Configure Codar to use self-signed certificate

This section describes the process you should follow to obtain, install, and configure a self-signed certificate for use by Codar.

In general, it is recommended that you replace Codar's self-signed certificate with a Certificate Authority-signed certificate. However, you may consider replacing Codar's self-signed certificate with a self-signed certificate you create yourself in the following situations:

  • Codar's self-signed certificate has expired and you do not want to configure a Certificate Authority-signed certificate at this time.
  • You want to configure a certificate with a hostname that matches the Codar hostname to avoid certain browser warnings that occur when accessing the Codar Console.
  • The hostname that you entered when you installed Codar has changed (the hostname you entered during installation is used to configure Codar's self-signed certificate).
  • You entered an IP address instead of the fully-qualified domain name when Codar was installed.
  • Obtaining a Certificate Authority-signed certificate is not an option in your environment.

You should perform the following general steps:

  1. Step 1: Create a keystore and self-signed certificate
  2. Step 2: Export the self-signed certificate
  3. Step 3: Import self-signed certificate as a trusted certificate
  4. Step 4: Configure web server
  5. Step 5: Configure client browsers (optional)
  6. Step 6: Test secure connections

Note In the following instructions, CSA_HOME is the directory in which Codar is installed (for example, on Windows the directory is C:\Program Files\HPE\Codar, and on Linux the directory is /usr/local/hpe/codar). The keytool utility is included with the JRE.

Step 1: Create a keystore and self-signed certificate

Create a self-signed certificate by completing the following steps:

  1. Open a command prompt and change directories to CSA_HOME.

  2. Run the following command:

    Windows:

    "CSA_JRE_HOME\bin\keytool" -genkeypair -alias codar_self_signed
    -validity 365 -keyalg rsa -keysize 2048
    -keystore .\jboss-as\standalone\configuration\.keystore_self_signed
    [-ext san=ip:<ip_address>]

    Linux:

    CSA_JRE_HOME/bin/keytool -genkeypair -alias codar_self_signed
    -validity 365 -keyalg rsa -keysize 2048
    -keystore ./jboss-as/standalone/configuration/.keystore_self_signed
    [-ext san=ip:<ip_address>]

    CSA_JRE_HOME is the directory in which the JRE that is used by Codar is installed, and -ext san=ip:<ip_address> is the option that specifies the IP address of the system on which Codar is installed. This option is required if you specified an IP address instead of the fully qualified domain name when you installed Codar. If you specified the fully qualified domain name during installation, you may omit this option.

    You can use different values for -alias, -validity, -keysize and -keystore. These instructions assume that you will use the -alias and -keystore values recommended here; you will have to adjust the commands accordingly if you use different values.

  3. Enter a keystore password.

    This password is used to control access to the keystore. This password must be the same as the password you enter for the key later in this procedure.

  4. When you are prompted for your first and last name, enter the fully qualified domain name of the Codar server.
  5. Follow the prompts to enter the remaining organization and location values.
  6. Enter the keystore password you supplied earlier to use as the key password.

    Although keytool allows you to enter different passwords for the keystore and the key, the two passwords must be the same to work with Codar.

Step 2: Export the self-signed certificate

Export the self-signed certificate by completing the following steps:

  1. Open a command prompt and change directories to CSA_HOME.

  2. Run the following command:

    Windows:

    "CSA_JRE_HOME\bin\keytool" -export -alias codar_self_signed
    -file C:\codar_self_signed.cer
    -keystore .\jboss-as\standalone\configuration\.keystore_self_signed

    Linux:

    CSA_JRE_HOME/bin/keytool -export -alias codar_self_signed
    -file /tmp/codar_self_signed.cer
    -keystore ./jboss-as/standalone/configuration/.keystore_self_signed

    CSA_JRE_HOME is the directory in which the JRE that is used by Codar is installed.

  3. When you are prompted for a password, enter the keystore password used in step 1.

Step 3: Import self-signed certificate as a trusted certificate

This step configures the JRE to trust the self-signed certificate. Import the self-signed certificate by completing the following steps:

  1. Open a command prompt.
  2. Run the following command:

    Windows:

    "CSA_JRE_HOME\bin\keytool" -importcert -alias codar_self_signed
    -file C:\codar_self_signed.cer -trustcacerts
    -keystore "CSA_JRE_HOME\lib\security\cacerts"

    Linux:

    CSA_JRE_HOME/bin/keytool -importcert -alias codar_self_signed
    -file /tmp/codar_self_signed.cer -trustcacerts
    -keystore CSA_JRE_HOME/lib/security/cacerts

    CSA_JRE_HOME is the directory in which the JRE that is used by Codar is installed.

  3. When you are prompted for a password, enter the keystore password used in step 1.

  4. Enter yes when prompted to trust the certificate.
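Steps 1 to 3 as one non-interactive Linux shell function, added here as an example and not taken from the Codar documentation. It assumes CSA_HOME and CSA_JRE_HOME are exported, takes the FQDN, the keystore password and an optional IP address as arguments, and assumes the JRE cacerts password is the Java default changeit unless CACERTS_PASS is set; the closing keytool -list checks are an added verification that the entries landed where the later steps expect them.

```shell
#!/bin/sh
# Added example, not part of the Codar documentation: Steps 1-3 run non-interactively
# on Linux. Assumes CSA_HOME and CSA_JRE_HOME are exported and that the JRE cacerts
# password is the Java default "changeit" unless CACERTS_PASS overrides it.
set -eu

# Usage: codar_self_signed_setup <fqdn> <keystore-password> [<ip-address>]
# The same password is used for the keystore and the key, as Codar requires.
# Note: -storepass on the command line is visible in the process list while
# keytool runs; on a shared host prefer keytool's -storepass:file form.
codar_self_signed_setup() {
    fqdn=$1
    storepass=$2
    ip=${3:-}
    keytool="${CSA_JRE_HOME}/bin/keytool"
    keystore="${CSA_HOME}/jboss-as/standalone/configuration/.keystore_self_signed"
    cacerts="${CSA_JRE_HOME}/lib/security/cacerts"
    cer="${TMPDIR:-/tmp}/codar_self_signed.cer"

    # Step 1: the FQDN becomes the CN; a SAN is added only when Codar was
    # installed by IP address, so clients connecting by IP can match the cert.
    san_opt=""
    if [ -n "$ip" ]; then
        san_opt="-ext san=ip:${ip}"
    fi
    # $san_opt is deliberately unquoted so it expands to two arguments.
    "$keytool" -genkeypair -alias codar_self_signed -validity 365 \
        -keyalg RSA -keysize 2048 -keystore "$keystore" \
        -storepass "$storepass" -keypass "$storepass" \
        -dname "CN=${fqdn}" $san_opt

    # Step 2: export the certificate (DER) for import into cacerts and browsers.
    "$keytool" -export -alias codar_self_signed -file "$cer" \
        -keystore "$keystore" -storepass "$storepass"

    # Step 3: make the JRE trust the certificate; -noprompt answers "yes".
    "$keytool" -importcert -noprompt -trustcacerts -alias codar_self_signed \
        -file "$cer" -keystore "$cacerts" -storepass "${CACERTS_PASS:-changeit}"

    # Check: a private key entry exists in the new keystore and a trusted
    # certificate entry landed in cacerts; grep -q fails the script otherwise.
    "$keytool" -list -keystore "$keystore" -storepass "$storepass" \
        -alias codar_self_signed | grep -q PrivateKeyEntry
    "$keytool" -list -keystore "$cacerts" -storepass "${CACERTS_PASS:-changeit}" \
        -alias codar_self_signed | grep -q trustedCertEntry
    echo "certificate exported to $cer"
}
```

Run it as `codar_self_signed_setup codar.example.com <password> [<ip>]` before continuing with Step 4; the exported .cer is what Step 5 imports into browsers.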

Step 4: Configure web server

Configure the web server by completing the following steps:

  1. Open CSA_HOME\jboss-as\standalone\configuration\standalone.xml in a text editor.

  2. Locate the following entry:

    <keystore path="CSA_HOME\jboss-as\standalone\configuration\.keystore"
    keystore-password="changeit"/>

  3. Set the path attribute to the keystore you used in step 2, set the keystore-password attribute to the password you selected for the keystore, and add the alias attribute and set it to the alias you used in step 2.

    Windows:

    <keystore path="<CSA_HOME>\jboss-as\standalone\configuration\.keystore_self_signed"
    keystore-password="keystorePassword" alias="codar_self_signed"/>

    Linux:

    <keystore path="$CSA_HOME/jboss-as/standalone/configuration/.keystore_self_signed"
    keystore-password="keystorePassword" alias="codar_self_signed"/>

    Note This example stores the password in clear text. If you want to use an encrypted password, follow the instructions at https://community.jboss.org/wiki/JBossAS7SecuringPasswords to create a password vault for JBoss.

  4. Restart the Codar service, see Restart Codar.

    To restart HP Codar on Windows:

    1. If you have configured Codar to be FIPS 140-2 compliant, create a Codar encryption keystore password file. The name and location of this file must match the value configured for the keystorePasswordFile property in the following file:

      CSA_HOME\jboss-as\standalone\deployments\csa.war\
      WEB-INF\classes\csa.properties

      The password file must contain only the following content: keystorePassword=<HP CODAR encryption keystore password>

      where <HP CODAR encryption keystore password> is the Codar encryption keystore password in clear text.

      This file is automatically deleted when the Codar service is started.

    2. On the server that hosts Codar, navigate to Control Panel > Administrative Tools > Services.
    3. Right-click on the Codar service and select Restart.


    To restart Codar on Linux, on the server that hosts Codar:

    1. Type the following:

      service codar restart

    2. If you installed an embedded Operations Orchestration instance, as the root user, type:

      <embeddedHPOOinstallation>/central/bin/central stop
      <embeddedHPOOinstallation>/central/bin/central start

      For example, type:
      /usr/local/hp/codar/OO/central/bin/central stop
      /usr/local/hp/codar/OO/central/bin/central start

  5. After the service has started, review the log files in CSA_HOME\jboss-as\standalone\log\ and verify that no TLS or keystore errors are present.

Step 5: Configure client browsers (optional)

Because the self-signed certificate is not signed by a Certificate Authority, when accessing the Codar Console, warning messages are displayed in the browser (these messages do not affect normal operations of Codar). To avoid these warning messages, import the codar_self_signed.cer file or add an exception.

  • Microsoft Internet Explorer and Chrome: From Windows Explorer, double-click on the
    codar_self_signed.cer file to begin the import process. Install the certificate in the Trusted Root Certification Authorities store. For information on how to import the certificate, see the browser's online documentation.
  • Firefox: Add an exception by opening the browser and navigating to https://<codarhostname>:8444/csa where <codarhostname> is the fully-qualified domain name of the system on which Codar is running. When the This Connection is Untrusted page opens, select I Understand the Risks, click the Add Exception button, verify the Server Location, and click Confirm Security Exception. For information on how to import the certificate, see the browser's online documentation.

Step 6: Test secure connections

To test the connection to the Codar Console, on a client system, open a supported Web browser and navigate to https://<codarhostname>:8444/csa where <codarhostname> is the fully-qualified domain name of the system that was used when the certificate was created. If the client browser is configured to trust the self-signed certificate and the web application opens without a certificate warning, then you have successfully configured Codar to use the self-signed certificate. If any other certificate warning is displayed, review steps 1-5 to be sure they were followed as documented.