Hp service Manager Single Sign On Implementation Integration with Integrated Windows Authentication


3.4 Creation of HPSM’s SSL certificates


Starting from HPSM 9.30, HP’s security office has again made SSL a prerequisite for a working SSO environment.

The official instructions for creating the SSL certificates can be found in this KB article:

http://support.openview.hp.com/selfsolve/document/KM773556

For the SSL certificates that will be deployed in the customer’s environment we used automated scripts to generate them. These scripts are based on the above knowledge base article.
The configuration files for the scripts are included in the attached zip file. To use the scripts, the zip file must be extracted.

The following list of actions must be followed to generate the certificates for the other environments. It is based on the User Guide, which is also included in the above zip file.


- set the following Windows environment variable for the certificates:
OPENSSL_CONF=%install_path%\TSO-servlet\DSA\openssl.conf (for DSA type certificates)

- configure the [ req_distinguished_name ] section of openssl.conf with the values of the specific DN for your certificate. Only change the following parameters:
countryName_default
stateOrProvinceName_default
localityName_default
0.organizationName_default
organizationalUnitName_default
commonName_default
emailAddress_default
- open the DSA server batch file (server_cert_gen_DSA_v1.1.bat) and set the following parameters to make the certificate generator work:
set JAVA_HOME=""
set DIST_NAME="CN=, OU=, O=, L=, S=, C=<2 digit country code>"
- the cacerts file provided in the local JRE folder will be used; it is therefore recommended to create a backup of your original cacerts file in case something goes wrong during certificate creation.
- open the DSA client batch file (client_cert_gen_DSA_v1.1.bat) and set the same parameters to make the certificate generator work:
set JAVA_HOME=""
set DIST_NAME="CN=, OU=, O=, L=, S=, C=<2 digit country code>"
- first run the server certificate generator server_cert_gen_DSA_v1.1.bat,
- when asked for the DN values, either accept the default values as set in the openssl.conf file, or fill in user-defined values for each parameter,
- answer yes to all other questions,
- in general, you only need to run the server batch file once per server.
The output from the server script server_cert_gen_DSA_v1.1.bat will look like:

# This version of the SC-SM SSL Certificates Creator is based on OPENSSL 1.0.0e,
# it will not work with prior versions.
C:\SSLacme\SC-SM_Cert_Gen_v2\TSO-servlet\DSALocalhost>REM #cls
Could Not Find C:\SSLacme\SC-SM_Cert_Gen_v2\TSO-servlet\DSALocalhost\key
Could Not Find C:\SSLacme\SC-SM_Cert_Gen_v2\TSO-servlet\DSALocalhost\certs
Could Not Find C:\SSLacme\SC-SM_Cert_Gen_v2\TSO-servlet\DSALocalhost\crs
1 file(s) copied.
1 file(s) copied.
Press any key to continue . . .
_______________________________________________________________________________
Creating a DSA parameter file (dsaparam.pem)
.......+...+..+.....+...+.+..........................+....+++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+................+..+..+..+..+....+...+...+.........+.........+..........+...............+.............+...+........+.+.+.+.......+....
.........................+....................+...+......+.....+.....+.........................+.................+......+...............+..+
......+.+..............+...................+.+......+..........+.+......+..+.....+...+......+.........+........+.+..............+.........+.
.........+.....+........................................+..............+.......+.........+..+.....+...........+....................+........
...........+.........................+.....+...+.....+.+............+......+.+....+......+.......................+.+....+......+....+.......
.......+.+++++++++++++++++++++++++++++++++++++++++++++++++++*
_______________________________________________________________________________
Press any key to continue . . .
_______________________________________________________________________________
Creating a Self-Signed DSA Certificate (cakey.pem)
_______________________________________________________________________________
Press any key to continue . . .
_______________________________________________________________________________
Creating the root ca certificate (mycacert.pem)
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BE]:
State or Province Name (full name) [BHG]:
Locality Name (eg, city) [Brussels]:
Organization Name (eg, company) [PRTL]:
Organizational Unit Name (eg, section) [DTS]:
Common Name (eg, YOUR name) [PRTL]:
Email Address [brunodg@acme.com]:
_______________________________________________________________________________
Press any key to continue . . .
_______________________________________________________________________________
Creating the root PKCS12 certificate (mycacert.pfx)
Loading 'screen' into random state - done
_______________________________________________________________________________
Press any key to continue . . .
_______________________________________________________________________________
Importing the certificate into the System-wide keystore (cacerts)
Owner: EMAILADDRESS=brunodg@acme.com, CN=PRTL, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE
Issuer: EMAILADDRESS=brunodg@acme.com, CN=PRTL, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE
Serial number: fe44bf8051ad75cd
Valid from: Wed Feb 22 15:32:57 CET 2012 until: Fri Oct 31 15:32:57 CET 2025
Certificate fingerprints:
MD5: 3F:5F:1A:17:12:DB:FA:41:0D:D6:31:F6:8C:10:AE:C7
SHA1: AB:46:81:0B:59:DD:B3:86:C6:D6:2C:1D:BA:F6:FE:28:D2:54:C6:16
Signature algorithm name: SHA1withDSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9C 5F 23 E3 EF 3E 38 6C C6 85 81 FA B4 8C B4 74 ._#..>8l.......t
0010: 70 EF B0 B6 p...
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9C 5F 23 E3 EF 3E 38 6C C6 85 81 FA B4 8C B4 74 ._#..>8l.......t
0010: 70 EF B0 B6 p...
]
[EMAILADDRESS=brunodg@acme.com, CN=PRTL, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE]
SerialNumber: [ fe44bf80 51ad75cd]
]
Trust this certificate? [no]: y
Certificate was added to keystore
[Storing certs/cacerts]
_______________________________________________________________________________
Press any key to continue . . .
1 file(s) copied.
_______________________________________________________________________________
Creating the Server keystore (server.keystore)
Generating 1,024 bit DSA key pair and self-signed certificate (SHA1withDSA) with a validity of 5,000 days
for: CN=ax0541.dbb.dexwired.net, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE
Enter key password for
(RETURN if same as keystore password):
[Storing key/server.keystore]
_______________________________________________________________________________
Press any key to continue . . .
_______________________________________________________________________________
Generating the Server request certificate (servercert_request.crs)
Certification request stored in file
Submit this to your CA
_______________________________________________________________________________
Press any key to continue . . .
_______________________________________________________________________________
Signing the Server request certificate (smservercert.pem)
Loading 'screen' into random state - done
Signature ok
subject=/C=LU/ST=Luxembourg/L=Luxembourg/O=PRTL/OU=DTS/CN=ax0541.dbb.dexwired.net
notBefore=Feb 22 14:33:12 2012 GMT
notAfter=Oct 31 14:33:12 2025 GMT
Getting CA Private Key
_______________________________________________________________________________
Press any key to continue . . .
-------------------------------------
Stripping all excess info from Client certificate (smserver.pem)
_______________________________________________________________________________
Press any key to continue . . .
_______________________________________________________________________________
Importing Server certificate into Server keystore
Certificate reply was installed in keystore
[Storing key/server.keystore]

- after having run the server certificate generator, run the client part client_cert_gen_DSA_v1.1.bat for DSA type certificates. The client batch file needs to be run with an input parameter, %1, that specifies the FQDN of the client machine for which the client certificate is being created.

Run the batch file as such:
client_cert_gen_DSA_v1.1.bat <client FQDN>
- answer yes to all questions,
- run the client batch file as many times as necessary, once for each client that needs a client certificate. For the web client you only need one certificate per web app server. For the Eclipse client, each individual client machine needs a unique certificate.
The output from the client script will look like:

Client Key and Certificate creation
_______________________________________________________________________________
Creating the Client keystore (DLU0SAPP070T.dbb.acme.com.keystore)
Generating 1,024 bit DSA key pair and self-signed certificate (SHA1withDSA) with a validity of 5,000 days
for: CN=DLU0SAPP070T.dbb.acme.com, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE
Enter key password for
(RETURN if same as keystore password):
[Storing key/DLU0SAPP070T.dbb.acme.com.keystore]
_______________________________________________________________________________
Press any key to continue . . .
_______________________________________________________________________________
Generating the Client request certificate (clientcert_request.crs)
Certification request stored in file
Submit this to your CA
_______________________________________________________________________________
Press any key to continue . . .
-------------------------------------
Signing the Client request certificate (smclientcert.pem)
Loading 'screen' into random state - done
Signature ok
subject=/C=BE/ST=BHG/L=Brussels/O=PRTL/OU=DTS/CN=DLU0SAPP070T.dbb.acme.com
notBefore=Feb 22 14:36:11 2012 GMT
notAfter=Oct 31 14:36:11 2025 GMT
Getting CA Private Key
_______________________________________________________________________________
Press any key to continue . . .
-------------------------------------
Stripping all excess info from Client certificate (scclientcert.pem)
_______________________________________________________________________________
Press any key to continue . . .
_______________________________________________________________________________
Importing Client certificate into Client keystore
Certificate reply was installed in keystore
[Storing key/DLU0SAPP070T.dbb.acme.com.keystore]
_______________________________________________________________________________
Press any key to continue . . .
_______________________________________________________________________________
Exporting Client public certificate from Client keystore (clientpubkey.cert)
Certificate stored in file
_______________________________________________________________________________
Press any key to continue . . .
_______________________________________________________________________________
Importing Client public certificate into Trustedclients keystore (trustedclients.keystore)
Owner: CN=DLU0SAPP070T.dbb.acme.com, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE
Issuer: EMAILADDRESS=brunodg@acme.com, CN=PRTL, OU=DTS, O=PRTL, L=Brussels, ST=BHG, C=BE
Serial number: b45d330ed72dbfdc
Valid from: Wed Feb 22 15:36:11 CET 2012 until: Fri Oct 31 15:36:11 CET 2025
Certificate fingerprints:
MD5: 4F:A5:FF:DA:B4:18:E6:D7:54:64:E9:CC:25:1E:D3:70
SHA1: AC:7B:41:C6:15:42:10:2D:1F:C4:24:0F:2D:6A:DD:4C:C7:15:DE:6B
Signature algorithm name: SHA1withDSA
Version: 1
Trust this certificate? [no]: y
Certificate was added to keystore
[Storing key/trustedclients.keystore]

- after having run both certificate generators, you will find the appropriate files in the \certs and \key directories of the \DSA folder:

\certs
cacerts: Java root certificate keystore file

\key
server.keystore: server keystore with server certificate
<client FQDN>.keystore: client keystore with client certificate
trustedclients.keystore: trusted clients keystore with all client certificates

Copy the files to the following locations:

Service Manager server – RUN directory
cacerts
trustedclients.keystore
.keystore

Web servers – Tomcat directory \webapps\smbsc\WEBINF
cacerts
<client FQDN>.keystore
Figure: location of SSL certificates (image "hp sm workflow create certificates ssl" not reproduced here)
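The following Go program is an added example; it is not part of the HP scripts or of HP's documentation. It reproduces the flow of the two batch files above (a self-signed root CA, a certificate request for the server FQDN signed by that CA, one client certificate per client FQDN, and the two trust stores cacerts and trustedclients.keystore) with Go's standard library, and goes one step further by adding the checks the relying parties perform with those stores: the web tier chains the server certificate to the root and matches the FQDN, and the Service Manager server accepts only client certificates that were explicitly imported into trustedclients.keystore. It also computes the SHA1 fingerprint in keytool's format, which is the value to compare against the "Trust this certificate? [no]:" prompt before answering y. ECDSA P-256 is used instead of the scripts' 1,024-bit SHA1withDSA, because Go's x509 package cannot sign with DSA and because that key size and hash are no longer considered adequate; the DN values and FQDNs are taken from the sample output above.

```go
package main

// Added example, not code from the HPSM scripts or HP's documentation: the batch
// files' flow (root CA -> signed server cert -> client certs -> trust stores) in
// Go's standard library, plus the checks the relying parties run. ECDSA P-256
// stands in for the scripts' 1,024-bit SHA1withDSA (Go's x509 cannot sign with
// DSA, and that size and hash are obsolete). DNs/FQDNs come from the page's output.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeyPair: a certificate and its private key (the root mycacert.pem/cakey.pem, or a leaf as kept in a keystore).
type KeyPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewRootCA: "Creating the root ca certificate", a self-signed CA:true certificate for cacerts.
func NewRootCA(dn pkix.Name, days int) *KeyPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: dn,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &KeyPair{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// IssueLeaf: the "Generating the ... request certificate" and "Signing ..." steps. A CSR for fqdn is
// built and its signature checked before the CA signs it; server and client certs differ only in EKU.
func (ca *KeyPair) IssueLeaf(fqdn string, dn pkix.Name, usage x509.ExtKeyUsage, days int) (*KeyPair, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	dn.CommonName = fqdn // DIST_NAME with CN set to the machine's FQDN
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: dn, DNSNames: []string{fqdn}}, key))
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil { // the requester must prove it holds the key
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Cert: must(x509.ParseCertificate(der)), Key: key}, nil
}

// Fingerprint: the colon-separated SHA1 value keytool shows at "Trust this certificate? [no]:".
func Fingerprint(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return strings.ReplaceAll(fmt.Sprintf("% X", sum[:]), " ", ":")
}

// VerifyServer: what the web tier does with cacerts, chain to the trusted root and require the FQDN.
func VerifyServer(root, cert *x509.Certificate, fqdn string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: fqdn, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// VerifyClient: what the SM server does with trustedclients.keystore, accept only an imported certificate.
func VerifyClient(trusted []*x509.Certificate, cert *x509.Certificate) bool {
	for _, t := range trusted {
		if t.Equal(cert) {
			return true
		}
	}
	return false
}

func main() {
	dn := pkix.Name{Country: []string{"BE"}, Province: []string{"BHG"}, Locality: []string{"Brussels"}, Organization: []string{"PRTL"}, OrganizationalUnit: []string{"DTS"}, CommonName: "PRTL"}
	ca := NewRootCA(dn, 5000) // 5,000 days, as in the scripts' output
	fmt.Println("root SHA1 to compare at keytool's prompt:", Fingerprint(ca.Cert))
	srv := must(ca.IssueLeaf("ax0541.dbb.dexwired.net", dn, x509.ExtKeyUsageServerAuth, 5000))
	fmt.Println("server cert valid for its FQDN:", VerifyServer(ca.Cert, srv.Cert, "ax0541.dbb.dexwired.net") == nil)
	cli := must(ca.IssueLeaf("DLU0SAPP070T.dbb.acme.com", dn, x509.ExtKeyUsageClientAuth, 5000))
	fmt.Println("client cert present in trustedclients:", VerifyClient([]*x509.Certificate{cli.Cert}, cli.Cert))
}
```

Running it prints the root fingerprint and two true values. The same checks are what make a certificate issued by a different CA, a certificate for another hostname, or a client certificate presented as a server certificate fail verification, which is why the root must be compared by fingerprint before it is trusted into cacerts and why trustedclients.keystore must contain exactly the intended client certificates.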



