Hello,
You want to get a keystore file for import into IMC, which includes both its cert / cert chain and private key - or at least it is the easiest way to do it. The format can be PKCS12 or JKS, or possibly other formats would work too, though I've only tested with those two.
As for the certificate itself, it should include a CN, ie. your system's hostname, and any number of SANs for other IPs and DNS aliases of the system (like the FQDN). Purpose should include Server Authentication. The rest of the details in there are not really important.
Make sure the private key password you set matches the keystore password when you export the certificate. iMC expects the same password for both, and not using matching passwords will cause the HTTPS access to fail when you apply it.
Once that's done, just open the Web GUI and go to System Configuration > HTTPS Access Settings, select your keystore file for upload (Server-side Authentication) and enter the password you used for it. Then just restart iMC when the upload is complete, and make sure to clear your browser cache too - and you should see it using your new certificate.
Justin
Working @ HPE
Hello,
I don't think you can skip the passwords with IMC, it's generally a security risk to use a keystore and private key without one anyway, and isn't really any more difficult to set up.
As for the steps to create the files... it really depends on what system you use to generate the CSR and the type of CA you use to create the certificate. Whether you use Microsoft's CA or OpenSSL CA or something else, there are generally plenty of tutorials and guides you can find online to create and export a signed certificate, hence it's not something the iMC docs go into detail about. Which one do you intend to use?
Justin
Working @ HPE
Hello,
As it can be a fairly challenging process, I'll provide two examples. The first using Windows and Keytool, using IMC's keystore newks under iMC\client\security. The second with Linux and OpenSSL creating a new keystore that will be imported with IMC.
Using Java Keytool on Windows:
1. First check your IMC version. If you're running IMC 7.3 E0705 or later, then the built-in keytool included in IMC under IMC\common\jre folder will work. If you're on an older version, either update IMC first, or install the latest JRE on your IMC server separately, as the keytool included in earlier IMC versions was an old one that did not support the X.509 extensions (ie. the SAN).
2. Open Windows CMD and navigate to iMC\client\security folder.
3. Add Keytool to your OS path. For example with latest IMC version - adjust the actual path according to where the keytool.exe file is located: Set PATH="C:\Program Files\iMC\common\jre\bin"
4. Make a backup copy of the newks keystore in the iMC\client\security folder and delete the original.
5. Generate the keypair with a new keystore called 'newks' (you should be in iMC\client\security context):
keytool -genkeypair -v -alias imc -keyalg RSA -keystore newks -storepass iMCV500R001 -keypass iMCV500R001 -validity 3650 -ext san=dns:<hostname>,ip:<ip address>
Replace <hostname> and <ip address> with the appropriate values and add additional dns: or ip: values as needed. The -storepass and -keypass passwords may be changed, but must always be identical.
Fill out the data when prompted to do so. Set the "What is your first and last name" to the hostname or IP of your IMC server. The other parameters are up to you. Once done you should have a new keystore called newks in the iMC\client\security folder (move it there if needed).
6. Generate your CSR for signing by the CA:
keytool -certreq -keyalg RSA -alias imc -file <file>.csr -keystore newks -storepass iMCV500R001 -keypass iMCV500R001 -validity 3650 -ext san=dns:<hostname>,ip:<ip address>
Replace <file> with the name of the CSR file that will be created, while <hostname> and <ip address> are the same values as in step 5. Adjust passwords if needed.
7. Open the CSR file that was generated with a text editor and copy it to clipboard.
8. Get the signed certificate generated by your CA. In this example, I'll provide the steps for Microsoft's CA.
Upload your certificate request (CSR) on the /certsrv interface (CA Web Enrollment page) via Request a certificate -> Advanced certificate request -> Submit a certificate request by using a base-64... and then paste the contents you copied in step 7 with Certificate Template type Web Server.
This will generate the signed certificate, which you can download as Base 64 encoded. Optionally if you have a PKI hierarchy you will want to download the entire certificate chain instead (in which case, you don't need to download the certificate separately, as it's in the chain).
9. Import the certificate into the keystore:
keytool -import -alias imc -keystore newks -file <certname>.cer -storepass iMCV500R001 -keypass iMCV500R001 -validity 3650
Alternatively if you have a certificate chain, instead of the above, import the chain into the keystore:
keytool -import -alias imc -keystore newks -trustcacerts -file <certname>.p7b -storepass iMCV500R001 -keypass iMCV500R001 -validity 3650
Replace <certname> with the name of the certificate/chain file. Adjust passwords if needed. Answer "yes" if prompted about the certificate not being trusted.
Once imported, you can verify it with the command:
keytool -list -v -keystore newks
10. Restart iMC via DMA and then connect to the web GUI using HTTPS. Check the certificate presented and ensure it is correct.
