Hp service Manager Single Sign On Implementation Integration with Integrated Windows Authentication
Creation of HPSM’s SSL-certificates
Download 357.16 Kb.
|
- Navigate this page:
- Service Manager server – RUN directory
3.4Creation of HPSM’s SSL-certificatesStarting from HPSM 9.30, HP’s security office decided to enable the SSL prerequisite for a working SSO environment again. The official instructions to create the SSL-certificates can be followed from this KB article: http://support.openview.hp.com/selfsolve/document/KM773556 .
The following list of actions must be followed to generate the certificates for the other environments. This is based on the User Guide which can also be found in the above ZIP-file. - set the following Windows Environment variable for the certificates: OPENSSL_CONF %install_path%\TSO-servlet\DSA\openssl.conf (for DSA type certificates) - configure the openssl.conf for the [ req_distinguished_name ] section to set the values for your specific DN for your certificate. Only change the following parameters:
stateOrProvinceName_default localityName_default 0.organizationName_default organizationalUnitName_default commonName_default emailAddress_default
set DIST_NAME="CN= -the cacerts-file provided in the local JRE-folder will be used; therefore it’s a recommendation to create a backup of your original cacerts-file in case something goes wrong with the certificate creation. - open the DSA client batch file (client_cert_gen_DSA_v1.1.bat) and set the following parameters to make the certificate generators work: set JAVA_HOME=" set DIST_NAME="CN= - first run the server certificate generator server_cert_gen_DSA_v1.1.bat.
or fill in a user-defined values for each parameter, - on all other questions answer yes, - in general, you only need to run the server batch file once per server, The output from the server script server_cert_gen_DSA_v1.1.bat will look like: # This version of the SC-SM SSL Certificates Creator is based on OPENSSL 1.0.0e, # it will not work with prior versions. C:\SSLacme\SC-SM_Cert_Gen_v2\TSO-servlet\DSALocalhost>REM #cls Could Not Find C:\SSLacme\SC-SM_Cert_Gen_v2\TSO-servlet\DSALocalhost\key Could Not Find C:\SSLacme\SC-SM_Cert_Gen_v2\TSO-servlet\DSALocalhost\certs Could Not Find C:\SSLacme\SC-SM_Cert_Gen_v2\TSO-servlet\DSALocalhost\crs 1 file(s) copied. 1 file(s) copied. Press any key to continue . . . _______________________________________________________________________________ Creating a DSA parameter file (dsaparam.pem) .......+...+..+.....+...+.+..........................+....+++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+................+..+..+..+..+....+...+...+.........+.........+..........+...............+.............+...+........+.+.+.+.......+.... .........................+....................+...+......+.....+.....+.........................+.................+......+...............+..+ ......+.+..............+...................+.+......+..........+.+......+..+.....+...+......+.........+........+.+..............+.........+. .........+.....+........................................+..............+.......+.........+..+.....+...........+....................+........ ...........+.........................+.....+...+.....+.+............+......+.+....+......+.......................+.+....+......+....+....... .......+.+++++++++++++++++++++++++++++++++++++++++++++++++++* _______________________________________________________________________________ Press any key to continue . . . _______________________________________________________________________________ Creating a Self-Signed DSA Certificate (cakey.pem) _______________________________________________________________________________ Press any key to continue . . . _______________________________________________________________________________ Creating the root ca certificate (mycacert.pem) Loading 'screen' into random state - done You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [BE]: State or Province Name (full name) [BHG]: Locality Name (eg, city) [Brussels]: Organization Name (eg, company) [PRTL]: Organizational Unit Name (eg, section) [DTS]: Common Name (eg, YOUR name) [PRTL]: Email Address [brunodg@acme.com]: _______________________________________________________________________________ Press any key to continue . . . _______________________________________________________________________________ Creating the root PKCS12 certificate (mycacert.pfx) Loading 'screen' into random state - done _______________________________________________________________________________ Press any key to continue . . . _______________________________________________________________________________ Importing the certificate into the System-wide keystore (cacerts) Owner: EMAILADDRESS=brunodg@acme.com, CN=PRTL, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE Issuer: EMAILADDRESS=brunodg@acme.com, CN=PRTL, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE Serial number: fe44bf8051ad75cd Valid from: Wed Feb 22 15:32:57 CET 2012 until: Fri Oct 31 15:32:57 CET 2025 Certificate fingerprints: MD5: 3F:5F:1A:17:12:DB:FA:41:0D:D6:31:F6:8C:10:AE:C7 SHA1: AB:46:81:0B:59:DD:B3:86:C6:D6:2C:1D:BA:F6:FE:28:D2:54:C6:16 Signature algorithm name: SHA1withDSA Version: 3 Extensions: #1: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 9C 5F 23 E3 EF 3E 38 6C C6 85 81 FA B4 8C B4 74 ._#..>8l.......t 0010: 70 EF B0 B6 p... ] ] #2: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[ CA:true PathLen:2147483647 ] #3: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 9C 5F 23 E3 EF 3E 38 6C C6 85 81 FA B4 8C B4 74 ._#..>8l.......t 0010: 70 EF B0 B6 p... ] [EMAILADDRESS=brunodg@acme.com, CN=PRTL, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE] SerialNumber: [ fe44bf80 51ad75cd] ] Trust this certificate? [no]: y Certificate was added to keystore [Storing certs/cacerts] _______________________________________________________________________________ Press any key to continue . . . 