Configure Codar to use internal Certificate Authority-Signed certificate

This section describes how to install and configure an internal root certificate and an internal Certificate Authority-signed certificate for use by Codar. An internal certificate is one issued by an internal Certificate Authority, such as a corporate or government Certificate Authority. With an internal Certificate Authority you do not have to generate a self-signed certificate or create a certificate signing request yourself; the Certificate Authority should provide you with its root certificate and the signed certificate.

Perform the following general steps:

  1. Step 1: Import the Certificate Authority's root certificate
  2. Step 2: Import internal Certificate Authority-Signed certificate
  3. Step 3: Configure the web server
  4. Step 4: Configure client browsers
  5. Step 5: Test secure connections

Note In the following instructions, CSA_HOME is the directory in which Codar is installed (for example, on Windows the directory is C:\Program Files\HPE\Codar and on Linux the directory is /usr/local/hpe/codar). The keytool utility is included with the JRE.

In this example, it is assumed that you have been given an internal Certificate Authority-signed certificate (referred to as codar_internalca_signed.cer) and the internal Certificate Authority's root certificate (referred to as codarinternalca.cer). Both certificates are located in C:\ on Windows or in /tmp on Linux.

Step 1: Import the Certificate Authority's root certificate

This step configures the JRE so it trusts the internal Certificate Authority that signed your certificate, by importing the Certificate Authority's root certificate into the keystore named cacerts that is shipped with the JRE. A JRE upgrade or reinstall replaces this file, so repeat this step after upgrading the JRE.

  1. Open a command prompt.
  2. Run the following command:

    On Windows:

    "CSA_JRE_HOME\bin\keytool" -importcert -alias codarinternalca -file C:\codarinternalca.cer -trustcacerts -keystore "CSA_JRE_HOME\lib\security\cacerts"

    On Linux:

    CSA_JRE_HOME/bin/keytool -importcert -alias codarinternalca -file /tmp/codarinternalca.cer -trustcacerts -keystore CSA_JRE_HOME/lib/security/cacerts

    CSA_JRE_HOME is the directory in which the JRE that is used by Codar is installed.

  3. When prompted, enter the password for the keystore. On a stock JRE the cacerts password is changeit unless it has been changed; if it has not, change it.

  4. Enter yes when prompted to trust the certificate.

Step 2: Import internal Certificate Authority-Signed certificate

  1. Open a command prompt and change directories to CSA_HOME.

  2. Run the following command:

    On Windows:

    "CSA_JRE_HOME\bin\keytool" -importcert -alias codar_internalca_signed -file C:\codar_internalca_signed.cer -trustcacerts -keystore .\jboss-as\standalone\configuration\.keystore_internalca_signed

    On Linux:

    CSA_JRE_HOME/bin/keytool -importcert -alias codar_internalca_signed -file /tmp/codar_internalca_signed.cer -trustcacerts -keystore ./jboss-as/standalone/configuration/.keystore_internalca_signed

    CSA_JRE_HOME is the directory in which the JRE that is used by Codar is installed.

    Use this alias and keystore name when you configure the web server.

  3. When prompted, enter the password for the key and keystore.

    Use this password when you configure the web server.
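The two imports above, followed by the check a practitioner would run before touching the web server configuration, as an added shell example that is not part of the Codar documentation. It assumes the Linux paths used on this page (CSA_HOME, CSA_JRE_HOME, the .cer files in /tmp) and two environment variables, KEYSTORE_PASS and CACERTS_PASS, which are names chosen for this example rather than Codar settings. The entry_type helper parses keytool -list output; the verification step catches the case where the certificate was imported into a keystore that does not hold the private key it was issued for, which keytool silently stores as a trusted certificate that the web server cannot use.

```shell
#!/bin/sh
# Added example (not from the Codar documentation): import the internal CA
# root into the JRE cacerts and the CA-signed certificate into the Codar
# keystore, then verify what keytool actually created.
# Assumed paths follow the page; KEYSTORE_PASS / CACERTS_PASS are this
# example's own environment variables.
set -eu

CSA_HOME="${CSA_HOME:-/usr/local/hpe/codar}"
CSA_JRE_HOME="${CSA_JRE_HOME:-$CSA_HOME/jre}"
KEYTOOL="$CSA_JRE_HOME/bin/keytool"
CACERTS="$CSA_JRE_HOME/lib/security/cacerts"
KEYSTORE="$CSA_HOME/jboss-as/standalone/configuration/.keystore_internalca_signed"

# Print the entry type keytool reports for alias $1 in a `keytool -list`
# listing read on stdin (PrivateKeyEntry, trustedCertEntry or SecretKeyEntry).
# The date column in keytool output is locale dependent, so the type is found
# by matching the field rather than by column position.
entry_type() {
    awk -v a="$1" '
        index($0, a ", ") == 1 {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?$/) {
                    sub(/,$/, "", $i); print $i; exit
                }
        }'
}

# Step 1: trust the internal CA in the JRE cacerts. A stock JRE ships with
# the password "changeit"; pass the real one in CACERTS_PASS.
import_root_ca() {
    "$KEYTOOL" -importcert -noprompt -alias codarinternalca \
        -file /tmp/codarinternalca.cer -trustcacerts \
        -keystore "$CACERTS" -storepass "${CACERTS_PASS:-changeit}"
}

# Step 2: install the CA-signed certificate under the alias the web server
# will reference. KEYSTORE_PASS is the password that goes into standalone.xml.
import_signed_cert() {
    "$KEYTOOL" -importcert -alias codar_internalca_signed \
        -file /tmp/codar_internalca_signed.cer -trustcacerts \
        -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS"
}

# Check: the server alias must be a PrivateKeyEntry. If keytool reports
# trustedCertEntry, the keystore never held the private key this certificate
# was issued for, and JBoss cannot use it to terminate TLS.
verify_keystore() {
    t=$("$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" \
        | entry_type codar_internalca_signed)
    [ "$t" = PrivateKeyEntry ] || {
        echo "codar_internalca_signed is '${t:-absent}', not PrivateKeyEntry" >&2; return 1; }
    r=$("$KEYTOOL" -list -keystore "$CACERTS" -storepass "${CACERTS_PASS:-changeit}" \
        | entry_type codarinternalca)
    [ "$r" = trustedCertEntry ] || { echo "root CA is not in $CACERTS" >&2; return 1; }
    echo "keystore and cacerts look correct"
}

# Only act on a real installation when invoked as: sh import_codar_cert.sh run
if [ "${1:-}" = run ]; then
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the Codar keystore password}"
    import_root_ca
    import_signed_cert
    verify_keystore
fi
```

Passing -storepass on the command line makes the password visible to other local users in the process list for the duration of the call; the interactive prompt used in the steps above avoids that, at the cost of not being scriptable.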

Step 3: Configure the web server

Configure the web server by completing the following steps:

  1. Open CSA_HOME\jboss-as\standalone\configuration\standalone.xml in a text editor.

  2. Locate the following entry:

    <ssl name="ssl" key-alias="CODAR" certificate-key-file="CSA_HOME\jboss-as\standalone\configuration\.keystore" verify-client="false"/>

  3. Add a new attribute named password with a value that corresponds to the password you selected for the keystore in Step 2, change the key-alias to the alias you used in Step 2, and change the certificate-key-file to the keystore you used in Step 2.

    On Windows:

    <ssl name="ssl" key-alias="codar_internalca_signed" certificate-key-file="CSA_HOME\jboss-as\standalone\configuration\.keystore_internalca_signed" password="keystorePassword" verify-client="false"/>

    On Linux:

    <ssl name="ssl" key-alias="codar_internalca_signed" certificate-key-file="CSA_HOME/jboss-as/standalone/configuration/.keystore_internalca_signed" password="keystorePassword" verify-client="false"/>

    Note This example stores the password in clear text. If you want to use an encrypted password, follow the instructions at https://community.jboss.org/wiki/JBossAS7SecuringPasswords to create a password vault for JBoss. Whichever you choose, restrict read access to standalone.xml and to the keystore file to the account the Codar service runs as.

    Note If you are using the vault scripts, verify that the JAVA_HOME environment variable has been defined. Verify that JAVA_HOME has been set to the directory in which the JRE that is used by Codar is installed.

    Windows:

    If the directory path name includes a space, verify that the value has been enclosed in quotations marks. For example, to set JAVA_HOME to a directory path name that includes a space, from a command prompt, type
    set JAVA_HOME="C:\Program Files\HPE\Codar\jre"

    To verify that JAVA_HOME has been defined, from a command prompt, type:
    echo %JAVA_HOME%

    Linux:

    To verify that JAVA_HOME has been defined, from a command prompt, type:
    echo $JAVA_HOME

    The following is an example of an encrypted password attribute using the JBoss password vault:

    password="${VAULT::<vault_block_example>::password::N2NhZDzOMtES0ZGE4MmEtx0}"

  4. Restart the Codar service, see Restart Codar.
  5. After the service has started, review the log files in CSA_HOME\jboss-as\standalone\log\ and verify that no TLS or keystore errors are present.

Step 4: Configure client browsers

The client browser must be configured to trust certificates that are signed by the Certificate Authority. In most situations, this step will already have occurred. Client browsers are likely to already trust well-known third-party Certificate Authorities, or will have previously accessed and trusted Web sites that use internal Certificate Authority root certificates.

To test whether or not the browser on a client system is configured to trust certificates signed by your Certificate Authority, open a supported Web browser and navigate to https://<codarhostname>:8444/csa. If you do not see a certificate warning, then the browser is configured properly.

If client browsers need to be configured to trust certificates signed by your Certificate Authority, then you will need to make the root certificate available to clients so it can be installed in the browser. The process of installing the root certificate will vary based on the browser.

  • Microsoft Internet Explorer and Chrome: From Windows Explorer, double-click on the .cer file to begin the import process. Install the certificate in the Trusted Root Certification Authorities store. For information on how to import the certificate, see the browser's online documentation.
  • Firefox: To begin the import process, select Tools > Options, select Advanced, select the Encryption tab, and click View Certificates. Import the root certificate into the Authorities tab. For information on how to import the certificate, see the browser's online documentation.

Step 5: Test secure connections

To test the connection to the Codar Console, on a client system, open a supported Web browser and navigate to https://<codarhostname>:8444/csa where <codarhostname> is the fully-qualified domain name of the system that was used when the certificate was created. If the client browser is configured to accept the Certificate Authority's root certificate and the web application opens without a certificate warning, then you have successfully configured Codar to use a Certificate Authority-signed certificate. If a certificate warning is displayed, review steps 1-4 to be sure they were followed as documented.
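The same test performed from a shell instead of a browser, as an added example that is not part of the Codar documentation, so it can be run from a monitoring host or a CI job. It assumes openssl 1.1.1 or later on the client (for x509 -ext), the root certificate file name used on this page, and the placeholder host name codar.example.com; check_codar_tls, cert_dns_sans and san_matches are this example's own function names. Besides the chain check, it applies the rule this step depends on: the name you connect to must appear in the certificate's subjectAltName, with a wildcard matching only the leftmost label, which openssl s_client does not check on its own.

```shell
#!/bin/sh
# Added example (not from the Codar documentation): check a Codar TLS
# endpoint the way a browser would, with openssl. Host name and root file
# are assumptions; the functions are this example's own.
set -eu

# Does host $1 match one of the DNS names given as the remaining arguments?
# Browser rule: exact match, case-insensitive, or a wildcard that replaces
# only the leftmost label (*.example.com matches codar.example.com but not
# a.b.example.com or example.com).
san_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    host_parent="${host#*.}"
    for n in "$@"; do
        n=$(printf '%s' "$n" | tr 'A-Z' 'a-z')
        case "$n" in
            "$host") return 0 ;;
            \*.*)
                # host needs a label in front of the suffix and an identical suffix
                if [ "$host_parent" != "$host" ] && [ "${n#\*.}" = "$host_parent" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
}

# Extract the DNS subjectAltName entries of a PEM certificate read on stdin,
# one per line (text before the BEGIN CERTIFICATE line is ignored by openssl).
cert_dns_sans() {
    openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Full check: the chain verifies against the internal root AND the leaf
# certificate names the host we connected to. Prints the reason on failure.
check_codar_tls() {
    host="$1"; port="${2:-8444}"; root="${3:-/tmp/codarinternalca.cer}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$root" </dev/null 2>&1) || true
    case "$out" in
        *"Verify return code: 0 (ok)"*) ;;
        *)
            echo "chain does not verify against $root:"
            printf '%s\n' "$out" | grep 'Verify return code' || true
            return 1 ;;
    esac
    sans=$(printf '%s\n' "$out" | cert_dns_sans | tr '\n' ' ')
    # word splitting of $sans into separate names is intended
    san_matches "$host" $sans || {
        echo "certificate names [$sans] do not include $host"; return 1; }
    echo "ok: $host:$port presents a certificate for $host signed by the internal CA"
}

# Usage: sh check_codar_tls.sh run codar.example.com 8444 /tmp/codarinternalca.cer
if [ "${1:-}" = run ]; then
    check_codar_tls "${2:-codar.example.com}" "${3:-8444}" "${4:-/tmp/codarinternalca.cer}"
fi
```

A "Verify return code" other than 0 with the internal root passed as -CAfile means the server is still presenting the old self-signed certificate or the chain is incomplete; a name mismatch means the certificate was issued for a different host name than the one clients use, which produces the browser warning described in this step even when the chain is fine.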