Systems Insight Manager
cancel
Showing results for 
Search instead for 
Did you mean: 

Trusted External Certificate Import

Robert W. Eastman Jr._2
Frequent Advisor

Trusted External Certificate Import

We are wanting the ability to publish HPSIM externally via ISA. In order to do that I will need the HPSIM server to have an external authority certificate instead of a self signed certificate. The problem is that HPSIM generates the certificate as 1024 and external certificate authorities now require 2048 for the encryption so when I went to go try to get a certifice Globalsign slapped my hand and Oh not you don't it doesn't meet the 2048 or higher standard. Well I do not see a way in HP SIM to tell it that I want that encrypiton level, even though it states in the manual that you can have 2048 or less.

Is there a way to get HPSIM to generate a request for 2048.,
(NTFS) No Time For Stupidity
7 REPLIES
jasmo
Visitor

Re: Trusted External Certificate Import

Hi,

 

I'm in front of the same problem. I would like to have an official certificate signed by a trusted CA, but for SAN (Subject Alternate Name) certificate they only accept at least 2048 bit certificate.

Is ther a way to create / replace the SIM certifcate by one of 2048 bit size?

Could we just replace the private key and it's certificate by one generated using openssl?

 

Thanks for any hint.

jim goodman
Trusted Contributor

Re: Trusted External Certificate Import

Oddly enough this came up in conversation today between a couple of us who have been asked this very question. The 2048 bit CSR is coming, but isn't here today in SIM. I posed the question internally and if come up with a work around I'll pass it on if no one beats me to the punch and posts it here.

Robert W. Eastman Jr._2
Frequent Advisor

Re: Trusted External Certificate Import

Does HP know what release of HPSIM that we will be able to produce a 2048 certificate request?

(NTFS) No Time For Stupidity
Michael Kutyna
Occasional Visitor

Re: Trusted External Certificate Import

Any word on when these will be supported?

Change_happens
Honored Contributor

Re: Trusted External Certificate Import

i m sure next version which will be coming soon. 7.0

Re: Trusted External Certificate Import


Using HP SIM 6.3 with 2048 bit third party CA signed cert.

 

-1. optional - on Windows 2008r2 you might prefer not to reconfigure java Connector port 280 to port 80, Windows 2008r2 supports WinRM - remote management - which also runs over port 80, IIS has special code to support dual purposing the use of port 80 for an application and the WinRM service. But you can install the URL Rewrite module in IIS and add a rule to redirect connections to the Default website automatically to the java Connector port 443 - Another gotcha is the 50000 connector port has challenging syntax which doesn't process a non-slashed URL properly change it to the traditional ></Connector> format and everything will be fine.

 

0. optional - change URL port to https default port

edit C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\jboss-web.deployer\server.xml change two instances of 50000 to 443


1. get <current password> for private key and keystore from C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\jboss-web.deployer\server.xml search for "keystorePass="

2. create a 2048 bit private keypair and keystore
cd C:\Program Files\HP\Systems Insight Manager\j2re\bin

 

keytool -genkey -keyalg RSA -keysize 2048 -keypass <current password> -validity 1000 -alias tomcat -keystore hp.keystore

Enter keystore password: <current password>
Re-ener new password: <current password>
First and last name: hpsim.domain.com
Name of Organization Unit: department
Name of Organization: company
Name of City or Locale: city
Name of State or Province: state
Two letter Country Code: us

3. create a signing request

cd C:\Program Files\HP\Systems Insight Manager\j2re\bin
keytool -certreq -alias tomcat -keyalg RSA -keystore hp.keystore -file hpsim.csr

 

4. get request signed

5. import the CA root and intermediate and signed cert into hp.keystore - portcle is a really nice opensource GUI tool for managing keystores

6. rename old keystore

cd C:\Program Files\HP\Systems Insight Manager\config\certstor

ren hp.keystore old.hp.keystore

7. install new keystore

copy C:\Program Files\HP\Systems Insight Manager\j2re\bin\hp.keystore

C:\Program Files\HP\Systems Insight Manager\config\certstor\hp.keystore

8. synchronize certs
cd C:\Program Files\HP\Systems Insight Manager\bin
mxcert -s

9. restart hp sim
C:\Program Files\HP\Systems Insight Manager\bin>sc stop "HP Systems Insight Manager"
wait about 2 minutes
C:\Program Files\HP\Systems Insight Manager\bin>sc start "HP Systems Insight Manager"
wait about 2 minutes

 

verify with log file C:\Program Files\HP\Systems Insight Manager\logs\mxdomainmgr.0

Look at the bottom of the file for:

28 Jan 00:43:46,230 INFO  [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 58s:812ms

 

https://hpsim.domain.com/

 

i3laze
Visitor

Re: Trusted External Certificate Import

Great manual..

 

I was successfull only by doing steps 3-5 right in Portecle.app.

Steps 2,6,7 aren't required if you work directly with existing keystore:

C:\Program Files\HP\Systems Insight Manager\config\certstor\hp.keystore