Clarity


Security Certs

  • 1.  Security Certs

    Posted Aug 17, 2016 01:27 PM

    I'm so sorry, this is probably a basic and stupid question.  We need to install a new security cert and I've never done this with Tomcat / Clarity.

     

    So we have 3 servers and a load balancer.  The server guys are telling me that we need to install the certs on the servers but not the LB.  They said we need to generate a keystore?  (Maybe?)  There's one there from 3 years ago (a .jks file) that they said we need to update.

     

    1. Are they right?  Is that the correct process to get a new cert?

    2. How do I do that and does it affect Clarity?  (This is production.)



  • 2.  Re: Security Certs

    Posted Aug 17, 2016 01:32 PM

    I should probably add that we're on 14.2.  So will generating a new keystore for Clarity require doing another one for Jaspersoft as well? 



  • 3.  Re: Security Certs

    Broadcom Employee
    Posted Aug 17, 2016 01:35 PM

    Hi Allison,

     

    Why not in the load balancer? It's better to manage at one place rather than installing multiple certificates on multiple app servers.

     

    Regards
    Suman Pramanik



  • 4.  Re: Security Certs

    Posted Aug 17, 2016 01:44 PM

    Hi Suman, I have no doubt you're correct and it would be better on the LB.  However, this is production as I said and I'm loath to start changing stuff around from the current configuration without a pressing reason.  I'd rather get new certs for each server if that's the way it's set up now.



  • 5.  Re: Security Certs

    Broadcom Employee
    Posted Aug 17, 2016 01:56 PM

    Hi Allison,

     

    I leave that to you, but where you could manage with the cost of 1 certificate, you will involve 2 certificates for PPM and 1 for Jaspersoft. However, again, it's an organization decision.

     

    Regards

    Suman Pramanik



  • 6.  Re: Security Certs

    Posted Aug 17, 2016 02:16 PM

    Wait, what?  I need a cert for Jaspersoft?  We haven't moved JS to prod yet, but I didn't do a cert for the one in QC.  Does it need one???  Does redoing the cert for PPM somehow affect JS???  I did a keystore, but we didn't generate a csr or anything....



  • 7.  Re: Security Certs

    Broadcom Employee
    Posted Aug 17, 2016 03:00 PM

    Hi Allison,

    It's not mandatory to have a certificate on Jaspersoft, but if you want to have HTTPS enabled on Jaspersoft you need to have the certificate installed. The keystore which you generated to integrate Jaspersoft is not for SSL but to integrate PPM and Jaspersoft.

     

    Regards
    Suman Pramanik



  • 8.  Re: Security Certs

    Posted Aug 17, 2016 03:08 PM

    OK, well we ran the keytool -genkey, keytool -certreq, and import.  (I also updated the password in NSA.)  Unfortunately, Clarity is still pointed to the OLD (expiring) cert.  Clearly we did something wrong here.  Do the files need to be somewhere specific??

     



  • 9.  Re: Security Certs

    Posted Aug 17, 2016 04:28 PM

    I would suggest using KeyStore Explorer -- Way easier than Keytool for working with keystores and loading certificates.

     

    V/r,

    Gene



  • 10.  Re: Security Certs

     
    Posted Aug 22, 2016 06:42 PM

    Hi Allison.nichols - Did any of the responses help answer your question? If so please mark as Correct Answer. Thanks!



  • 11.  Re: Security Certs
    Best Answer

    Posted Aug 23, 2016 09:42 AM

    Well, no, not really.  I ended up calling CA Support and they sent me the appropriate documentation regarding SSL certs for PPM.    Here's the correct answer, from Syed.

     

     

    Good Afternoon Allison

    Please use these steps

    (the information is available in the CA-PPM installation guide for release 14.2)

    ----------------------------------------------------------------------------------------------------------

    Create Certificate Signing Requests (CSRs)

    For production systems, replace the test certificate with a real, certified certificate. To obtain a certified certificate, create a certificate signing request (CSR) and send it to a certificate authority. The certificate authority generates a real certificate that authenticates your public key.

     

    Use the Java command keytool to create the CSR. The required Java parameters are defined in the following procedure.

    See the Oracle web site for complete information about parameters for this Java command.

     

    Follow these steps:

    1. On the CA Clarity PPM application server, open a command prompt, and issue the following command:

    keytool -certreq -keystore /<clarity home>/config/.keystore -keyalg RSA -file caclarityppm.csr

    2. Define the following values:

         -certreq

         Generates a certificate signing request (CSR).

         -keystore

         Specifies the path and filename of the keystore file. By default the keystore is named .keystore and is located in the <clarity home>/config/ directory.

         -keyalg

         Specifies the algorithm (RSA) to use when generating the key pair.

         -file

         Specifies the name (caclarityppm.csr) of the generated certificate request file.

    3. Using your web browser, go to your certificate authority website, and provide the contents of the CSR file you generated.

    Use the process that your certificate authority specifies. Your CSR is provided to you by your certificate authority.

    4. Copy the contents of the new certificate into a file on the CA Clarity PPM application server (for example, caclarityppm.cer).

    Note: Your private key remains unaffected.

     

    Install Certificate Signing Requests

    Import the reply from the certificate authority and replace your self-signed certificate with a chain of certificates. At the bottom of the chain is the certificate that the certificate authority issues to authenticate your public key. The next certificate in the chain is one that authenticates the certificate authority public key.

    To create a keystore file containing your private key which is paired with the signed certificate from your certificate authority, use the following procedure.

    Follow these steps:

    1. Open the CA Clarity PPM application server, open a command prompt, and issue the following command:

    keytool -import -keystore /<clarity home>/config/.keystore -keyalg RSA -file caclarityppm.cer -trustcacerts

    Note: You can be required to import your certificate authority’s root intermediate certificate into your keystore file before you import your certificate.

    See your certificate authority documentation for more information.

    2. Enter the keystore password and press Enter.

    3. Enter yes.

    --------------------------------------------------------------------------------------------------------

    For additional information please refer to pages 198 - 200. Thanks, Syed.

     

    There is one more step - you need to run "service stop start app" to get the new certificate to be used.
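
Added example (not part of the thread or of the CA PPM guide): a check for the symptom reported in post 8, where the server keeps presenting the old certificate after the import. keytool attaches a CA reply to a private key only when it is imported under that key's alias; imported under any other alias it is stored as a separate trustedCertEntry and the key entry keeps its old certificate. The script summarises `keytool -list -v` output so this is visible at a glance; the aliases, host names and dates in the sample listing are constructed.

```shell
#!/bin/sh
# Added example. Reads `keytool -list -v` output on stdin and prints one line
# per alias:  alias|entry type|chain length|first cert valid until|verdict
summarize_keystore() {
  awk '
    function emit() {
      if (alias == "") return
      if (type == "PrivateKeyEntry" && chain >= 2 && owner != issuer)
        verdict = "OK: CA-signed chain attached to the private key"
      else if (type == "PrivateKeyEntry")
        verdict = "WARN: key entry is still self-signed or unchained"
      else
        verdict = "INFO: certificate only, no private key"
      printf "%s|%s|%d|%s|%s\n", alias, type, chain, until, verdict
    }
    /^Alias name: / { emit(); alias = substr($0, 13)
                      type = owner = issuer = until = ""; chain = 0 }
    /^Entry type: / { type = substr($0, 13) }
    /^Certificate chain length: / { chain = $NF + 0 }
    /^Owner: /  && owner == ""  { owner = substr($0, 8) }
    /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
    /^Valid from: / && until == "" { until = $0; sub(/^.* until: /, "", until) }
    END { emit() }
  '
}

# Succeeds only when some private key entry carries a CA-signed chain.
keystore_ready() { summarize_keystore | grep -q '|OK: '; }

# Constructed sample: the CA reply was imported under a new alias, so the
# key entry "mykey" still holds the old self-signed certificate.
sample_listing() {
cat <<'EOF'
Alias name: mykey
Creation date: Aug 19, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ppm.example.com, O=Example Corp
Issuer: CN=ppm.example.com, O=Example Corp
Valid from: Mon Aug 19 10:00:00 UTC 2013 until: Fri Aug 19 10:00:00 UTC 2016

Alias name: caclarityppm
Creation date: Aug 17, 2016
Entry type: trustedCertEntry

Owner: CN=ppm.example.com, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example CA
Valid from: Wed Aug 17 00:00:00 UTC 2016 until: Fri Aug 17 23:59:59 UTC 2018
EOF
}

sample_listing | summarize_keystore
sample_listing | keystore_ready || echo "no CA-signed key entry yet"
```

Against a real keystore, pipe `keytool -list -v -keystore /<clarity home>/config/.keystore` into `summarize_keystore` on each application server before restarting the app service.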



  • 12.  Re: Security Certs

     
    Posted Aug 23, 2016 11:08 AM

    Great! Thank you for sharing



  • 13.  Re: Security Certs

    Posted Aug 17, 2016 02:51 PM

    There have been plenty of threads on SSL and certs.

    Not answering your questions, but you might get a better understanding with

    CERTIFICATES FOR NON-TECHIES_11.pdf

    How to enable SSL in clarity ?  and the zip file in it

    I think the zip file is from documentation and you can see the same at

    SAP Portal Services

    (Installation guide > System Administration › Manage Security › Enable Secure Sockets Layer (SSL) in Apache Tomcat )

    I have not located that in the current version of the documentation.

    SSL Certificate Issues

    unfortunately the links on the learning path have been jived