Clarity

Hi All,      We are planning to enable SSL into clarity what steps or pre implementation task I need to consider first? Is any one had done this before?  I have read it in clarity admin guide as well but if any one can suggest the way and pre task that will be more helpful.        Hope to get quick reply soon.      Regards,  Sonal

Sonal,  Pls Refer TEC438658,TEC438752,TEC438803 Kb Articles and also search for "SSL".And also v12 Installation Guide it is some what provided in Detail.  1. Get your our own private key from your company based our production server and then the CSR file is generated from that private key.
       Then get the Internal certificate Signed - Public Key.   (Use Keytool command to generate the private key from your pdn server -refer Kb articles).  2.    Import the Signed certificate to replace the dummy public certificate.  3.   In NSA -->Security-->ssl keystore (Point the path of keystore-It will be in under /clarity/config/.keystore) & ssl password.  4.    In NSA you need to NSA-->Application-->Application Instance    select Https Enabled and enter the URL in Https Entry URL.The same is applicable for Application Instance - nsa too.  5. Re-start application services.  6. Then when you click the new URL Https:// in  your browser   it will prompt A pop up box with the following message:
"Accept Certificate - Unknown certificate; proceed" ,then you need to install the SSL Certificate in Your Local Machine then  the message  will not prompt,otherwise you will get the prompt message every time.  7. But for  3rd Party tools (Open workbench ,MSP) it is always prompting for us.(We are still using 7.5.2).  8. Unless until you import the certificate in your local machine you cannot use client side XOG. (Check the KB Articles -steps given for importing)  9. Remember your  application Server performance will be slightly slower than before as it is "more secured" now.  Good Luck,J.sundar    

Hi Sundar,      Thanks a lot.      Using “.keystoreâ€? file which is provided by clarity I am able to enable https for our dev environment since I have not import licence so its giving me unknown certificate error still I am able to navigate into clarity application using https.      I have couple of question on this.    1. If I’ll get the company provided private key how I’ll create the .keystore file which will required in NSA?  2. Is there any way to generate the private key?  3. Is .keystore file combined both private key and public key?        Regards,  Sonal

Sonal,    Pls find my reply.(you can find these in TEC438803)  1. If I’ll get the company provided private key how I’ll create the .keystore file which will required in NSA?         Sundar--> The .keystore will be there in /clarity/config/.keystore.you need the import the new certificate(private key) in the keystore which you got from your company.             Installing a Certificate:-Import the reply from the certificate authority and replace your self-signed certificate with a chain of certificates.At the bottom of the chain is the certificate issued by the certificate authority that authenticates your public key. The next certificate in the chain is one that authenticates the certificate authority's public key.  To create the CSR:  1 On Clarity’s NSA application server, run the following command:  keytool -import -keystore / /config/.keystore -keyalg RSA -file clarity.cer â€"trustcacerts  keytool -import -keystore /shared/filestore/niku6/config/.keystore -keyalg RSA -file /niku/clarity/config/ wwiseapp.gdc.standardchartered.com.cer -trustcacerts  Note: You may need to import your certificate authority’s root intermediate Certificate into your keystore before you import your certificate. For moreinformation, see your certificate authority documentation.Enter the keystore password and press Enter.To complete the import, enter "yes".You now have a keystore file that contains your private key which is now paired with the signed certificate from your certificate authority.
 
2. Is there any way to generate the private key?           sundar--> The Private Key is a file created from the host address, company name, and location. This is paired with a Public Key.    3. Is   .keystore file combined both private key and public key?                       sundar--> Yes.                       Java uses another container file called the Keystore File. This can be named anything, and located anywhere. In NSA you enter this file location under the Security tab                       of                       Server Properties. It is protected by a password, which you also enter in NSA. The most important point here is that the keystore contains your private key. You cannot extract your private key from this file. You can only create a private key by placing it in a keystore file. A keystore file can contain multiple private/public key pairs. They are differentiated by an alias. If you do not specify an alias, the default alias 'mykey' is used.    Regards,sundar

Hi Sundar,

We have a valid certificate for our Development instance.
but when we open the aplication from local machines(not from installed server), we get the "Certification Error:Navigation Block" warning.
I tried installing the certificate in the local machine also, but dint help.

please suggest how to rectify this.

Thanks in Advance,
Aishwarya

Hello Ishwarya,

Check the url for accessing the server. While installing the ssl u must have given the name something like mycompany.com. Can you provide the url by which ur trying to access?

Hi,

In your dev env are using IP or hostname.com as an URL?.

When you generated the CSR what name you have choosen.

First and last name: Fully-qualified domain name (FQDN), Host name, or URL - to which you plan to apply your certificate.

Hope you have followed all the instructions provided in Installation Guide for SSL .I have copied and enclosed in an word document.


*****************************************************************************************************************************************************************************************************************************************
TEC526289 :-
How to Generate a CSR Request for Tomcat? .

Please follow these steps to generate a CSR request for an SSL certificate.

Solution:

1. Click on Start-->Run and type in CMD.

2. Type 'CD %Java_Home%\bin <%Java_Home% = Installation directory of Java in your environment>

3. Type the following command to generate the Key Pair:

"keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore"

4. When prompted for a password, use default password "changeit" unless you specified a different password during installation.

5. You will be prompted for the following information:

First and last name: Fully-qualified domain name (FQDN), Host name, or URL - to which you plan to apply your certificate.
Organizational unit: Use this field to differentiate between divisions within an organization if applicable. If not enter the DBA of the company.
Organization: The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request.
City/Locality: Name of the city in which your organization is registered/located.
State/Province: Name of state or province where your organization is located.
Country code: The two-letter country code for the country in which your organization is legally registered.

6. Review that the information is correct and press 'Y'.

7. To Generate a CSR enter the following command:

keytool -certreq -keyalg RSA -alias tomcat -file Certificate.csr -keystore tomcat.keystore

8. Enter the keystore password.

9. The CSR will be created.

cheers,
sundar