1 file(s) copied. _______________________________________________________________________________ Creating the Server keystore (server.keystore) Generating 1,024 bit DSA key pair and self-signed certificate (SHA1withDSA) with a validity of 5,000 days for: CN=ax0541.dbb.dexwired.net, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE Enter key password for (RETURN if same as keystore password): [Storing key/server.keystore] _______________________________________________________________________________ Press any key to continue . . . _______________________________________________________________________________ Generating the Server request certificate (servercert_request.crs) Certification request stored in file Submit this to your CA _______________________________________________________________________________ Press any key to continue . . . _______________________________________________________________________________ Signing the Server request certificate (smservercert.pem) Loading 'screen' into random state - done Signature ok subject=/C=LU/ST=Luxembourg/L=Luxembourg/O=PRTL/OU=DTS/CN=ax0541.dbb.dexwired.net notBefore=Feb 22 14:33:12 2012 GMT notAfter=Oct 31 14:33:12 2025 GMT Getting CA Private Key _______________________________________________________________________________ Press any key to continue . . . ------------------------------------- Stripping all excess info from Client certificate (smserver.pem) _______________________________________________________________________________ Press any key to continue . . . _______________________________________________________________________________ Importing Server certificate into Server keystore Certificate reply was installed in keystore [Storing key/server.keystore] - after having run the server certificate generator, run the client part client_cert_gen_DSA_v1.1.bat for DSA type certificates type certificates. The client batch file needs to be run with an input parameter, %1, that specifies the FQDN of the client machine for which the client certificate is being created. Run the batch file as such: - answer yes to all questions, - run the client batch file as many times as necessary for each client that needs a client certificate. For the web client you only need one certificate per web app server. For the Eclipse client, each individual client machine needs a unique certificate, The output from the client script: Client Key and Certificate creation _______________________________________________________________________________ Creating the Client keystore (DLU0SAPP070T.dbb.acme.com.keystore) Generating 1,024 bit DSA key pair and self-signed certificate (SHA1withDSA) with a validity of 5,000 days for: CN=DLU0SAPP070T.dbb.acme.com, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE Enter key password for (RETURN if same as keystore password): [Storing key/DLU0SAPP070T.dbb.acme.com.keystore] _______________________________________________________________________________ Press any key to continue . . . _______________________________________________________________________________ Generating the Client request certificate (clientcert_request.crs) Certification request stored in file Submit this to your CA _______________________________________________________________________________ Press any key to continue . . . ------------------------------------- Signing the Client request certificate (smclientcert.pem) Loading 'screen' into random state - done Signature ok subject=/C=BE/ST=BHG/L=Brussels/O=PRTL/OU=DTS/CN=DLU0SAPP070T.dbb.acme.com notBefore=Feb 22 14:36:11 2012 GMT notAfter=Oct 31 14:36:11 2025 GMT Getting CA Private Key _______________________________________________________________________________ Press any key to continue . . . ------------------------------------- Stripping all excess info from Client certificate (scclientcert.pem) _______________________________________________________________________________ Press any key to continue . . . _______________________________________________________________________________ Importing Client certificate into Client keystore Certificate reply was installed in keystore [Storing key/DLU0SAPP070T.dbb.acme.com.keystore] _______________________________________________________________________________ Press any key to continue . . . _______________________________________________________________________________ Exporting Client public certificate from Client keystore (clientpubkey.cert) Certificate stored in file _______________________________________________________________________________ Press any key to continue . . . _______________________________________________________________________________ Importing Client public certificate into Trustedclients keystore (trustedclients.keystore) Owner: CN=DLU0SAPP070T.dbb.acme.com, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE Issuer: EMAILADDRESS=brunodg@acme.com, CN=PRTL, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE Serial number: b45d330ed72dbfdc Valid from: Wed Feb 22 15:36:11 CET 2012 until: Fri Oct 31 15:36:11 CET 2025 Certificate fingerprints: MD5: 4F:A5:FF:DA:B4:18:E6:D7:54:64:E9:CC:25:1E:D3:70 SHA1: AC:7B:41:C6:15:42:10:2D:1F:C4:24:0F:2D:6A:DD:4C:C7:15:DE:6B Signature algorithm name: SHA1withDSA Version: 1 Trust this certificate? [no]: y Certificate was added to keystore [Storing key/trustedclients.keystore] - after having run both certificate generators, you will find the appropriate files in the \certs and \key directories of the \DSA folder: \certs cacerts: Java root certificate keystore file \key server.keystore: server keystore with server certificate client keystore with client certificate trustedclients.keystore: trusted clients keystore with all client certificates
cacerts
trustedclients.keystore Web servers – Tomcat Directory \webapps\smbsc \WEBINF cacerts
Figure : location of SSL certficates Directory: hpeb -> attachments -> hpeb hpeb -> Asset Manager Web installation detailed steps hpeb -> Installing the Linux Client System hpeb -> Deploy Operating System toolbar button hpeb -> Pcm-04. 00. 00. 1609-x64. exe Download 357.16 Kb. Share with your friends:
|