
Re: Certificate in iMC

 
rafter_1
Advisor

Certificate in iMC

Anyone know how to change the certificate in iMC for web clients? If using https currently get the default iMC certificate. I have proper certificates, how do I get it to use them instead?

(will prevent the annoying allow certificates too!)

16 REPLIES
Graham Hurst
Advisor
rafter_1
Advisor

Re: Certificate in iMC

Hi,

 

Well done with the blog, this is what I'd worked out sometime ago too :) ..

 

Now here's a new one for you... v5 SP1, has this changed as it looks like it... Is the new keystore file "newks" instead of "keystore"?

 

It appears that just using the previous cert keystore that I've been using with all the previous versions doesn't work if you just use it like before...

 

Any advice or knowledge of the changes to the certs in SP1?

 

Cheers!

LindsayHill
Honored Contributor

Re: Certificate in iMC

You've probably worked it out by now, but yeah, it seems that newks is now used, and that the default storepass is now iMCV500R001

 

Look in C:\Program Files\iMC\client\conf\applicationContexts.xml. That defines the keystore to be used, and the password.

 

I'll be digging into this some more tomorrow.

Papageno
Occasional Advisor

Re: Certificate in iMC

I've just been down this path, and thought I'd followed it religiously, but the jserver process starts with errors and there is now no IMC web service, though ports 8080 and 8443 are listening.  Any ideas?

 

The IMC Monitoring Agent says the jserver process status is "Error occurred in process startup.  For details see the log."  What log?

 

A listing of the keystore is attached.

 

Any help gratefully received.

 

 

 

 

 

Papageno
Occasional Advisor

Re: Certificate in iMC

Thought I'd added an attachment but it seems to have got lost.  Here it is below...

 

C:\Program Files\iMC\client\security>keytool -list -v -keystore .\newks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: 1
Creation date: Jun 7, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=win2k-imc.aarons.net, O=Aarons Inc, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: 6
Valid from: Fri Jun 07 10:32:08 GMT 2013 until: Sat Jun 07 10:32:08 GMT 2014
Certificate fingerprints:
         MD5:  19:D4:95:7D:DF:B0:C5:B7:EE:F2:B2:6B:E3:9F:F5:A9
         SHA1: 9F:2D:E6:47:A7:A8:57:4B:D0:0D:E2:FE:CB:FA:CF:A7:48:55:F3:47
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

]

Certificate[2]:
Owner: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: dc00dde55cfcd0f9
Valid from: Thu Mar 28 13:19:55 GMT 2013 until: Wed Mar 28 13:19:55 GMT 2018
Certificate fingerprints:
         MD5:  A3:56:C1:B6:2E:52:B4:27:37:6A:48:85:B8:E0:67:8F
         SHA1: A0:33:D5:5D:96:7E:06:FC:8F:FA:C5:9D:50:87:B2:14:E2:27:BA:AD
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

[CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK]
SerialNumber: [    dc00dde5 5cfcd0f9]
]



*******************************************
*******************************************


Alias name: imc
Creation date: Jun 7, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=win2k-imc.aarons.net, O=Aarons Inc, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: 6
Valid from: Fri Jun 07 10:32:08 GMT 2013 until: Sat Jun 07 10:32:08 GMT 2014
Certificate fingerprints:
         MD5:  19:D4:95:7D:DF:B0:C5:B7:EE:F2:B2:6B:E3:9F:F5:A9
         SHA1: 9F:2D:E6:47:A7:A8:57:4B:D0:0D:E2:FE:CB:FA:CF:A7:48:55:F3:47
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

]

Certificate[2]:
Owner: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: dc00dde55cfcd0f9
Valid from: Thu Mar 28 13:19:55 GMT 2013 until: Wed Mar 28 13:19:55 GMT 2018
Certificate fingerprints:
         MD5:  A3:56:C1:B6:2E:52:B4:27:37:6A:48:85:B8:E0:67:8F
         SHA1: A0:33:D5:5D:96:7E:06:FC:8F:FA:C5:9D:50:87:B2:14:E2:27:BA:AD
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

[CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK]
SerialNumber: [    dc00dde5 5cfcd0f9]
]



*******************************************
*******************************************



C:\Program Files\iMC\client\security>

 

LindsayHill
Honored Contributor

Re: Certificate in iMC

Hi Papageno

Sorry I don't have time to investigate this more closely, but you could check this post I made a while ago that covers setting up a custom certificate: http://www.netopscommunity.net/en_GB/forums/-/message_boards/view_message/48010#_19_message_48010

The logfile you need is somewhere under the client directory - off the top of my head it's called imcforeground.log.
Papageno
Occasional Advisor

Re: Certificate in iMC

Hi LindsayHill

 

Thanks for the pointer.  I finally tracked the issue down to my pfx package for transferring the server and CA trust chain certificates.  It contained all the right certificates and keys, but the keytool import just didn't generate the trust chain.  I finally built a working keystore using the process below.  May be helpful for other folks, who knows?

 

• Generate a Java keystore and key pair
keytool -genkey -alias imc -keyalg RSA -keystore newks -keysize 2048 -storepass iMCV500R001

• Generate a certificate signing request (CSR) for the keystore
keytool -certreq -alias imc -keystore newks -file imc-server.papageno-home.net.csr -storepass iMCV500R001

• Sign CSR from OpenSSL
sudo openssl ca -in imc-server.papageno-home.net.csr -out imc-server.papageno-home.net.crt -days 365

• Keytool barfs on the full crt file, so strip out the certificate to just the lines beginning and ending with "---BEGIN/END CERTIFICATE---" as imc-server.papageno-home.net.crt.modified

• Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias papageno-home.net -file ca.crt -keystore newks -storepass iMCV500R001

• Import a signed primary certificate to an existing Java keystore with alias "imc" ('cos IMC expects it so)
keytool -import -trustcacerts -alias imc -file imc-server.papageno-home.net.crt.modified -keystore newks -storepass iMCV500R001

• Set key password to same as store password
keytool.exe -keypasswd -alias imc -keypass keypassword -new iMCV500R001 -keystore newks -storepass iMCV500R001
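
A check to run over `keytool -list -v` output after a procedure like the one above, as an added example that is not part of the original post: it confirms the `imc` alias holds a private key with the CA linked into its chain, and flags a leaf certificate signed with SHA-1 or MD5. The sample listing is constructed and the function names are hypothetical.

```python
import re

# Constructed, abridged `keytool -list -v` output; all names are placeholders.
SAMPLE = """\
Alias name: imc
Entry type: PrivateKeyEntry
Owner: CN=imc.example.net, O=Example
Issuer: CN=Example CA, O=Example
         Signature algorithm name: SHA256withRSA
Owner: CN=Example CA, O=Example
Issuer: CN=Example CA, O=Example
         Signature algorithm name: SHA256withRSA

Alias name: 1
Entry type: PrivateKeyEntry
Owner: CN=imc.example.net, O=Example
Issuer: CN=Example CA, O=Example
         Signature algorithm name: SHA1withRSA
"""

def parse_entries(listing):
    """Map alias -> entry type and [(owner, issuer, sigalg)] per chain certificate."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        etype = re.search(r"(?m)^Entry type: (.+)$", block)
        chain = list(zip(re.findall(r"(?m)^Owner: (.+)$", block),
                         re.findall(r"(?m)^Issuer: (.+)$", block),
                         re.findall(r"(?m)^[ \t]*Signature algorithm name: (.+)$", block)))
        entries[block.splitlines()[0].strip()] = {
            "type": etype.group(1).strip() if etype else None, "chain": chain}
    return entries

def check_alias(entries, alias="imc"):
    """Return the problems found for the alias the web server is expected to load."""
    entry = entries.get(alias)
    if entry is None:
        return [f"alias '{alias}' not found"]
    problems, chain = [], entry["chain"]
    if entry["type"] != "PrivateKeyEntry":
        problems.append("no private key in entry")
    if len(chain) < 2:
        problems.append("CA certificate not linked into chain")
    # Each certificate's issuer must be the owner of the next one up the chain.
    for (_, issuer, _), (owner, _, _) in zip(chain, chain[1:]):
        if issuer != owner:
            problems.append(f"chain break after issuer '{issuer}'")
    if chain and chain[0][2].startswith(("SHA1", "MD5")):
        problems.append(f"leaf signed with {chain[0][2]}")
    return problems
```

Feed it the real listing with `check_alias(parse_entries(text))`; an empty list means the `imc` entry passed every check.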

 

 

LindsayHill
Honored Contributor

Re: Certificate in iMC

Good to hear you got it working - and thanks for posting back here to let us know how you did it. Might help someone else in future.

Florian_Baaske
Occasional Contributor

Re: Certificate in iMC

Hey,

 

I was looking for the same issue and did it. I wrote a blog about the solution I found with the latest iMC version. For those who are still searching for the solution, have a look at it.

 

http://www.flomain.de/2014/10/imc-webserver-certificate/

 

BR

Florian