know the format, ask the Certificate Authority for this information.
  2. Open a command prompt and change directories to CSA_HOME.

  3. To convert a JKS keystore to a PKCS#12 keystore, run the following command:

    Windows:

    "CSA_JRE_HOME\bin\keytool" -importkeystore -srckeystore C:\.keystore_caprovided -srcstoretype JKS -deststoretype PKCS12 -destkeystore C:\.keystore_mpp

    Linux:

    CSA_JRE_HOME/bin/keytool -importkeystore -srckeystore /tmp/.keystore_caprovided -srcstoretype JKS -deststoretype PKCS12 -destkeystore /tmp/.keystore_mpp

    To convert a PKCS#12 keystore to a JKS keystore, run the following command:

    Windows:

    "CSA_JRE_HOME\bin\keytool" -importkeystore -srckeystore C:\.keystore_caprovided -srcstoretype PKCS12 -deststoretype JKS -destkeystore C:\.keystore_csa

    Linux:

    CSA_JRE_HOME/bin/keytool -importkeystore -srckeystore /tmp/.keystore_caprovided -srcstoretype PKCS12 -deststoretype JKS -destkeystore /tmp/.keystore_csa

    The -srcstoretype option is required when the source keystore is PKCS#12: without it, the Java 8 keytool assumes the source is in the default (JKS) format and fails with "Invalid keystore format".

  4. When prompted, enter the password for the destination and source keystores. Use the same password for the source keystore, its private key, and the destination keystore: keytool does not support a key password that differs from the store password in a PKCS#12 keystore, and using one password keeps the following steps simple.

    Use this password when you configure the Marketplace Portal and the Web server.

Step 3: Determine the Alias for the Certificate from the JKS Keystore

Determine the alias for the certificate from the JKS keystore. You will need this alias when you configure the Web server.

If the Certificate Authority provided a JKS keystore, run the following command:

Windows:

"CSA_JRE_HOME\bin\keytool" -list -keystore C:\.keystore_caprovided

Linux:

CSA_JRE_HOME/bin/keytool -list -keystore /tmp/.keystore_caprovided

If you converted the Certificate Authority-provided keystore to JKS, run the following command:

Windows:

"CSA_JRE_HOME\bin\keytool" -list -keystore C:\.keystore_csa

Linux:

CSA_JRE_HOME/bin/keytool -list -keystore /tmp/.keystore_csa

The listing shows one line per entry together with the entry type. The Web server needs the entry that holds the private key, which keytool lists as PrivateKeyEntry; root and intermediate certificates stored in the same keystore appear as trustedCertEntry and are not the alias you want. If more than one PrivateKeyEntry is displayed, contact the Certificate Authority and ask which alias belongs to the CSA certificate.
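The following script is added here as an example (it is not part of CSA or its documentation) and automates Steps 1 to 3 with the checks a practitioner would want: it identifies the keystore format from the file itself instead of asking the Certificate Authority, reports whether the root is already in cacerts by comparing fingerprints rather than aliases, produces both the JKS and the PKCS#12 keystore in one go, and picks out the alias of the PrivateKeyEntry. It assumes POSIX sh with od and awk, and the JRE's keytool on PATH or in the KEYTOOL variable; the script name prep_keystores.sh and the output prefix are illustrative.

```shell
#!/bin/sh
# Helpers for Steps 1-3 (added example; not part of the CSA product or its docs).
# Assumes: POSIX sh, od and awk from the base system, and the JRE's keytool on
# PATH or named by KEYTOOL, e.g. KEYTOOL=/usr/local/hpe/csa/jre/bin/keytool.
KEYTOOL="${KEYTOOL:-keytool}"

# Step 2: identify the keystore format from its first bytes instead of asking
# the CA. JKS starts with the magic 0xFEEDFEED, JCEKS with 0xCECECECE; a
# PKCS#12 file is DER and starts with a SEQUENCE tag (0x30).
keystore_format() {   # $1 = keystore file; prints JKS|JCEKS|PKCS12|UNKNOWN
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN; return 1 ;;
    esac
}

# Step 1: SHA-256 fingerprint of a certificate file, as keytool -printcert shows it.
cert_sha256() {   # $1 = certificate file (DER or PEM)
    "$KEYTOOL" -printcert -file "$1" | awk '/SHA256:/ { print $2; exit }'
}

# Step 1: is this root already trusted by the JRE? Fingerprints are compared,
# so the answer does not depend on the alias the entry was stored under.
# The cacerts password goes on the command line only because it is the
# well-known default; keytool prompts for the private keystores below.
root_in_cacerts() {   # $1 = root cert file, $2 = cacerts path, $3 = cacerts password
    fp=$(cert_sha256 "$1")
    [ -n "$fp" ] || return 2
    "$KEYTOOL" -list -v -keystore "$2" -storepass "$3" 2>/dev/null | grep -q "SHA256: $fp"
}

# Step 2: produce both required formats from whatever the CA handed over:
# <prefix>.jks for the Web server and <prefix>.p12 for the Marketplace Portal.
# -srcstoretype is always given because the Java 8 keytool otherwise assumes
# the source is JKS. With $3 omitted keytool prompts for the passwords.
make_both_keystores() {   # $1 = CA-provided keystore, $2 = output prefix, [$3 = password]
    src=$1; prefix=$2
    src_type=$(keystore_format "$src") || return 1
    if [ -n "$3" ]; then set -- -srcstorepass "$3" -deststorepass "$3"; else set --; fi
    case "$src_type" in
        JKS)    cp "$src" "$prefix.jks" && "$KEYTOOL" -importkeystore "$@" \
                    -srckeystore "$src" -srcstoretype JKS \
                    -destkeystore "$prefix.p12" -deststoretype PKCS12 ;;
        PKCS12) cp "$src" "$prefix.p12" && "$KEYTOOL" -importkeystore "$@" \
                    -srckeystore "$src" -srcstoretype PKCS12 \
                    -destkeystore "$prefix.jks" -deststoretype JKS ;;
        *)      echo "unsupported keystore format: $src_type" >&2; return 1 ;;
    esac
}

# Step 3: alias of the entry that holds the private key. A CA-provided store
# often also carries root/intermediate certificates as trustedCertEntry; the
# Web server must point at the PrivateKeyEntry. Prints one alias per line.
private_key_alias() {   # $1 = JKS keystore, [$2 = password; omit to be prompted]
    ks=$1
    if [ -n "$2" ]; then set -- -storepass "$2"; else set --; fi
    "$KEYTOOL" -list -keystore "$ks" "$@" | awk -F', ' '/PrivateKeyEntry/ { print $1 }'
}

# Usage: sh prep_keystores.sh CA_ROOT CA_KEYSTORE OUT_PREFIX CSA_JRE_HOME [CACERTS_PASSWORD]
if [ "$#" -ge 4 ]; then
    ca_root=$1; ca_ks=$2; prefix=$3; jre=$4; cacerts_pw=${5:-changeit}
    KEYTOOL="$jre/bin/keytool"
    if root_in_cacerts "$ca_root" "$jre/lib/security/cacerts" "$cacerts_pw"; then
        echo "Step 1: root $(cert_sha256 "$ca_root") is already trusted by $jre; skip the import"
    else
        echo "Step 1: root not found in cacerts; import it with keytool -importcert as described"
    fi
    make_both_keystores "$ca_ks" "$prefix" || exit 1
    echo "Step 2: wrote $prefix.jks and $prefix.p12"
    echo "Step 3: PrivateKeyEntry alias(es) in $prefix.jks:"
    private_key_alias "$prefix.jks"
fi
```

The format check reads four bytes with od so it works on any system, and it is what tells the script which of the two conversions in Step 2 to run; the fingerprint comparison in root_in_cacerts is what the manual import relies on the operator doing by eye.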

Step 4: Configure the Marketplace Portal

This step configures the Marketplace Portal to use the root certificate and the PKCS#12 keystore.

  1. Open the CSA_HOME/portal/conf/mpp.json file in a text editor.

  2. Update the ca attribute value for the provider. Enter the path to the root certificate file. For example, C:\ca_root.cer on Windows or /tmp/ca_root.cer on Linux.

  3. Update the ca attribute value for the idmProvider. Enter the path to the root certificate file. For example, C:\ca_root.cer on Windows or /tmp/ca_root.cer on Linux.

  4. Update the pfx attribute value. Enter the path to the PKCS#12 keystore. For example, if the Certificate Authority provided a PKCS#12 keystore, C:\.keystore_caprovided on Windows or /tmp/.keystore_caprovided on Linux. If you converted the Certificate Authority-provided keystore to PKCS#12, C:\.keystore_mpp on Windows or /tmp/.keystore_mpp on Linux.

  5. Update the passphrase attribute value. Enter the encrypted password used to access the PKCS#12 keystore (see Encrypt a Marketplace Portal Password for instructions). An encrypted password is preceded by ENC without any separating spaces and is enclosed in parentheses. This is the password from step 2 (Convert the Certificate Authority-Provided Keystore).

  6. Save and exit the file.

Step 5: Configure the Web Server

  1. Open CSA_HOME/jboss-as/standalone/configuration/standalone.xml in a text editor.

  2. Locate the following entry:

    <keystore path="CSA_HOME/jboss-as/standalone/configuration/.keystore" keystore-password="changeit"/>

  3. Copy the JKS keystore into CSA_HOME/jboss-as/standalone/configuration (the examples below assume this location; otherwise enter the keystore's actual location in the path attribute). Set the path attribute to the JKS keystore, set keystore-password to the password you selected for the JKS keystore, and add the alias attribute set to the alias you determined in step 3 (Determine the Alias for the Certificate from the JKS Keystore).

    For example, if the Certificate Authority provided a JKS keystore, update the entry to:

    <keystore path="CSA_HOME/jboss-as/standalone/configuration/.keystore_caprovided" keystore-password="keystorePassword" alias="<alias_from_step3>"/>

    For example, if you converted the Certificate Authority-provided keystore to JKS, update the entry to:

    <keystore path="CSA_HOME/jboss-as/standalone/configuration/.keystore_csa" keystore-password="keystorePassword" alias="<alias_from_step3>"/>

    Note This example stores the password in clear text. If you want to use an encrypted password, see Masking Passwords in standalone.xml Using the JBoss vault Script for information about creating a password vault for JBoss.

  4. Restart the CSA service.

    See Restart CSA for instructions.

  5. After the service has started, review the log files in the CSA_HOME/jboss-as/standalone/log/ directory and verify that no TLS or keystore errors are present.

Step 6: Configure Client Browsers

The client browser must be configured to trust certificates that are signed by the Certificate Authority. In most situations, this step will already have occurred. Client browsers are likely to already trust well-known third-party Certificate Authorities, or will have previously accessed and trusted Web sites that use internal Certificate Authority root certificates.

To test whether or not the browser on a client system is configured to trust certificates signed by your Certificate Authority, open a supported Web browser and navigate to https://<csahostname>:8444/csa. If you do not see a certificate warning, then the browser is configured properly.

If client browsers need to be configured to trust certificates signed by your Certificate Authority, then you will need to make the root certificate available to clients so it can be installed in the browser. The process of installing the root certificate will vary based on the browser.

  • Microsoft Internet Explorer and Chrome: From Windows Explorer, double-click on the .cer file to begin the import process. Install the certificate in the Trusted Root Certification Authorities store. For information about how to import the certificate, refer to the browser's online documentation.
  • Firefox: To begin the import process, select Tools > Options, select Advanced, select the Encryption tab, and click View Certificates. Import the root certificate into the Authorities tab. For information about how to import the certificate, refer to the browser's online documentation.

Step 7: Test Secure Connections

To test the connection to the Cloud Service Management Console, on a client system, open a supported Web browser and navigate to https://<csahostname>:8444/csa, where <csahostname> is the fully-qualified domain name of the system that was used when the certificate was created (browsers match it against the certificate's Common Name and Subject Alternative Names, so using a short host name or an IP address in the URL produces a name-mismatch warning even when everything else is correct). If the client browser trusts the Certificate Authority's root certificate and the Web application opens without a certificate warning, you have successfully configured CSA to use a Certificate Authority-signed certificate. If a certificate warning is displayed, review steps 1-6 to be sure they were followed as documented.
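The browser test above as a command-line check that can be scripted, added here as an example (not from the CSA documentation): it asks openssl to build the chain from the certificate served on port 8444 to ca_root.cer and to match the URL host name against the certificate, prints the served certificate's identity and expiry, and maps the common failure codes back to the steps above. It assumes OpenSSL 1.1.0 or later on the client for the -verify_hostname option; the function names and the script name verify_csa_tls.sh are illustrative.

```shell
#!/bin/sh
# Step 7 from the command line (added example; not from the CSA documentation).
# Assumes OpenSSL 1.1.0 or later on the client for -verify_hostname.

# Extract the numeric code from the "Verify return code: N (text)" line that
# openssl s_client prints; prints nothing if no handshake took place.
verify_code() {   # stdin = s_client transcript
    awk '/Verify return code:/ { print $4; exit }'
}

# Check exactly what the browser checks: the chain from the served certificate
# builds to the CA root file AND the URL host name matches the certificate's
# CN or subjectAltName. Prints the certificate's subject, issuer and expiry so
# a stale or wrong keystore is obvious. Returns 0 only when both checks pass.
verify_csa_tls() {   # $1 = csahostname (FQDN in the cert), $2 = CA root file, [$3 = port, default 8444]
    host=$1; ca=$2; port=${3:-8444}
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$ca" -verify_hostname "$host" 2>&1) || true
    code=$(printf '%s\n' "$out" | verify_code)
    # s_client echoes the server certificate in PEM; x509 reads it out of the transcript.
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate 2>/dev/null || true
    case "$code" in
        0)  echo "OK: $host:$port chains to $ca and the name matches"; return 0 ;;
        "") echo "FAIL: no TLS handshake with $host:$port (service down, wrong port, firewall?)" >&2
            return 2 ;;
        62) echo "FAIL: hostname mismatch; the certificate was not issued for $host (use the FQDN from Step 7)" >&2
            return 1 ;;
        19|20|21)
            echo "FAIL: chain does not build to $ca (code $code); check the alias in Step 5 and that $ca is the issuing CA's root" >&2
            return 1 ;;
        10) echo "FAIL: the served certificate has expired (code $code); request a new one from the CA" >&2
            return 1 ;;
        *)  echo "FAIL: verify return code $code" >&2
            printf '%s\n' "$out" | grep 'Verify return code' >&2 || true
            return 1 ;;
    esac
}

# Usage: sh verify_csa_tls.sh <csahostname> <ca_root.cer> [port]
if [ "$#" -ge 2 ]; then
    verify_csa_tls "$@"
fi
```

Because -servername is passed, the check exercises the same SNI path a browser uses; without -CAfile the result would reflect the client's system trust store rather than the root you distributed in Step 6.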