IBM Support

Configuring SSL connections for Tivoli Endpoint Manager Security and Compliance Analytics

Technote (troubleshooting)


Problem(Abstract)

The following document describes creating SSL connections for different configurations including Java keystores, self-signed certificates, certificates from a CA authority, using PEM files, and using PKCS12 files.

Resolving the problem

IMPORTANT Note: These instructions should ONLY be applied to SCA 1.0.x installations. For instructions on setting up SSL on all later versions of SCA, see the SCA Setup Guide: http://pic.dhe.ibm.com/infocenter/tivihelp/v26r1/topic/com.ibm.tem.doc_9.0/SCA_Setup_Guide_PDF.pdf

  • Carefully review the following document and select the process that best describes your environment.


    I know how to create Java keystores.

    Pre-requisites:
    • You have system access to the TEMA server.
    • The keytool binary from the JDK distribution is in your path.

    Steps:
    1. Let tema.jks refer to your java keystore.
    Let <pw_keystore> refer to your keystore password.
    Let <pw_privatekey> refer to your private key password.

    2. Copy tema.jks to <tema installation directory>\config\keystore

    3. Generate obfuscated passwords for the keystore and private key.
    cd <tema installation directory>\lib
    java -cp jetty-6.1.21.jar;jetty-util-6.1.21.jar org.mortbay.jetty.security.Password <pw_keystore>
    java -cp jetty-6.1.21.jar;jetty-util-6.1.21.jar org.mortbay.jetty.security.Password <pw_privatekey>

    4. Open <tema installation directory>\config\jetty-ssl.xml with a text editor.
    Replace the keystore password with the obfuscated version by changing:
    <Set name="password">bigfix</Set>
    to
    <Set name="password">OBF:________</Set>

    Replace the private key password with the obfuscated version by changing:
    <Set name="keyPassword">bigfix</Set>
    to
    <Set name="keyPassword">OBF:________</Set>

    Save the file.

    5. Open a command prompt and run the commands:
    cd <tema installation directory>
    tema stop
    tema uninstall
    tema install config\jetty-ssl.xml
    tema start


    I do not know how to create Java keystores AND I want to use a self-signed certificate.


    Pre-requisites:
    • You have system access to the TEMA server.
    • The keytool binary from the JDK distribution is in your path.

    Steps:
    1. Create a self-signed certificate.
    keytool -genkeypair -alias tema -keyalg RSA -keystore tema.jks
    This will prompt you for a password to protect your keystore. We will refer to this password as <pw_keystore>.

    You will then be prompted for the parts of an X.500 distinguished name.
    For the question "What is your first and last name?", you must enter the DNS name that TEMA clients will use to connect to the application server, for example tema.example.com.

    Finally, you will be prompted for a password to protect your private key. We will refer to this password as <pw_privatekey>.

    2. Copy tema.jks to <tema installation directory>\config\keystore

    3. Generate obfuscated passwords for the keystore and private key.
    cd <tema installation directory>\lib
    java -cp jetty-6.1.21.jar;jetty-util-6.1.21.jar org.mortbay.jetty.security.Password <pw_keystore>
    java -cp jetty-6.1.21.jar;jetty-util-6.1.21.jar org.mortbay.jetty.security.Password <pw_privatekey>

    4. Open <tema installation directory>\config\jetty-ssl.xml with a text editor.
    Replace the keystore password with the obfuscated version by changing:
    <Set name="password">bigfix</Set>
    to
    <Set name="password">OBF:________</Set>

    Replace the private key password with the obfuscated version by changing:
    <Set name="keyPassword">bigfix</Set>
    to
    <Set name="keyPassword">OBF:________</Set>

    Save the file.

    5. Open a command prompt and run the commands:
    cd <tema installation directory>
    tema stop
    tema uninstall
    tema install config\jetty-ssl.xml
    tema start


    I do not know how to create Java keystores AND I want to use a signed certificate from a known certificate authority AND I do not have an existing procedure for creating and signing SSL certificates.


    Pre-requisites:
    • You have system access to the TEMA server.
    • The keytool binary from the JDK distribution is in your path.

    Steps:
    1. Create a private key.
    keytool -genkey -alias tema -keyalg RSA -keystore tema.jks
    This will prompt you for a password to protect your keystore. We will refer to this password as <pw_keystore>.

    You will then be prompted for the parts of an X.500 distinguished name.
    For the question "What is your first and last name?", you must enter the DNS name that TEMA clients will use to connect to the application server, for example tema.example.com.

    Finally, you will be prompted for a password to protect your private key. We will refer to this password as <pw_privatekey>.

    2. Generate a certificate signing request.
    keytool -certreq -alias tema -keystore tema.jks -file tema.csr
    You will be prompted for the keystore password (<pw_keystore>) and private key password (<pw_privatekey>).

    The file tema.csr is a PEM-encoded Certificate Signing Request.
    Submit this file to your chosen certificate authority. They should return a signed certificate to you. We will refer to the signed certificate file as tema.crt.

    3. Add the certificate to the keystore.
    keytool -import -alias tema -keystore tema.jks -file tema.crt -trustcacerts

    4. Copy tema.jks to <tema installation directory>\config\keystore

    5. Generate obfuscated passwords for the keystore and private key.
    cd <tema installation directory>\lib
    java -cp jetty-6.1.21.jar;jetty-util-6.1.21.jar org.mortbay.jetty.security.Password <pw_keystore>
    java -cp jetty-6.1.21.jar;jetty-util-6.1.21.jar org.mortbay.jetty.security.Password <pw_privatekey>

    6. Open <tema installation directory>\config\jetty-ssl.xml with a text editor.
    Replace the keystore password with the obfuscated version by changing:
    <Set name="password">bigfix</Set>
    to
    <Set name="password">OBF:________</Set>

    Replace the private key password with the obfuscated version by changing:
    <Set name="keyPassword">bigfix</Set>
    to
    <Set name="keyPassword">OBF:________</Set>

    Save the file.

    7. Open a command prompt and run the commands:
    cd <tema installation directory>
    tema stop
    tema uninstall
    tema install config\jetty-ssl.xml
    tema start


    I do not know how to create Java keystores AND I want to use a signed certificate from a known certificate authority AND I have an existing procedure for creating and signing SSL certificates AND I have a PEM-encoded private key and certificate.


    Pre-requisites:
    • You have system access to the TEMA server.
    • The keytool binary from the JDK distribution is in your path.

    Steps:
    1. Combine the key and certificate into a PKCS12 file.
    To complete this step, you need access to a machine with openssl installed. It does not have to be installed on the TEMA server.
    Let tema.key refer to your private key and tema.crt refer to your certificate.
    openssl pkcs12 -inkey tema.key -in tema.crt -export -out tema.pkcs12

    2. Convert PKCS12 into a keystore.
    keytool -importkeystore -srckeystore tema.pkcs12 -srcstoretype PKCS12 -destkeystore tema.jks

    3. Copy tema.jks to <tema installation directory>\config\keystore

    4. Generate obfuscated passwords for the keystore and private key.
    cd <tema installation directory>\lib
    java -cp jetty-6.1.21.jar;jetty-util-6.1.21.jar org.mortbay.jetty.security.Password <pw_keystore>
    java -cp jetty-6.1.21.jar;jetty-util-6.1.21.jar org.mortbay.jetty.security.Password <pw_privatekey>

    5. Open <tema installation directory>\config\jetty-ssl.xml with a text editor.
    Replace the keystore password with the obfuscated version by changing:
    <Set name="password">bigfix</Set>
    to
    <Set name="password">OBF:________</Set>

    Replace the private key password with the obfuscated version by changing:
    <Set name="keyPassword">bigfix</Set>
    to
    <Set name="keyPassword">OBF:________</Set>

    Save the file.

    6. Open a command prompt and run the commands:
    cd <tema installation directory>
    tema stop
    tema uninstall
    tema install config\jetty-ssl.xml
    tema start


    I do not know how to create Java keystores AND I want to use a signed certificate from a known certificate authority AND I have an existing procedure for creating and signing SSL certificates AND I have a PKCS12 file containing the combined private key and certificate.


    Pre-requisites:
    • You have system access to the TEMA server.
    • The keytool binary from the JDK distribution is in your path.

    Steps:
    1. Convert the PKCS12 file into a keystore.
    Let tema.pkcs12 refer to your PKCS12 file.
    keytool -importkeystore -srckeystore tema.pkcs12 -srcstoretype PKCS12 -destkeystore tema.jks

    2. Copy tema.jks to <tema installation directory>\config\keystore

    3. Generate obfuscated passwords for the keystore and private key.
    cd <tema installation directory>\lib
    java -cp jetty-6.1.21.jar;jetty-util-6.1.21.jar org.mortbay.jetty.security.Password <pw_keystore>
    java -cp jetty-6.1.21.jar;jetty-util-6.1.21.jar org.mortbay.jetty.security.Password <pw_privatekey>

    4. Open <tema installation directory>\config\jetty-ssl.xml with a text editor.
    Replace the keystore password with the obfuscated version by changing:
    <Set name="password">bigfix</Set>
    to
    <Set name="password">OBF:________</Set>

    Replace the private key password with the obfuscated version by changing:
    <Set name="keyPassword">bigfix</Set>
    to
    <Set name="keyPassword">OBF:________</Set>

    Save the file.

    5. Open a command prompt and run the commands:
    cd <tema installation directory>
    tema stop
    tema uninstall
    tema install config\jetty-ssl.xml
    tema start
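
    The "Generate obfuscated passwords" and "edit jetty-ssl.xml" steps that every procedure above shares have one point worth seeing in code: the OBF: form that org.mortbay.jetty.security.Password prints is a reversible encoding, not encryption, so the edited jetty-ssl.xml protects the keystore and private key passwords only as well as the file's own permissions do. The Python below is an added example, not IBM or Jetty code. It reimplements the Jetty 6 obfuscation algorithm (restricted to ASCII passwords, an assumption for this example), rewrites the two <Set> elements in a jetty-ssl.xml document, and checks that no plaintext password value is left behind. The sample jetty-ssl.xml fragment, its keystore path and the passwords in it are constructed for the example.

```python
"""Jetty 6 password obfuscation and jetty-ssl.xml rewriting.

Added example for the technote, not IBM or Jetty code. obfuscate() and
deobfuscate() follow the Jetty 6 Password class; the XML helpers apply
the result to the <Set name="password"> and <Set name="keyPassword">
elements the technote tells you to edit.
"""
import xml.etree.ElementTree as ET

OBF_PREFIX = "OBF:"
PASSWORD_SETS = ("password", "keyPassword")


def _base36(n: int) -> str:
    """Lowercase base-36 digits, matching Java's Integer.toString(n, 36)."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = digits[r] + out
    return out or "0"


def obfuscate(password: str) -> str:
    """Encode a password the way Jetty 6's Password.obfuscate does.

    Each byte is mixed with its mirror-image byte and written as a
    zero-padded four-character base-36 group, so the output is
    4 + 4 * len(password) characters. Assumption: ASCII input (Jetty 6
    used the platform charset and indexed bytes by character position).
    """
    if not password.isascii():
        raise ValueError("this example handles ASCII passwords only")
    data = password.encode("ascii")
    n = len(data)
    groups = [OBF_PREFIX]
    for i in range(n):
        b1 = data[i]
        b2 = data[n - (i + 1)]
        i1 = 127 + b1 + b2
        i2 = 127 + b1 - b2
        groups.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(groups)


def deobfuscate(obf: str) -> str:
    """Reverse obfuscate(): the OBF: string carries the password in full."""
    if obf.startswith(OBF_PREFIX):
        obf = obf[len(OBF_PREFIX):]
    out = bytearray()
    for i in range(0, len(obf), 4):
        i0 = int(obf[i:i + 4], 36)
        i1, i2 = divmod(i0, 256)
        out.append((i1 + i2 - 254) // 2)   # recovers b1 from i1 + i2
    return out.decode("ascii")


def rewrite_jetty_ssl(xml_text: str, keystore_pw: str, key_pw: str) -> str:
    """Return the XML with both password <Set> values replaced by OBF: strings."""
    root = ET.fromstring(xml_text)
    wanted = {"password": obfuscate(keystore_pw), "keyPassword": obfuscate(key_pw)}
    for elem in root.iter("Set"):
        if elem.get("name") in wanted:
            elem.text = wanted[elem.get("name")]
    return ET.tostring(root, encoding="unicode")


def plaintext_password_sets(xml_text: str) -> list:
    """Names of password <Set> elements whose value is not OBF:-encoded."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.iter("Set")
            if e.get("name") in PASSWORD_SETS
            and not (e.text or "").startswith(OBF_PREFIX)]


# Constructed fragment in the shape of jetty-ssl.xml; path and values are placeholders.
SAMPLE_JETTY_SSL = """<Configure id="Server" class="org.mortbay.jetty.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.mortbay.jetty.security.SslSocketConnector">
        <Set name="keystore">config/keystore/tema.jks</Set>
        <Set name="password">bigfix</Set>
        <Set name="keyPassword">bigfix</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

if __name__ == "__main__":
    print("still plaintext:", plaintext_password_sets(SAMPLE_JETTY_SSL))
    fixed = rewrite_jetty_ssl(SAMPLE_JETTY_SSL, "example-keystore-pw", "example-key-pw")
    print(fixed)
    print("still plaintext after rewrite:", plaintext_password_sets(fixed))
    print("decoded:", deobfuscate(obfuscate("example-keystore-pw")))
```

    Because deobfuscate() needs no secret, treat jetty-ssl.xml with the same file permissions you would give the keystore itself. ElementTree drops the DOCTYPE line of a real jetty-ssl.xml when it serializes, so on a live file keep the header and apply the two OBF: values by hand as the procedures above describe.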

  • Historical Number

    1783

    Document information

    More support for: IBM BigFix family

    Software version: All Versions

    Operating system(s): Platform Independent

    Reference #: 1506244

    Modified date: 01 November 2011
