Introduction
This scenario helps the CA Single Sign-On security administrator replace the Administrative UI server's self-signed certificate with a certificate signed by a trusted Certificate Authority (CA). A trusted certificate ensures a secure connection to the Administrative UI.
Environment:
Product: CA Single Sign-On Administrative UI
Release: r12.0, r12.5, r12.51, r12.52 SP1, r12.52 SP2 (special instructions at the end)
OS: All supported operating systems
Instructions:
1. Stop the Administrative UI service.
2. Back up the existing keystore
CA Single Sign-On Administrative UI stores its certificate in the keyStore.jks file located in the $AdminUI_Install_Directory$\server\default\conf folder.
Before replacing the self-signed certificate with the trusted certificate, back up this keyStore.jks file.
3. List current entries from the keystore
Start a command prompt as Administrator and go to the following folder:
$AdminUI_Install_Directory$\server\default\conf
Then execute the following command to list the current entries in the keystore:
keytool -list -keystore keyStore.jks -storepass changeit -v
Note:
- The default keystore password is "changeit".
- The alias for the default self-signed certificate and key pair is "tomcat".
4. Delete the current self-signed certificate and key pair from the keystore
Run the following command to delete the current self-signed certificate and key pair:
keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v
5. Generate a Key Pair and a Self-Signed Certificate
Generate a key pair (public and private keys) and a self-signed certificate, and store them in the CA Single Sign-On Administrative UI keystore, using the following keytool command:
keytool -genkeypair -alias JBoss_Key -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=vm1.ca.com" -keypass changeit -validity 7300 -keystore keyStore.jks -storepass changeit -v
Note:
- The alias for the new self-signed certificate is changed to "JBoss_Key".
- The key password (-keypass) must be the same as the keystore password (-storepass).
- Ensure that the hostname (-dname) matches the FQDN of your Administrative UI server.
A key pair and a self-signed certificate are generated and stored in the keystore.
6. Go to $AdminUI_Install_Directory$\server\default\default\deploy\jbossweb.sar and edit server.xml
Change
keyAlias="tomcat"
to
keyAlias="jboss_key" (all lower case)
7. Start the SiteMinder Administrative UI service and verify that the new self-signed certificate is in effect.
If you now want to replace the self-signed certificate just created with a trusted certificate signed by a Certificate Authority, proceed with the steps below.
8. Stop the Administrative UI service.
9. Generate and Submit a Certificate Signing Request to a Certificate Authority
Generate a PKCS#10 Certificate Signing Request (CSR) file using the following keytool command and submit it to a trusted CA. The CA uses the CSR file to generate a signed certificate that identifies your server.
keytool -certreq -alias JBoss_Key -sigalg SHA1withRSA -file adminui_certreq.p10 -keystore keyStore.jks -storepass changeit -v
A CSR file "adminui_certreq.p10" is generated.
10. Submit the "adminui_certreq.p10" CSR file to a trusted CA for signing.
11. When you receive the signed certificate from the CA, run the following command to import it:
keytool -importcert -alias JBoss_Key -file adminui_cert.p7b -keystore keyStore.jks -storepass changeit -v
Note:
- adminui_cert.p7b is the CA's signed reply to the certificate request, in PKCS#7 format. A PKCS#7 file contains the server certificate, the intermediate certificate(s) (if any) and the root certificate.
- If only the server certificate is provided, you might need to import the intermediate and root certificates separately as well.
- This replaces the previously created self-signed certificate with the certificate provided by the CA.
12. Start the Administrative UI service and verify that the new trusted certificate is in effect.
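The following Python is an added verification check written for this article (not a CA Single Sign-On tool): it parses the output of the step 3 keytool -list command and reports whether the entry for the configured keyAlias is ready for step 12, flagging an alias that holds no private key, a subject CN that does not match the Administrative UI FQDN, a certificate that is still self-signed, a missing intermediate chain, and keys or signatures at the 1024-bit/SHA-1 strength of the step 5 command, which current browsers reject. Field names follow the keytool of a current JDK, and the embedded listing is constructed.

```python
import re
# Constructed `keytool -list -v` output for keyStore.jks after step 11 (current JDK layout; values made up).
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: jboss_key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=vm1.ca.com
Issuer: CN=Example Issuing CA, O=Example Corp
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
"""

def parse_entries(listing):
    """Parse `keytool -list -v` text into {alias: {field: value, "certs": [{field: value}, ...]}}."""
    entries, entry, cert = {}, None, None
    for line in (raw.strip() for raw in listing.splitlines()):
        if line.startswith("Alias name: "):
            entry, cert = entries.setdefault(line[12:], {"certs": []}), None
        elif entry is not None:
            # "Certificate[n]:" opens a chain element; a trustedCertEntry prints its cert without it
            if re.match(r"Certificate(\[\d+\])?:$", line) or (cert is None and line.startswith("Owner: ")):
                cert = {}
                entry["certs"].append(cert)
            if ": " in line:
                key, value = line.split(": ", 1)
                (cert if cert is not None else entry)[key] = value
    return entries

def check_entry(entries, alias, fqdn, min_bits=2048):
    """Return findings for the alias JBoss uses as keyAlias; an empty list means it looks ready."""
    entry = entries.get(alias.lower(), {"certs": []})  # JKS lower-cases aliases, hence keyAlias="jboss_key"
    certs = entry["certs"]
    leaf = certs[0] if certs else {}
    checks = [
        (entry.get("Entry type") != "PrivateKeyEntry", "alias %r missing or not a PrivateKeyEntry" % alias),
        (not re.search(r"CN=%s(,|$)" % re.escape(fqdn), leaf.get("Owner", ""), re.I), "subject CN does not match Administrative UI FQDN %s" % fqdn),
        (bool(leaf) and leaf.get("Owner") == leaf.get("Issuer"), "leaf certificate is still self-signed (Owner == Issuer)"),
        (int(entry.get("Certificate chain length", len(certs))) < 2, "chain holds only the server certificate; import the intermediate/root too"),
    ]
    for i, c in enumerate(certs, 1):  # self-signed roots (i > 1) are exempt from the signature-algorithm check
        sig, bits = c.get("Signature algorithm name", ""), re.match(r"(\d+)-bit", c.get("Subject Public Key Algorithm", ""))
        checks += [(re.match(r"(MD5|SHA1)with", sig, re.I) and (i == 1 or c.get("Owner") != c.get("Issuer")), "certificate %d is signed with weak %s" % (i, sig)),
                   (bits and int(bits.group(1)) < min_bits, "certificate %d key is only %s bits" % (i, bits and bits.group(1)))]
    return [msg for bad, msg in checks if bad]
```

To run it against a real keystore, save the output of keytool -list -keystore keyStore.jks -storepass changeit -v to a file and pass its contents to parse_entries.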
Additional Note (for r12.52 SP2)
From r12.52 SP2 onward, the embedded JBoss server used by the Administrative UI has been upgraded to JBoss 8 (WildFly), and the folder layout has changed significantly. Consider the following when performing the above changes on r12.52 SP2 and later releases:
The JBoss configuration folder has moved to $AdminUI_Install_Directory$\standalone\configuration.
The keystore file keyStore.jks is located in this folder.
The server.xml configuration for the alias name has moved to the standalone-full.xml file, which is found in the $AdminUI_Install_Directory$\standalone\configuration folder.