topic Re: Trusted External Certificate Import in Server Management - Systems Insight Manager

Trusted External Certificate Import

Robert W. Eastman Jr._2 — Mon, 20 Dec 2010 20:19:17 GMT

We are wanting the ability to publish HPSIM externally via ISA. In order to do that I will need the HPSIM server to have an external authority certificate instead of a self signed certificate. The problem is that HPSIM generates the certificate as 1024 and external certificate authorities now require 2048 for the encryption so when I went to go try to get a certifice Globalsign slapped my hand and Oh not you don't it doesn't meet the 2048 or higher standard. Well I do not see a way in HP SIM to tell it that I want that encrypiton level, even though it states in the manual that you can have 2048 or less.

Is there a way to get HPSIM to generate a request for 2048.,

Re: Trusted External Certificate Import

jasmo — Fri, 12 Aug 2011 11:57:21 GMT

Hi,

I'm in front of the same problem. I would like to have an official certificate signed by a trusted CA, but for SAN (Subject Alternate Name) certificate they only accept at least 2048 bit certificate.

Is ther a way to create / replace the SIM certifcate by one of 2048 bit size?

Could we just replace the private key and it's certificate by one generated using openssl?

Thanks for any hint.

Re: Trusted External Certificate Import

jim goodman — Sat, 13 Aug 2011 02:41:00 GMT

Oddly enough this came up in conversation today between a couple of us who have been asked this very question. The 2048 bit CSR is coming, but isn't here today in SIM. I posed the question internally and if come up with a work around I'll pass it on if no one beats me to the punch and posts it here.

Re: Trusted External Certificate Import

Robert W. Eastman Jr._2 — Fri, 26 Aug 2011 13:44:57 GMT

Does HP know what release of HPSIM that we will be able to produce a 2048 certificate request?

Re: Trusted External Certificate Import

Michael Kutyna — Fri, 23 Dec 2011 15:58:56 GMT

Any word on when these will be supported?

Re: Trusted External Certificate Import

Change_happens — Tue, 03 Jan 2012 10:22:42 GMT

i m sure next version which will be coming soon. 7.0

Re: Trusted External Certificate Import

John T Willis — Fri, 10 Feb 2012 05:18:35 GMT

Using HP SIM 6.3 with 2048 bit third party CA signed cert.

-1. optional - on Windows 2008r2 you might prefer not to reconfigure java Connector port 280 to port 80, Windows 2008r2 supports WinRM - remote management - which also runs over port 80, IIS has special code to support dual purposing the use of port 80 for an application and the WinRM service. But you can install the URL Rewrite module in IIS and add a rule to redirect connections to the Default website automatically to the java Connector port 443 - Another gotcha is the 50000 connector port has challenging syntax which doesn't process a non-slashed URL properly change it to the traditional ></Connector> format and everything will be fine.

0. optional - change URL port to https default port

edit C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\jboss-web.deployer\server.xml change two instances of 50000 to 443

1. get <current password> for private key and keystore from C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\jboss-web.deployer\server.xml search for "keystorePass="

2. create a 2048 bit private keypair and keystore
cd C:\Program Files\HP\Systems Insight Manager\j2re\bin

keytool -genkey -keyalg RSA -keysize 2048 -keypass <current password> -validity 1000 -alias tomcat -keystore hp.keystore

Enter keystore password: <current password>
Re-ener new password: <current password>
First and last name: hpsim.domain.com
Name of Organization Unit: department
Name of Organization: company
Name of City or Locale: city
Name of State or Province: state
Two letter Country Code: us

3. create a signing request

cd C:\Program Files\HP\Systems Insight Manager\j2re\bin
keytool -certreq -alias tomcat -keyalg RSA -keystore hp.keystore -file hpsim.csr

4. get request signed

5. import the CA root and intermediate and signed cert into hp.keystore - portcle is a really nice opensource GUI tool for managing keystores

6. rename old keystore

cd C:\Program Files\HP\Systems Insight Manager\config\certstor

ren hp.keystore old.hp.keystore

7. install new keystore

copy C:\Program Files\HP\Systems Insight Manager\j2re\bin\hp.keystore

C:\Program Files\HP\Systems Insight Manager\config\certstor\hp.keystore

8. synchronize certs
cd C:\Program Files\HP\Systems Insight Manager\bin
mxcert -s

9. restart hp sim
C:\Program Files\HP\Systems Insight Manager\bin>sc stop "HP Systems Insight Manager"
wait about 2 minutes
C:\Program Files\HP\Systems Insight Manager\bin>sc start "HP Systems Insight Manager"
wait about 2 minutes

verify with log file C:\Program Files\HP\Systems Insight Manager\logs\mxdomainmgr.0

Look at the bottom of the file for:

28 Jan 00:43:46,230 INFO [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 58s:812ms

https://hpsim.domain.com/

Re: Trusted External Certificate Import

i3laze — Fri, 25 Mar 2016 13:21:57 GMT

Great manual..

I was successfull only by doing steps 3-5 right in Portecle.app.

Steps 2,6,7 aren't required if you work directly with existing keystore:

C:\Program Files\HP\Systems Insight Manager\config\certstor\hp.keystore