Configure CSA to Use a Self-Signed Certificate
This section describes the process you should follow to obtain, install, and configure a self-signed certificate for use by CSA.
In general, it is recommended that you replace CSA's self-signed certificate with a Certificate Authority-signed certificate. However, you may consider replacing CSA's self-signed certificate with a self-signed certificate that you create in the following situations:
- CSA's self-signed certificate has expired and you do not want to configure a Certificate Authority-signed certificate at this time.
- The hostname that you entered when you installed CSA has changed (the hostname you entered during installation is used to configure CSA's self-signed certificate).
- You entered an IP address instead of the fully-qualified domain name when CSA was installed.
- Obtaining a Certificate Authority-signed certificate is not an option in your environment.
You should perform the following general steps:
- Create a keystore and a self-signed certificate.
- Export the self-signed certificate.
- Import the self-signed certificate as a trusted certificate.
- Configure the Marketplace Portal.
- Configure the web server.
- Configure client browsers (optional).
- Test the secure connection.
Note: In the following instructions, CSA_HOME is the directory in which CSA is installed (on Windows the directory is C:\Program Files\HPE\CSA, and on Linux the directory is /usr/local/hpe/csa). The keytool utility is included with the JRE.
Step 1: Create a Keystore and Self-Signed Certificate
To create a self-signed certificate, complete the following steps:
- Open a command prompt and change directories to CSA_HOME.
- Run the following command:

  Windows:

      "CSA_JRE_HOME\bin\keytool" -genkeypair -alias csa_self_signed -validity 365 -keyalg rsa -keysize 2048 -keystore .\jboss-as\standalone\configuration\.keystore_self_signed [-ext san=ip:<ip_address>]

  Linux:

      CSA_JRE_HOME/bin/keytool -genkeypair -alias csa_self_signed -validity 365 -keyalg rsa -keysize 2048 -keystore ./jboss-as/standalone/configuration/.keystore_self_signed [-ext san=ip:<ip_address>]

  where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed and -ext san=ip:<ip_address> is the option to specify the IP address of the system on which CSA is installed. This option is required if you specified an IP address instead of the fully-qualified domain name when you installed CSA. If you specified the fully-qualified domain name during installation, you may omit this option.

  You can use different values for -alias, -validity, -keysize and -keystore. These instructions assume that you will use the -alias and -keystore values recommended here; you will have to adjust the commands accordingly if you use different values.
- Enter a keystore password.

  This password is used to control access to the keystore. This password must be the same as the password you enter for the key later in this procedure.
- When you are prompted for your first and last name, enter the fully qualified domain name of the CSA server.
- Follow the prompts to enter the remaining organization and location values.
- Enter the keystore password you supplied earlier to use as the key password.

  Although keytool allows you to enter different passwords for the keystore and the key, the two passwords must be the same to work with CSA.
Step 2: Export the Self-Signed Certificate
Export the self-signed certificate using the following procedure:
- Open a command prompt and change directories to CSA_HOME.
- Run the following command:

  Windows:

      "CSA_JRE_HOME\bin\keytool" -export -alias csa_self_signed -file C:\csa_self_signed.cer -keystore .\jboss-as\standalone\configuration\.keystore_self_signed

  Linux:

      CSA_JRE_HOME/bin/keytool -export -alias csa_self_signed -file /tmp/csa_self_signed.cer -keystore ./jboss-as/standalone/configuration/.keystore_self_signed

  where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed.

  NOTE: Do not delete the default jboss.cer certificate from the folder CSA_HOME\jboss-as\standalone\configuration\ at any time.
- When you are prompted for a password, enter the keystore password used in step 1.
Step 3: Import the Self-Signed Certificate as a Trusted Certificate
This step configures the JRE so it trusts the self-signed certificate.
- Open a command prompt.
- Run the following command:

  Windows:

      "CSA_JRE_HOME\bin\keytool" -importcert -alias csa_self_signed -file C:\csa_self_signed.cer -trustcacerts -keystore "CSA_JRE_HOME\lib\security\cacerts"

  Linux:

      CSA_JRE_HOME/bin/keytool -importcert -alias csa_self_signed -file /tmp/csa_self_signed.cer -trustcacerts -keystore CSA_JRE_HOME/lib/security/cacerts

  where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed.
- When prompted for the keystore password, enter changeit.
- Enter yes when prompted to trust the certificate.
Step 4: Configure the Marketplace Portal
This step converts the CSA keystore to a PKCS#12 archive and configures the Marketplace Portal to use the self-signed certificate.
- Open a command prompt and navigate to CSA_HOME.
- Convert the CSA keystore to a PKCS#12 archive. Run the following command:

  Windows:

      "CSA_JRE_HOME\bin\keytool" -importkeystore -srckeystore .\jboss-as\standalone\configuration\.keystore_self_signed -deststoretype PKCS12 -destkeystore .\portal\conf\.mppkeystore_self_signed

  Linux:

      CSA_JRE_HOME/bin/keytool -importkeystore -srckeystore ./jboss-as/standalone/configuration/.keystore_self_signed -deststoretype PKCS12 -destkeystore ./portal/conf/.mppkeystore_self_signed
- When prompted, enter the password for the PKCS#12 archive. You will need this password when you configure the passphrase attribute later in this section.
- When prompted, enter the password for the CSA keystore (changeit).
- Open the CSA_HOME/portal/conf/mpp.json file in a text editor.
- Update the ca attribute value for the provider. Enter the path to the certificate file that you imported in step 2. For example, C:/csa_self_signed.cer on Windows or /tmp/csa_self_signed.cer on Linux.
- Update the ca attribute value for the idmProvider. Enter the path to the certificate file that you imported in step 2. For example, C:/csa_self_signed.cer on Windows or /tmp/csa_self_signed.cer on Linux.
- Update the pfx attribute value. Enter the name of the PKCS#12 archive you created earlier. For example, ../conf/.mppkeystore_self_signed.
- Update the passphrase attribute value. Enter the encrypted password used to access the .mppkeystore_self_signed archive (see Encrypt a Marketplace Portal Password for instructions). An encrypted password is preceded by ENC without any separating spaces and is enclosed in parentheses.
- Save and exit the file.
Step 5: Configure the Web Server
- Open CSA_HOME\jboss-as\standalone\configuration\standalone.xml in a text editor.
- Locate the following entry:

      <keystore keystore-password="changeit" path="CSA_HOME\jboss-as\standalone\configuration\.keystore"/>
- Set the path attribute to the keystore you used in step 2, set the keystore-password attribute to the value that corresponds to the password you selected for the keystore, and add the key-alias attribute and set it to the alias you used in step 2.

      <keystore path="CSA_HOME\jboss-as\standalone\configuration\.keystore_self_signed" keystore-password="keystorePassword" alias="csa_self_signed"/>

  Note: This example stores the password in clear text. If you want to use an encrypted password, see Masking Passwords in standalone.xml Using the JBoss vault Script for information about creating a password vault for JBoss.
- Restart the CSA service. See Restart CSA for instructions.
- After the service has started, review the log files in the CSA_HOME/jboss-as/standalone/log/ directory and verify that no TLS or keystore errors are present.
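An offline check of the Step 4 and Step 5 edits, added here as an example (it is not part of the CSA product or its documentation): it reads the text of mpp.json and standalone.xml and lists values that still need attention. The function names, the flat layout of the sample mpp.json, and the ${VAULT:: prefix used to recognize a vault-masked password are assumptions, not taken from this page.

```python
import json
import re
import xml.etree.ElementTree as ET

ENC_RE = re.compile(r"^ENC\(\S+\)$")  # "ENC" directly followed by parentheses

def walk(node, parent=""):
    """Yield (parent_key, key, value) for every key in nested JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield parent, key, value
            yield from walk(value, key)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item, parent)

def audit_mpp(text, cert_path, pfx_path):
    """Step 4 checks on mpp.json; returns a list of findings."""
    findings = []
    for parent, key, value in walk(json.loads(text)):
        if key == "ca" and parent in ("provider", "idmProvider") and value != cert_path:
            findings.append(f"{parent}.ca is {value!r}, expected {cert_path!r}")
        elif key == "pfx" and value != pfx_path:
            findings.append(f"pfx is {value!r}, expected {pfx_path!r}")
        elif key == "passphrase" and not ENC_RE.match(str(value)):
            findings.append("passphrase is not in ENC(...) form")
    return findings

def audit_standalone(text, keystore_file=".keystore_self_signed", alias="csa_self_signed"):
    """Step 5 checks on every <keystore> element; returns a list of findings."""
    findings = []
    for el in ET.fromstring(text).iterfind(".//{*}keystore"):  # any namespace (Python 3.8+)
        path = el.get("path", "").replace("\\", "/")
        if not path.endswith("/" + keystore_file):
            findings.append(f"path still points at {path!r}")
        # The page's text says key-alias, its example says alias: accept either.
        if (el.get("alias") or el.get("key-alias")) != alias:
            findings.append(f"alias is not {alias!r}")
        password = el.get("keystore-password", "")
        if password == "changeit":
            findings.append("keystore-password is the default 'changeit'")
        elif not password.startswith("${VAULT::"):  # assumed JBoss vault reference form
            findings.append("keystore-password is stored in clear text")
    return findings

# Constructed samples (layout assumed): the files as they might look before Steps 4 and 5 are finished.
SAMPLE_XML = r'<server xmlns="urn:example"><keystore keystore-password="changeit" path="CSA_HOME\jboss-as\standalone\configuration\.keystore"/></server>'
SAMPLE_MPP = '{"provider": {"ca": "/tmp/csa_self_signed.cer"}, "idmProvider": {"ca": "/tmp/old.cer"}, "pfx": "../conf/.mppkeystore_self_signed", "passphrase": "secret"}'
if __name__ == "__main__":
    print(*audit_standalone(SAMPLE_XML), *audit_mpp(SAMPLE_MPP, "/tmp/csa_self_signed.cer", "../conf/.mppkeystore_self_signed"), sep="\n")
```

Run against the page's own Step 5 example element, the only finding is the clear-text keystore-password that the Note in that step describes.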
Step 6: Configure Client Browsers (Optional)
Because the self-signed certificate is not signed by a Certificate Authority, when accessing the Cloud Service Management Console, warning messages are displayed in the browser (these messages do not affect normal operations of CSA). To avoid these warning messages, import the csa_self_signed.cer file or add an exception.
- Microsoft Internet Explorer and Chrome: From Windows Explorer, double-click on the csa_self_signed.cer file to begin the import process. Install the certificate in the Trusted Root Certification Authorities store. For information about how to import the certificate, refer to the browser's online documentation.
- Firefox: Add an exception by opening the browser and navigating to https://<csahostname>:8444/csa where <csahostname> is the fully-qualified domain name of the system on which CSA is running. When the This Connection is Untrusted page opens, select I Understand the Risks, click the Add Exception button, verify the Server Location, and click Confirm Security Exception. For information about how to import the certificate, refer to the browser's online documentation.
Step 7: Test Secure Connections
To test the connection to the Cloud Service Management Console, on a client system, open a supported Web browser and navigate to https://<csahostname>:8444/csa where <csahostname> is the fully-qualified domain name of the system that was used when the certificate was created.
If the client browser is configured to accept the self-signed certificate (that is, you have completed step 6) and the Web application opens without a certificate warning, then you have successfully configured CSA to use a self-signed certificate. If you did not complete step 6, verify that the only certificate warning relates to the certificate not being issued by a trusted authority. If any other certificate warning is displayed, review steps 1-6 to be sure they were followed as documented.