Administer > System Security > FIPS mode > Configuring FIPS mode in Service Manager > Generate FIPS validated certificates for the SM Server and other components

Generate FIPS validated certificates for the SM Server and other components

Before you can enable FIPS mode in the Service Manager (SM) system, you must obtain a CA certificates file and keystore files in PKCS12 format (with the .p12 file extension) for the SM Server and other components. These certificates are used for FIPS validated TLS connections between the SM Server and other components.

Note In a production environment, you are recommended to use digital security certificates issued by a certificate authority provider, such as Verisign, Thawte, or your corporate certificate authority. The digital certificate contains a public key, the identity of the owner, and a matching private key. The certificate is required to encrypt data sent and received in a “trusted” environment. If you do not have a digital certificate from a provider listed above, you have the option of generating your own certificates to enable encrypted data transfer between the Service manager Server and the trusted clients, as described in the following.

  • Existing customers need to either convert your existing certificates to PKCS12 format or regenerate new PKCS12 certificates.

    Caution The SM Server truststore and trusted clients keystore do not contain a private key, and can work correctly in FIPS mode after conversion to PKCS12 format. However, the SM server keystore and client keystores contain a private key. Before converting them to PKCS12 format, make sure their private key was created using either "keytool -genkey -keyalg RSA" or "keytool -genkeypair -keyalg RSA"; otherwise they cannot work correctly in FIPS mode after conversion to PKCS12 format. Before you proceed, make sure the private key of the existing JKS file was created as noted above. If not, you will need to generate a new PKCS12 certificate.

  • New customers need to generate PKCS12 certificates for the SM Server, clients (Windows, Web Tier, SRC, and Mobility), as well as the Solr Search Engine server.

About the certificate generation toolkit

As a courtesy, HPE provides a certificate generation toolkit along with KM02204270 to help you generate PKCS12 certificates or convert existing certificates to PKCS12 format in an automated way.

For detailed instructions on how to use the toolkit for pkcs12 certificate generation or conversion, see the Generate FIPS validated certificates for the SM Server and other components section in KM02204270.

Example file and host names used in the documentation

The example keystore filenames and fully qualified domain names listed in the following table are used in later configuration steps. The example FQDNs assume that these components reside on different hosts. In your environment, if there are components that reside on the same host, you need to generate only one certificate for them.

Component Keystore Password Description FQDN
N/A smcacerts.p12 changeit CA certificates file  
SM Server

trustedclients.p12

sun-server-smserver.mycompany.net.p12

trustedclients

serverkeystore

Trusted clients keystore

Server keystore

smserver.mycompany.net

Windows Client sun-sun-winhost.mycompany.net.p12 clientkeystore Client keystore

winhost.mycompany.net

Web Tier sun-sun-webhost.mycompany.net.p12 clientkeystore Client keystore

webhost.mycompany.net

Mobility Client sun-sun-mobilehost.mycompany.net.p12 clientkeystore Client keystore

mobilehost.mycompany.net

SRC sun-sun-srchost.mycompany.net.p12 clientkeystore Client keystore

srchost.mycompany.net

Solr Search Engine sun-sun-solrhost.mycompany.net.p12 clientkeystore Client keystore

solrhost.mycompany.net

Chat Server trustedclients.p12 sun-server-chatserver.mycompany.net.p12 trustedclients serverkeystore Trusted clients keystore Server keystore chatserver.mycompany.net
Chat Service sun-sun-chatservicehost.mycompany.net.p12 clientkeystore Client keystore chatservice.mycompany.net
IdM Service sun-sun-idmservicehost.mycompany.net.p12 clientkeystore Client keystore idmservice.mycompany.net

Next step:

Configure FIPS mode in the Server