Insight Remote Support

Re: Replace the self signed certificate with a signed certificate

 
Vincent Jansen
Occasional Contributor

Replace the self signed certificate with a signed certificate

How do I replace the self-signed certificate with a signed certificate in IRS 7.4.0?

toddg1
HPE Pro

Re: Replace the self signed certificate with a signed certificate

I believe this topic is covered in the online "Help" in the Insight Remote Support tool itself. Select Help at the top, then search for "Certificate".

There are some steps listed there for importing certificates.

There are a few options depending on what you're trying to do.

I work for HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Vincent Jansen
Occasional Contributor

Re: Replace the self signed certificate with a signed certificate

There is no info on how to replace the HP self-signed certificate. I searched for "Certificate" in the online help in IRS itself. The results are below.

The install guide only describes how to add the HP self-signed certificate to the trusted stores on the client site.

The results for "Certificate" in the online help in IRS itself:

Your search for "Certificate" returned 8 result(s).

  • Command line tools
    Command line tools Insight RS has a command line utility that can be used to configure settings and run jobs.
    GUI_rsadmin.htm
  • Configuring Integrity HP-UX servers
    Configuring Integrity HP-UX servers Before attempting to configure Insight Remote Support for your HP-UX monitored device, read the following information.
    MonitoredDevices/Config_HP-UX.html
  • Configuring ProVision-based networking switches
    Configuring ProVision-based networking switches ProVision-based networking switches (formerly E-series/ProCurve) require SNMP for discovery and event monitoring. ProVision-based switches ship with SNMP installed and enabled.
    MonitoredDevices/Config_E-Series_Switch.html
  • Complete the Monitored Device Setup Wizard
    Complete the Monitored Device Setup Wizard The Monitored Device Setup Wizard checks whether Insight RS can communicate with devices in your environment based on the configured credentials and verifies the devices are ready to be monitored by HP Insight Remote Support. The Monitored Device Setup Wizard can be left unattended for large environments. The results can be viewed in the final screen of the wizard or on the Discovery screen in the Insight RS Console.
    ConfigurationWizards/GUI_Endpoint_Intro.htm
  • Manage discovery credentials
    Manage discovery credentials Each device in your environment requires protocols that Insight Remote Support uses to communicate with the device. Each of these protocols must have associated credential information.
    Discovery/GUI_Discovery_ManageCredentials.htm
  • Configuring Integrity Superdome X servers
    Configuring Integrity Superdome X servers The Integrity Superdome X system has implemented single-source event reporting such that all event indications are reported through the Integrity Superdome X Onboard Administrator (OA). The OA monitors the core system hardware and generates WS-Management alert indications when it determines that an important event occurs. The Linux WS-Man providers and Windows WinRM providers monitor partition IO devices and report their events through the OA as well.
    MonitoredDevices/Config_SDX.html
  • Manage Collection Schedules
    Manage Collection Schedules For more information about collections, see About collections. On the Collection Services → Collection Schedules tab, you can:
    CollectionServices/GUI_CollSchedTab_Intro.htm
  • Configuring Integrity Linux servers
    Configuring Integrity Linux servers To configure your Integrity Linux servers to be monitored by Insight RS,

 

Gurbaxis
Visitor

Re: Replace the self signed certificate with a signed certificate

Lawrance Lee_1
HPE Pro

Re: Replace the self signed certificate with a signed certificate

This document is classified as "Public" but somehow it does not seem to be available to the public! 

Title: IRS - How to configure IRS using company signed certificate?

Object Name: mmr_ns-0112182
Document Type: Support Information
Original Owner: NonStop NSK Hardware
Disclosure Level: Public
Version State: final
Environment

FACT:NonStop

FACT:T0918 NonStop Leveraged FW and SW

FACT:Insight Remote Support (IRS)

FACT:rsadmin

FACT:SSL

FACT:TLS

FACT:OpenSSL

FACT:RSA

FACT:Private Key

Questions/Symptoms

GOAL:How to configure IRS using company signed certificate?

GOAL:How to configure IRS using Third Party CA signed certificate?

GOAL:How to import certificates signed by a Private or Third Party CA to IRS?

Cause

CAUSE:IRS is configured with self-signed certificate by default. Company (i.e. Private CA) or Third-Party signed certificates need to be configured due to organizational security enforcement.

Answer/Solution

FIX:
There are 3 possible scenarios in which a customer would like to import their own certificates to Insight Remote Support (IRS):

>>>>>> Scenario #1: Create a private key and CSR by using the rsadmin utility, and import the signed certificate.

In this scenario, you would use the rsadmin utility to generate the private key and Certificate Signing Request (CSR), and then import the certificates received from your corporate Certificate Authority (CA) into the IRS database. The steps are as follows:

>> Step 1: Checking the default configuration key settings related to the certificate:

rsadmin config -displayAll | find "uca.cert"

Example output:

GLOBAL uca.cert.checkrevocationstatus.cache.timeout => 86400
GLOBAL uca.cert.country => US
GLOBAL uca.cert.email =>
GLOBAL uca.cert.locality => Palo Alto
GLOBAL uca.cert.organization => Hewlett-Packard
GLOBAL uca.cert.organizationunit => Insight Remote Support
GLOBAL uca.cert.signaturealgorithm => SHA256WITHRSAENCRYPTION
GLOBAL uca.cert.stateorprov => California

>> Step 2: Issue the following commands to update the configuration keys that define certificate fields in the CSR. These fields need to be provided by your corporate CA.

For example:

rsadmin config -set uca.cert.organization="Hewlett Packard Enterprise Company"
rsadmin config -set uca.cert.organizationunit="Global NonStop Solution Center"
rsadmin config -set uca.cert.locality="Palo Alto"
rsadmin config -set uca.cert.stateorprov="California"
rsadmin config -set uca.cert.country="US"
rsadmin config -set uca.cert.email="nonstopsupport@hpe.com"

>> Step 3: Verify that the configuration key settings were changed prior to generating the CSR:

rsadmin config -displayAll | find "uca.cert"

Example output:

GLOBAL uca.cert.checkrevocationstatus.cache.timeout => 86400
GLOBAL uca.cert.country => US
GLOBAL uca.cert.email => nonstopsupport@hpe.com
GLOBAL uca.cert.locality => Palo Alto
GLOBAL uca.cert.organization => Global NonStop Solution Center
GLOBAL uca.cert.organizationunit => Hewlett Packard Enterprise Company
GLOBAL uca.cert.signaturealgorithm => SHA256WITHRSAENCRYPTION
GLOBAL uca.cert.stateorprov => California

>> Step 4: Generate the CSR by executing the following command:

rsadmin cert -csr

>> Step 5: Take the resulting Base64 encoded CSR to your corporate CA for signing and request a Base64 encoded response. There are two possible responses:

a) A certificate chain containing the signed certificate and the CA certificate(s).

The file will typically be in a P7b format. In that case, issue the following command:

rsadmin cert -csr -response <servchain.p7b>

b) A signed certificate, Root CA and (if any) Intermediate CA certificate(s) in separate files.

In that case, you need to import the Root CA and (if any) Intermediate CA certificate(s) into the IRS database and then import the signed certificate.

i) Import the Root CA and (if any) Intermediate CA certificate(s). They must be imported in the appropriate order.

rsadmin cert -alias <IntCAname> -import -trustfile <intcert.pem>
rsadmin cert -alias <RootCAname> -import -trustfile <cacert.pem>

ii) Import the signed certificate

rsadmin cert -csr -response <servcert.pem>

>> Step 6: Restart IRS services

net stop hprsmain
net stop hprsreceivers
net start hprsmain
net start hprsreceivers

>>>>>> Scenario #2: Create a private key and CSR by using a tool other than rsadmin, and import the signed certificate and private key.

In this scenario, you would use your own tool (e.g. OpenSSL) to generate the private key and Certificate Signing Request (CSR), and then import the private key and the signed certificates received from the corporate Certificate Authority (CA) into the IRS database. The steps are as follows:

>> Step 1: Create the private key and CSR by using your own tool. The details of the CSR depend on the corporate requirements so check with your Certificate Authority on how to create your private key and CSR. If you were to use OpenSSL, here is an example of creating a SHA256 private key and CSR:

$ openssl req -out csr.pem -new -sha256 -newkey rsa:2048 -keyout servkey.pem
Generating a RSA private key
...+++++
......................+++++
writing new private key to 'servkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Palo Alto
Organization Name (eg, company) [Default Company Ltd]:Hewlett Packard Enterprise Company
Organizational Unit Name (eg, section) []:Global NonStop Solution Center
Common Name (eg, your name or your server's hostname) []:server.hpe.com
Email Address []:nonstopsupport@hpe.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$

Note: In the above example, you have to enter a "pass phrase" and the details of the CSR. Some entries might be optional such as the email address. The "challenge password" and "company name" are also optional and in the example above are blank (just press the ENTER key).

>> Step 2: Submit the CSR to your corporate CA.

>> Step 3: Once you receive your certificates, create the P7b certificate chain using OpenSSL (in this example, <servcert.pem> is the Server certificate, <intcert.pem> is the Intermediate CA, and <cacert.pem> is the Root CA):

openssl crl2pkcs7 -nocrl -certfile <servcert.pem> -certfile <intcert.pem> -certfile <cacert.pem> -out <servchain.p7b>

>> Step 4: Stop the IRS services:

net stop hprsmain
net stop hprsreceivers

>> Step 5: Import the certificate chain (p7b) certificate using rsadmin:

rsadmin cert -alias jetty -import -trustfile <servchain.p7b>

>> Step 6: Remove the pass phrase from the private key using OpenSSL if that's not already done (in this example, <servkey.pem> is the private key encrypted with <servkeypass>, which is the "pass phrase" used in Step 1):

openssl rsa -in <servkey.pem> -out <servkey_nopass.pem> -passin pass:<servkeypass>

>> Step 7: Import the new private key <servkey_nopass.pem>:

rsadmin cert -alias jetty -import -trustkey <servkey_nopass.pem>

>> Step 8: Start the IRS services:

net start hprsmain
net start hprsreceivers

>>>>>> Scenario #3: Create a private key and CSR by using your own tool (e.g. OpenSSL) and import a self-signed certificate signed with SHA256.

To create and import a self-signed certificate signed with SHA256, execute the following commands:

>> Step 1: Create a self-signed certificate with RSA private key using OpenSSL and remove the pass phrase (in this example, <servkey.pem> is the private key encrypted with <servkeypass>, which is the "pass phrase" entered after executing the first command):

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout <servkey.pem> -out <servcert.pem>
openssl rsa -in <servkey.pem> -out <servkey_nopass.pem> -passin pass:<servkeypass>

>> Step 2: Stop the IRS services:

net stop hprsmain
net stop hprsreceivers

>> Step 3: Delete the current Insight RS client certificate:

rsadmin cert -delete -alias jetty

>> Step 4: Import a new Insight RS client certificate:

rsadmin cert -import -alias jetty -trustfile <servcert.pem>

>> Step 5: Import the new private key:

rsadmin cert -import -alias jetty -trustkey <servkey_nopass.pem>

>> Step 6: Start the IRS services:

net start hprsmain
net start hprsreceivers

© Copyright 2021 Hewlett Packard Enterprise Development Company, L.P.

I work for HPE.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Dave15
Occasional Visitor

Re: Replace the self signed certificate with a signed certificate

Hi Lawrance Lee - 

I have scenario 2.

I have my p7b file with the whole certificate chain and I have also exported the private key and taken the password off.

However, when I import the p7b certs file I get the following results:

  *************

C:\Program Files\HP\RS\BIN>rsadmin cert -alias jetty -import -trustfile c:\certificate.p7b

p7b chain trusting 'IRSRootCA'

p7b chain trusting 'IRSIssuingCA'

Cannot validate certificate chain.  Not importing "jetty".

Could not validate cert [1]: subject/issuer name chaining check failed

Certificate import failed

Jetty and Receiver restart pending

Cert import failed alias=jetty file=c:\certificate.p7b

  *******************
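
A pre-import check for the Scenario 2 files, added here as an example (it is not part of the HPE document or of rsadmin, and it does not reproduce rsadmin's own validation): it rebuilds the issuer-to-subject path inside the .p7b by name, which is the property the "subject/issuer name chaining check failed" message refers to, and confirms that the private key belongs to the server certificate. The function names and the argument order are assumptions; it needs openssl and awk, a PEM-encoded bundle that includes the root CA, and an unencrypted key.

```shell
#!/bin/sh
# Added example: pre-import checks for the Scenario 2 files (file names are placeholders).

# One "subject<TAB>issuer" line per certificate in a PEM-encoded .p7b bundle.
p7b_pairs() {
  openssl pkcs7 -in "$1" -print_certs -noout 2>/dev/null |
    awk '/^subject=/ { s = substr($0, 9) }
         /^issuer=/  { print s "\t" substr($0, 8) }'
}

# Walk issuer -> subject links from the end-entity certificate up to a self-signed
# root, whatever the order of the certificates in the file. Prints the path and
# returns non-zero when a link is missing. Compares names only, not signatures.
chain_path() {
  p7b_pairs "$1" | awk -F'\t' '
    { iss[$1] = $2; n++; if ($1 != $2) issues[$2] = 1 }
    END {
      # End entity: a subject that issues nothing else in the bundle.
      for (s in iss)
        if (!(s in issues) && (iss[s] != s || n == 1)) { leaf = s; leaves++ }
      if (leaves != 1) {
        print "expected 1 end-entity certificate, found " (leaves + 0); exit 1
      }
      for (s = leaf; hops++ <= n; s = iss[s]) {
        print s
        if (iss[s] == s) exit 0                 # reached the self-signed root
        if (!(iss[s] in iss)) { print "MISSING ISSUER: " iss[s]; exit 1 }
      }
      exit 1                                    # issuer names form a loop
    }'
}

# True when the unencrypted private key ($1) and the certificate ($2) carry the
# same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh precheck.sh <servchain.p7b> <servcert.pem> <servkey_nopass.pem>
if [ "$#" -eq 3 ]; then
  chain_path "$1" && key_matches_cert "$3" "$2" && echo "chain and key look consistent"
fi
```

A "MISSING ISSUER" line names the CA certificate that has to be added to the bundle before the chain can be followed to the root.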

Sunitha_Mod
Moderator

Re: Replace the self signed certificate with a signed certificate

Hello @Dave15

Thank you for posting! Since you have posted in an old topic and there is no response yet, I would recommend that you create a new topic using the "New Discussion" button, so the experts can check and assist you further.

Thanks,
Sunitha G
I'm an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]