Create new keystore and truststore for secure communication

To comply with FIPS 140-2, the keystore and truststore (which store the keys and certificates used for secure communication between HP Codar and other applications) must be in the PKCS #12 (Personal Information Exchange Syntax Standard) format. You must therefore create a new PKCS #12 keystore and truststore for HP Codar.

This section describes the process you should follow to obtain, install, and configure a certificate that supports PKCS #12 for use by HP Codar.

Perform the following tasks (described in more detail in the sections that follow the list below):

  1. Create the Codar server keystore that supports PKCS #12
  2. Create HP Codar's certificate, create a truststore that supports PKCS #12, and import certificate(s)
  3. Configure the Web server
  4. Import the Operations Orchestration certificate as a trusted certificate
  5. Import the provider's certificate (for example, VMware vCenter) as a trusted certificate
  6. Import the certificates for other applications as trusted certificates
  7. Configure client browsers (optional)

Note In the following examples, CSA_HOME is the directory in which Codar is installed (for example, C:\Program Files\Hewlett-Packard\CSA on Windows or /usr/local/hp/csa on Linux), the keytool utility is included with the JRE (you may choose to use a different utility), and a JRE has been installed for HP Codar in CSA_JRE_HOME. Each command is shown in its Windows form and its Linux form. Pass -storetype PKCS12 on every keytool command that creates or opens one of the .p12 files: the .p12 extension alone does not select the format, and a JRE whose default keystore type is JKS would otherwise create a JKS file.

Step 1: Create a Codar Server Keystore that Supports PKCS #12

Create the Codar server keystore. For example, do the following:

  1. Open a command prompt and change directories to CSA_HOME.

  2. Run the following command:

    Windows:
    "CSA_JRE_HOME\bin\keytool" -genkey -alias csa_fips -validity 365
    -keyalg rsa -keysize 2048 -storetype PKCS12 -keystore
    .\jboss-as\standalone\configuration\keystore_csaID.p12

    Linux:
    CSA_JRE_HOME/bin/keytool -genkey -alias csa_fips -validity 365
    -keyalg rsa -keysize 2048 -storetype PKCS12 -keystore
    ./jboss-as/standalone/configuration/keystore_csaID.p12

    You can use different values for -alias, -validity, -keysize and -keystore. These instructions assume that you will use the -alias and -keystore values recommended here; you will have to adjust the commands accordingly if you use different values.

  3. Enter a keystore password (referred to in this document as the Codar server keystore password).

    This password is used to control access to the keystore. This password must be the same as the password you enter for the key in task 6 of this step.

  4. When you are prompted for your first and last name, enter the fully qualified domain name of the HP Codar server.

  5. Follow the prompts to enter the remaining organization and location values.

  6. Enter the keystore password you supplied earlier to use as the key password.

    Although keytool allows you to enter different passwords for the keystore and the key, the two passwords must be the same to work with HP Codar.

Step 2: Create HP Codar's Certificate, Create a Truststore that Supports PKCS #12, and Import Certificate(s)

This section shows examples on how to export a self-signed certificate, create a Certificate Authority-signed certificate (optional), create the Codar server truststore that supports PKCS #12, and import the certificates into the truststore and keystore.

Select the type of certificate you will be using (self-signed or Certificate Authority-signed) and complete one of the applicable sections below.

Using a Self-Signed Certificate

Export a self-signed certificate, create the Codar server truststore that supports PKCS #12, and import the self-signed certificate into the Codar server truststore. For example:

  1. Open a command prompt and change directories to CSA_HOME.

  2. Export a self-signed certificate by exporting HP Codar's certificate:

    1. Run the following command:

      Windows:
      "CSA_JRE_HOME\bin\keytool" -export -alias csa_fips
      -file C:\csa_fips.crt -storetype PKCS12 -keystore
      .\jboss-as\standalone\configuration\keystore_csaID.p12

      Linux:
      CSA_JRE_HOME/bin/keytool -export -alias csa_fips
      -file /tmp/csa_fips.crt -storetype PKCS12 -keystore
      ./jboss-as/standalone/configuration/keystore_csaID.p12

    2. When you are prompted for a password, enter the Codar server keystore password used in step 1 (where you created the Codar server keystore that supports PKCS #12).

  3. Create a truststore that supports PKCS #12 and import the self-signed certificate:

    1. Run the following command:

      Windows:
      "CSA_JRE_HOME\bin\keytool" -importcert -alias csa_fips
      -file C:\csa_fips.crt -trustcacerts -storetype PKCS12 -keystore
      .\jboss-as\standalone\configuration\csa_server_truststore.p12

      Linux:
      CSA_JRE_HOME/bin/keytool -importcert -alias csa_fips
      -file /tmp/csa_fips.crt -trustcacerts -storetype PKCS12 -keystore
      ./jboss-as/standalone/configuration/csa_server_truststore.p12

      Keep -storetype PKCS12 on this command: it is what makes the new truststore a PKCS #12 file. The .p12 extension alone selects nothing, and on a JRE whose default keystore type is JKS the truststore would otherwise be created as JKS.

    2. When prompted, enter a truststore password (referred to in this document as the Codar server truststore password). You will need this password when you import the Operations Orchestration and other certificates.

    3. Enter yes when prompted to trust the certificate.

Using a Certificate Authority-Signed Certificate

Create a self-signed certificate, create a Certificate Authority-signed certificate, import the Certificate Authority-signed certificate into the Codar server keystore, create the Codar server truststore that supports PKCS #12, and import the root certificate into the Codar server truststore. For example:

  1. Open a command prompt and change directories to CSA_HOME.

  2. To create a Certificate Authority-signed certificate, you must create a certificate signing request and submit the certificate signing request to a Certificate Authority:

    1. From the command prompt, run the following command:

      Windows:
      "CSA_JRE_HOME\bin\keytool" -certreq -alias csa_fips
      -file C:\csacsrfips.csr -storetype PKCS12 -keystore
      .\jboss-as\standalone\configuration\keystore_csaID.p12

      Linux:
      CSA_JRE_HOME/bin/keytool -certreq -alias csa_fips
      -file /tmp/csacsrfips.csr -storetype PKCS12 -keystore
      ./jboss-as/standalone/configuration/keystore_csaID.p12

    2. When you are prompted for a password, enter the Codar server keystore password used in step 1 (where you created the Codar server keystore that supports PKCS #12).

    3. Submit the Certificate Signing Request (C:\csacsrfips.csr on Windows or /tmp/csacsrfips.csr on Linux) to the Certificate Authority, following the procedure used by your organization or a third-party provider. After the submission has been processed, you will receive a Certificate Authority-signed certificate (referred to as C:\ca_signed.crt or /tmp/ca_signed.crt in the example below) and a root certificate for the Certificate Authority (referred to as C:\ca_root.crt or /tmp/ca_root.crt in the example below).

  3. Import the Certificate Authority-signed certificate into the Codar server keystore:

    1. Open a command prompt and change directories to CSA_HOME.

    2. From the command prompt, run the following command:

      Windows:
      "CSA_JRE_HOME\bin\keytool" -importcert -alias csa_fips -trustcacerts
      -file C:\ca_signed.crt -storetype PKCS12 -keystore
      .\jboss-as\standalone\configuration\keystore_csaID.p12

      Linux:
      CSA_JRE_HOME/bin/keytool -importcert -alias csa_fips -trustcacerts
      -file /tmp/ca_signed.crt -storetype PKCS12 -keystore
      ./jboss-as/standalone/configuration/keystore_csaID.p12

      Use the same alias (csa_fips) that you used for the key pair in step 1. keytool then installs the signed certificate on that private key, replacing the self-signed certificate; under any other alias the certificate would be stored as a separate trusted-certificate entry and the server would keep presenting the self-signed one. keytool must also be able to chain the reply to a trusted root: -trustcacerts lets it use the JRE's cacerts file, and if your Certificate Authority's root is not in cacerts, import C:\ca_root.crt (/tmp/ca_root.crt) into this keystore (-importcert -alias ca_root) before importing the signed certificate.

    3. When you are prompted for a password, enter the Codar server keystore password used in step 1 (where you created the Codar server keystore that supports PKCS #12).

  4. Create a truststore that supports PKCS #12 and import the root certificate:

    1. From the command prompt, run the following command:

      Windows:
      "CSA_JRE_HOME\bin\keytool" -importcert -alias ca_root
      -file C:\ca_root.crt -trustcacerts -storetype PKCS12 -keystore
      .\jboss-as\standalone\configuration\csa_server_truststore.p12

      Linux:
      CSA_JRE_HOME/bin/keytool -importcert -alias ca_root
      -file /tmp/ca_root.crt -trustcacerts -storetype PKCS12 -keystore
      ./jboss-as/standalone/configuration/csa_server_truststore.p12

      Keep -storetype PKCS12 on this command; it is what makes the new truststore a PKCS #12 file rather than a JKS file.

    2. When prompted, enter a truststore password (referred to in this document as the Codar server truststore password). You will need this password when you import the Operations Orchestration and other certificates.

    3. Enter yes when prompted to trust the certificate.
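
keytool gives no warning when a keystore ends up in the wrong format: on a JRE whose default store type is JKS, leaving out -storetype PKCS12 silently writes a JKS file even when the name ends in .p12, and the PKCS #12 requirement stated at the top of this page is then not met. The following Python script is an added example, not part of the original page and not HP Codar code, that inspects the bytes of a keystore or truststore produced in steps 1 and 2 and reports whether the file is JKS, JCEKS or a PKCS #12 PFX, along with the PFX version, the authSafe content type and the integrity-MAC digest and iteration count. It uses only the standard library; the PFX it builds for its own self-test is a constructed, content-free shell (empty authSafe, all-zero MAC), not a real keystore, and the file paths on the command line are assumed.

```python
"""Added example (not HP/HPE code): tell a PKCS #12 PFX from a JKS/JCEKS keystore
and report the PFX header and integrity-MAC parameters. Standard library only."""

JKS_MAGIC = b"\xfe\xed\xfe\xed"      # Sun JKS file header, followed by a 4-byte version
JCEKS_MAGIC = b"\xce\xce\xce\xce"    # Sun JCEKS file header
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"
DIGEST_NAMES = {"1.3.14.3.2.26": "SHA-1", "2.16.840.1.101.3.4.2.1": "SHA-256",
                "2.16.840.1.101.3.4.2.2": "SHA-384", "2.16.840.1.101.3.4.2.3": "SHA-512"}

def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split the body of a constructed TLV into a list of (tag, body)."""
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        out.append((tag, child))
    return out

def oid_to_str(body):
    """Decode an OBJECT IDENTIFIER body into dotted form."""
    parts, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def inspect_keystore(data):
    """Classify raw keystore bytes as JKS, JCEKS, PKCS12 or unknown, with header details."""
    if data[:4] == JKS_MAGIC:
        return {"format": "JKS", "version": int.from_bytes(data[4:8], "big")}
    if data[:4] == JCEKS_MAGIC:
        return {"format": "JCEKS"}
    if len(data) < 2 or data[0] != 0x30:
        return {"format": "unknown"}
    # PFX ::= SEQUENCE { version INTEGER(3), authSafe ContentInfo, macData MacData OPTIONAL }
    fields = der_children(der_read(data)[1])
    if len(fields) < 2 or fields[0][0] != 0x02 or fields[1][0] != 0x30:
        return {"format": "unknown"}
    info = {"format": "PKCS12", "version": int.from_bytes(fields[0][1], "big"),
            "mac_digest": None, "mac_iterations": None}
    ctype = der_children(fields[1][1])[0]                       # ContentInfo.contentType
    info["authsafe_type"] = oid_to_str(ctype[1]) if ctype[0] == 0x06 else "?"
    if len(fields) > 2 and fields[2][0] == 0x30:
        # MacData ::= SEQUENCE { mac DigestInfo, macSalt OCTET STRING, iterations INTEGER DEFAULT 1 }
        mac = der_children(fields[2][1])
        alg = der_children(der_children(mac[0][1])[0][1])[0]    # DigestInfo.digestAlgorithm.algorithm
        info["mac_digest"] = DIGEST_NAMES.get(oid_to_str(alg[1]), oid_to_str(alg[1]))
        info["mac_iterations"] = int.from_bytes(mac[2][1], "big") if len(mac) > 2 else 1
    return info

def check_pkcs12(data):
    """Findings against the page's requirement; an empty list means a usable PFX."""
    info = inspect_keystore(data)
    if info["format"] != "PKCS12":
        return ["not PKCS #12 (found %s): re-create with -storetype PKCS12" % info["format"]]
    findings = []
    if info["version"] != 3:
        findings.append("unexpected PFX version %d" % info["version"])
    if info["authsafe_type"] != OID_PKCS7_DATA:
        findings.append("authSafe is not PKCS #7 data (password integrity mode expected)")
    if info["mac_digest"] is None:
        findings.append("no MacData: the file carries no integrity MAC")
    return findings

# --- constructed sample for the self-test: a content-free PFX shell, not a real keystore ---
def der(tag, body):
    """Encode one DER TLV."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def oid_bytes(dotted):
    """Encode a dotted OID into an OBJECT IDENTIFIER body."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_sample_pfx(digest_oid="2.16.840.1.101.3.4.2.1", iterations=10000):
    """Empty authSafe and an all-zero MAC: just enough structure to exercise the parser."""
    auth_safe = der(0x30, der(0x06, oid_bytes(OID_PKCS7_DATA)) + der(0xA0, der(0x04, b"")))
    alg_id = der(0x30, der(0x06, oid_bytes(digest_oid)) + der(0x05, b""))
    digest_info = der(0x30, alg_id + der(0x04, bytes(32)))
    mac_data = der(0x30, digest_info + der(0x04, bytes(8)) + der(0x02, iterations.to_bytes(2, "big")))
    return der(0x30, der(0x02, b"\x03") + auth_safe + mac_data)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:   # e.g. keystore_csaID.p12 csa_server_truststore.p12 (assumed paths)
        with open(path, "rb") as fh:
            data = fh.read()
        print(path, inspect_keystore(data), check_pkcs12(data) or "OK")
```

Run it against both files after step 2 (python3 check_pkcs12.py keystore_csaID.p12 csa_server_truststore.p12); a "found JKS" finding means the file must be re-created with -storetype PKCS12. The script reads only the unencrypted outer structure, so it needs no password and never touches the private key; checking the key/keystore password pairing required in step 1 still needs keytool -list with the password.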

Step 3: Configure the Web Server

  1. Encrypt the Codar server keystore password and datasource (database) password using the vault scripts. Follow the instructions at https://community.jboss.org/wiki/JBossAS7SecuringPasswords to create a password vault for JBoss. You will use the encrypted passwords in the following tasks of this step.

    Note If you are using the vault scripts, verify that the JAVA_HOME environment variable has been defined. Verify that JAVA_HOME has been set to the directory in which the JRE that is used by Codar is installed.

    Windows:

    If the directory path name includes a space, verify that the value has been enclosed in quotation marks. For example, to set JAVA_HOME to a directory path name that includes a space, from a command prompt, type
    set JAVA_HOME="C:\Program Files\HPE\Codar\jre"

    To verify that JAVA_HOME has been defined, from a command prompt, type:
    echo %JAVA_HOME%

    Linux:

    To verify that JAVA_HOME has been defined, from a command prompt, type:
    echo $JAVA_HOME

    The following is an example of an encrypted password attribute using the JBoss password vault:

    password="${VAULT::<vault_block_example>::password::N2NhZDzOMtES0ZGE4MmEtx0}"

  2. Open CSA_HOME\jboss-as\standalone\configuration\standalone.xml (Windows) or CSA_HOME/jboss-as/standalone/configuration/standalone.xml (Linux) in a text editor.

  3. Locate the following entry for the HP Codar server keystore password (this entry may have been modified):

    <ssl name="ssl" key-alias="CSA" certificate-key-file="CSA_HOME\jboss-as\standalone\configuration\.keystore" verify-client="false"/>

    On Linux the certificate-key-file value is CSA_HOME/jboss-as/standalone/configuration/.keystore.

  4. Update the entry by:

    • Removing the name and key-alias attributes and values
    • Changing the value of certificate-key-file to the keystore you created in step 1 (CSA_HOME\jboss-as\
      standalone\configuration\keystore_csaID.p12
      CSA_HOME/jboss-as/
      standalone/configuration/keystore_csaID.p12
      )
    • Adding or changing the value of password to the encrypted value of the Codar server keystore password you generated in task 1 of this step
    • Adding or changing the value of protocol to TLSv1
    • Adding the attribute keystore-type and setting its value to PKCS12

    For example:

    Windows:
    <ssl certificate-key-file="CSA_HOME\jboss-as\standalone\configuration\keystore_csaID.p12"
    password="${VAULT::<vault_block_ssl>::password::BdBDkaoLEhjodlsaOI0x0}"
    protocol="TLSv1"
    keystore-type="PKCS12"
    verify-client="false"/>

    Linux:
    <ssl certificate-key-file="CSA_HOME/jboss-as/standalone/configuration/keystore_csaID.p12"
    password="${VAULT::<vault_block_ssl>::password::BdBDkaoLEhjodlsaOI0x0}"
    protocol="TLSv1"
    keystore-type="PKCS12"
    verify-client="false"/>

    Note TLSv1 is the value this procedure specifies. TLS 1.0 has since been deprecated (RFC 8996); if the JRE supports it, TLSv1.2 is the value to use instead.

  5. Locate the following entry for the datasource password (this entry may have been modified):

    Microsoft SQL Server

    <datasource jndi-name="java:jboss/datasources/csaDS" pool-name="mssqlDS">
       <connection-url>jdbc:jtds:sqlserver://127.0.0.1:1433/example;ssl=request
       </connection-url>
       <driver>mssqlDriver</driver>
       <pool>
          <min-pool-size>10</min-pool-size>
          <max-pool-size>200</max-pool-size>
          <prefill>true</prefill>
       </pool>
       <security>
          <security-domain>csa-encryption-sec</security-domain>
       </security>
    </datasource>

  6. Replace the security-domain entry with the datasource username and password, setting the password value to the encrypted value of the datasource password you generated in task 1 of this step. For Microsoft SQL Server, also update the connection-url ssl attribute value from request to authenticate (if it has not already been updated).

    For example:

    Microsoft SQL Server

    <datasource jndi-name="java:jboss/datasources/csaDS" pool-name="mssqlDS">
       <connection-url>
          jdbc:jtds:sqlserver://127.0.0.1:1433/example;ssl=authenticate
       </connection-url>
       <driver>mssqlDriver</driver>
       <pool>
          <min-pool-size>10</min-pool-size>
          <max-pool-size>200</max-pool-size>
          <prefill>true</prefill>
       </pool>
       <security>
          <user-name>datasource_username</user-name>
          <password>
             ${VAULT::<vault_block_datasource>::password::AjkhlDFOblgeMmEtx0}
          </password>
       </security>
    </datasource>

  7. Locate and delete the following entry for the datasource password (this entry may have been modified):

    Microsoft SQL Server

    <security-domain name="csa-encryption-sec" cache-type="default">
       <authentication>
          <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
             <module-option name="username" value="<old_user_name>"/>
             <module-option name="password" value="<old_encoded_password>"/>
             <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=mssqlDS"/>
          </login-module>
       </authentication>
    </security-domain>

  8. Add the following vault properties to <server xmlns="urn:jboss:domain:1.3">, using the values printed by the vault script in task 1 of this step: KEYSTORE_PASSWORD is the masked value the script outputs, and SALT and ITERATION_COUNT must be the values you gave the script, because JBoss needs them to unmask the vault keystore password and read the vaulted secrets.

    <vault>
       <vault-option name="KEYSTORE_URL" value="C:\vault\vault.keystore"/>
       <vault-option name="KEYSTORE_PASSWORD" value="MASK-2PtpNyQsI1E7t"/>
       <vault-option name="KEYSTORE_ALIAS" value="vault"/>
       <vault-option name="SALT" value="12345678"/>
       <vault-option name="ITERATION_COUNT" value="50"/>
       <vault-option name="ENC_FILE_DIR" value="C:\vault\"/>
    </vault>
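
Tasks 2 to 8 of this step are a set of mechanical edits to standalone.xml, and the dangerous mistakes (leaving key-alias in place, leaving the old security-domain behind, pasting a plaintext password instead of a vault reference, putting <vault> in a position the schema rejects) are easy to make by hand and easy to check by machine. The following Python script is an added example, not part of the original page and not HP Codar code: configure_fips applies the edits to the XML text and audit lists what is still missing. It needs only the standard library (Python 3.8 or later for the {*} namespace wildcard); the embedded standalone.xml fragment is a constructed, trimmed stand-in whose namespaces are illustrative, the datasource user name and vault option values are placeholders, and the protocol value defaults to the TLSv1 this page specifies. ElementTree re-prefixes the subsystem namespaces (ns0:, ns1:) when it serializes, which JBoss parses identically, but review the diff before deploying.

```python
"""Added example (not HP/HPE code): apply the Step 3 edits to standalone.xml
programmatically and audit the result. Standard library only, Python 3.8+."""
import re
import xml.etree.ElementTree as ET

# A ${VAULT::<block>::<attribute>::<shared-key>} reference as written by the JBoss vault script.
VAULT_REF = re.compile(r"^\$\{VAULT::[^:]+::[^:]+::[^}]+\}$")

# Constructed, trimmed-down stand-in for a stock standalone.xml (namespaces illustrative).
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.3">
  <extensions/>
  <management/>
  <profile>
    <subsystem xmlns="urn:jboss:domain:datasources:1.0"><datasources>
      <datasource jndi-name="java:jboss/datasources/csaDS" pool-name="mssqlDS">
        <connection-url>jdbc:jtds:sqlserver://127.0.0.1:1433/example;ssl=request</connection-url>
        <driver>mssqlDriver</driver>
        <security><security-domain>csa-encryption-sec</security-domain></security>
      </datasource>
    </datasources></subsystem>
    <subsystem xmlns="urn:jboss:domain:security:1.1"><security-domains>
      <security-domain name="csa-encryption-sec" cache-type="default"><authentication/></security-domain>
      <security-domain name="other" cache-type="default"/>
    </security-domains></subsystem>
    <subsystem xmlns="urn:jboss:domain:web:1.1">
      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="ssl" key-alias="CSA" certificate-key-file="CSA_HOME/jboss-as/standalone/configuration/.keystore" verify-client="false"/>
      </connector>
    </subsystem>
  </profile>
</server>"""

def _ns(tag):
    """'{uri}' prefix of a qualified tag, '' if the tag has no namespace."""
    return tag[:tag.index("}") + 1] if tag.startswith("{") else ""

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def _vault_ref(value):
    """Refuse anything that is not a vault reference so no plaintext secret lands in the file."""
    if not VAULT_REF.match(value):
        raise ValueError("refusing to write a plaintext secret: %r" % value)
    return value

def configure_fips(xml_text, keystore_path, keystore_pw_ref, ds_user, ds_pw_ref,
                   vault_options, protocol="TLSv1"):
    """Return standalone.xml text with Step 3 tasks 3 to 8 applied."""
    root = ET.fromstring(xml_text)
    ssl = root.find(".//{*}ssl")                      # tasks 3-4: the HTTPS connector
    if ssl is None:
        raise ValueError("no <ssl> element in the web subsystem")
    for attr in ("name", "key-alias"):                # no alias: JBoss uses the key entry present
        ssl.attrib.pop(attr, None)
    ssl.set("certificate-key-file", keystore_path)
    ssl.set("password", _vault_ref(keystore_pw_ref))
    ssl.set("protocol", protocol)
    ssl.set("keystore-type", "PKCS12")
    for ds in root.iterfind(".//{*}datasource"):      # tasks 5-6: datasource credentials
        url = ds.find("{*}connection-url")
        if url is not None and url.text and "ssl=request" in url.text:
            url.text = url.text.replace("ssl=request", "ssl=authenticate")
        sec = ds.find("{*}security")
        if sec is None:
            sec = ET.SubElement(ds, _ns(ds.tag) + "security")
        for child in list(sec):
            if _local(child.tag) == "security-domain":
                sec.remove(child)
        ET.SubElement(sec, _ns(sec.tag) + "user-name").text = ds_user
        ET.SubElement(sec, _ns(sec.tag) + "password").text = _vault_ref(ds_pw_ref)
    for domains in root.iterfind(".//{*}security-domains"):   # task 7: old login module
        for dom in list(domains):
            if dom.get("name") == "csa-encryption-sec":
                domains.remove(dom)
    vault = ET.Element(_ns(root.tag) + "vault")       # task 8: <vault> precedes <management>
    for name, value in vault_options:
        ET.SubElement(vault, _ns(root.tag) + "vault-option", name=name, value=value)
    idx = next((i for i, c in enumerate(root) if _local(c.tag) in ("management", "profile")), len(root))
    root.insert(idx, vault)
    return ET.tostring(root, encoding="unicode")

def audit(xml_text):
    """Findings against the Step 3 end state; an empty list means nothing is left to do."""
    root, findings = ET.fromstring(xml_text), []
    ssl = root.find(".//{*}ssl")
    if ssl is None:
        return ["no <ssl> element"]
    if "key-alias" in ssl.attrib:
        findings.append("ssl: key-alias still present")
    if ssl.get("keystore-type") != "PKCS12":
        findings.append("ssl: keystore-type is not PKCS12")
    if not ssl.get("certificate-key-file", "").endswith(".p12"):
        findings.append("ssl: certificate-key-file is not the .p12 keystore")
    if not VAULT_REF.match(ssl.get("password", "")):
        findings.append("ssl: password missing or not a vault reference")
    for ds in root.iterfind(".//{*}datasource"):
        pool = ds.get("pool-name", "?")
        url = ds.findtext("{*}connection-url", "")
        if "sqlserver" in url and "ssl=authenticate" not in url:
            findings.append("datasource %s: ssl=authenticate not set" % pool)
        if ds.find("{*}security/{*}security-domain") is not None:
            findings.append("datasource %s: still delegates to a security-domain" % pool)
        if not VAULT_REF.match(ds.findtext("{*}security/{*}password", "").strip()):
            findings.append("datasource %s: password missing or plaintext" % pool)
    for dom in root.iterfind(".//{*}security-domains/{*}security-domain"):
        if dom.get("name") == "csa-encryption-sec":
            findings.append("security-domain csa-encryption-sec not deleted")
    if root.find("{*}vault") is None:
        findings.append("no <vault> element under <server>")
    return findings
```

The script works on a string and never writes standalone.xml itself: read the file, call configure_fips with the vault references printed in task 1, run audit on the result, and only then write it back over a backup copy. audit is also worth running on its own against a server that was configured by hand.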

Step 4: Import the Operations Orchestration Certificate as a Trusted Certificate

Because the integration of HP Codar and Operations Orchestration requires a secure connection, you must import the Operations Orchestration certificate.

For each system running HP Codar, import the root certificate of each Operations Orchestration's Certificate Authority (you must first export Operations Orchestration's certificate from Operations Orchestration's keystore and then import it into the Codar server truststore).

The following is an example of how to export the Operations Orchestration certificate and import it into the Codar server truststore.

  1. On the system running Operations Orchestration, open a command prompt and change the directory to %ICONCLUDE_HOME% (Windows) or $ICONCLUDE_HOME (Linux).
  2. Run the following command:

    Operations Orchestration 10.x, Windows
    .\java\bin\keytool -exportcert -alias tomcat -file C:\oo.crt
    -keystore .\Central\var\security\key.store -storepass changeit

    Operations Orchestration 9.x, Windows
    .\jre1.6\bin\keytool -exportcert -alias pas -file C:\oo.crt
    -keystore .\Central\conf\rc_keystore -storepass bran507025

    Operations Orchestration 10.x, Linux
    ./java/bin/keytool -exportcert -alias tomcat -file /tmp/oo.crt
    -keystore ./Central/var/security/key.store -storepass changeit

    Operations Orchestration 9.x, Linux
    ./jre1.6/bin/keytool -exportcert -alias pas -file /tmp/oo.crt
    -keystore ./Central/conf/rc_keystore -storepass bran507025

    where C:\oo.crt and /tmp/oo.crt are examples of filenames and locations used to store the exported certificate (you can choose a different filename and location).

  3. If Operations Orchestration is not running on the same system as HP Codar, copy oo.crt from the Operations Orchestration system to the system running HP Codar (in this example, the file is copied to C:\oo.crt on Windows or /tmp/oo.crt on Linux).
  4. On the system running HP Codar, change the directory to CSA_HOME and run the following command:

    Windows:
    "CSA_JRE_HOME\bin\keytool" -importcert -alias pas -file C:\oo.crt -storetype PKCS12 -keystore
    .\jboss-as\standalone\configuration\csa_server_truststore.p12
    -storepass <Codar server truststore password>

    Linux:
    CSA_JRE_HOME/bin/keytool -importcert -alias pas -file /tmp/oo.crt -storetype PKCS12 -keystore
    ./jboss-as/standalone/configuration/csa_server_truststore.p12
    -storepass <Codar server truststore password>

  5. When prompted to trust the certificate, enter yes.

Step 5: Import the Provider's Certificate as a Trusted Certificate

If you configure the access point to Matrix Operating Environment, Server Automation, VMware vCenter, or any provider in the Codar Console to use a secure connection, you must import the provider's certificate into the truststore.

For each system running HP Codar, import the root certificate of the provider's Certificate Authority into the truststore (you must first export the provider's certificate from the provider's truststore and then import it into the Codar server truststore).

The following is an example of how to import the VMware vCenter certificate into the Codar server truststore.

  1. Obtain the root certificate of VMware vCenter's Certificate Authority and copy it to the system running HP Codar (in this example, the file is copied to C:\vcenter.crt on Windows or /tmp/vcenter.crt on Linux).
  2. On the system running HP Codar, change the directory to CSA_HOME and run the following command:

    Windows:
    "CSA_JRE_HOME\bin\keytool" -importcert -alias vcenter -file C:\vcenter.crt -storetype PKCS12 -keystore
    .\jboss-as\standalone\configuration\csa_server_truststore.p12
    -storepass <Codar server truststore password>

    Linux:
    CSA_JRE_HOME/bin/keytool -importcert -alias vcenter -file /tmp/vcenter.crt -storetype PKCS12 -keystore
    ./jboss-as/standalone/configuration/csa_server_truststore.p12
    -storepass <Codar server truststore password>

  3. When prompted to trust the certificate, enter yes.

Step 6: Import the Certificates for other Applications as Trusted Certificates

If other applications, such as the database, LDAP, SMTP, Operations Orchestration Load Balancer, or Continuous Delivery Automation require a secure connection, you must import the other applications' certificates into the Codar server truststore.

The following is an example of how to import another application's certificate into the Codar server truststore.

  1. Export the certificate for the application and copy the certificate file to the system running HP Codar.
  2. Import this certificate into the Codar server truststore.

    For example, run the following command on the system running HP Codar:

    Windows:
    "CSA_JRE_HOME\bin\keytool" -importcert -alias <alias>
    -file <filename.crt> -trustcacerts -storetype PKCS12
    -keystore "CSA_HOME\jboss-as\standalone\configuration\csa_server_truststore.p12"
    -storepass <Codar server truststore password>

    Linux:
    CSA_JRE_HOME/bin/keytool -importcert -alias <alias>
    -file <filename.crt> -trustcacerts -storetype PKCS12
    -keystore "CSA_HOME/jboss-as/standalone/configuration/csa_server_truststore.p12"
    -storepass <Codar server truststore password>

Step 7: Configure Client Browsers (Optional)

If HP Codar's certificate is not signed by a Certificate Authority, when accessing the Codar Console, warning messages are displayed in the browser (these messages do not affect normal operations of HP Codar). To avoid these warning messages, import the csa_fips.crt file or add an exception.

  • Microsoft Internet Explorer and Chrome: From Windows Explorer, double-click the csa_fips.crt file to begin the import process. Install the certificate in the Trusted Root Certification Authorities store. For information on how to import the certificate, see the browser's online documentation.
  • Firefox: Add an exception by opening the browser and navigating to https://<csahostname>:8444/csa where <csahostname> is the fully-qualified domain name of the system on which HP Codar is running. When the This Connection is Untrusted page opens, select I Understand the Risks, click the Add Exception button, verify the Server Location, and click Confirm Security Exception. For information on how to import the certificate, refer to the browser's online documentation.