By default Sentinel creates a self-signed certificate which would be valid for 100 years. Due to security reasons we should sign the SSL certificate with Certificate Authority.

This document describes the steps involved in creating a custom certificate for Sentinel with the third-party CA.

I am using a free SSL Trial of external Certificate Authority (Thawte) here for testing.

Step 1:

Creating the Certificate Signing Request

/opt/novell/sentinel/jdk/jre/bin/keytool -genkey -alias webserver -validity 365 -storetype JKS -keyalg RSA -keysize 2048 -storepass password -keypass password -keystore .webserverkeystore.jks -dname "CN=server1.Atlas.com,OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US" -ext san=dns:server1.Atlas.com,dns:server2.Atlas.com && /opt/novell/sentinel/jdk/jre/bin/keytool -certreq -alias webserver -file .webserverkeystore.csr -keystore .webserverkeystore.jks -storepass password

Note:

  • The above command generates a Certificate Signing Request (CSR), using the PKCS#10 format.
  • A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.

Step 2:

Getting a Signed Certificate

Go to your third party CA website Eg: http://www.thawte.com/

I am using a free SSL Trial here for testing.

ca4

ca5

ca6

ca7

ca8

ca9

<img class="alignnone size-medium wp-image-95473" src="https://www.netiq.com/communities/cool-solutions/wp-content/uploads/sites/2/2017/06/ca10-500×256.png"

alt=”ca10″ width=”500″ height=”256″ />

ca11

Step 3:

Check your inbox for an email from Thawte.

This email will contain your signed certificate, intermediate certificate and root certificate.

ca12

ca13

ca14

ca15

Importing the Signed Certificates and Root Certificate into Sentinel truststore

Step 4:

Now we need to import these certificates into .webserverkeystore.jks keystore generated in the step #1 and the certificates copied in the step #3.

  1. Copy the .webserverkeystore.jks file (generated in step#1) and the certificates saved in the step#3 to Sentinel server.
  2. Backup the default self-signed certificate:
    Command:

    mv /etc/opt/novell/sentinel/config/.webserverkeystore.jks /etc/opt/novell/sentinel/config/.webserverkeystore.jks_bkp
  3. Copy the .webserverkeystore.jks file mentioned in the point#1 to /etc/opt/novell/sentinel/config/
    Command:

    cp .webserverkeystore.jks /etc/opt/novell/sentinel/config/

    Note: make sure this file has novell permission.

  4. Import the intermediate certificate first –> then the root certificate –> and then the signedcert
  • Command to import intermediate certificate:
    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias inter -file /opt/cert/intermediate.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password
  • Command to import root certificate:
    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias root -file /opt/cert/root.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password
  • Command to import signedcert:
    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias webserver -file /opt/cert/signedcert.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password

Note:

  • The intermediate and root certificate should have different alias names, but the signed certificate should be imported with the same alias that was used while creating a certificate pair.
  • After importing all three certificates you should see : ” Certificate reply was installed in keystore ” message.

Step 5:

  1. Now list the keystore and check if all the certificates are imported successfully.
    Command:

    /opt/novell/sentinel/jdk/jre/bin/keytool -list  -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password
  2. To get a detailed output:
    Command:

    /opt/novell/sentinel/jdk/jre/bin/keytool -list -v -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password

Note:

Check for the following in the detailed output:

Alias name: webserver
Entry type: PrivateKeyEntry
Certificate chain length: 3

Step 6:

Restart sentinel service
Command:
rcsentinel restart

Step 7:

Import the intermediate certificate and the root certificate in browser of your choice and access Sentinel Server using the FQDN.
Ex: https://server1.atlas.com:8443/

2 votes, average: 1.50 out of 52 votes, average: 1.50 out of 52 votes, average: 1.50 out of 52 votes, average: 1.50 out of 52 votes, average: 1.50 out of 5 (2 votes, average: 1.50 out of 5)
You need to be a registered member to rate this post.
Loading...

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply

No Comments
Jun 22, 2017
3:19 pm
Reads:
515
Score:
1.5
Active Directory Authentication Automation Cloud Computing Cloud Security Configuration Customizing Data Breach DirXML Drivers End User Management Identity Manager Importing-Exporting / ICE/ LDIF Intelligent Workload Management IT Security Knowledge Depot LDAP Monitoring Open Enterprise Server Passwords Reporting Secure Access Supported Troubleshooting Workflow