Re: Certificate in iMC (741 Views)
Advisor
rafter_1
Posts: 21
Registered: ‎02-18-2009
Message 1 of 9 (1,301 Views)

Certificate in iMC

Anyone know how to change the certificate in iMC for web clients? If using https, currently get the default iMC certificate. I have proper certificates, how do I get it to use them instead?

(will prevent the annoying allow certificates too!)

Advisor
Graham Hurst
Posts: 11
Registered: ‎12-20-2006
Message 2 of 9 (1,198 Views)
Advisor
rafter_1
Posts: 21
Registered: ‎02-18-2009
Message 3 of 9 (1,014 Views)

Re: Certificate in iMC

Hi,

Well done with the blog, this is what I'd worked out sometime ago too :) ..

Now here's a new one for you... v5 SP1, has this changed as it looks like it... Is the new keystore file "newks" instead of "keystore"?

It appears that just using the previous cert keystore that I've been using with all the previous versions doesn't work if you just use it like before...

Any advice or knowledge of the changes to the certs in SP1?

Cheers!

Honored Contributor
LindsayHill
Posts: 716
Registered: ‎11-16-2011
Message 4 of 9 (898 Views)

Re: Certificate in iMC

You've probably worked it out by now, but yeah, it seems that newks is now used, and that the default storepass is now iMCV500R001.

Look in C:\Program Files\iMC\client\conf\applicationContexts.xml. That defines the keystore to be used, and the password.

I'll be digging into this some more tomorrow.

CCIE 36708 | @northlandboy | lkhill.com
Occasional Advisor
Papageno
Posts: 7
Registered: ‎02-20-2013
Message 5 of 9 (779 Views)

Re: Certificate in iMC

I've just been down this path, and thought I'd followed it religiously, but the jserver process starts with errors and there is now no IMC web service, though ports 8080 and 8443 are listening.  Any ideas?

The IMC Monitoring Agent says the jserver process status is "Error occurred in process startup.  For details see the log."  What log?

A listing of the keystore is attached.

Any help gratefully received.

Occasional Advisor
Papageno
Posts: 7
Registered: ‎02-20-2013
Message 6 of 9 (778 Views)

Re: Certificate in iMC

Thought I'd added an attachment but it seems to have got lost.  Here it is below...

 

C:\Program Files\iMC\client\security>keytool -list -v -keystore .\newks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: 1
Creation date: Jun 7, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=win2k-imc.aarons.net, O=Aarons Inc, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: 6
Valid from: Fri Jun 07 10:32:08 GMT 2013 until: Sat Jun 07 10:32:08 GMT 2014
Certificate fingerprints:
         MD5:  19:D4:95:7D:DF:B0:C5:B7:EE:F2:B2:6B:E3:9F:F5:A9
         SHA1: 9F:2D:E6:47:A7:A8:57:4B:D0:0D:E2:FE:CB:FA:CF:A7:48:55:F3:47
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

]

Certificate[2]:
Owner: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: dc00dde55cfcd0f9
Valid from: Thu Mar 28 13:19:55 GMT 2013 until: Wed Mar 28 13:19:55 GMT 2018
Certificate fingerprints:
         MD5:  A3:56:C1:B6:2E:52:B4:27:37:6A:48:85:B8:E0:67:8F
         SHA1: A0:33:D5:5D:96:7E:06:FC:8F:FA:C5:9D:50:87:B2:14:E2:27:BA:AD
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

[CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK]
SerialNumber: [    dc00dde5 5cfcd0f9]
]



*******************************************
*******************************************


Alias name: imc
Creation date: Jun 7, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=win2k-imc.aarons.net, O=Aarons Inc, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: 6
Valid from: Fri Jun 07 10:32:08 GMT 2013 until: Sat Jun 07 10:32:08 GMT 2014
Certificate fingerprints:
         MD5:  19:D4:95:7D:DF:B0:C5:B7:EE:F2:B2:6B:E3:9F:F5:A9
         SHA1: 9F:2D:E6:47:A7:A8:57:4B:D0:0D:E2:FE:CB:FA:CF:A7:48:55:F3:47
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

]

Certificate[2]:
Owner: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: dc00dde55cfcd0f9
Valid from: Thu Mar 28 13:19:55 GMT 2013 until: Wed Mar 28 13:19:55 GMT 2018
Certificate fingerprints:
         MD5:  A3:56:C1:B6:2E:52:B4:27:37:6A:48:85:B8:E0:67:8F
         SHA1: A0:33:D5:5D:96:7E:06:FC:8F:FA:C5:9D:50:87:B2:14:E2:27:BA:AD
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

[CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK]
SerialNumber: [    dc00dde5 5cfcd0f9]
]



*******************************************
*******************************************



C:\Program Files\iMC\client\security>

 

Honored Contributor
LindsayHill
Posts: 716
Registered: ‎11-16-2011
Message 7 of 9 (770 Views)

Re: Certificate in iMC

Hi Papageno

Sorry I don't have time to investigate this more closely, but you could check this post I made a while ago that covers setting up a custom certificate: http://www.netopscommunity.net/en_GB/forums/-/message_boards/view_message/48010#_19_message_48010

The logfile you need is somewhere under the client directory - off the top of my head it's called imcforeground.log.
CCIE 36708 | @northlandboy | lkhill.com
Occasional Advisor
Papageno
Posts: 7
Registered: ‎02-20-2013
Message 8 of 9 (743 Views)

Re: Certificate in iMC

Hi LindsayHill

Thanks for the pointer.  I finally tracked the issue down to my pfx package for transferring the server and CA trust chain certificates.  It contained all the right certificates and keys, but the keytool import just didn't generate the trust chain.  I finally built a working keystore using the process below.  May be helpful for other folks, who knows?

• Generate a Java keystore and key pair
keytool -genkey -alias imc -keyalg RSA -keystore newks -keysize 2048 -storepass iMCV500R001

• Generate a certificate signing request (CSR) for the keystore
keytool -certreq -alias imc -keystore newks -file imc-server.papageno-home.net.csr -storepass iMCV500R001

• Sign CSR from OpenSSL
sudo openssl ca -in imc-server.papageno-home.net.csr -out imc-server.papageno-home.net.crt -days 365

• Keytool barfs on the full crt file, so strip out the certificate to just the lines beginning and ending with "---BEGIN/END CERTIFICATE---" as imc-server.papageno-home.net.crt.modified

• Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias papageno-home.net -file ca.crt -keystore newks -storepass iMCV500R001

• Import a signed primary certificate to an existing Java keystore with alias "imc" ('cos IMC expects it so)
keytool -import -trustcacerts -alias imc -file imc-server.papageno-home.net.crt.modified -keystore newks -storepass iMCV500R001

• Set key password to same as store password
keytool.exe -keypasswd -alias imc -keypass keypassword -new iMCV500R001 -keystore newks -storepass iMCV500R001

 

 

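Added example, not part of any post in this thread and not HP or iMC code: a check for the failure traced in Messages 5 to 8, where the "imc" keystore entry ends up without its trust chain. It parses `keytool -list -v` output laid out like the listing in Message 6 and reports the problems with one alias. The sample listing, its names and the "imc-old" alias are constructed, and the expiry and SHA-1/MD5 checks go beyond what the thread discusses.

```python
import re
from datetime import datetime

# Constructed sample in `keytool -list -v` layout; all names are made up.
SAMPLE = """\
Alias name: imc
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=imc.example.test, O=Example
Issuer: CN=Example CA, O=Example
Valid from: Fri Jun 07 10:32:08 GMT 2013 until: Sat Jun 07 10:32:08 GMT 2014
         Signature algorithm name: SHA1withRSA
Certificate[2]:
Owner: CN=Example CA, O=Example
Issuer: CN=Example CA, O=Example
Valid from: Thu Mar 28 13:19:55 GMT 2013 until: Wed Mar 28 13:19:55 GMT 2018
Alias name: imc-old
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=imc.example.test, O=Example
Issuer: CN=Example CA, O=Example
Valid from: Fri Jun 07 10:32:08 GMT 2013 until: Sat Jun 07 10:32:08 GMT 2014
         Signature algorithm name: SHA256withRSA
"""

def audit(listing, now, alias="imc"):
    """Return the problems found with one alias of a `keytool -list -v` listing."""
    blocks = {b.splitlines()[0].strip(): b
              for b in re.split(r"(?m)^Alias name: ", listing)[1:]}
    if alias not in blocks:
        return ["alias missing"]
    block, problems = blocks[alias], []
    owners = re.findall(r"(?m)^Owner: (.+?)\s*$", block)
    issuers = re.findall(r"(?m)^Issuer: (.+?)\s*$", block)
    ends = re.findall(r"(?m)until: (.+?)\s*$", block)
    algs = re.findall(r"Signature algorithm name: (\S+)", block)
    if "Entry type: PrivateKeyEntry" not in block:
        problems.append("no private key")
    # Each certificate must be issued by the next one; the last is the root.
    linked = len(owners) == len(issuers) and all(i == o for i, o in zip(issuers, owners[1:]))
    if not owners or not linked or issuers[-1] != owners[-1]:
        problems.append("chain does not end at a self-signed root")
    if ends:  # leaf expiry; the zone token is dropped, so this is approximate
        text = re.sub(r" [A-Z]{2,5} (\d{4})$", r" \1", ends[0])
        if datetime.strptime(text, "%a %b %d %H:%M:%S %Y") <= now:
            problems.append("leaf certificate expired")
    if algs and algs[0].upper().startswith(("SHA1", "MD5")):
        problems.append("leaf signed with " + algs[0])
    return problems
```

Feed it the text captured from `keytool -list -v -keystore newks` after each import step; an empty list for alias "imc" means the entry has a private key and a chain that links up to a self-signed root.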
Honored Contributor
LindsayHill
Posts: 716
Registered: ‎11-16-2011
Message 9 of 9 (741 Views)

Re: Certificate in iMC

Good to hear you got it working - and thanks for posting back here to let us know how you did it. Might help someone else in future.

CCIE 36708 | @northlandboy | lkhill.com