Configure CSA to Use a Trusted Certificate Authority-Signed or Subordinate Certificate Authority-Signed Certificate
This section describes the process you should follow to obtain, install, and configure a trusted third-party Certificate Authority-signed or subordinate Certificate Authority-signed certificate for use by CSA. The process by which you acquire a certificate depends on your organization. If you are obtaining a certificate from a trusted third-party Certificate Authority, such as Verisign, perform the following general steps, which are described in detail below. If you are generating and/or obtaining a certificate from an internal Certificate Authority, such as a corporate Certificate Authority, you should perform the general steps in Configure CSA to Use an Internal Certificate Authority-Signed Certificate.
- Create a keystore and a self-signed certificate
- Create a certificate signing request
- Submit the certificate signing request to a Certificate Authority
- Import the Certificate Authority's root certificate
- Import the Certificate Authority-signed certificate
- Configure the Marketplace Portal
- Configure the Web server
- Configure client browsers
- Test the secure connection
Note: In the following instructions, CSA_HOME is the directory in which CSA is installed (on Windows the directory is C:\Program Files\HPE\CSA and on Linux the directory is /usr/local/hpe/csa) and the keytool utility is included with the JRE.
Also, the following instructions are applicable for subordinate Certificate Authorities. Wherever the Certificate Authority is mentioned, the subordinate Certificate Authority is implied. For example, if the content states to submit the certificate to a Certificate Authority, you may also submit the certificate to a subordinate Certificate Authority.
Step 1: Create a Keystore and Self-Signed Certificate
Create a self-signed certificate to send with your request to a Certificate Authority by doing the following:
- Open a command prompt and change directories to CSA_HOME.
- Run the following command:
  Windows:
  "CSA_JRE_HOME\bin\keytool" -genkeypair -alias csa_ca_signed -validity 365 -keyalg rsa -keysize 2048 -keystore .\jboss-as\standalone\configuration\.keystore_ca_signed
  Linux:
  CSA_JRE_HOME/bin/keytool -genkeypair -alias csa_ca_signed -validity 365 -keyalg rsa -keysize 2048 -keystore ./jboss-as/standalone/configuration/.keystore_ca_signed
  where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed.
  You can use different values for -alias, -validity, -keysize and -keystore. These instructions assume that you will use the -alias and -keystore values recommended here; you will have to adjust the commands accordingly if you use different values.
- Enter a keystore password.
  This password is used to control access to the keystore. This password must be the same as the password you enter for the key later in this procedure.
- When you are prompted for your first and last name, enter the fully qualified domain name of the CSA server.
- Follow the prompts to enter the remaining organization and location values.
- Enter the keystore password you supplied earlier to use as the key password.
  Although keytool allows you to enter different passwords for the keystore and the key, the two passwords must be the same to work with CSA.
Step 2: Create a Certificate Signing Request
To enable a Certificate Authority to sign the self-signed certificate, you will need to create a Certificate Signing Request using the following procedure:
- Open a command prompt and change directories to CSA_HOME.
- Run the following command:
  Windows:
  "CSA_JRE_HOME\bin\keytool" -certreq -alias csa_ca_signed -file C:\csacsr.txt -keystore .\jboss-as\standalone\configuration\.keystore_ca_signed
  Linux:
  CSA_JRE_HOME/bin/keytool -certreq -alias csa_ca_signed -file /tmp/csacsr.txt -keystore ./jboss-as/standalone/configuration/.keystore_ca_signed
  where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed.
- When you are prompted for a password, enter the password you supplied for the keystore and key when you created the keystore and self-signed certificate in step 1.
Step 3: Submit the Certificate Signing Request to a Certificate Authority
Submit the Certificate Signing Request to the Certificate Authority following the procedure used by your organization or the third-party provider. After the submission has been processed, you will receive a Certificate Authority-signed certificate and a root certificate for the Certificate Authority.
In our example, we will assume the Certificate Authority's root certificate is named csaca.cer, the Certificate Authority-signed certificate is named csa_ca_signed.cer, and that both are located in C:\ on Windows or in /tmp on Linux.
Step 4: Import the Certificate Authority's Root Certificate
This step configures the JRE so it trusts the Certificate Authority that has signed your certificate. The JRE ships with a list of common, trusted Certificate Authority certificates that are stored in a keystore named cacerts. If the Certificate Authority used to sign your certificate is well known, it is likely that this root certificate is already present in the cacerts keystore.
It is recommended that you perform the following steps even if you suspect that the certificate is already installed. The keytool command will detect if the certificate is already present, and you can exit the import process if the certificate exists.
- Open a command prompt.
- Run the following command:
  Windows:
  "CSA_JRE_HOME\bin\keytool" -importcert -alias csaca -file C:\csaca.cer -trustcacerts -keystore "CSA_JRE_HOME\lib\security\cacerts"
  Linux:
  CSA_JRE_HOME/bin/keytool -importcert -alias csaca -file /tmp/csaca.cer -trustcacerts -keystore CSA_JRE_HOME/lib/security/cacerts
  where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed.
- When prompted for the keystore password, enter changeit.
- Enter yes when prompted to trust the certificate.
Step 5: Import the Certificate Authority-Signed Certificate
- The Certificate Authority-signed certificate (csa_ca_signed.cer) contains a chain of certificates and you must copy the root and any intermediate certificates in the chain to separate files. Work with your security expert to copy each certificate to a separate file.
- Open a command prompt and change directories to CSA_HOME.
- Import the certificate file(s):
  You must import each separate file in the following order (each certificate must have a unique alias):
  - root certificate
  - intermediate or subordinate certificate(s) in hierarchical order
  - primary or end-user certificate
  For example, suppose the Certificate Authority-signed certificate contains three certificates (root, intermediate, and primary), and you copied the root certificate to C:\root.cer on Windows or /tmp/root.cer on Linux and the intermediate certificate to C:\intermediate.cer on Windows or /tmp/intermediate.cer on Linux (you will use the Certificate Authority-signed certificate as the primary certificate). Run the following commands in the following order to import each certificate:
  Windows:
  "CSA_JRE_HOME\bin\keytool" -importcert -alias csa_ca_signed_root -file C:\root.cer -trustcacerts -keystore .\jboss-as\standalone\configuration\.keystore_ca_signed
  "CSA_JRE_HOME\bin\keytool" -importcert -alias csa_ca_signed_intermediate -file C:\intermediate.cer -trustcacerts -keystore .\jboss-as\standalone\configuration\.keystore_ca_signed
  "CSA_JRE_HOME\bin\keytool" -importcert -alias csa_ca_signed -file C:\csa_ca_signed.cer -trustcacerts -keystore .\jboss-as\standalone\configuration\.keystore_ca_signed
  Linux:
  CSA_JRE_HOME/bin/keytool -importcert -alias csa_ca_signed_root -file /tmp/root.cer -trustcacerts -keystore ./jboss-as/standalone/configuration/.keystore_ca_signed
  CSA_JRE_HOME/bin/keytool -importcert -alias csa_ca_signed_intermediate -file /tmp/intermediate.cer -trustcacerts -keystore ./jboss-as/standalone/configuration/.keystore_ca_signed
  CSA_JRE_HOME/bin/keytool -importcert -alias csa_ca_signed -file /tmp/csa_ca_signed.cer -trustcacerts -keystore ./jboss-as/standalone/configuration/.keystore_ca_signed
  where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed.
  Use the alias of the primary certificate (csa_ca_signed) and keystore name (CSA_HOME/jboss-as/standalone/configuration/.keystore_ca_signed) when you configure the web server.
- When prompted, enter the password for the key and keystore.
  Use this password when you configure the web server.
Step 6: Configure the Marketplace Portal
This step converts the CSA keystore to a PKCS#12 archive and configures the Marketplace Portal to use the Certificate Authority-signed certificate.
- Open a command prompt and navigate to CSA_HOME.
- Convert the CSA keystore to a PKCS#12 archive. Run the following command:
  Windows:
  "CSA_JRE_HOME\bin\keytool" -importkeystore -srckeystore .\jboss-as\standalone\configuration\.keystore_ca_signed -deststoretype PKCS12 -destkeystore .\portal\conf\.mppkeystore_ca_signed
  Linux:
  CSA_JRE_HOME/bin/keytool -importkeystore -srckeystore ./jboss-as/standalone/configuration/.keystore_ca_signed -deststoretype PKCS12 -destkeystore ./portal/conf/.mppkeystore_ca_signed
- When prompted, enter the password for the PKCS#12 archive. You will need this password when you configure the passphrase attribute later in this section.
- When prompted, enter the password for the CSA keystore (changeit).
- Open the CSA_HOME/portal/conf/mpp.json file in a text editor.
- Update the ca attribute value for the provider. Enter the path to the certificate file that you imported in Step 5: Import the Certificate Authority-Signed Certificate. For example, C:\csa_ca_signed.cer on Windows or /tmp/csa_ca_signed.cer on Linux. If you imported a chain of certificates, use the certificate file of the primary certificate.
- Update the ca attribute value for the idmProvider. Enter the path to the certificate file that you imported in Step 5: Import the Certificate Authority-Signed Certificate. For example, C:\csa_ca_signed.cer on Windows or /tmp/csa_ca_signed.cer on Linux. If you imported a chain of certificates, use the certificate file of the primary certificate.
- Update the pfx attribute value. Enter the name of the PKCS#12 archive you created earlier. For example, ..\conf\.mppkeystore_ca_signed.
- Update the passphrase attribute value. Enter the encrypted password used to access the .mppkeystore_ca_signed archive (see Encrypt a Marketplace Portal Password for instructions). An encrypted password is preceded by ENC without any separating spaces and is enclosed in parentheses.
- Save and exit the file.
Step 7: Configure the Web Server
- Open CSA_HOME/jboss-as/standalone/configuration/standalone.xml in a text editor.
- Locate the following entry:
  <keystore path="CSA_HOME/jboss-as/standalone/configuration/.keystore" keystore-password="changeit"/>
- Set the path attribute to the keystore you used in Step 5: Import the Certificate Authority-Signed Certificate, set the keystore-password attribute to the value that corresponds to the password you selected for the keystore, and add the alias attribute and set it to the alias you used in Step 5: Import the Certificate Authority-Signed Certificate.
  <keystore path="CSA_HOME/jboss-as/standalone/configuration/.keystore_ca_signed" keystore-password="keystorePassword" alias="csa_ca_signed"/>
  Note: If you imported a chain of certificates, use the alias of the primary certificate.
  Note: This example stores the password in clear text. If you want to use an encrypted password, see Masking Passwords in standalone.xml Using the JBoss vault Script for information about creating a password vault for JBoss.
- Restart the CSA service.
  See Restart CSA for instructions.
- After the service has started, review the log files in the CSA_HOME/jboss-as/standalone/log/ directory and verify that no TLS or keystore errors are present.
Step 8: Configure Client Browsers
The client browser must be configured to trust certificates that are signed by the Certificate Authority. In most situations, this step will already have occurred. Client browsers are likely to already trust well-known third-party Certificate Authorities, or will have previously accessed and trusted Web sites that use internal Certificate Authority root certificates.
To test whether or not the browser on a client system is configured to trust certificates signed by your Certificate Authority, open a supported Web browser and navigate to https://<csahostname>:8444/csa. If you do not see a certificate warning, then the browser is configured properly.
If client browsers need to be configured to trust certificates signed by your Certificate Authority, then you will need to make the root certificate available to clients so it can be installed in the browser. The process of installing the root certificate will vary based on the browser.
- Microsoft Internet Explorer and Chrome: From Windows Explorer, double-click on the .cer file to begin the import process. Install the certificate in the Trusted Root Certification Authorities store. For information about how to import the certificate, see the browser's online documentation.
- Firefox: To begin the import process, select Tools > Options, select Advanced, select the Encryption tab, and click View Certificates. Import the root certificate into the Authorities tab. For information about how to import the certificate, see the browser's online documentation.
Step 9: Test Secure Connections
To test the connection to the Cloud Service Management Console, on a client system, open a supported Web browser and navigate to https://<csahostname>:8444/csa where <csahostname> is the fully-qualified domain name of the system that was used when the certificate was created.
If the client browser is configured to accept the Certificate Authority's root certificate and the Web application opens without a certificate warning, then you have successfully configured CSA to use a Certificate Authority-signed certificate. If a certificate warning is displayed, review steps 1-8 to be sure they were followed as documented.
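A post-change check for the files edited in Steps 6 and 7, added here as an example (it is not HPE's or CSA's own code): it flags a standalone.xml keystore entry with the wrong path or alias or a default or clear-text password, and any mpp.json passphrase that is not in ENC(...) form. The sample inputs are constructed, the mpp.json nesting (including the https key) is an assumption that the code avoids depending on by matching key names at any depth, and ${VAULT::...} is the reference form JBoss uses for vault-masked values.

```python
import json
import re
import xml.etree.ElementTree as ET

VAULT_REF = re.compile(r"^\$\{VAULT::.+\}$")  # JBoss vault reference form
ENC_VALUE = re.compile(r"^ENC\(.+\)$")         # ENC(...) form described in Step 6

def audit_standalone(xml_text, alias="csa_ca_signed", store=".keystore_ca_signed"):
    """Check every <keystore> element, whatever XML namespace it lives in."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "keystore":
            continue
        if not el.get("path", "").endswith(store):
            findings.append("keystore path does not point at " + store)
        if el.get("alias") != alias:
            findings.append("alias is not " + alias)
        pw = el.get("keystore-password", "")
        if pw == "changeit":
            findings.append("keystore-password is the default 'changeit'")
        elif not VAULT_REF.match(pw):
            findings.append("keystore-password is stored in clear text")
    return findings

def audit_mpp(json_text):
    """Walk the whole JSON tree so no particular mpp.json layout is assumed."""
    findings = []
    def walk(node, where):
        if isinstance(node, dict):
            for key, val in node.items():
                here = where + "/" + key
                if key == "passphrase" and not ENC_VALUE.match(str(val)):
                    findings.append(here + " is not in ENC(...) form")
                walk(val, here)
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, where + "/" + str(i))
    walk(json.loads(json_text), "")
    return findings

# Constructed samples: the XML mirrors the Step 7 example; the JSON layout is assumed.
SAMPLE_XML = """<server xmlns="urn:example:constructed"><keystore
  path="CSA_HOME/jboss-as/standalone/configuration/.keystore_ca_signed"
  keystore-password="keystorePassword" alias="csa_ca_signed"/></server>"""
SAMPLE_MPP = """{"provider": {"ca": "/tmp/csa_ca_signed.cer"},
  "https": {"pfx": "../conf/.mppkeystore_ca_signed", "passphrase": "plainSecret"}}"""
if __name__ == "__main__":
    for finding in audit_standalone(SAMPLE_XML) + audit_mpp(SAMPLE_MPP):
        print("FINDING:", finding)
```

Run against the real files by passing their contents to audit_standalone and audit_mpp; an empty list from both means the checks covered here passed.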