How to enable a wildcard certificate in UMP

Document ID : KB000034602
Last Modified Date : 14/02/2018

Introduction

If a wildcard certificate has been provided in either a .pfx or .p12 format, is there any way to import this into UMP?

Procedure

Enabling SSL on UMP using a wildcard certificate

TASK: Given a wildcard certificate .pfx file issued for *.mydomain.com, import this certificate into wasp and (optionally) apply automatic HTTPS redirects

Prepping WASP

  1. Configure the port number for SSL traffic using the https_port parameter, which is located under the setup key in Raw Configure. This parameter is normally set to 443, but any port between 1 and 65535 can be specified. Note: If the https_port parameter does not currently exist in the wasp.cfg file, add it manually, using the existing http_port parameter as a model.
  2. Configure the number of concurrent https requests using the https_max_threads parameter, also located under the setup key in Raw Configure. The default value is 500.
  3. Save and close wasp.cfg.
  4. Restart WASP. Wasp is now configured to use SSL. The first time it starts up with SSL enabled, a new keystore, wasp.keystore, is generated and stored in <Nimsoft>/probes/service/wasp/conf.
  5. Verify: you should now have a wasp.keystore file in <Nimsoft>/probes/service/wasp/conf, and you should be able to reach UMP at https://<UMP URL>:443. Expect a browser certificate warning at this point; the generated keystore does not yet contain your wildcard certificate, which is imported in the steps below.

Set the WASP Keystore Password

  1. Using the probe utility, select the ssl_reinitialize_keystore callback.
  2. Enter a password of at least six characters and hit the "play" button. The result should return ok. This becomes the password of wasp.keystore, and is the value used for -deststorepass (and -destkeypass) in the keytool import command below.

Import the Private Key into the WASP keystore

This can be challenging for several reasons. Since the Certificate Signing Request (CSR) was not generated from wasp, the keystore has no knowledge of the private key that was used for the request. Java is also particular about the format it expects the key to be in. A further hurdle is that the keytool utility shipped with older versions of Java could generate a private key and CSR from a Java keystore, but could not import a pre-existing private key or a certificate generated externally. This was fixed in Java 6, whose keytool can treat a PKCS12 file as a keystore and merge one keystore into another with -importkeystore. The solution is therefore to convert the existing certificate and key into a PKCS12 file and then use keytool to merge it into wasp.keystore. The most recent java_jre in the Nimsoft archive is 1.6.0_24, which meets this requirement.

    1. Make certain the certificate you have been provided is in the PKCS12 format that Java expects. A .pfx file is PKCS12 as well, but round-tripping it through PEM lets you assign the alias that keytool will look for and produces a file in the form Java's keytool is known to read. Convert it using OpenSSL:

openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name wasp

        The first command prompts for the .pfx import password and then for a PEM pass phrase that protects the private key inside mypemfile.pem. The second prompts for that pass phrase and then for an export password; the export password becomes the -srcstorepass used in the keytool import below. The -name switch sets the alias assigned to the entry in the new PKCS12 file, wasp in this case. mypemfile.pem contains the private key, so delete it once mykeystore.p12 has been created.

    2. Import the PKCS12 file into wasp.keystore. By default the keystore is located in C:\Program Files (x86)\Nimsoft\probes\service\wasp\conf

Before importing the private key and signed certificate, check the existing keystore (edit the paths as necessary if the Nimsoft folder is in another location; this example assumes the default Windows directory on the UMP server). In a command prompt, navigate to C:\Program Files (x86)\Nimsoft\probes\service\wasp\conf

    3. Issue the following command (the path contains spaces, so it must be quoted):

"C:\Program Files (x86)\Nimsoft\jre\jre1.6.0_24\bin\keytool" -list -alias wasp -keystore wasp.keystore

        Enter keystore password:
        wasp, Nov 1, 2011, PrivateKeyEntry,
        Certificate fingerprint (MD5): 4D:E8:79:84:4E:64:70:AD:4D:A9:A3:BF:BE:C5:F6:B3


    4. Run the import command, replacing the placeholders with the appropriate passwords. <wasp keystore password> is the password set with ssl_reinitialize_keystore; <p12 export password> is the export password given to openssl above. Use the same value for -deststorepass and -destkeypass, since wasp is given only the keystore password and uses it for the key entry as well. Enter the command on a single line:

"C:\Program Files (x86)\Nimsoft\jre\jre1.6.0_24\bin\keytool" -importkeystore -deststorepass <wasp keystore password> -destkeypass <wasp keystore password> -destkeystore wasp.keystore -srckeystore mykeystore.p12 -srcstoretype PKCS12 -srcstorepass <p12 export password> -alias wasp

        Existing entry alias wasp exists, overwrite? [no]:  yes


    5. Verify that wasp.keystore has been updated; the certificate fingerprint should differ from the output you got when you ran the list command the first time:

"C:\Program Files (x86)\Nimsoft\jre\jre1.6.0_24\bin\keytool" -list -keystore wasp.keystore

        Enter keystore password:

        Keystore type: JKS
        Keystore provider: SUN

        Your keystore contains 1 entries

        wasp, Nov 1, 2011, PrivateKeyEntry,
        Certificate fingerprint (MD5): 4C:7D:FC:9F:20:A7:B4:7F:DC:93:C0:38:83:7C:7F:AB


Restart WASP and test

You should now be able to access UMP at https://<ump url>:443 without a certificate warning.

Check the certificate via the browser: it should be issued for *.mydomain.com and chain up to the issuing CA.

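The conversion, import and verification steps above gathered into one script. This is an added example, not part of the KB or of the wasp probe. It assumes openssl and keytool are on the PATH (on the UMP server keytool lives under <Nimsoft>\jre\jre1.6.0_24\bin), keeps the placeholder names from the procedure (mypfxfile.pfx, mykeystore.p12, wasp.keystore, alias wasp), and adds two checks the KB leaves implicit: that the PKCS12 file really carries the alias wasp together with the full certificate chain and the wildcard name in subjectAltName, and that the certificate wasp serves after the restart is the one you imported. Passwords are passed as arguments so the script can run unattended; with the interactive prompts used in the KB, simply omit -passin/-passout.

```shell
#!/bin/sh
# Added example (not from the KB): wildcard .pfx -> PKCS12 aliased "wasp" ->
# wasp.keystore, with a check after each step. Assumed: openssl and keytool on
# PATH; file names mypfxfile.pfx, mykeystore.p12, wasp.keystore and the alias
# "wasp" are the placeholders used in the procedure above.
set -eu

# pfx_to_p12 SRC.pfx SRC_PASS OUT.p12 OUT_PASS [ALIAS]
# Round-trips the PFX through PEM so key and chain are re-bundled under the
# alias keytool will import. The PEM holds the private key, so it is written
# to a temporary directory that is removed again before returning.
pfx_to_p12() {
    src=$1; src_pass=$2; out=$3; out_pass=$4; ks_alias=${5:-wasp}
    tmp=$(mktemp -d)
    openssl pkcs12 -in "$src" -passin "pass:$src_pass" \
        -out "$tmp/mypemfile.pem" -passout "pass:$out_pass"
    openssl pkcs12 -export -in "$tmp/mypemfile.pem" -passin "pass:$out_pass" \
        -name "$ks_alias" -out "$out" -passout "pass:$out_pass"
    rm -rf "$tmp"
}

# p12_alias FILE PASS: the friendlyName on the certificate bag, which is the
# alias keytool will see. Expected output: wasp
p12_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        | sed -n 's/^ *friendlyName: *//p' | sort -u
}

# p12_cert_count FILE PASS: number of certificates in the bundle. A CA-issued
# wildcard certificate needs its intermediate(s) in here as well, so expect 2
# or more; a count of 1 means only the leaf was packaged and most clients will
# be unable to build the chain.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# leaf_san FILE PASS: DNS names in the leaf certificate's subjectAltName.
# The wildcard must appear here (browsers ignore the CN), e.g. DNS:*.mydomain.com
leaf_san() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
        | openssl x509 -noout -text | grep -o 'DNS:[^,]*'
}

# import_into_wasp_keystore P12 P12_PASS KEYSTORE KS_PASS [ALIAS]
# keytool -importkeystore as in the KB, but unattended (-noprompt overwrites
# the existing "wasp" entry) and with the destination type pinned to JKS, the
# type wasp generated; newer keytool releases default to PKCS12 otherwise.
# -destkeypass equals -deststorepass on purpose: wasp only knows one password.
import_into_wasp_keystore() {
    p12=$1; p12_pass=$2; ks=$3; ks_pass=$4; ks_alias=${5:-wasp}
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$p12_pass" \
        -srcalias "$ks_alias" \
        -destkeystore "$ks" -deststoretype JKS -deststorepass "$ks_pass" \
        -destkeypass "$ks_pass" -destalias "$ks_alias"
    # Same check as the KB's verify step: the fingerprint should have changed.
    keytool -list -keystore "$ks" -storepass "$ks_pass" -alias "$ks_alias"
}

# served_cert HOST PORT: after restarting wasp, fetch the certificate it
# actually presents and print subject and SAN for comparison with the .pfx.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -text | grep -E 'subject=|DNS:'
}

# Usage (PFX_PASS = the .pfx password, P12_PASS = the PKCS12 export password,
# KS_PASS = the wasp.keystore password set via ssl_reinitialize_keystore):
#   pfx_to_p12 mypfxfile.pfx "$PFX_PASS" mykeystore.p12 "$P12_PASS"
#   p12_alias mykeystore.p12 "$P12_PASS"          # wasp
#   p12_cert_count mykeystore.p12 "$P12_PASS"     # >= 2 for a CA-issued cert
#   leaf_san mykeystore.p12 "$P12_PASS"           # DNS:*.mydomain.com
#   import_into_wasp_keystore mykeystore.p12 "$P12_PASS" wasp.keystore "$KS_PASS"
#   served_cert ump.mydomain.com 443              # after restarting wasp
```

The script only defines functions, so it can be sourced on the UMP server (or any host with openssl) and the steps run one at a time; run pfx_to_p12 on a workstation if you prefer to keep OpenSSL off the server, and copy only mykeystore.p12 across.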

Follow up

  1. If needed, remove http access altogether by removing the http_port key from wasp.cfg, then restart wasp.
  2. Make a note of the certificate expiration date.
  3. Secure and document the keystore passwords.

Troubleshooting

If wasp fails to start:
  1. Deactivate wasp
  2. Deactivate dashboard_engine
  3. Restart dap
  4. Wait for dap to receive a port and pid, then start dashboard_engine
  5. Wait for dashboard_engine to get a port and pid, then start wasp

Attachments:

File Attachments:
TEC000003740.zip