Adding SSL Certificates to Vibe for HTTPS

  • 7001857
  • 12-Nov-2008
  • 06-Dec-2016

Environment

Products:
Novell Teaming 1.0
Novell Teaming 1.0 Support Pack 1
Novell Teaming 1.0 Support Pack 2
Novell Teaming 1.0 Support Pack 3
Novell Teaming 2.0
Novell Vibe OnPrem

Situation

The certificates used by Vibe are stored in a “.keystore” file in the Vibe software directory. By default this file comes with a self-signed and expired certificate. This allows Vibe to use SSL/HTTPS out of the box but causes end users to get several warnings when accessing Vibe securely. This document covers the steps needed to replace the existing certificate with either third-party certificates or self-signed certificates: creating a new “.keystore” file in a temporary directory, generating a certificate signing request (CSR), requesting the new certificates, importing the new certificates into the new “.keystore” file, and then replacing the Vibe server's “.keystore” file.

Resolution

Before starting, it is best if the JDK/bin directory is in the search path, so that the keytool command can be run from anywhere on the server. If the “keytool” command is not found on your system, look for it with the “find / -name keytool” command (Linux). For this TID example keytool is found under /usr/java/jdk1.7.0_03/bin/.

Step One: Creating a new “.keystore” file
This new “.keystore” file can be created in any directory, logged in as any user, from a terminal prompt. It is best to create a directory to place these files in, where they can easily be located later. In this TID the example directory is /home/admin/certs.
1.    Open a terminal prompt window

2.    Change to the certs directory: cd /home/admin/certs

3.    Generate a new “.keystore” file:
keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -keysize 2048

4.    When prompted for a password, use “changeit” without the quotes

5.    The next prompt is for First and Last name, use the full dns name for the Vibe server (example: vibe.novell.com)

6.    The next few prompts are for Organizational unit, Organization, City or locality, State or Province, and two-letter country code. You can enter whatever is wanted or nothing.

7.    Enter yes on the prompt asking if the information is correct

8.    At the prompt for the Key password just press Enter to keep the same password as the keystore (changeit).

9.    There should now be a “.keystore” file in the certs directory. Note: the “.” in front of the name makes it a hidden file; use the ls -al command to see it.

Note: If you are using a self-signed certificate, please skip to Step Five below. Also for self-signed certificates, you can create one with longer validity by using:
              keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -keysize 2048 -validity 730
This will create a certificate valid for two years (730 days).


Step Two: Generate a Certificate Signing Request (CSR)
The CSR file will be used to request a certificate from a third party authority.
1.    From the same terminal prompt, in the same directory where the new “.keystore” file was created, issue the command:
                  keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore .keystore

2.    Enter the keystore password: should be “changeit”

3.    There should now be a certreq.csr file in the directory. Use the ls -al command to view.

Step Three: Request Certificates from Third Party Certificate Authorities (CA)
There are a variety of Third Party Certificate Authorities available. Send the certreq.csr file to one of them. You may have to copy/paste its contents on their website. They should send back a set of certificates to import into the Vibe “.keystore” file. Those certificates should include the server certificate requested and any chain certificates needed to get back to the Certificate Authority. It is NECESSARY to import all of them. Sometimes Certificate Authorities do not send you the chain and root certificates and assume that you will download them from their website. Please check the installation instructions of your chosen certificate authority for 'Tomcat Servers' to determine where you can download these chain and root certificates from.


Step Four: Importing certificates into Vibe
In this section we will import the certificates acquired from the Certificate Authority into the new keystore created in Step One. Place these certificates in the /home/admin/certs directory next to the .keystore file. In this TID we are assuming that your Certificate Authority sent you three files:
a. root.crt: The CA root certificate
b. chain1.crt: The intermediate chain certificate of your CA
c. server.crt: Signed certificate for your Vibe server by the CA


1.    Open a terminal prompt window

2.    Change to the certs directory: cd certs

3.    Import the third party root certificate:
                  keytool -import -alias root -keystore .keystore -trustcacerts -file root.crt

4.    Import the third party chain certificates if any:
                  keytool -import -alias intermed -keystore .keystore -trustcacerts -file chain1.crt

5.    Import the certificate for the Vibe server with the following command:
                  keytool -import -alias tomcat -keystore .keystore -trustcacerts -file server.crt

6.    If prompted for a password, use “changeit” without the quotes

7.    If successful, the message “Certificate reply was installed in keystore” will be displayed

At this point the new keystore file has been created and is ready to replace the Vibe server's default keystore file.
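Rehearsing Steps One, Two and Four end to end, as an added example that is not part of this TID: a throwaway local CA stands in for the third-party authority of Step Three so the whole flow can be run offline, and the last function reports the chain length of the tomcat entry, which is the check worth making before the keystore is copied into place. The hostname vibe.example.com, the scratch directory and the CA's name are assumptions.

```shell
# Added example (not from the TID): rehearses Steps One, Two and Four with a
# constructed local CA standing in for the third party. Needs keytool on PATH.
set -eu
WORK=${WORK:-$(mktemp -d)}        # scratch dir; the TID uses /home/admin/certs
PASS=changeit                      # keystore password used throughout the TID
HOST=${HOST:-vibe.example.com}     # assumed stand-in for the Vibe server's DNS name

# Step One: keystore with the server key pair under alias "tomcat";
# -dname answers the interactive prompts, -validity 730 matches the TID's note.
make_keystore() {
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 730 \
    -keystore "$WORK/.keystore" -storepass "$PASS" -keypass "$PASS" \
    -dname "CN=$HOST, OU=IT, O=Example, L=Provo, ST=Utah, C=US"
}
# Step Two: certificate signing request for the "tomcat" key.
make_csr() {
  keytool -certreq -alias tomcat -keyalg RSA -file "$WORK/certreq.csr" \
    -keystore "$WORK/.keystore" -storepass "$PASS"
}

# Stand-in for Step Three: a throwaway CA signs the CSR and hands back root.crt
# and server.crt, as a real CA would (plus any intermediate chain certificates).
fake_ca_sign() {
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
    -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS" \
    -dname "CN=Example Test CA, O=Example, C=US" -ext bc:c
  keytool -exportcert -alias ca -keystore "$WORK/ca.jks" -storepass "$PASS" \
    -rfc -file "$WORK/root.crt"
  keytool -gencert -alias ca -keystore "$WORK/ca.jks" -storepass "$PASS" \
    -infile "$WORK/certreq.csr" -outfile "$WORK/server.crt" -rfc -validity 730 \
    -ext "san=dns:$HOST"
}

# Step Four: root first, then the server certificate as the reply for "tomcat";
# with the root already trusted, keytool can verify and build the chain.
import_certs() {
  keytool -importcert -noprompt -alias root -trustcacerts -file "$WORK/root.crt" \
    -keystore "$WORK/.keystore" -storepass "$PASS"
  keytool -importcert -noprompt -alias tomcat -trustcacerts -file "$WORK/server.crt" \
    -keystore "$WORK/.keystore" -storepass "$PASS"
}

# Check before copying the file into Tomcat's conf directory: chain length of the
# "tomcat" entry (2 here = server cert + root; a real chain has one more per intermediate).
chain_length() {
  keytool -list -v -alias tomcat -keystore "$WORK/.keystore" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: //p'
}
build_keystore() { make_keystore && make_csr && fake_ca_sign && import_certs; }
```

Run build_keystore and then chain_length; anything other than the expected chain length (or a failed reply import in Step Four) means a chain or root certificate is missing from the keystore.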

Step Five: Replacing the Keystore file and restarting Vibe
In this section you will back up the old keystore file and replace it with the newly created keystore file. Once this is done the Vibe server will need to be restarted for it to take effect.
1.    Open a terminal prompt if not already there

2.    Change to the certs directory if not already there
        cd /home/admin/certs

3.    Verify the new keystore file exists
        ls -al

4.    You should see a file named .keystore

5.    Switch to the Root user
        su

6.    Enter the root user's password when prompted

7.    Change to the Vibe License directory. The default location will vary depending on the Vibe Version and Operating System.

        For Teaming 1.x on Linux:
        cd /opt/icecore/liferay-portal-tomcat-5.5-jdk5-4.3.0/conf
        For Teaming 1.x on Windows:
        cd c:\icecore\liferay-portal-tomcat-5.5-jdk5-4.3.0\conf
  
        For Teaming 2.x on Linux:
        cd /opt/novell/teaming/apache-tomcat-6.0.18/conf
        For Teaming 2.x on Windows:
        cd c:\Program Files\Novell\Teaming\apache-tomcat-6.0.18\conf

        For Vibe 3.x and Vibe 4.0.2 on Linux:
        cd /opt/novell/teaming/apache-tomcat/conf

        For Vibe 3.x on Windows:
        cd c:\Program Files\Novell\Teaming\apache-tomcat\conf

8.    Verify the old keystore file is present
       ls -al

9.    Rename the old keystore file for backup purposes
        mv .keystore keystorebackup

10.    Verify this was done
         ls -al

11.    Copy the new keystore to this directory
         cp /home/admin/certs/.keystore ./ (there is a period before the slash)

12.    Verify the new keystore file was copied
         ls -al

13.    Note what user and group owns the other files in the directory (example: admin:users)

14.    Note who owns the new .keystore file, should be root:root

15.    Change the ownership to the same user and group as the other files
         chown admin:users .keystore

16.    Verify this was done
         ls -al

17.    Set the keystore file permissions to 750 (read/write/execute for the owner, read/execute for the group, no access for others; the file holds the server's private key)
         chmod 750 .keystore

18.    Verify this was done
         ls -al

19.    Restart Vibe
         On Linux use the script commands:
                   /etc/init.d/icecore restart (for version 1.x)
         Or
                   /etc/init.d/teaming restart (for Teaming version 2.x and Vibe 3.x)
         On Windows use the shutdown and startup batch files or restart the service.
At this point the Vibe server should be using the new certificates for HTTPS. Log in to the Vibe server on the secure port. By default the secure port is 8443.