The Fabric Manager user interface needs a valid certificate in order to start. Complete the entire procedure before restarting Fabric Manager.
The Fabric Management Platform is shipped with a default RSA keypair and self-signed certificate so that initial operations are protected by Secure Sockets Layer (SSL)/Transport Layer Security (TLS). A key that ships with the product cannot be assumed to be unique to your installation, and a self-signed certificate gives clients no way to verify the platform's identity. Unisys therefore recommends that you generate a new RSA keypair and request and install a Certificate Authority (CA) signed certificate to replace the shipped defaults.
Note: In the following procedures, # represents a command prompt. You do not need to type it.
Generating a New RSA Keypair and Certificate Authority-Signed Certificate
To update Fabric Manager with a new RSA keypair and Certificate Authority-signed certificate, refer to the following instructions:
1. Launch a virtual console from the Fabric Management Platform console and log in as root.
2. Navigate to the ssl directory by entering the following command:
# cd /usr/local/ffm/apache2/conf/ssl
3. Enter the following command to set the ALTNAME environment variable. The OpenSSL configuration file used in step 4 takes the Subject Alternative Name (SAN) entries of the certificate, that is, the Domain Name System (DNS) name and IP address of the platform, from this variable.
Note: Angular brackets (< >) are used to represent variable data. Do not include them in the following command.
# export ALTNAME=DNS:<hostname>,IP:<FMP_IP>,DNS:localhost,IP:127.0.0.1
where <hostname> is the fully qualified host name of the Fabric Management Platform and <FMP_IP> is the IP address of the Fabric Management Platform.
Use the IP address through which the Fabric Management Platform is accessed remotely; clients that connect by an address not listed in the certificate will get a name-mismatch error. See Fabric Management Platform IP Addresses for the available options.
Table 1. Fabric Management Platform IP Addresses

Component | Static IP address | Floating IP address
---|---|---
Customer corporate LAN (public LAN) | |
ClearPath Forward Management LAN (FM LAN) | |

Note: The FM LAN subnet prefix (172.29 by default) can be changed by the Fabric Manager administrator, but the last two octets of each address (254.252, 253.252 and 254.60) remain constant. For example, if the FM LAN subnet prefix changes from 172.29 to 172.80, the static and floating FM LAN IP addresses become 172.80.254.252, 172.80.253.252 and 172.80.254.60.
4. Enter the following command to create the private key (localhost.key) and a certificate signing request (localhost.pem):
# openssl req -newkey rsa:2048 -keyout localhost.key -out localhost.pem -config /etc/ssl/ffm_openssl.cnf -extensions v3_req
The two files localhost.key and localhost.pem are created. Before you send the request anywhere, display it with openssl and confirm that its Subject Alternative Name extension lists the entries from ALTNAME; a certificate issued without them will not match the platform's host name or IP address.
Notes:
If this step prompted for a passphrase, the passphrase must be removed so that an autostarted service can use the key: continue with step 5.
If this step did not prompt for a passphrase, continue with step 6.
If you need to regenerate the public and private keys, use the command above. If you only want to renew the certificate for the existing key, use the following command instead and then continue with step 6:
# openssl x509 -x509toreq -in localhost.crt -out localhost.pem -signkey localhost.key
Depending on the OpenSSL version, a request produced this way may not carry the extensions of the original certificate, so check its Subject Alternative Name entries as described above before submitting it.
5. Enter the following commands to remove the passphrase from the key:
# mv localhost.key localhost.key.org
# openssl rsa -in localhost.key.org -out localhost.key
Note: Enter the passphrase from step 4 when prompted. The resulting localhost.key is unencrypted; it must remain readable by root only.
6. Submit the localhost.pem file to an appropriate Certificate Authority, which returns the signed certificate as a localhost.crt file.
Note: The certificate must be in PEM format for the openssl pkcs12 commands in step 7 and step 9 to work. If the Certificate Authority returns it in another format (for example DER), use the openssl x509 command to convert it to PEM format first.
7. To create the certificate store for local access, enter the following command to export the key and the certificate received from the Certificate Authority in step 6 to PKCS12 format:
# openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
The localhost.pfx file is created.
Note: Do not enter an export password when prompted. Because this file holds the private key without protection, make sure it stays readable by root only.
8. Enter the following command to verify that the files have been created:
# ls -l
The three files localhost.key, localhost.crt, and localhost.pfx are listed with the current date and time.
9. To create the certificate store for remote web services, enter the following command to export the key and the certificate received from the Certificate Authority in step 6 to PKCS12 format:
# openssl pkcs12 -export -out ffm_fmws.pfx -inkey localhost.key -in localhost.crt
The ffm_fmws.pfx file is created.
Note: Enter an export password when prompted. It is required in step 10.
10. Import the PKCS12 file (ffm_fmws.pfx) into the jetty keystore as follows:
# keytool -importkeystore -srckeystore ffm_fmws.pfx -srcstoretype PKCS12 -destkeystore ffm_fmws_keystore.jks
Notes:
You are asked for a destination keystore password and for the export password from step 9. Use the same keystore password in step 14.
If this is a redundant FMP configuration (HA), install this certificate on both FMPs in the same directory. You may need to copy the file manually to the second FMP and perform steps 11 through 15 on each FMP before restarting Fabric Manager services.
11. Navigate to the etc directory by entering the following command:
# cd /usr/local/ffm/jetty/etc
12. Move the keystore file to /usr/local/ffm/jetty/etc (the current directory) as follows:
# mv /usr/local/ffm/apache2/conf/ssl/ffm_fmws_keystore.jks ffm_fmws_keystore.jks
13. Navigate to the lib directory by entering the following command:
# cd /usr/local/ffm/jetty/lib
14. Generate the OBF form of the keystore password you entered in step 10. In the command, me is the user name argument of the Jetty Password tool; it only affects the CRYPT line of the output.
Note: Angular brackets (< >) are used to represent variable data. Do not include them in the following command.
# java -cp jetty-util-7.6.8.v20121106.jar org.eclipse.jetty.util.security.Password me <keystore password>
where <keystore password> is the keystore password entered in step 10.
The command prints the password in OBF, MD5, and CRYPT form, for example:
OBF:19iy19j019j219j419j619j8
MD5:e10adc3949ba59abbe56e057f20f883e
CRYPT:meYmEekhPnz3w
Note: This procedure uses the OBF form, which is the only form Fabric Manager uses for SSL certificates in a jetty configuration. OBF is reversible obfuscation, not encryption: anyone who can read jetty-ssl.xml can recover the keystore password from it, so keep that file readable by root only.
15. Paste the OBF value into the jetty-ssl.xml file (/usr/local/ffm/jetty/etc/jetty-ssl.xml) as the KeyStorePassword, KeyManagerPassword and TrustStorePassword values of the ssl context factory configuration with ID "sslContextFactoryClientAuth", as shown below. Only the settings that change are shown; leave the rest of the element, including its closing tag, as it is.
Note: In this case the angular brackets (< >) are part of the XML and must be kept.
<New id="sslContextFactoryClientAuth" class="org.eclipse.jetty.http.ssl.SslContextFactory">
  <Set name="KeyStorePassword">OBF:19iy19j019j219j419j619j8</Set>
  <Set name="KeyManagerPassword">OBF:19iy19j019j219j419j619j8</Set>
  <Set name="TrustStore"><Property name="jetty.home" default="." />/etc/ffm_fmws_keystore.jks</Set>
  <Set name="TrustStorePassword">OBF:19iy19j019j219j419j619j8</Set>
If you are configuring mutual authentication for web services at this time, do not restart Fabric Manager services yet—proceed to the “Adding Certificate Authorities for Mutual Authentication” subsection, and then restart Fabric Manager services at the end of that subsection.
16. Enter the following command to restart the Fabric Manager services:
# rcffmservices restart
The Fabric Manager services are restarted.
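The OBF values pasted into jetty-ssl.xml in steps 14 and 15 (and in the corresponding steps of the self-signed procedure that follows) are produced by Jetty's Password tool with a fixed, keyless transformation. The following Python reimplementation of that transformation is an added example, not code from this documentation or from Jetty; it exists to show that the value is recoverable by anyone who can read the file. It reproduces the page's sample output for the password 123456 (the MD5 line printed by the tool is the MD5 of the same password) and decodes the sample value in the self-signed procedure, OBF:1x7w1ta81vup1vul1ta61x8y, which turns out to be the six-character sample password ffmkey.

```python
"""Jetty OBF password obfuscation, reimplemented from the algorithm of
org.eclipse.jetty.util.security.Password (added example, not Jetty's code)."""
import hashlib


def _base36(n: int) -> str:
    """Lower-case base-36, matching Java's Integer.toString(n, 36)."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = digits[r] + out
    return out or "0"


def jetty_obfuscate(password: str) -> str:
    """Password.obfuscate(): each byte is mixed with its mirror byte from the
    other end of the string and written as four base-36 digits."""
    b = password.encode("utf-8")
    n = len(b)
    chunks = []
    for i in range(n):
        b1, b2 = b[i], b[n - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:
            # Java sees a negative byte here and emits a 'U' chunk instead
            chunks.append("U" + _base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            chunks.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return "OBF:" + "".join(chunks)


def jetty_deobfuscate(obf: str) -> str:
    """Password.deobfuscate(): the exact inverse, which is why an OBF: value
    protects nothing against a reader of jetty-ssl.xml."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            i0 = int(s[i + 1:i + 5], 36)
            out.append((i0 >> 8) & 0xFF)        # high byte is the original byte
            i += 5
        else:
            i0 = int(s[i:i + 4], 36)
            i1, i2 = divmod(i0, 256)
            out.append((i1 + i2 - 254) // 2)   # i1 + i2 == 254 + 2*b1
            i += 4
    return out.decode("utf-8")


def jetty_password_tool(user: str, password: str) -> dict:
    """The OBF and MD5 lines printed by
    `java -cp jetty-util-*.jar org.eclipse.jetty.util.security.Password <user> <password>`.
    The CRYPT line (crypt(3) salted with the user name) is left out here."""
    return {
        "OBF": jetty_obfuscate(password),
        "MD5": "MD5:" + hashlib.md5(password.encode("utf-8")).hexdigest(),
    }


if __name__ == "__main__":
    print(jetty_password_tool("me", "123456"))
    print(jetty_deobfuscate("OBF:1x7w1ta81vup1vul1ta61x8y"))
```

The practical consequence is that the OBF form only keeps the password out of a casual glance at the configuration; file permissions on jetty-ssl.xml and on the keystore itself are what actually protect the key.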
Generating a New RSA Keypair and Self-Signed Certificate for Internal Deployment and Testing
The Fabric Manager user interface needs a valid certificate in order to start. Complete the entire procedure before restarting Fabric Manager.
For best security practice, Unisys recommends that you generate a new RSA keypair and request and install a Certificate Authority (CA) signed certificate to replace the defaults shipped with the platform. For internal deployment and testing you may instead generate and install a self-signed certificate; clients have no way to verify such a certificate beyond trusting it explicitly, so replace it with a Certificate Authority-signed certificate before any production deployment. See "Generating a New RSA Keypair and Certificate Authority-Signed Certificate" at the beginning of this section.
To update Fabric Manager with a new RSA keypair and self-signed certificate, refer to the following instructions:
1. Launch a virtual console from the Fabric Management Platform console and log in as root.
2. Navigate to the ssl directory by entering the following command:
# cd /usr/local/ffm/apache2/conf/ssl
3. Enter the following command to set the ALTNAME environment variable, from which the OpenSSL configuration file used in step 4 takes the Subject Alternative Name (SAN) entries, that is, the DNS name and IP address of the platform.
Note: Angular brackets (< >) are used to represent variable data. Do not include them in the following command.
# export ALTNAME=DNS:<hostname>,IP:<FMP_IP>,DNS:localhost,IP:127.0.0.1
where <hostname> is the fully qualified host name of the Fabric Management Platform and <FMP_IP> is the IP address of the Fabric Management Platform.
Use the IP address through which the Fabric Management Platform is accessed remotely. See Fabric Management Platform IP Addresses for the available options.
4. Enter the following command to create the private key (localhost.key) and a self-signed certificate (localhost.crt); the -x509 option makes openssl issue a certificate directly instead of a certificate request:
# openssl req -x509 -sha512 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config /etc/ssl/ffm_openssl.cnf -extensions v3_req
The two files localhost.key and localhost.crt are created. Display the certificate with openssl and confirm that its Subject Alternative Name extension lists the entries from ALTNAME.
Notes:
If this step prompted for a passphrase, the passphrase must be removed so that an autostarted service can use the key: continue with step 5.
If this step did not prompt for a passphrase, continue with step 6.
5. Enter the following commands to remove the passphrase from the key:
# mv localhost.key localhost.key.org
# openssl rsa -in localhost.key.org -out localhost.key
Note: Enter the passphrase from step 4 when prompted.
6. To create the certificate store for remote web services, enter the following command to export the key and the self-signed certificate to PKCS12 format:
# openssl pkcs12 -export -out ffm_fmws.pfx -inkey localhost.key -in localhost.crt
The ffm_fmws.pfx file is created.
Note: Enter an export password when prompted. It is required in step 8.
7. Import the source keystore to a keystore of type PKCS12:
# keytool -importkeystore -srckeystore ffm_fmws.pfx -srcstoretype PKCS12
Note: As printed, this command names no destination keystore, so keytool falls back to its default keystore (.keystore in the home directory of the user running it, here root) rather than the file Fabric Manager reads. Step 8 performs the import that matters; if you ran this command, delete the copy of the key it left in that default keystore.
8. Import the PKCS12 file (ffm_fmws.pfx) into the jetty keystore as follows:
# keytool -importkeystore -srckeystore ffm_fmws.pfx -srcstoretype PKCS12 -destkeystore ffm_fmws_keystore.jks
Notes:
You are asked for a destination keystore password and for the export password from step 6. Use the same keystore password in step 12.
If this is a redundant FMP configuration (HA), install this certificate on both FMPs in the same directory. You may need to copy the file manually to the second FMP and perform steps 9 through 13 on each FMP before restarting Fabric Manager services.
9. Navigate to the etc directory by entering the following command:
# cd /usr/local/ffm/jetty/etc
10. Copy the keystore file to /usr/local/ffm/jetty/etc (the current directory, which is where jetty-ssl.xml expects it) as follows:
# cp /usr/local/ffm/apache2/conf/ssl/ffm_fmws_keystore.jks .
11. Navigate to the lib directory by entering the following command:
# cd /usr/local/ffm/jetty/lib
12. Generate the OBF form of the keystore password you entered in step 8. In the command, me is the user name argument of the Jetty Password tool; it only affects the CRYPT line of the output.
Note: Angular brackets (< >) are used to represent variable data. Do not include them in the following command.
# java -cp jetty-util-7.6.8.v20121106.jar org.eclipse.jetty.util.security.Password me <keystore password>
where <keystore password> is the keystore password entered in step 8.
The command also prints the MD5 and CRYPT forms; the OBF line is the one you need, for example:
OBF:1x7w1ta81vup1vul1ta61x8y
Note: Fabric Manager uses the OBF form only for SSL certificates in a jetty configuration. OBF is reversible, so keep jetty-ssl.xml readable by root only.
13. Paste the OBF value into the jetty-ssl.xml file (/usr/local/ffm/jetty/etc/jetty-ssl.xml) as the KeyStorePassword, KeyManagerPassword and TrustStorePassword values of the ssl context factory configuration with ID "sslContextFactoryClientAuth", as shown below. Only the settings that change are shown; leave the rest of the element, including its closing tag, as it is.
Note: In this case the angular brackets (< >) are part of the XML and must be kept.
<New id="sslContextFactoryClientAuth" class="org.eclipse.jetty.http.ssl.SslContextFactory">
  <Set name="KeyStorePassword">OBF:1x7w1ta81vup1vul1ta61x8y</Set>
  <Set name="KeyManagerPassword">OBF:1x7w1ta81vup1vul1ta61x8y</Set>
  <Set name="TrustStore"><Property name="jetty.home" default="." />/etc/ffm_fmws_keystore.jks</Set>
  <Set name="TrustStorePassword">OBF:1x7w1ta81vup1vul1ta61x8y</Set>
If you are configuring mutual authentication for web services at this time, do not restart Fabric Manager services yet—proceed to the “Adding Certificate Authorities for Mutual Authentication” subsection, and then restart Fabric Manager services at the end of that subsection.
14. Enter the following command to restart the Fabric Manager services:
# rcffmservices restart
The Fabric Manager services are restarted.
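The openssl steps of both procedures (key generation, passphrase removal, the certificate request with its Subject Alternative Name entries, the self-signed certificate, and the PKCS12 export with and without an export password) in one runnable form, using the Python cryptography package rather than the openssl command line. This is an added example, not Unisys's tooling or the ffm_openssl.cnf configuration; the host name, IP address, passphrases and the ALTNAME value are constructed sample values. It adds the check that matters before a request goes to a CA: whether openssl req places the v3_req extensions in a request depends on the configuration file and on the OpenSSL version, so the request is reopened and its SAN entries are read back rather than assumed.

```python
"""Key, CSR, passphrase removal, self-signed certificate and PKCS12 export, mirroring
the openssl steps of the Fabric Manager procedures with `cryptography`
(pip install cryptography). Added example; all values below are constructed."""
import datetime
import ipaddress
from typing import List, Optional, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtensionOID, NameOID

# Same shape as the page's ALTNAME variable; host name and address are sample values.
ALTNAME = "DNS:fmp1.example.internal,IP:10.20.30.40,DNS:localhost,IP:127.0.0.1"


def parse_altname(altname: str) -> x509.SubjectAlternativeName:
    """Turn 'DNS:a,IP:b,...' into the SAN extension the v3_req section would add."""
    names = []
    for entry in altname.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            names.append(x509.DNSName(value))
        elif kind == "IP":
            names.append(x509.IPAddress(ipaddress.ip_address(value)))
        else:
            raise ValueError("unsupported SAN entry: %r" % entry)
    return x509.SubjectAlternativeName(names)


def _pem(key: rsa.RSAPrivateKey, passphrase: Optional[bytes]) -> bytes:
    enc = (serialization.BestAvailableEncryption(passphrase) if passphrase
           else serialization.NoEncryption())
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8, enc)


def generate_key(passphrase: Optional[bytes]) -> Tuple[rsa.RSAPrivateKey, bytes]:
    """Step 4's `-newkey rsa:2048 -keyout localhost.key`, passphrase-protected if given."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key, _pem(key, passphrase)


def strip_passphrase(key_pem: bytes, passphrase: bytes) -> bytes:
    """Step 5's `openssl rsa -in localhost.key.org -out localhost.key`."""
    return _pem(serialization.load_pem_private_key(key_pem, password=passphrase), None)


def build_csr(key: rsa.RSAPrivateKey, common_name: str, altname: str) -> bytes:
    """The CA-signed procedure's localhost.pem: a request carrying the SAN extension."""
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
           .add_extension(parse_altname(altname), critical=False)
           .sign(key, hashes.SHA256()))
    return csr.public_bytes(serialization.Encoding.PEM)


def csr_san_entries(csr_pem: bytes) -> List[str]:
    """The pre-submission check: the names that will actually end up in the certificate."""
    csr = x509.load_pem_x509_csr(csr_pem)
    san = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    return [str(name.value) for name in san]


def self_sign(key: rsa.RSAPrivateKey, common_name: str, altname: str, days: int = 365) -> bytes:
    """The self-signed procedure's `openssl req -x509 -sha512 ...` output (localhost.crt)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(parse_altname(altname), critical=False)
            .sign(key, hashes.SHA512()))
    return cert.public_bytes(serialization.Encoding.PEM)


def cert_summary(cert_pem: bytes) -> dict:
    """Signature hash, self-signed flag and SAN entries, as `openssl x509 -text` would show."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    return {"hash": cert.signature_hash_algorithm.name,
            "self_signed": cert.issuer == cert.subject,
            "san": [str(n.value) for n in san]}


def export_pkcs12(key: rsa.RSAPrivateKey, cert_pem: bytes, export_password: Optional[bytes]) -> bytes:
    """`openssl pkcs12 -export`; None reproduces the empty export password of localhost.pfx."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    enc = (serialization.BestAvailableEncryption(export_password) if export_password
           else serialization.NoEncryption())
    return pkcs12.serialize_key_and_certificates(b"localhost", key, cert, None, enc)


def pkcs12_key_matches(pfx: bytes, export_password: Optional[bytes], cert_pem: bytes) -> bool:
    """Reopen the store and confirm the key and certificate in it belong together."""
    key, cert, _ = pkcs12.load_key_and_certificates(pfx, export_password)
    expected = x509.load_pem_x509_certificate(cert_pem)
    return cert == expected and key.public_key().public_numbers() == expected.public_key().public_numbers()
```

An unencrypted PKCS12 (export_password None) is exactly what step 7 of the CA-signed procedure produces for local access, and loading it back needs no password at all, which is why that file must never leave the root-only ssl directory.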