Enabling APM HTTPS Communications using a Non-default Keystore or Certificate.

Document ID : KB000014934
Last Modified Date : 14/02/2018
Show Technical Document Details

    By default, APM provides a CA-provided Keystore and Certificate for using SSL communications to Enterprise Manager and Webview instances. The certificate provided is untrusted by any browser.


    How can I create a new keystore with a trusted certificate?

All Supported APM releases.

     The steps below rely on the Java Keytool utility provided with most JVMs. For more information on Keytool, see: https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html.

To create a new keystore and import a trusted certificate, do the following:

1- Create the keystore using the following command:

<Path to Java>/bin/keytool -genkey -alias <Alias> -keyalg RSA -keysize 2048 -keystore <Keystore Name>

At this point you are asked a series of questions. Be sure to answer the question "What is your first and last name?" with the FQDN of the server.

Also note the keystore password as this password will be required for all subsequent steps.


2- Once the keystore is created, verify the keystore's contents using the list command:

<Path to Java>/bin/keytool -list -v -keystore <Keystore Name>

After completing this step, there should be a single PrivateKeyEntry.


3- Create a Certificate Signing Request based on the keystore's PrivateKeyEntry:

<Path to Java>/bin/keytool -certreq -alias <Alias> -keystore <Keystore Name> -file <hostname>.csr

This command should generate an unsigned CSR based on the keystore's PrivateKeyEntry. Then after creating, follow your organization's process for signing the CSR and obtaining any needed root or intermediate certificates.


4-  Import Certificates into the keystore:

Now import the certificates obtained in step 3 to your keystore. First, to import the root certificate:
<Path to Java>/bin/keytool -import -trustcacerts -keystore <Keystore Name> -alias rootCertificate -file <Root Certificate>

The same command is used to import any intermediate certificates needed:
<Path to Java>/bin/keytool -import -trustcacerts -keystore <Keystore Name> -alias intermediateCertificate -file <Intermediate Certificate>

Finally, import the server certificate created from the CSR generated in step 3:
<Path to Java>/bin/keytool -import -keystore <Keystore Name> -alias <Should be the same Alias used when generating the keystore> -file (Server Certificate>


5- Verify the contents of the keystore using the list command:

<Path to Java>/bin/keytool -list -v -keystore <Keystore Name>

There should be a root certificate entry, entries for each intermediate certificate imported, and an entry for the server certificate. The root and intermediate certificates should show as "Entry type: TrustedCertEntry" and the server certificate as "Entry type: PrivateKeyEntry".


6- Update the APM Configuration:

Now, update the APM configuration to make use of your newly created keystore.

For more information on this topic, see: https://docops.ca.com/ca-apm/10-5/en/administrating/configure-enterprise-manager/configure-enterprise-manager-communications#ConfigureEnterpriseManagerCommunications-EnableSSLforEnterpriseManagerCommunications.

We will focus on the updates needed to made to either the webview-jetty-config.xml (Webview) or em-jetty-config.xml (Enterprise Manager).

In this file, the following properties need updating (with defaults shown):

A - <Set name="certAlias">wily</Set>

This should be updated to the Alias used both when creating the keystore (step 1) and importing the server certificate (step 4).

B- <Set name="keystore"><SystemProperty name="introscope.config" default="./config"/>/internal/server/keystore</Set>

The path specified here should be updated with the path and name of your newly created keystore.

C- <Set name="password">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
   <Set name="keyPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>

These passwords were specified during keystore creation (step 1). The passwords can be in plain text or obfuscated.

To obfuscate the password, follow the steps listed here: https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec1974214.html.

D- As a final step, you may update additional configurations specified in the jetty configuration. For details on each property, see https://docops.ca.com/ca-apm/10-5/en/administrating/configure-enterprise-manager/configure-enterprise-manager-communications#ConfigureEnterpriseManagerCommunications-EnableSSLforEnterpriseManagerCommunications.

Once all changes have been made, restart the EM or Webview process for the changes to take effect.


Additional Information:

    After following these steps, should you encounter any problems connecting to the EM or Webview over SSL, the following article should help in gathering additional information about the problem: https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC1792134.html.

As always, contact CA  Support if you have further questions.