If you receive a root certificate trust warning in the browser, that mean the certificate of the root CA that signed your cert is not trusted on your machine. You'll need to import it into your "Trusted Root Certification Authorities" in Windows to avoid getting the error.
NOTE: If you did not use the default IMC keystore/keypass password above, you will need to adjust IMC's relevant configuration files before it can open the keystore to use the certificate:
- iMC\client\conf\server.xml (defines the HTTPS Connector for iMC)
- iMC\client\bin\startup.bat (startup script for iMC тАУ see .sh equivalent on Linux)
The keystore name and password appear as follows in server.xml:
keystoreFile="security/newks" keystorePass="iMCV500R001"
They are stored a bit differently in the startup.bat(.sh) file:
-Djavax.net.ssl.keyStore="%IMC_HOME%\security\newks" -Djavax.net.ssl.keyStorePassword=iMCV500R001
You can adjust the path and password as needed for your keystore and password, save the files, and then restart IMC for the change to take effect. Mind the quotations in server.xml and lack thereof in the startup file. In case of certain special characters like < > in the password, IMC may replace these when starting up with escape characters by design.
Using OpenSSL on Linux (RHEL):
Note that iMC supports a variety of keystore formats. I have tested JKS, PKCS#12 and PFX successfully. The method below is one example, but not the only way you can get a working keystore with OpenSSL. If anything is unclear, please consult the extensive OpenSSL documentation first.
1. Make sure OpenSSL is installed (should be by default):
yum install openssl -y
2. Generate the private key. In this example, we use filename imc.pem with password iMCV500R001:
openssl genpkey -algorithm RSA -out /etc/pki/tls/private/imc.pem -pass pass:iMCV500R001
3. Before creating the CSR, create an OpenSSL config file that will include the X.509 extensions for SAN we need to identify the IMC server by multiple DNS Names/IP addresses. Here we create imc_cert.cnf using nano:
nano /etc/pki/tls/imc_cert.cnf
File contents (adjust all the values as needed):
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = CountryCode
ST = State
L = SomeCity
O = HPE
OU = LAB
CN = imc
[req_ext]
subjectAltName = _names
[alt_names]
IP.1 = 10.10.10.1
DNS.1 = imc
DNS.2 = imc.local.lab
The important values above are the CN = which should be the hostname/IP of your IMC server, and the IPs/hostnames after [alt_names]. These should include all addresses and names that you use to connect to your IMC server.
Save the file and exit the editor.
4. Create the CSR based on the previously generated private key and config file:
openssl req -new -key /etc/pki/tls/private/imc.pem -out /etc/pki/tls/imc.csr -config /etc/pki/tls/imc_cert.cnf
In this example the CSR imc.csr will be created.
5. Have your CA generate the signed certificate using this CSR. It's expected here that you already have a working CA that can sign it. Here is an example of the command I used on my OpenSSL CA server in my lab:
openssl x509 -req -in imc.csr \
> -CA /etc/pki/CA/certs/opensslCA.crt \
> -CAkey /etc/pki/CA/private/opensslCA.key \
> -CAcreateserial \
> -out imc.crt \
> -days 365
Note that if you use an OpenSSL CA, it must respect the Subject Alternate Names that you have requested in the CSR, or you will get a certificate without them. This means copy_extensions = copy should be configured in the CA's CA_default configuration.
6. Create a keystore with the certificate and private key. In this case I create a PKCS#12 file, but you could also use JKS or PFX etc. (plenty of instructions for this can be found online).
openssl pkcs12 -export \
-in /etc/pki/tls/certs/imc.crt \
-inkey /etc/pki/tls/private/imc.pem \
-out /root/imc.p12
Make sure you set the export password to the same password as used for the private key when prompted!
This results in an imc.p12 file located in the root directory that contains both the certificate and its private key.
7. Open the IMC Web GUI and access System > System Configuration > HTTPS Access Settings.
8. Upload the keystore file (imc.p12 in this example) using Server-side Authentication option and providing the password you set. Note that just like with the Windows process above, the keystore password and private key password must match.
9. Restart iMC, and now the HTTPS interface should present your new signed certificate.
Hope that helps get your signed certificate installed in iMC.
Justin
Working @ HPE
Hello,
I guess you won't be working on this any more, but I want to mention for anyone else that jserver process not starting after following the steps above means something is wrong with IMC's access to the keystore.
Make sure the keystore password and private key password match, and that they are correctly entered in the two configuration files I mentioned above, along with the name of the keystore file. You could always double-check your keystore with Java keytool using "keytool -list -v -keystore <keystore-filename>" (replacing keystore-filename with the correct name like newks - if you can open the keystore with the same password provided to iMC, it should be able to open it too, and jserver would start.
If needed you can debug why it won't start using the iMC\client\log\imcforeground.log file, it should show some certificate-related issue when trying to start up.
Justin
Working @ HPE