How to enable a wildcard certificate in UMP

Document ID : KB000034602
Last Modified Date : 06/06/2018
Introduction:
If a wildcard certificate has been provided in either .pfx or .p12 format, a procedure is needed to import it into UMP. This document describes how to take a wildcard certificate .pfx file with *.mydomain.com as the domain, import it into wasp, and (optionally) apply automatic HTTPS redirects.
Background:
By default, you cannot import these types of certificates into the UMP certificate store by following the procedure described in our documentation on how to enable HTTPS in UMP.
Environment:
Any version of UIM
Instructions:

Prepping WASP

Configure the port number for SSL traffic using the https_port parameter, which is located under the setup key in Raw Configure. This parameter is normally set to 443, but any port between 1 and 65535 can be specified.

 Note: If the https_port parameter does not currently exist in the wasp.cfg file, add it manually. As an example, refer to the http_port parameter.
  1. Configure the number of concurrent https requests using the https_max_threads parameter, which is located under the setup key in Raw Configure. The default value is 500.
  2. Save and close wasp.cfg.
  3. Restart WASP. Wasp is now configured correctly to use SSL. The first time it starts up with SSL enabled, a new keystore wasp.keystore is generated and stored in <Nimsoft>/probes/service/wasp/conf.
  4. Verify - You should now have a wasp.keystore file located in <Nimsoft>/probes/service/wasp/conf. At this point you should be able to access UMP using https://<UMP URL>:443

Set the WASP Keystore Password

  1. Using the probe utility, select the ssl_reinitialize_keystore callback (highlight the wasp probe in IM and press Ctrl+P).
  2. Enter a password of at least six characters; this will be the srcstorepass used later. Hit the "play" button; the result should return ok. This resets the keystore password and renders any currently stored certificates invalid.

Import the Private Key into the WASP keystore

This can be very challenging for several reasons. Since a Certificate Signing Request (CSR) was not generated from wasp, the keystore does not currently have any knowledge of the private key used to generate the cert request. Also, Java can be very particular about the format it expects the key to be in. Another potential hurdle is that the keytool application shipped with older versions of Java provided all the functionality to generate a private key and CSR from a Java keystore, but did not allow importing a preexisting private key or certificate generated externally. This was fixed in Java 6. The solution is to convert the existing certificate and key into a PKCS12 file, and then use keytool to merge one keystore into another, since Java 6 (or higher) can treat a PKCS12 file as a keystore. The most recent java_jre in the Nimsoft archive is 1.8, which meets this requirement.
 

1. Make certain the certificate you have been provided is in the PKCS12 format that Java expects. If the certificate is in .pfx format (a PKCS12 extension), it will need to be converted using OpenSSL:

openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name wasp

The -name switch above sets the alias that will be assigned to the entry in this keystore, wasp in this case.

2. Import the PKCS12 certificate into the wasp.keystore, located by default at C:\Program Files (x86)\Nimsoft\probes\service\wasp\conf.
Import the private key and signed cert. The first step is to check the existing keystore using the following command (edit as necessary if the Nimsoft folder is in another location; this example assumes the default Windows directory on the UMP server):

 In a command prompt, navigate to: C:\Program Files (x86)\Nimsoft\probes\service\wasp\conf

3. Issue the following command:

C:\Program Files (x86)\Nimsoft\jre\jre8u102\bin\keytool -list -alias wasp -keystore wasp.keystore
Enter keystore password:
wasp, Nov 1, 2011, PrivateKeyEntry,
Certificate Fingerprint (MD5):4D:E8:79:84:4E:64:70:AD:4D:A9:A3:BF:BE:C5:F6:B3

4. Run the import command, replacing the placeholders p12password, pemPassword and srcstorepass with the appropriate passwords:

C:\Program Files (x86)\Nimsoft\jre\jre8u102\bin\keytool -importkeystore -deststorepass p12password
-destkeypass pemPassword -destkeystore wasp.keystore -srckeystore mykeystore.p12 -srcstoretype PKCS12
-srcstorepass srcstorepass -alias wasp

Existing entry alias wasp exists, overwrite? [no]:  yes

5. Verify that you have updated the wasp.keystore. The fingerprint should differ from the output you got when you ran the list command in step 3:
C:\Program Files (x86)\Nimsoft\jre\jre8u102\bin\keytool -list -keystore wasp.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entries

wasp, Nov 1, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5):4C:7D:FC:9F:20:A7:B4:7F:DC:93:C0:38:83:7C:7F:AB
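The conversion and import steps above, wrapped as a script that also automates the step 5 check that the wasp alias fingerprint actually changed. This is an added example, not code from this article or from CA; it assumes openssl and keytool are on PATH (Git Bash or Cygwin on the Windows UMP server, or a Linux UMP host) and that KEYTOOL can be pointed at the Nimsoft JRE.

```shell
#!/bin/sh
# Added example, not code from the CA KB article. It wraps the article's
# pfx -> PEM -> PKCS12 -> wasp.keystore steps in functions and automates the
# step-5 check that the alias fingerprint changed after the import.
# Assumed: run from Git Bash/Cygwin on the UMP server (or a Linux UMP host)
# with openssl and keytool on PATH; override KEYTOOL for the Nimsoft JRE.
KEYTOOL="${KEYTOOL:-keytool}"
ALIAS="${ALIAS:-wasp}"

# keytool -list output as printed in step 3 of the article (used for self-test).
SAMPLE_LISTING='wasp, Nov 1, 2011, PrivateKeyEntry,
Certificate Fingerprint (MD5):4D:E8:79:84:4E:64:70:AD:4D:A9:A3:BF:BE:C5:F6:B3'

# Print the hex fingerprint from keytool -list text on stdin; handles both
# "Fingerprint (MD5):" (old JRE) and "fingerprint (SHA-256):" (newer JRE).
fingerprint_from_listing() {
    sed -n 's/^Certificate [Ff]ingerprint ([A-Z0-9-]*): *//p' | head -n 1
}

# True (exit 0) only when both fingerprints are present and differ, i.e. the
# import actually replaced the entry rather than silently doing nothing.
fingerprint_changed() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Step 1: .pfx -> PEM -> PKCS12 keystore whose single entry is aliased $ALIAS.
convert_pfx() {
    openssl pkcs12 -in "$1" -out mypemfile.pem
    openssl pkcs12 -export -in mypemfile.pem -out "$2" -name "$ALIAS"
}

# Steps 3-5: fingerprint before, import (overwriting the alias), fingerprint after.
# $1 = .p12 file, $2 = wasp.keystore, $3 = keystore and key password (assumed
# the same), $4 = password of the .p12 file
import_and_verify() {
    before=$("$KEYTOOL" -list -alias "$ALIAS" -keystore "$2" -storepass "$3" | fingerprint_from_listing)
    "$KEYTOOL" -importkeystore -noprompt -deststorepass "$3" -destkeypass "$3" \
        -destkeystore "$2" -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass "$4" -alias "$ALIAS"
    after=$("$KEYTOOL" -list -alias "$ALIAS" -keystore "$2" -storepass "$3" | fingerprint_from_listing)
    if fingerprint_changed "$before" "$after"; then
        echo "alias $ALIAS replaced: $before -> $after"
    else
        echo "alias $ALIAS unchanged after import; check alias and passwords" >&2
        return 1
    fi
}
# Usage: convert_pfx mypfxfile.pfx mykeystore.p12 && import_and_verify mykeystore.p12 wasp.keystore <storepass> <p12pass>
```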

Restart WASP and test 

You should be able to access the UMP now - https://<ump url>:443

Follow up

  1. If needed, remove http access altogether by removing the http_port key in wasp.cfg, then restart wasp.
  2. Make a note of the certificate expiration date.
  3. Secure and document the keystore passwords.
Additional Information:
https://docops.ca.com/ca-unified-infrastructure-management/8-5/en/installing-ca-uim/optional-post-installation-tasks/configure-https-in-admin-console-or-ump
 
File Attachments:
TEC000003740.zip