In CA APM 10.x, what does the new SSL property "certAlias" in the EM/WebView Jetty web server config provide, and how can the keystore be updated with your own Private Key/Certificate pair for that alias value?

Document ID : KB000036154
Last Modified Date : 16/07/2018
Question:

In CA APM 10.x, what is the significance of the new SSL connector property "certAlias" in the Jetty web server config file for the EM Web Server (em-jetty-config.xml), i.e.:
<Set name="certAlias">wily</Set>   (10.0-> 10.5)
<Set name="certAlias">caapm</Set>  (10.7)

Environment:
APM 10.x
Answer:

Before APM 10.0, only the fixed name 'wily' was supported for the Private Key alias stored in the EM_HOME/config/internal/server/keystore file. certAlias is a new property that lets the user choose their own alias when loading their Private Key.

The default EM_HOME/config/internal/server/keystore file provided with the EM install contains a Private Key with the default alias of 'wily' (versions 10.0 -> 10.5) or 'caapm' (version 10.7). The user therefore has two choices:

EITHER:

  • Delete the 'wily' or 'caapm' alias from the keystore file.
  • Load your own Private Key/Certificate pair into the keystore with the same 'wily' or 'caapm' alias.
  • Leave the Jetty web server config file unchanged.

OR:

  • Load your own Private Key/Certificate pair into the keystore with a new alias, e.g. 'myalias'.
  • Edit the Jetty web server config file to have:  <Set name="certAlias">myalias</Set>

 

Additional Information:

NOTES:

Some useful commands:

  • The following example commands are assumed to be run from directory EM_HOME/config/internal/server
  • For the default keystore provided with the EM install the password is "password"
  • The keytool executable is found in the Java Runtime Environment directory e.g. EM_HOME/jre/bin.
  • For further information on keytool options & parameters see Oracle Java documentation e.g.
  • keytool can be used to create a new keystore with new Private Key/Certificate pair using the genkeypair option - see:
  • To import own Private Key/Certificate pair the ImportPrivateKey utility should be used - see:

List contents of keystore into a file (verbose output):
    keytool -list -v -keystore keystore -storepass password > list_keystore.out

Delete alias 'wily' from keystore:
    keytool -delete -alias wily -keystore keystore -storepass password

Delete alias 'caapm' from keystore:
    keytool -delete -alias caapm -keystore keystore -storepass password
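
After either option above, the certAlias value in em-jetty-config.xml must name a keystore entry that actually holds a private key. The following script is an added example, not CA tooling: it cross-checks a config file against the saved list_keystore.out text. It assumes English keytool output and a single certAlias line; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CA tooling: cross-check certAlias against `keytool -list -v` text.

# Print the first certAlias value in a Jetty config file (assumes one connector).
cert_alias() {
    sed -n 's/.*<Set name="certAlias">\([^<]*\)<\/Set>.*/\1/p' "$1" | head -n 1
}

# Print the "Entry type" keytool listed for alias $2 in listing file $1.
# The comparison ignores case; keytool shows JKS aliases in lower case.
entry_type() {
    awk -v want="$2" '
        { sub(/\r$/, "") }
        /^Alias name: / { cur = tolower(substr($0, 13)) }
        /^Entry type: / { if (cur == tolower(want)) { print substr($0, 13); exit } }
    ' "$1"
}

# 0 = alias holds a private key, 1 = alias missing from keystore,
# 2 = alias present without a private key, 3 = no certAlias in config.
check_alias() {
    a=$(cert_alias "$1")
    [ -n "$a" ] || return 3
    case "$(entry_type "$2" "$a")" in
        PrivateKeyEntry) return 0 ;;
        "")              return 1 ;;
        *)               return 2 ;;
    esac
}

# Constructed sample data: a listing trimmed to the two fields parsed above.
tmp=$(mktemp -d)
cat > "$tmp/list_keystore.out" <<'EOF'
Alias name: caapm
Entry type: PrivateKeyEntry

Alias name: myalias
Entry type: trustedCertEntry
EOF
for name in caapm myalias other; do
    printf '<Set name="certAlias">%s</Set>\n' "$name" > "$tmp/$name.xml"
    rc=0; check_alias "$tmp/$name.xml" "$tmp/list_keystore.out" || rc=$?
    echo "certAlias=$name -> status $rc"
done
```

Status 2 is what a certificate-only import leaves behind (a trustedCertEntry): the alias exists, but there is no private key behind it for the web server to use.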