
Configure DPA to use a custom certificate for SSL/TLS

Updated February 27, 2017

Overview

By default, DPA 9.2 and later automatically generates a self-signed certificate for its HTTPS listener. Browsers do not trust that certificate, so users see a warning on every connection. This article describes how to replace the self-signed certificate with a custom certificate signed by a CA your clients trust.

SolarWinds allows you to configure custom certificates. However, SolarWinds Support does not provide configuration assistance. If you need assistance, please contact the vendor who provided your certificate.

Before you begin, you must contact your administrator to determine the certificates required for your environment.

This certificate can be a wildcard certificate, and can be signed by a public Certification Authority (CA) or by a CA specific to your company.

This article uses an application called Portecle for managing key stores. Download Portecle from:

Environment

  • DPA 9.2 and later

Steps

Make a backup of the DPA key store file. The default location is:

<DPA-dir>/iwc/tomcat/conf/.keystore

You can run Portecle using the embedded Java Runtime (JRE) that is included with DPA as follows:

  • Windows: <DPA-dir>\iwc\jre\bin\java.exe -jar <Portecle-dir>\portecle.jar
  • Linux: <DPA-dir>/iwc/jre_linux/bin/java -jar <Portecle-dir>/portecle.jar

If you previously overrode the keystore location or password in the <DPA-dir>/iwc/tomcat/conf/server.xml file (the keystoreFile and keystorePass attributes on the Tomcat Connector), use those values instead of the defaults given below.

Follow the case that matches the files you already have:

  • If your administrator prepared a keystore for you (a file with the extension .jks, .p12, or .pfx, or a file named .keystore with no extension), follow the steps in Case A.
  • If your administrator gave you a signed certificate and its private key (the certificate usually has the extension .cer, .p7b, .crt, or .der), you also need the trusted certificate chain as separate files (usually .cer, .p7b, .crt, or .der). Follow the steps in Case B.
  • If nothing has been prepared for you, follow the steps in Case C to generate a key pair and a certificate signing request yourself.

Case A

  1. Open the keystore by clicking File > Open Keystore File.
  2. Enter the password provided by your administrator.
  3. If the type of keystore is not JKS, click Tools > Change Keystore Type > JKS. Enter the password provided by your administrator.
  4. You should see one or more entries, one per row. One of them is the signed certificate with its private key (it has an icon with two keys on the left).

    Verify that it is the certificate you need, then rename it:

    1. Right-click the entry, and click Certificate Details.
    2. Check that the host name in the Subject field is the name users enter to reach DPA (for example, "CN=hostname, O=organization").
    3. Right-click the entry, and click Rename.
    4. Enter the alias tomcat and click OK.

    If the certificate entry is incorrect, you cannot use the keystore file. Follow the steps in Case C to continue.

  5. Click File > Save Keystore, and save it to <DPA-dir>/iwc/tomcat/conf/.keystore.
  6. If the password provided by your administrator is not the default (changeit), you must:
    1. Edit the <DPA-dir>/iwc/tomcat/conf/server.xml file.
    2. Add the following attributes to the Tomcat Connector (quote the values, as with any XML attribute):

      keystorePass="<KEYSTORE_PASSWORD>" keyPass="<CERTIFICATE_KEY_PASSWORD>"

      The certificate key password is usually the same as the keystore password. Both are stored in clear text in server.xml, so restrict read access to that file to the account DPA runs as.

  7. Restart DPA.

Case B

  1. Open the DPA keystore by clicking File > Open Keystore File.

    By default, the DPA keystore is located at <DPA-dir>/iwc/tomcat/conf/.keystore.

  2. Enter the password provided by your administrator.
  3. If a key pair with the alias tomcat exists in the keystore (the self-signed certificate DPA generated), right-click it and select Delete.

  4. Click Tools > Import Trusted Certificate to import the whole trust chain of your server certificate, starting with the Root CA certificate and working down the chain. Typically this means importing the Root CA certificate and one or more intermediate certificates. Give every imported certificate a unique alias.

    When importing the Root CA certificate, Portecle may ask you to accept the certificate as trusted, because a self-signed root cannot be verified against anything already in the keystore.

    If this prompt appears for any certificate other than the Root CA certificate, you are importing the wrong certificates or importing them in the wrong order. Continue anyway and HTTPS clients may reject the connection because the server cannot present a complete chain.

  5. Import the file that holds the server certificate and the related private key.
    1. Click Tools > Import Key Pair.

      If the private key is protected by a password, get that password from your administrator.

    2. On the next dialog, select the key pair to import. There should be only one.
    3. On the next dialog, make sure to alias the key pair as tomcat, and enter the same password that you entered for the keystore.

      The default password is changeit.

    4. If the password you entered is not the default, you must edit the <DPA-dir>/iwc/tomcat/conf/server.xml file and add the following attributes to the Tomcat Connector (quote the values, as with any XML attribute):

      keystorePass="<KEYSTORE_PASSWORD>" keyPass="<CERTIFICATE_KEY_PASSWORD>"

      The certificate key password is usually the same as the keystore password.

  6. Click File > Save Keystore.
  7. Close Portecle, and restart DPA.

Case C

  1. Open the DPA keystore by clicking File > Open Keystore File.

    By default, the DPA keystore is located at <DPA-dir>/iwc/tomcat/conf/.keystore.

  2. Enter the password. The DPA default password is changeit.
  3. If a key pair with the alias tomcat exists in the keystore (the self-signed certificate DPA generated), right-click it and select Delete.

  4. Create a new key pair.
    1. Click Tools > Generate Key Pair.
    2. Adjust the properties based on your requirements (SolarWinds recommends RSA with a 2048-bit key size), and click OK.
    3. Fill in the fields you want contained in your certificate. Use the fully qualified domain name that users enter to reach DPA as the CN, and click OK.
    4. Enter tomcat as the alias, and click OK.
    5. As a password for the key pair, use the same as the password for the keystore file. This password is changeit by default.
  5. Generate a Certificate Signing Request (CSR) by right-clicking the tomcat key pair, and selecting Generate Certification Request.


  6. Submit the CSR to your CA.

    Your CA should give you a signed certificate (with an extension of .cer, .p7b, .crt, .der). You will also need the trusted certificate chain in separate files (usually with an extension of .cer, .p7b, .crt, .der). If you do not have it, ask your administrator.

  7. Click Tools > Import Trusted Certificate to import the whole trust chain of your server certificate, starting from the Root CA certificate and progressing down the chain. Typically this means importing the Root CA certificate and one or more intermediate certificates. For every imported certificate, you must choose a unique alias.

    When importing the Root CA certificate, Portecle may ask you to accept the certificate as trusted, because a self-signed root cannot be verified against anything already in the keystore.

    If this prompt appears for any certificate other than the Root CA certificate, you are importing the wrong certificates or importing them in the wrong order. Continue anyway and HTTPS clients may reject the connection because the server cannot present a complete chain.

  8. Import the signed certificate by right-clicking the tomcat key pair, and selecting Import CA Reply.


  9. Click File > Save Keystore.
  10. Close Portecle, and restart DPA.
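The same keystore operations as Case A, Case B and Case C, scripted with keytool from the JRE that ships with DPA instead of the Portecle GUI. This is an added example, not SolarWinds code or part of this article's procedure. It assumes DPA is installed under /opt/solarwinds/dpa, that keytool sits next to the java binary named earlier (on Windows that would be <DPA-dir>\iwc\jre\bin\keytool.exe with the same options), that openssl is installed, and the host and organization names shown; the alias names chain1, chain2, ... are the script's own choice.

```shell
#!/bin/sh
# Added example, not SolarWinds code: the keystore operations of Case A, B and C
# done with keytool from the JRE bundled with DPA instead of the Portecle GUI.
# Assumptions: DPA_DIR is the install directory, keytool sits beside the java
# binary the article names, and openssl is available for PKCS#12 bundling.
set -eu

DPA_DIR="${DPA_DIR:-/opt/solarwinds/dpa}"                   # assumed install path
KEYTOOL="${KEYTOOL:-$DPA_DIR/iwc/jre_linux/bin/keytool}"    # assumed keytool location
KEYSTORE="${KEYSTORE:-$DPA_DIR/iwc/tomcat/conf/.keystore}"  # default path from the article
STOREPASS="${STOREPASS:-changeit}"                          # DPA default password
ALIAS=tomcat                                                # the alias Tomcat looks for

# Keep a dated copy of the keystore before changing it.
backup_keystore() {
  cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"
}

# Case B/C step 3: remove the self-signed 'tomcat' entry if one exists.
delete_tomcat_entry() {
  if "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
       -alias "$ALIAS" >/dev/null 2>&1; then
    "$KEYTOOL" -delete -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS"
  fi
}

# Case B step 4 / Case C step 7: import the chain root first, one alias per file.
# keytool asks "Trust this certificate?" only when it cannot chain the file to a
# certificate already in the store, i.e. for the self-signed root; a prompt on any
# later file means the files or their order are wrong, as the article warns.
import_chain() {
  i=0
  for f in "$@"; do
    i=$((i + 1))
    "$KEYTOOL" -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
      -alias "chain$i" -file "$f"
  done
}

# Case A / Case B step 5: copy the server key pair into the DPA keystore under the
# alias tomcat. The source is the administrator's .jks/.p12/.pfx (Case A) or a
# PKCS#12 built by bundle_p12 (Case B); 'keytool -list' shows the source alias.
import_keypair() { # src_store src_type(JKS|PKCS12) src_pass src_alias
  "$KEYTOOL" -importkeystore \
    -srckeystore "$1" -srcstoretype "$2" -srcstorepass "$3" -srcalias "$4" \
    -destkeystore "$KEYSTORE" -deststoretype JKS -deststorepass "$STOREPASS" \
    -destalias "$ALIAS" -destkeypass "$STOREPASS"
}

# Case B helper: bundle a PEM certificate and its private key into PKCS#12.
bundle_p12() { # cert.pem key.pem out.p12 p12_pass
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "$ALIAS" -out "$3" -passout "pass:$4"
}

# Case C steps 4-5: RSA-2048 key pair plus a CSR. A SAN entry is added on top of
# the CN because browsers match the host name against SAN, not the CN alone.
gen_keypair_and_csr() { # fqdn org csr_out
  "$KEYTOOL" -genkeypair -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
    -keyalg RSA -keysize 2048 -keypass "$STOREPASS" -dname "CN=$1, O=$2" -ext "SAN=dns:$1"
  "$KEYTOOL" -certreq -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
    -ext "SAN=dns:$1" -file "$3"
}

# Case C step 8: install the CA reply on the tomcat key entry. keytool refuses a
# single-certificate reply it cannot chain to the trusted certificates in the store.
import_ca_reply() { # signed_cert_file
  "$KEYTOOL" -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias "$ALIAS" -file "$1"
}

# Case A step 6 / Case B step 5.4: attributes to add to the Tomcat Connector in
# server.xml. Prints nothing and returns 1 when both passwords are still the
# default, because then no edit is needed. Values are quoted: server.xml is XML.
connector_attrs() { # keystore_pass key_pass
  if [ "$1" = changeit ] && [ "$2" = changeit ]; then
    return 1
  fi
  printf 'keystorePass="%s" keyPass="%s"\n' "$1" "$2"
}

# After restarting DPA: confirm the listener now serves the CA-signed certificate.
# The port is whatever the HTTPS Connector in server.xml uses.
verify_listener() { # host port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Case C in two phases, because the CSR goes to the CA in between:
#   sh dpa-keystore.sh csr dpa.example.com "Example Org"      -> dpa.example.com.csr
#   sh dpa-keystore.sh install reply.cer root.cer intermediate.cer
case "${1:-}" in
  csr)     backup_keystore; delete_tomcat_entry; gen_keypair_and_csr "$2" "$3" "$2.csr" ;;
  install) reply=$2; shift 2; backup_keystore; import_chain "$@"; import_ca_reply "$reply" ;;
esac
```

For Case B, call bundle_p12 on the certificate and key your administrator gave you, then import_keypair with the resulting file, PKCS12, the export password and the alias tomcat, after import_chain has loaded the root and intermediates. Whatever connector_attrs prints ends up in server.xml in clear text, so restrict read access to that file to the account DPA runs as.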


Last modified
11:04, 1 Aug 2017
