Help Document



HP Operations Orchestration Software Software Version: 9.03 or later

Technical Support Guidelines for replacing the default SSL Certificates

This document is for internal use only.

© George Daflidis-Kotsis – GSD – OO Support - Hewlett-Packard Ltd / 2013

Contents

Warranty
Restricted Rights Legend
Trademark Notices
Finding or updating documentation on the Web
Where to Find Help, Tutorials, and More
Support
This Document
I. Using a single self-signed SSL certificate both for Central and RAS
   a. Create the necessary keystores
   b. Copy the keystores to the final locations
II. Using a single CA-signed SSL certificate both for Central and RAS
   a. Create the necessary keystores
   b. Copy the keystores to the final locations
III. Using different self-signed certificates for Central and RAS
   A. Replacing the certificate for Central
   B. Replacing the certificate for RAS
   C. Add the trustedKey entries in the Central & RAS keystores
   D. Copy the keystores to the final locations
IV. Using different CA-signed certificates for Central and RAS
   A. Replacing the certificate for Central
   B. Replacing the certificate for RAS
   C. Add the trustedKey entries in the Central & RAS keystores
   D. Copy the keystores to the final locations
V. Updating the keystore & truststore password


Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notices
© Copyright 2010 Hewlett-Packard Development Company, L.P.

Trademark Notices
All marks mentioned in this document are the property of their respective owners.


Finding or updating documentation on the Web

Documentation enhancements are a continual project at Hewlett-Packard Software. You can obtain or update the HP OO documentation set and tutorials at any time from the HP Software Product Manuals web site. You will need an HP Passport to log in to the web site.

To obtain HP OO documentation and tutorials
1. Go to the HP Software Product Manuals web site (http://support.openview.hp.com/selfsolve/manuals).
2. Log in with your HP Passport user name and password.
   OR
   If you do not have an HP Passport, click New users – please register to create an HP Passport, then return to this page and log in. If you need help getting an HP Passport, see your HP OO contact.
3. In the Product list box, scroll down to and select Operations Orchestration.
4. In the Product Version list, click the version of the manuals that you're interested in.
5. In the Operating System list, click the relevant operating system.
6. Click the Search button.
7. In the Results list, click the link for the file that you want.

Where to Find Help, Tutorials, and More

The HP Operations Orchestration software (HP OO) documentation set is made up of the following:

• Help for Central
  Central Help provides information on the following:
  - Finding and running flows
  - For HP OO administrators, configuring the functioning of HP OO
  - Generating and viewing the information available from the outcomes of flow runs
  The Central Help system is also available as a PDF document in the HP OO home directory, in the \Central\docs subdirectory.

• Help for Studio
  Studio Help instructs flow authors at varying levels of programming ability. The Studio Help system is also available as a PDF document in the HP OO home directory, in the \Studio\docs subdirectory.

• Animated tutorials for Central and Studio
  HP OO tutorials can each be completed in less than half an hour and provide basic instruction on the following:
  - In Central, finding, running, and viewing information from flows
  - In Studio, modifying flows
  The tutorials are available in the Central and Studio subdirectories of the HP OO home directory.

• Self-documentation for operations and flows in the Accelerator Packs and ITIL folders
  Self-documentation is available in the descriptions of the operations and steps that are included in the flows.

Support

For support information, including patches, troubleshooting aids, support contract management, product manuals and more, visit the following site:
• http://support.openview.hp.com

This Document

The instructions for replacing the default Opsware self-signed SSL certificates in the Administrator's Guide are overly complicated. The instructions presented below are a simplified version that can easily be adapted to different scenarios. There are four main avenues that can be followed: using a single self-signed or CA-signed certificate for both Central and RAS, or using one self-signed or CA-signed certificate for Central and a different self-signed or CA-signed certificate for RAS.

The procedure below can be executed within the %ICONCLUDE_HOME%\jre1.6\bin folder ($ICONCLUDE_HOME/jre1.6/bin on Linux), and the keystores can then be copied to their final locations. This avoids moving temporary files around. Delete the temporary files (central_keystore.jks, central_keystore.p12, remote_keystore.jks, remote_keystore.p12 and any Certificate.key or Certificate.p12 produced with OpenSSL) once the final keystores are in place: each of them contains a copy of a private key.

In the commands below, values in angle brackets such as <password> are placeholders that must be replaced with the actual value; with the default keystore password this is bran507025.

There are two keystores used:

- rc_keystore, primarily used by Central. An exact copy of it is also used by Studio. Other than the CA root certificates (if a CA-signed certificate is used, as opposed to a self-signed one) it contains two aliases:
    pas of the type PrivateKeyEntry
    ras of the type trustedCertEntry

- ras_keystore.jks, used by RAS. Other than the CA root certificates (if a CA-signed certificate is used, as opposed to a self-signed one) it contains two aliases:
    pas of the type trustedCertEntry
    ras of the type PrivateKeyEntry

So what is stored as a PrivateKeyEntry in the Central keystore is stored as a trustedCertEntry in the RAS keystore and vice versa: each side holds its own key pair and trusts the other side's certificate directly.

    Alias   Central keystore (rc_keystore)   RAS keystore (ras_keystore.jks)
    pas     PrivateKeyEntry                  trustedCertEntry
    ras     trustedCertEntry                 PrivateKeyEntry

After any of the procedures below, keytool -list -keystore <keystore> -storepass <password> should show exactly this layout for the respective keystore; check it before copying the files into place.

It is assumed that the default keystore/truststore password is used. If a different one is used, Section V gives the steps to make the necessary updates to the Jetty-related XML files and the secured.properties files.


I. Using a single self-signed SSL certificate both for Central and RAS

a. Create the necessary keystores

1. Generate the self-signed certificate and store it in a temporary keystore called central_keystore.jks:
       keytool -genkey -keyalg RSA -alias pas -keystore central_keystore.jks -storepass <password> -validity 360 -keysize 2048
   keytool prompts for the distinguished name; answer the "first and last name" question with the fully qualified host name of the server, because that is the value TLS clients that check host names compare against.

2. Convert the JKS temporary keystore into a PKCS12 temporary keystore:
       keytool -importkeystore -srckeystore central_keystore.jks -destkeystore central_keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <password> -deststorepass <password>

3. Import the key entry (private key and certificate) from the PKCS12 temporary keystore into the official keystore:
       java -cp "%ICONCLUDE_HOME%\jetty\lib\jetty-6.1.14.jar" org.mortbay.jetty.security.PKCS12Import central_keystore.p12 rc_keystore

4. Export the Central certificate in PEM format from the official keystore:
       keytool -export -rfc -keystore rc_keystore -alias pas -file CentralServerCertificate.cer

5. For the RAS keystore: Import the key entry from the PKCS12 temporary keystore into the official keystore:
       java -cp "%ICONCLUDE_HOME%\Jetty\lib\jetty-6.1.14.jar" org.mortbay.jetty.security.PKCS12Import central_keystore.p12 ras_keystore.jks

6. For the RAS keystore: Rename the PrivateKeyEntry 'pas' alias to 'ras':
       keytool -changealias -v -alias pas -destalias ras -keypass <password> -keystore ras_keystore.jks -storepass <password>

7. For the RAS keystore: Import the PEM formatted certificate into ras_keystore.jks under the 'pas' alias:
       keytool -importcert -keystore ras_keystore.jks -file CentralServerCertificate.cer -alias pas

8. Import the PEM formatted certificate into rc_keystore under the 'ras' alias:
       keytool -importcert -keystore rc_keystore -file CentralServerCertificate.cer -alias ras

b. Copy the keystores to the final locations

NOTE: On Linux replace copy with cp and %ICONCLUDE_HOME% with $ICONCLUDE_HOME. Also use / instead of \. Keep a backup of the existing rc_keystore and ras_keystore.jks files before overwriting them.

1. Stop Studio, Central & RAS.
2. If you used a password other than the default one, follow the instructions in Section V.
3. Copy the new Central rc_keystore into Central's conf folder:
       copy rc_keystore %ICONCLUDE_HOME%\Central\conf
4. Copy the new Central rc_keystore into Studio's conf folder:
       copy %ICONCLUDE_HOME%\Central\conf\rc_keystore %ICONCLUDE_HOME%\Studio\conf
5. Copy the new RAS ras_keystore.jks into RAS's conf folder:
       copy ras_keystore.jks %ICONCLUDE_HOME%\RAS\Java\Default\webapp\conf
6. Start RAS, Central & Studio.

II. Using a single CA-signed SSL certificate both for Central and RAS

a. Create the necessary keystores

1. Generate a temporary keystore called central_keystore.jks containing the key used for the Certificate Signing Request (CSR):
       keytool -genkey -keyalg RSA -alias pas -keystore central_keystore.jks -storepass <password> -validity 360 -keysize 2048
   Answer the "first and last name" prompt with the fully qualified host name of the server; the CA issues the certificate for that name.

2. Generate the CSR:
       keytool -certreq -keyalg RSA -alias pas -file Certificate.csr -keystore central_keystore.jks -keypass <password> -storepass <password> -storetype JKS
   Now the Certificate.csr file can be sent to the CA so the CA-signed certificate can be provided.

   NOTE: Alternatively a CSR can be generated using OpenSSL:
       openssl req -new -newkey rsa:2048 -nodes -keyout Certificate.key -out Certificate.csr
   The Certificate.csr file has to be sent to the CA and then a CA-signed certificate is returned. Because the private key is then in Certificate.key rather than in central_keystore.jks, the received certificate is packed together with the key into PKCS12 format directly; steps 3 and 5 below do not apply, and Certificate.p12 is used in step 6 in place of central_keystore.p12. Depending on the certificate being in PEM or DER format:
   For PEM:
       openssl pkcs12 -export -in Certificate.pem -inkey Certificate.key -out Certificate.p12 -name pas
   For DER, convert it to PEM first and then run the same export:
       openssl x509 -inform DER -in Certificate.der -out Certificate.pem
       openssl pkcs12 -export -in Certificate.pem -inkey Certificate.key -out Certificate.p12 -name pas
   -nodes leaves Certificate.key unencrypted on disk; delete it and Certificate.p12 once the keystores are built.

3. Import the CA-signed certificate obtained from the CA:
       keytool -importcert -v -trustcacerts -alias pas -file <CA-signed certificate file> -keypass <password> -keystore central_keystore.jks -storepass <password> -storetype JKS
   NOTE: keytool accepts a certificate reply only if it can build the chain to a trusted root, either from the JRE's cacerts (-trustcacerts) or from the keystore itself. If the CA is an internal one that is not in cacerts, first import the root and subordinate CA certificates into central_keystore.jks with the commands of step 4 (using -keystore central_keystore.jks), then run this step.

4. Import the CA's root certificate chain into the keystore. Make sure you import any subordinate CA certificates as well:
       keytool -import -v -trustcacerts -alias CACert -file <CA root certificate file> -keystore rc_keystore -storetype JKS
   OPTIONAL:
       keytool -import -v -trustcacerts -alias CACert_sub -file <subordinate CA certificate file> -keystore rc_keystore -storetype JKS

5. Convert the JKS temporary keystore into a PKCS12 temporary keystore:
       keytool -importkeystore -srckeystore central_keystore.jks -destkeystore central_keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <password> -deststorepass <password>

6. Import the key entry (private key and certificate chain) from the PKCS12 temporary keystore into the official keystore:
       java -cp "%ICONCLUDE_HOME%\jetty\lib\jetty-6.1.14.jar" org.mortbay.jetty.security.PKCS12Import central_keystore.p12 rc_keystore

7. Export the Central certificate in PEM format from the official keystore:
       keytool -export -rfc -keystore rc_keystore -alias pas -file CentralServerCertificate.cer

8. For the RAS keystore: Import the key entry from the PKCS12 temporary keystore into the official keystore:
       java -cp "%ICONCLUDE_HOME%\Jetty\lib\jetty-6.1.14.jar" org.mortbay.jetty.security.PKCS12Import central_keystore.p12 ras_keystore.jks

9. For the RAS keystore: Rename the PrivateKeyEntry 'pas' alias to 'ras':
       keytool -changealias -v -alias pas -destalias ras -keypass <password> -keystore ras_keystore.jks -storepass <password>

10. For the RAS keystore: Import the PEM formatted certificate into ras_keystore.jks under the 'pas' alias:
       keytool -importcert -keystore ras_keystore.jks -file CentralServerCertificate.cer -alias pas

11. Import the PEM formatted certificate into rc_keystore under the 'ras' alias:
       keytool -importcert -keystore rc_keystore -file CentralServerCertificate.cer -alias ras

b. Copy the keystores to the final locations

NOTE: On Linux replace copy with cp and %ICONCLUDE_HOME% with $ICONCLUDE_HOME. Also use / instead of \. Keep a backup of the existing rc_keystore and ras_keystore.jks files before overwriting them.

1. Stop Studio, Central & RAS.
2. If you used a password other than the default one, follow the instructions in Section V.
3. Copy the new Central rc_keystore into Central's conf folder:
       copy rc_keystore %ICONCLUDE_HOME%\Central\conf
4. Copy the new Central rc_keystore into Studio's conf folder:
       copy %ICONCLUDE_HOME%\Central\conf\rc_keystore %ICONCLUDE_HOME%\Studio\conf
5. Copy the new RAS ras_keystore.jks into RAS's conf folder:
       copy ras_keystore.jks %ICONCLUDE_HOME%\RAS\Java\Default\webapp\conf
6. Start RAS, Central & Studio.

III. Using different self-signed certificates for Central and RAS

A. Replacing the certificate for Central

1. Generate the self-signed certificate and store it in a temporary keystore called central_keystore.jks:
       keytool -genkey -keyalg RSA -alias pas -keystore central_keystore.jks -storepass <password> -validity 360 -keysize 2048
   Answer the "first and last name" prompt with the fully qualified host name of the Central server.

2. Convert the JKS temporary keystore into a PKCS12 temporary keystore:
       keytool -importkeystore -srckeystore central_keystore.jks -destkeystore central_keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <password> -deststorepass <password>

3. Import the key entry (private key and certificate) from the PKCS12 temporary keystore into the official keystore:
       java -cp "%ICONCLUDE_HOME%\jetty\lib\jetty-6.1.14.jar" org.mortbay.jetty.security.PKCS12Import central_keystore.p12 rc_keystore

4. Export the Central certificate in PEM format from the official keystore:
       keytool -export -rfc -keystore rc_keystore -alias pas -file CentralServerCertificate.cer

B. Replacing the certificate for RAS

1. Generate the self-signed certificate and store it in a temporary keystore called remote_keystore.jks:
       keytool -genkey -keyalg RSA -alias ras -keystore remote_keystore.jks -storepass <password> -validity 360 -keysize 2048
   Answer the "first and last name" prompt with the fully qualified host name of the RAS server.

2. Convert the JKS temporary keystore into a PKCS12 temporary keystore:
       keytool -importkeystore -srckeystore remote_keystore.jks -destkeystore remote_keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <password> -deststorepass <password>

3. Import the key entry from the PKCS12 temporary keystore into the official keystore:
       java -cp "%ICONCLUDE_HOME%\jetty\lib\jetty-6.1.14.jar" org.mortbay.jetty.security.PKCS12Import remote_keystore.p12 ras_keystore.jks

4. Export the RAS certificate in PEM format from the official keystore:
       keytool -export -rfc -keystore ras_keystore.jks -alias ras -file RASServerCertificate.cer

C. Add the trustedKey entries in the Central & RAS keystores

At this point we have the following:
• rc_keystore – Containing the Central key pair and certificate (alias pas, PrivateKeyEntry).
• CentralServerCertificate.cer – Containing the Central certificate in PEM format.
• ras_keystore.jks – Containing the RAS key pair and certificate (alias ras, PrivateKeyEntry).
• RASServerCertificate.cer – Containing the RAS certificate in PEM format.

To complete the keystores we need to add the RAS PEM certificate to the Central keystore and the Central PEM certificate to the RAS keystore. For each import keytool prints the certificate's fingerprint and asks whether to trust it; compare the fingerprint with the one keytool -list shows for the key entry it was exported from before answering yes, so that a wrong or tampered .cer file is not trusted.

1. Import the RAS public key certificate into Central's rc_keystore:
       keytool -importcert -keystore rc_keystore -file RASServerCertificate.cer -alias ras
2. Import the Central public key certificate into ras_keystore.jks:
       keytool -importcert -keystore ras_keystore.jks -file CentralServerCertificate.cer -alias pas

D. Copy the keystores to the final locations

NOTE: On Linux replace copy with cp and %ICONCLUDE_HOME% with $ICONCLUDE_HOME. Also use / instead of \. Keep a backup of the existing rc_keystore and ras_keystore.jks files before overwriting them.

1. Stop Studio and the Central & RAS services.
2. If you used a password other than the default one, follow the instructions in Section V.
3. Copy the new Central rc_keystore into Central's conf folder:
       copy rc_keystore %ICONCLUDE_HOME%\Central\conf
4. Copy the new Central rc_keystore into Studio's conf folder:
       copy %ICONCLUDE_HOME%\Central\conf\rc_keystore %ICONCLUDE_HOME%\Studio\conf
5. Copy the new RAS ras_keystore.jks into RAS's conf folder:
       copy ras_keystore.jks %ICONCLUDE_HOME%\RAS\Java\Default\webapp\conf
6. Start the RAS & Central services and then Studio.

IV. Using different CA-signed certificates for Central and RAS

A. Replacing the certificate for Central

1. Generate a temporary keystore called central_keystore.jks containing the key used for the Certificate Signing Request (CSR):
       keytool -genkey -keyalg RSA -alias pas -keystore central_keystore.jks -storepass <password> -validity 360 -keysize 2048
   Answer the "first and last name" prompt with the fully qualified host name of the Central server; the CA issues the certificate for that name.

2. Generate the CSR:
       keytool -certreq -keyalg RSA -alias pas -file PAS_Certificate.csr -keystore central_keystore.jks -keypass <password> -storepass <password> -storetype JKS
   Now the PAS_Certificate.csr file can be sent to the CA so the CA-signed certificate can be provided.

   NOTE: Alternatively a CSR can be generated using OpenSSL:
       openssl req -new -newkey rsa:2048 -nodes -keyout Certificate.key -out PAS_Certificate.csr
   The PAS_Certificate.csr file has to be sent to the CA and then a CA-signed certificate is returned. Because the private key is then in Certificate.key rather than in central_keystore.jks, the received certificate is packed together with the key into PKCS12 format directly; steps 3 to 5 below do not apply, and Certificate.p12 is used in step 6 in place of central_keystore.p12. Depending on the certificate being in PEM or DER format:
   For PEM:
       openssl pkcs12 -export -in Certificate.pem -inkey Certificate.key -out Certificate.p12 -name pas
   For DER, convert it to PEM first and then run the same export:
       openssl x509 -inform DER -in Certificate.der -out Certificate.pem
       openssl pkcs12 -export -in Certificate.pem -inkey Certificate.key -out Certificate.p12 -name pas
   Add -certfile <CA chain file in PEM format> to the pkcs12 command so that the CA chain of step 4 is included in the PKCS12 file. -nodes leaves Certificate.key unencrypted on disk; delete it and Certificate.p12 once the keystores are built.

3. Import the CA-signed certificate obtained from the CA:
       keytool -importcert -v -trustcacerts -alias pas -file <CA-signed certificate file> -keypass <password> -keystore central_keystore.jks -storepass <password> -storetype JKS
   NOTE: keytool accepts a certificate reply only if it can build the chain to a trusted root, either from the JRE's cacerts (-trustcacerts) or from the keystore itself. If the CA is an internal one that is not in cacerts, run step 4 before this step.

4. Import the CA's root certificate chain into the keystore. Make sure you import any subordinate CA certificates as well:
       keytool -import -v -trustcacerts -alias CACert -file <CA root certificate file> -keystore central_keystore.jks -storetype JKS
   OPTIONAL:
       keytool -import -v -trustcacerts -alias CACert_sub -file <subordinate CA certificate file> -keystore central_keystore.jks -storetype JKS

5. Convert the JKS temporary keystore into a PKCS12 temporary keystore:
       keytool -importkeystore -srckeystore central_keystore.jks -destkeystore central_keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <password> -deststorepass <password>

6. Import the key entry (private key and certificate chain) from the PKCS12 temporary keystore into the official keystore:
       java -cp "%ICONCLUDE_HOME%\jetty\lib\jetty-6.1.14.jar" org.mortbay.jetty.security.PKCS12Import central_keystore.p12 rc_keystore

7. Export the Central certificate in PEM format from the official keystore:
       keytool -export -rfc -keystore rc_keystore -alias pas -file CentralServerCertificate.cer

B. Replacing the certificate for RAS

1. Generate a temporary keystore called remote_keystore.jks containing the key used for the Certificate Signing Request (CSR):
       keytool -genkey -keyalg RSA -alias ras -keystore remote_keystore.jks -storepass <password> -validity 360 -keysize 2048
   Answer the "first and last name" prompt with the fully qualified host name of the RAS server.

2. Generate the CSR:
       keytool -certreq -keyalg RSA -alias ras -file RAS_Certificate.csr -keystore remote_keystore.jks -keypass <password> -storepass <password> -storetype JKS
   Now the RAS_Certificate.csr file can be sent to the CA so the CA-signed certificate can be provided.

   NOTE: Alternatively a CSR can be generated using OpenSSL (if both CSRs are generated in the same folder, use a different key file name than in section A so the Central key is not overwritten):
       openssl req -new -newkey rsa:2048 -nodes -keyout Certificate.key -out RAS_Certificate.csr
   The RAS_Certificate.csr file has to be sent to the CA and then a CA-signed certificate is returned. Because the private key is then in Certificate.key rather than in remote_keystore.jks, the received certificate is packed together with the key into PKCS12 format directly; steps 3 to 5 below do not apply, and Certificate.p12 is used in step 6 in place of remote_keystore.p12. Depending on the certificate being in PEM or DER format:
   For PEM:
       openssl pkcs12 -export -in Certificate.pem -inkey Certificate.key -out Certificate.p12 -name ras
   For DER, convert it to PEM first and then run the same export:
       openssl x509 -inform DER -in Certificate.der -out Certificate.pem
       openssl pkcs12 -export -in Certificate.pem -inkey Certificate.key -out Certificate.p12 -name ras
   Add -certfile <CA chain file in PEM format> to the pkcs12 command so that the CA chain of step 4 is included in the PKCS12 file.

3. Import the CA-signed certificate obtained from the CA:
       keytool -importcert -v -trustcacerts -alias ras -file <CA-signed certificate file> -keypass <password> -keystore remote_keystore.jks -storepass <password> -storetype JKS
   NOTE: As in section A, if the CA is not in the JRE's cacerts, run step 4 before this step so that keytool can build the chain of the reply.

4. Import the CA's root certificate chain into the keystore. Make sure you import any subordinate CA certificates as well:
       keytool -import -v -trustcacerts -alias CACert -file <CA root certificate file> -keystore remote_keystore.jks -storetype JKS
   OPTIONAL:
       keytool -import -v -trustcacerts -alias CACert_sub -file <subordinate CA certificate file> -keystore remote_keystore.jks -storetype JKS

5. Convert the JKS temporary keystore into a PKCS12 temporary keystore:
       keytool -importkeystore -srckeystore remote_keystore.jks -destkeystore remote_keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <password> -deststorepass <password>

6. Import the key entry (private key and certificate chain) from the PKCS12 temporary keystore into the official keystore:
       java -cp "%ICONCLUDE_HOME%\jetty\lib\jetty-6.1.14.jar" org.mortbay.jetty.security.PKCS12Import remote_keystore.p12 ras_keystore.jks

7. Export the RAS certificate in PEM format from the official keystore:
       keytool -export -rfc -keystore ras_keystore.jks -alias ras -file RASServerCertificate.cer

C. Add the trustedKey entries in the Central & RAS keystores

At this point we have the following:
• rc_keystore – Containing the Central key pair and CA-signed certificate (alias pas, PrivateKeyEntry).
• CentralServerCertificate.cer – Containing the Central certificate in PEM format.
• ras_keystore.jks – Containing the RAS key pair and CA-signed certificate (alias ras, PrivateKeyEntry).
• RASServerCertificate.cer – Containing the RAS certificate in PEM format.

To complete the keystores we need to add the RAS PEM certificate to the Central keystore and the Central PEM certificate to the RAS keystore. For each import keytool prints the certificate's fingerprint and asks whether to trust it; compare the fingerprint with the one keytool -list shows for the key entry it was exported from before answering yes.

1. Import the RAS public key certificate into Central's rc_keystore:
       keytool -importcert -keystore rc_keystore -file RASServerCertificate.cer -alias ras
2. Import the Central public key certificate into ras_keystore.jks:
       keytool -importcert -keystore ras_keystore.jks -file CentralServerCertificate.cer -alias pas


D. Copy the keystores to the final locations

NOTE: On Linux replace copy with cp and %ICONCLUDE_HOME% with $ICONCLUDE_HOME. Also use / instead of \. Keep a backup of the existing rc_keystore and ras_keystore.jks files before overwriting them.

1. Stop Studio and the Central & RAS services.
2. If you used a password other than the default one, follow the instructions in Section V.
3. Copy the new Central rc_keystore into Central's conf folder:
       copy rc_keystore %ICONCLUDE_HOME%\Central\conf
4. Copy the new Central rc_keystore into Studio's conf folder:
       copy %ICONCLUDE_HOME%\Central\conf\rc_keystore %ICONCLUDE_HOME%\Studio\conf
5. Copy the new RAS ras_keystore.jks into RAS's conf folder:
       copy ras_keystore.jks %ICONCLUDE_HOME%\RAS\Java\Default\webapp\conf
6. Start the RAS & Central services and then Studio.
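Every procedure in sections I to IV must end with the keystore layout tabulated in "This Document": each side holds its own PrivateKeyEntry, the peer's certificate as a trustedCertEntry, and the trusted copy must be the certificate currently in the peer's key entry. The checker below is an added example, not part of the HP document or of HP OO: it parses the text printed by keytool -list for rc_keystore and ras_keystore.jks and reports every deviation from that layout, which is worth running before step D (step b in sections I and II). The listings and fingerprints embedded in it are constructed samples in the Java 6 keytool -list format; only check_keystore_files(), which runs keytool against real files, needs a JDK.

```python
# Added example (not from the HP document): verify the cross-trust layout of
# rc_keystore and ras_keystore.jks from `keytool -list` output.
import subprocess
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (entry type, certificate fingerprint)

# Fingerprints are invented for illustration only.
CENTRAL_FP = "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44"
RAS_FP = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"


def _listing(entries: List[Tuple[str, str, str]]) -> str:
    """Build a constructed `keytool -list` output (Java 6 format) for the samples."""
    body = "".join(
        f"{alias}, 20 Jun 2013, {kind},\nCertificate fingerprint (SHA1): {fp}\n"
        for alias, kind, fp in entries)
    return ("Keystore type: JKS\nKeystore provider: SUN\n\n"
            f"Your keystore contains {len(entries)} entries\n\n" + body)


SAMPLE_RC_KEYSTORE = _listing([("pas", "PrivateKeyEntry", CENTRAL_FP),
                               ("ras", "trustedCertEntry", RAS_FP)])
SAMPLE_RAS_KEYSTORE = _listing([("pas", "trustedCertEntry", CENTRAL_FP),
                                ("ras", "PrivateKeyEntry", RAS_FP)])
# A RAS keystore that still trusts an older Central certificate (step C run against a stale export).
SAMPLE_STALE_RAS_KEYSTORE = _listing([("pas", "trustedCertEntry", "00:" * 19 + "00"),
                                      ("ras", "PrivateKeyEntry", RAS_FP)])

# The layout from the table in "This Document".
EXPECTED = {
    "rc_keystore": {"pas": "PrivateKeyEntry", "ras": "trustedCertEntry"},
    "ras_keystore.jks": {"pas": "trustedCertEntry", "ras": "PrivateKeyEntry"},
}


def parse_keytool_listing(text: str) -> Dict[str, Entry]:
    """Map alias -> (entry type, upper-case fingerprint) from `keytool -list` output."""
    entries: Dict[str, Entry] = {}
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        for kind in ("PrivateKeyEntry", "trustedCertEntry"):
            if f", {kind}" not in line:
                continue
            alias = line.split(",", 1)[0].strip()
            fingerprint = ""
            # The fingerprint follows on the next line: "Certificate fingerprint (SHA1): xx:yy:..."
            if idx + 1 < len(lines) and lines[idx + 1].lstrip().startswith("Certificate fingerprint"):
                fingerprint = lines[idx + 1].split(":", 1)[1].strip().upper()
            entries[alias] = (kind, fingerprint)
    return entries


def check_cross_trust(central: Dict[str, Entry], ras: Dict[str, Entry]) -> List[str]:
    """Return the list of layout problems; an empty list means both keystores are correct."""
    problems: List[str] = []
    for name, listing in (("rc_keystore", central), ("ras_keystore.jks", ras)):
        for alias, want in EXPECTED[name].items():
            if alias not in listing:
                problems.append(f"{name}: alias '{alias}' is missing")
            elif listing[alias][0] != want:
                problems.append(f"{name}: alias '{alias}' is {listing[alias][0]}, expected {want}")
    # The trusted copy on one side must be the certificate of the key entry on the
    # other side; a mismatch means one keystore was built from an old .cer export.
    for alias in ("pas", "ras"):
        if alias in central and alias in ras and central[alias][1] != ras[alias][1]:
            problems.append(f"alias '{alias}': fingerprint differs between the two keystores")
    return problems


def check_keystore_files(rc_path: str, ras_path: str, password: str) -> List[str]:
    """Run keytool against real keystore files (needs keytool on PATH)."""
    def listing(path: str) -> str:
        return subprocess.run(["keytool", "-list", "-keystore", path, "-storepass", password],
                              capture_output=True, text=True, check=True).stdout
    return check_cross_trust(parse_keytool_listing(listing(rc_path)),
                             parse_keytool_listing(listing(ras_path)))


if __name__ == "__main__":
    good = check_cross_trust(parse_keytool_listing(SAMPLE_RC_KEYSTORE),
                             parse_keytool_listing(SAMPLE_RAS_KEYSTORE))
    stale = check_cross_trust(parse_keytool_listing(SAMPLE_RC_KEYSTORE),
                              parse_keytool_listing(SAMPLE_STALE_RAS_KEYSTORE))
    print("correct layout:", good or "no problems")
    print("stale RAS keystore:", stale)
```

Against real files, call check_keystore_files("rc_keystore", "ras_keystore.jks", "<password>") from the folder where the keystores were built; a non-empty result means step C (or steps 7/8 in sections I and II) has to be repeated before anything is copied into the conf folders.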


V. Updating the keystore & truststore password

If you used a password other than the default one (bran507025) you will need to update the password in various files using the following procedure. Note that the OBF: form written into jetty.xml is obfuscation, not encryption: anyone who can read the file can recover the password from it, so restrict read access to the conf folders to the account the services run under and treat the files like any other file containing a password.

1. Generate the new OBFuscated trust & keystore password:
       java -cp "%ICONCLUDE_HOME%\Jetty\lib\jetty-6.1.14.jar";"%ICONCLUDE_HOME%\Jetty\lib\jetty-util-6.1.14.jar" org.mortbay.jetty.security.Password <new password>
   (On Linux separate the two jars with : instead of ;.) The command prints the password in several forms; the line starting with OBF: is the one needed below.

2. On Central, edit:
       %ICONCLUDE_HOME%\Central\conf\jetty.xml ($ICONCLUDE_HOME/Central/conf/jetty.xml on Linux)

3. In lines 69 & 70, replace the two existing OBF: values with the new obfuscated string.

4. On RAS, edit the following file:
       Windows: %ICONCLUDE_HOME%\RAS\Java\Default\webapp\conf\jetty.xml
       Linux: $ICONCLUDE_HOME/RAS/Java/Default/webapp/conf/jetty.xml

5. In lines 55 & 56, replace the two existing OBF: values with the new obfuscated string.

6. Update the password in the secured.properties files for Central & Scheduler. A single command updates both files.
   Windows files:
       %ICONCLUDE_HOME%\Central\conf\central-secured.properties
       %ICONCLUDE_HOME%\Central\conf\scheduler-secured.properties
   Command:
       "%ICONCLUDE_HOME%"\Central\tools\change-db-props.bat -d dharma.security.ssl.keyStorePassword=<new password>
       "%ICONCLUDE_HOME%"\Central\tools\change-db-props.bat -d dharma.security.ssl.trustStorePassword=<new password>

   Linux files:
       $ICONCLUDE_HOME/Central/conf/central-secured.properties
       $ICONCLUDE_HOME/Central/conf/scheduler-secured.properties
   Command (change-db-props.sh is the shell counterpart of change-db-props.bat in the same tools folder):
       "$ICONCLUDE_HOME"/Central/tools/change-db-props.sh -d dharma.security.ssl.keyStorePassword=<new password>
       "$ICONCLUDE_HOME"/Central/tools/change-db-props.sh -d dharma.security.ssl.trustStorePassword=<new password>
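The OBF: strings written into jetty.xml in steps 1 to 5 come from a reversible encoding, not from encryption. The following added example, which is neither HP's nor Jetty's code, re-implements in Python the algorithm that org.mortbay.jetty.security.Password uses in Jetty 6 (each password byte is combined with its mirror byte from the other end of the password and written as four base-36 digits), so that the value for step 1 can be produced without a JDK and, more to the point, so that it is clear how little the obfuscation protects: recover_obf_passwords() pulls every OBF: value out of a jetty.xml and turns it back into clear text. The jetty.xml fragment is constructed (its element names are assumed), and the OBF: value in it is the documented Jetty encoding of the word "password".

```python
# Added example (not from the HP document, not Jetty's code): the Jetty 6 OBF:
# password obfuscation, forwards and backwards, plus a scanner for jetty.xml.
import re
from typing import List, Tuple

_PREFIX = "OBF:"
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = _DIGITS[r] + out
    return out or "0"


def obfuscate(password: str) -> str:
    """Jetty 6 OBF: encoding. Only ASCII is handled, which is all Jetty 6 handled too."""
    data = password.encode("ascii")
    n = len(data)
    chunks = []
    for i, b1 in enumerate(data):
        b2 = data[n - (i + 1)]          # the byte mirrored from the other end
        i1 = 127 + b1 + b2              # sum of the pair
        i2 = 127 + b1 - b2              # difference of the pair (0..254)
        chunks.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return _PREFIX + "".join(chunks)


def deobfuscate(value: str) -> str:
    """Invert obfuscate(): every 4-character base-36 chunk yields one password byte."""
    body = value[len(_PREFIX):] if value.startswith(_PREFIX) else value
    if len(body) % 4:
        raise ValueError("OBF: value length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(body), 4):
        i1, i2 = divmod(int(body[i:i + 4], 36), 256)
        out.append((i1 + i2 - 254) // 2)   # (127+b1+b2) + (127+b1-b2) = 254 + 2*b1
    return out.decode("ascii")


# Matches <Set name="...">OBF:...</Set> elements as they appear in Jetty 6 jetty.xml files.
_SET_RE = re.compile(r'<Set name="([^"]+)">\s*(OBF:[0-9a-z]+)\s*</Set>')


def recover_obf_passwords(jetty_xml: str) -> List[Tuple[str, str]]:
    """Return (setting name, clear-text password) for every OBF: value in the file text."""
    return [(name, deobfuscate(value)) for name, value in _SET_RE.findall(jetty_xml)]


# Constructed jetty.xml fragment (element names assumed, not copied from HP OO);
# the OBF: value is Jetty's documented encoding of the word "password".
SAMPLE_JETTY_XML = """\
<New class="org.mortbay.jetty.security.SslSocketConnector">
  <Set name="Port">8443</Set>
  <Set name="Keystore">conf/rc_keystore</Set>
  <Set name="Password">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
  <Set name="KeyPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
</New>
"""

if __name__ == "__main__":
    # Same value org.mortbay.jetty.security.Password prints on its OBF: line for the default password.
    print(obfuscate("bran507025"))
    for name, clear in recover_obf_passwords(SAMPLE_JETTY_XML):
        print(f"{name}: {clear}")
```

Because the encoding needs no key, the conf folders and any support bundle or backup that includes jetty.xml must be handled exactly as if they contained the keystore password in clear text; changing the password in Section V does not change that.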
