Example - Generating A Server Certificate With OpenSSL

Uploaded by

R2D2 Sanshiro

The following example describes how to create a signed server certificate using
the OpenSSL toolkit as a private certificate authority. This example also uses the
keytool utility available with the Sun Microsystems™ standard Java Development
Kit. You can use a server certificate to enable SSL encryption from the Service
Manager server.

Note
The information contained in this example regarding OpenSSL technology is
provided as a courtesy to our customers and partners. This documentation does not
replace an OpenSSL reference, and we encourage you to conduct additional
research regarding OpenSSL technology by consulting with sources outside of this
document. We hereby disclaim all liability associated with the use and accuracy of
this information. As OpenSSL technology evolves, we may or may not update this
reference.

1. Obtain and install a Java platform on the server you want to use as your private
certificate authority. See the Sun Microsystems™ Java Technology site for the
necessary software and documentation.
2. Obtain and install OpenSSL on the server you want to use as your private
certificate authority. See the OpenSSL Web site for the necessary software and
documentation.

Caution
Micro Focus strongly recommends that you do not install your private certificate authority on the same server as
your Service Manager production server.

3. Create and configure an openssl.conf file in the bin folder of your OpenSSL installation.
4. Open the operating system's command prompt on the private certificate authority server.
5. Change directories to the OpenSSL bin folder.
6. Type the following command to create the private key for your private certificate authority:

openssl genrsa -des3 -out cakey.pem 2048

7. When OpenSSL prompts you, type the password phrase you want to use to protect your certificate authority's
private key file (cakey.pem). For example, CAKeyPassword.

You must use the same password phrase each time you sign a certificate request with your private certificate
authority. If you forget this password, you must repeat the steps to create another certificate authority private
key.
8. Type the following command to create a public certificate for your private certificate authority:

openssl req -new -key cakey.pem -sha256 -x509 -days 1095 -out mycacert.pem -config .\openssl.conf

9. Change directories to the Java platform's bin folder.


10. Type the following command to import your private certificate authority's certificate into the Java cacerts file
that you will publish to the rest of your network.

keytool -import -keystore ./cacerts -trustcacerts -file mycacert.pem -storepass changeit

11. When keytool prompts you, type y to trust the private certificate authority's certificate.
12. Install the updated Java cacerts file on the Service Manager server. Copy the cacerts file to the RUN folder of
the Service Manager server. You can also copy the cacerts file to the JRE\lib\security folder of your Java Run
Time Environment (RTE) or Java Development Kit (JDK).
13. Install the updated Java cacerts file on the Service Manager web tier. Copy the cacerts file to the <web
application server installation path>\WEB-INF folder of the Service Manager web tier.

14. Install the updated Java cacerts file on the Service Manager Windows client. Copy the cacerts file to the
<Windows client installation path>\plugins\com.hp.ov.sm.client.common_x.xx folder of
the Service Manager Windows client.
15. Change directories to the Java platform's bin folder.
16. Type the following command to create a private key and keystore for your Service Manager server.
keytool -genkey -keyalg RSA -alias myserver -keystore servercert.keystore

Note
We recommend that the keyalg parameter use a value of RSA rather than the default of DSA. Doing so allows
your TLS communications to use the stronger ECDHE cipher suites which are not vulnerable to Logjam attacks
(CVE-2015-4000).
17. When keytool prompts you, type the password phrase you want to use to protect your Service Manager server's
keystore file. For example, SMServerKeyPassword.

Note
Do not use the same password as your private certificate authority key password.

18. When keytool prompts you for your first and last name, type the fully qualified host name of your Service
Manager server system.

Note
This is the same name your clients will use to connect to the Service Manager server.

19. When keytool prompts you for the organization unit, organization, city or locality, state or province, and two-
letter country code, type the identification information for your company.
20. Verify the information you provided and type yes if it is correct.
21. When keytool prompts you for the password phrase to use for your Service Manager server's private key, press
ENTER to use the same password as you created for the keystore.

Note
The password for the private key must match the password for the keystore file.

22. Type the following command to create a certificate request for your Service Manager server. For example, to
create a certificate request for your Service Manager server type:
keytool -certreq -alias myserver -keystore servercert.keystore -file smse

23. When keytool prompts you, type the password for the Service Manager server's keystore file (from step 17). For
example, SMServerKeyPassword.
24. Copy the Service Manager server's certificate request (for example, smserver_certrequest.crs) to the
OpenSSL bin folder.
25. Change directories to the OpenSSL bin folder.
26. Type the following command to sign the Service Manager server's certificate request with your private
certificate authority:

openssl x509 -req -days 365 -sha256 -in smserver_certrequest.crs -CA mycacert.pem -CAkey cakey.pem -CAcreateserial -out smserver_cert.pem

27. When OpenSSL prompts you, type the password for your certificate authority's private key. For example,
CAKeyPassword.

OpenSSL stores the new signed certificate (smserver_cert.pem) in the newcerts directory.

Tip
To view the contents of the signed certificate, you can type the following command:
openssl x509 -in smserver_cert.pem -text -noout

28. Copy the signed client certificate (smserver_cert.pem) to the OpenSSL server's Java platform bin folder.
29. Open the operating system's command prompt.
30. Change directories to the Java platform's bin folder.
31. Type the following command to import the Service Manager server's signed certificate into the server keystore.

keytool -import -trustcacerts -alias myservercert -keystore ./servercert.keystore -file smserver_cert.pem

32. When keytool prompts you to trust the private certificate authority's certificate, type y.
33. When keytool prompts you, type the password to your server's keystore file. For example,
SMServerKeyPassword.
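
The script below is an added example, not part of the original procedure or of Micro Focus code: it shows checks worth running on smserver_cert.pem after step 26 and before the import in step 31 (chain to the private CA, host name match from step 18, expiry, and signature digest). The function names verify_server_cert and build_demo_pki and the host sm.example.test are hypothetical, and the demo creates the server key and request with openssl rather than keytool so that it runs without a JDK.

```shell
#!/bin/sh
# Added example (not vendor code). File names follow the page; the host
# name and demo subjects are constructed.

# verify_server_cert CA_CERT SERVER_CERT EXPECTED_HOST -> 0 only if all checks pass
verify_server_cert() {
    ca=$1; cert=$2; host=$3
    # 1. The certificate must chain to the private CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert is not signed by $ca" >&2; return 1; }
    # 2. The subject must match the name clients connect to (step 18).
    openssl x509 -in "$cert" -noout -checkhost "$host" \
        | grep -q "does match certificate" \
        || { echo "FAIL: certificate does not match $host" >&2; return 1; }
    # 3. The certificate must not have expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired" >&2; return 1; }
    # 4. The signature digest must not be MD5 or SHA-1 (the page signs with -sha256).
    if openssl x509 -in "$cert" -noout -text \
        | grep -Eqi "Signature Algorithm:.*(md5|sha1)"; then
        echo "FAIL: weak signature digest" >&2; return 1
    fi
    echo "OK: $cert chains to $ca and matches $host"
}

# build_demo_pki DIR HOST: throwaway, unencrypted demo keys (constructed data).
# Assumption: the server key and request are made with openssl instead of
# keytool so the demo needs no JDK.
build_demo_pki() {
    d=$1; h=$2
    openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$d/cakey.pem" -sha256 -days 1095 \
        -subj "/CN=Demo Private CA" -out "$d/mycacert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -subj "/CN=$h" -out "$d/smserver_certrequest.crs" 2>/dev/null &&
    openssl x509 -req -days 365 -sha256 -in "$d/smserver_certrequest.crs" \
        -CA "$d/mycacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -out "$d/smserver_cert.pem" 2>/dev/null
}

# Demo: run this file with the single argument "demo".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && build_demo_pki "$tmp" sm.example.test &&
        verify_server_cert "$tmp/mycacert.pem" "$tmp/smserver_cert.pem" sm.example.test
    rm -rf "$tmp"
fi
```

Against the real files from the procedure, call verify_server_cert mycacert.pem smserver_cert.pem followed by the fully qualified host name entered in step 18.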

Related topics
Example: Enabling required SSL encryption

Example: Enabling required SSL encryption and client authentication

Example: Enabling required SSL encryption and trusted clients

Example: Enabling trusted sign-on

Example: Viewing the contents of a cacerts file

Java Technology Web site

OpenSSL Web site

Secure Sockets Layer (SSL) encryption and server certificates

What are PEM files?

What is a cacerts file?

Update the cacerts keystore file
© 1994 - 2018 Micro Focus or one of its affiliates
