Introduction
If a wildcard certificate has been provided in either a .pfx or .p12 format, is there any way to import this into UMP?
Procedure
Enabling SSL on UMP using a wildcard certificate
TASK: Given a wildcard certificate .pfx file with *.mydomain.com as the domain, import this certificate into wasp and (optionally) apply automatic HTTPS redirects.
- Configure the port number for SSL traffic using the https_port parameter, which is located under the setup key in Raw Configure. This parameter is normally set to 443, but any port between 1 and 65545 can be specified. Note: If the https_port parameter does not currently exist in the wasp.cfg file, add it manually, using the existing http_port parameter as a model.
- Configure the number of concurrent HTTPS requests using the https_max_threads parameter, also located under the setup key in Raw Configure. The default value is 500.
- Save and close wasp.cfg.
- Restart WASP. Wasp is now configured to use SSL. The first time it starts up with SSL enabled, a new keystore, wasp.keystore, is generated and stored in <Nimsoft>/probes/service/wasp/conf.
- Verify: you should now have a wasp.keystore file in <Nimsoft>/probes/service/wasp/conf, and you should be able to access UMP at https://<UMP URL>:443. At this point the keystore holds only the self-signed certificate wasp generated for itself, so expect a browser warning until the wildcard certificate has been imported.
Set the WASP Keystore Password
- Using the probe utility, select the ssl_reinitialize_keystore callback.
- Enter a password of at least six characters (this will be the srcstorepass used later) and hit the "play" button. The result should return ok.
Import the Private Key into the WASP keystore
This can be very challenging for several reasons. Since a Certificate Signing Request (CSR) was not generated from wasp, the keystore currently has no knowledge of the private key used to generate the certificate request. Also, Java can be very particular about the format it expects the key to be in. Another potential hurdle is that the keytool application shipped with older versions of Java provided all the functionality to generate a private key and CSR from a Java keystore, but did not allow importing a preexisting private key or certificate generated externally. This was fixed in Java 6. The solution is to convert the existing certificate and key into a PKCS12 file, and then use keytool to merge one keystore into another, since Java 6 can treat a PKCS12 file as a keystore. The most recent java_jre in the Nimsoft archive is 1.6.0_24, which meets this requirement.

1. Make certain the certificate you have been provided is in the PKCS12 format that Java expects. If the certificate is in a .pfx format (PKCS12 extension), it will need to be converted using OpenSSL:

    openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
    openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name wasp

   The -name switch above sets the alias that will be assigned to the entry in this keystore, wasp in this case. The alias must match the one wasp already uses, so that the import below replaces wasp's self-signed entry rather than adding a second one.

2. Copy the PKCS12 file (mykeystore.p12) to the wasp.keystore location, by default C:\Program Files (x86)\Nimsoft\probes\service\wasp\conf.

3. Check the existing keystore before importing the private key and signed certificate. In a command prompt, navigate to C:\Program Files (x86)\Nimsoft\probes\service\wasp\conf and issue the following command (edit the path as necessary if the Nimsoft folder is in another location; this example assumes the default Windows directory on the UMP server):

    "C:\Program Files (x86)\Nimsoft\jre\jre1.6.0_24\bin\keytool" -list -alias wasp -keystore wasp.keystore

   The output should look like this (the fingerprint is that of the self-signed certificate wasp generated):

    Enter keystore password:
    wasp, Nov 1, 2011, PrivateKeyEntry,
    Certificate Fingerprint (MD5):4D:E8:79:84:4E:64:70:AD:4D:A9:A3:BF:BE:C5:F6:B3

4. Run the import command, replacing the placeholder passwords (p12password, pemPassword, srcstorepass) with the appropriate values:

    "C:\Program Files (x86)\Nimsoft\jre\jre1.6.0_24\bin\keytool" -importkeystore -deststorepass p12password -destkeypass pemPassword -destkeystore wasp.keystore -srckeystore mykeystore.p12 -srcstoretype PKCS12 -srcstorepass srcstorepass -alias wasp

   Because the alias already exists, keytool asks before replacing it; answer yes:

    Existing entry alias wasp exists, overwrite? [no]: yes

5. Verify that you have updated wasp.keystore. The output should differ from what you got when you ran the list command in step 3 (in particular, the certificate fingerprint changes):

    "C:\Program Files (x86)\Nimsoft\jre\jre1.6.0_24\bin\keytool" -list -keystore wasp.keystore

    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entries
    wasp, Nov 1, 2011, PrivateKeyEntry,
    Certificate fingerprint (MD5):4C:7D:FC:9F:20:A7:B4:7F:DC:93:C0:38:83:7C:7F:AB

6. Restart WASP and test. You should now be able to access UMP at https://<ump url>:443. Check the certificate via the browser:
- If needed, remove HTTP access altogether by removing the http_port key in wasp.cfg, then restart wasp.
- Make note of the certificate expiration date.
- Secure and document the keystore passwords.
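The PFX conversion, keystore import and verification steps above can be run from one PowerShell script on the UMP server, which also captures the two checklist items that follow them (wildcard subject and expiry date). This is an added example, not CA/Nimsoft code: the Nimsoft and JRE paths are the page's defaults, openssl.exe is assumed to be on PATH, the keytool -noprompt switch replaces the interactive overwrite prompt, and the password variables map each password to the keystore it unlocks (the wasp.keystore password set with ssl_reinitialize_keystore is used as -deststorepass and, by assumption, as -destkeypass as well).

```powershell
# Added example (not CA/Nimsoft code): PFX -> PKCS12 -> wasp.keystore, with checks.
$ErrorActionPreference = 'Stop'

$NimsoftRoot  = 'C:\Program Files (x86)\Nimsoft'
$WaspConf     = Join-Path $NimsoftRoot 'probes\service\wasp\conf'
$Keytool      = Join-Path $NimsoftRoot 'jre\jre1.6.0_24\bin\keytool.exe'
$OpenSsl      = 'openssl.exe'                 # assumption: OpenSSL is on PATH
$Alias        = 'wasp'                        # must match the alias wasp generated
$KeystoreFile = Join-Path $WaspConf 'wasp.keystore'

$PfxFile   = 'C:\certs\mypfxfile.pfx'         # placeholder: the wildcard cert you were given
$PfxPass   = Read-Host 'Password protecting the .pfx'
$P12Pass   = Read-Host 'Export password for mykeystore.p12 (keytool -srcstorepass)'
$StorePass = Read-Host 'wasp.keystore password from ssl_reinitialize_keystore (keytool -deststorepass)'

# Native commands do not throw on failure, so check the exit code explicitly.
function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

# 0. Inspect the PFX before touching the keystore: the subject must be the wildcard,
#    and the expiry date is what the checklist asks you to record.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxFile, $PfxPass)
if ($cert.Subject -notmatch 'CN=\*\.') {
    throw "Expected a wildcard certificate, got subject: $($cert.Subject)"
}
Write-Host ("Subject : {0}`nExpires : {1:u}" -f $cert.Subject, $cert.NotAfter)

# 1. PFX -> PEM -> PKCS12 carrying the 'wasp' alias (-name), the page's two openssl steps.
#    The intermediate PEM is written encrypted (-passout) and deleted afterwards so the
#    private key never sits unencrypted on disk.
$PemFile = Join-Path $WaspConf 'mypemfile.pem'
$P12File = Join-Path $WaspConf 'mykeystore.p12'
Invoke-Checked $OpenSsl @('pkcs12', '-in', $PfxFile, '-out', $PemFile,
    '-passin', "pass:$PfxPass", '-passout', "pass:$P12Pass")
Invoke-Checked $OpenSsl @('pkcs12', '-export', '-in', $PemFile, '-out', $P12File, '-name', $Alias,
    '-passin', "pass:$P12Pass", '-passout', "pass:$P12Pass")
Remove-Item $PemFile

# 2. Record what the keystore holds before the import (wasp's self-signed entry).
$before = & $Keytool -list -alias $Alias -keystore $KeystoreFile -storepass $StorePass 2>&1 | Out-String
Write-Host "Before import:`n$before"

# 3. Merge the PKCS12 into wasp.keystore, overwriting the existing alias (-noprompt
#    answers the "overwrite? [no]" question with yes). -destkeypass is assumed to equal
#    the store password.
Invoke-Checked $Keytool @('-importkeystore', '-noprompt',
    '-srckeystore', $P12File, '-srcstoretype', 'PKCS12', '-srcstorepass', $P12Pass,
    '-destkeystore', $KeystoreFile, '-deststorepass', $StorePass, '-destkeypass', $StorePass,
    '-alias', $Alias)

# 4. Verify: the alias must still be a PrivateKeyEntry, and its fingerprint must differ
#    from the self-signed one listed before the import.
$after = & $Keytool -list -alias $Alias -keystore $KeystoreFile -storepass $StorePass 2>&1 | Out-String
if ($after -notmatch 'PrivateKeyEntry') {
    throw "Alias '$Alias' is not a PrivateKeyEntry after import; the private key did not come across"
}
$fpPattern = 'fingerprint \(\w+\):\s*([0-9A-F:]+)'
$fpBefore  = [regex]::Match($before, $fpPattern, 'IgnoreCase').Groups[1].Value
$fpAfter   = [regex]::Match($after,  $fpPattern, 'IgnoreCase').Groups[1].Value
if ($fpBefore -eq $fpAfter) {
    throw "Certificate fingerprint unchanged ($fpAfter); the '$Alias' entry was not replaced"
}
Write-Host "After import:`n$after`nRestart WASP and browse to https://<UMP URL>:443 to confirm."
```

Run it interactively in an elevated prompt on the UMP server, since the script writes into the wasp conf folder. The passwords are passed to openssl and keytool on their command lines, which any local process listing can observe while the commands run; that is the same exposure the manual commands on this page have, so clear the variables (Remove-Variable PfxPass, P12Pass, StorePass) and the mykeystore.p12 file once the import has been verified.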
If wasp failed to start:
- Deactivate wasp.
- Deactivate dashboard_engine.
- Restart dap.
- Wait for dap to receive a port and PID, then start dashboard_engine.
- Wait for dashboard_engine to receive a port and PID, then start wasp.