To create a signed server certificate
1. Generate a new certificate for use with the SSL protocol’s public key encryption. The key pair includes:
◦ public key published in the certificate
◦ private key accessible only by the server
The following example assumes the current directory is the directory where jdk is installed:
% <JDKInstallDir>/bin/keytool -genkeypair -alias myname -storetype PKCS12
-keystore <ServerInstallDir>/data/tls/certificate.p12 -keyalg RSA
where
◦ -genkeypair specifies to generate a new key pair.
◦ -alias specifies a name to associate with the new key entry in the keystore.
|
Ensure the alias name you specify is written down or memorable because you need to specify it again in the later steps of this procedure.
|
◦ -storetype specifies the format of the keystore. The format must be PKCS12. The server certificate cannot be read from any other type of keystore.
◦ -keystore specifies the pathname to the keystore.
|
At command run, you are prompted to specify additional information, such as the keystore and certificate passwords. The passwords are identical, and must also be specified in the mksis.privatekey.password property of the is.properties file. For more information on presented prompts, consult the keytool documentation.
|
◦ -keyalg prevents any conflicts with higher strength keys. The format must be RSA.
2. Generate a certificate signing request (CSR), and then send the request to a CA, for example:
% <JDKInstallDir>/bin/keytool -certreq -alias myname -storetype PKCS12
-keystore <ServerInstallDir>/data/tls/certificate.p12 -file data/tls/certificate.csr
where
◦ -certreq specifies to generate a CSR.
◦ -alias specifies the name of an existing entry in the store to use to create a CSR. This name is the name specified in step 1.
◦ -file specifies the path of the file to write the CSR to.
The CSR must include the following information:
◦ keystore password
◦ first and last name (this should be the fully-qualified domain name of the host machine)
◦ organizational unit/department name
◦ organization name
◦ city or locality
◦ state or province
◦ two-letter country code (for example, CA or US)
◦ key pair password (if different from keystore)
3. When retrieving the signed certificate from the CA, ensure it is in one of the following formats:
◦ DER encoded binary X.509 (.der / .cer)
◦ Base-64 encoded X.509 (.pem / .cer)
◦ PKCS #7 Certificate (.p7b)
If possible, ensure that all certificates in the certification path are in this format.
If custom Root CAs or custom Intermediate CAs (in the case of Verisign) are being used, do one of the following:
◦ Import the custom Root CA or custom Intermediate CA certificates into the certificate.p12 keystore:
% <JDKInstallDir>/bin/keytool –importcert –alias <alias> -storetype PKCS12
–keystore <ServerInstallDir>/data/tls/certificate.p12 –file <custom_ca_certificate>
where
▪ -importcert specifies to import the certificate response.
▪ -alias specifies the name of the existing entry from which to import. This name is the name specified in step 1.
▪ -file specifies the path from which to read the CA response.
◦ Obtain a PKCS #7 Certificate (.p7b) when the signed server certificate is retrieved.
4. If any custom Root CAs or custom Intermediate CAs were used, import them into the jssecacerts keystore of the Windchill RV&S server’s JDK environment, for example:
% <JDKInstallDir>/bin/keytool –importcert –alias <alias>
–keystore <JDKInstallDir>/lib/security/jssecacerts
–file <custom_ca_certificate>
where
◦ -importcert specifies to import the certificate response.
◦ -alias specifies the name of the existing entry from which to import. This name is the name specified in step 1.
◦ -file specifies the path from which to read the CA response.
|
• This command prompts for a keystore password. If the jssecacerts keystore does not exist, any password may be entered as the initial password. For future references, write down the password in a safe location.
• If the Certification Authority (CA) has updated its own Root CA certificate or Intermediate CA certificates, they must be added to the jssecacerts keystore. Due to the method which Java uses to locate keystores, all relevant CA certificates must be present in the jssecacerts keystore.
|
5. When you receive the certification, import the certificate into the keystore, for example:
% <JDKInstallDir>/bin/keytool –importcert –alias myname -storetype PKCS12
–keystore /data/tls/certificate.p12 -file data/tls/certificate.pem
where
◦ -importcert specifies to import the certificate response.
◦ -alias specifies the name of the existing entry from which to import. This name is the name specified in step 1.
◦ -file specifies the path from which to read the CA response.
6. If any custom Root CAs or custom Intermediate CAs were used, they must be imported into the jssecacerts keystore of the JDK environment for all Windchill RV&S client before connecting to the Windchill RV&S server, for example:
% <JDKInstallDir>/bin/keytool –importcert –alias <alias>
–keystore <JDKInstallDir>/lib/security/jssecacerts
-file <custom_ca_certificate>
|
The JDK installation directory is the JDK used by the Windchill RV&S client. If you are unsure of the path of this JDK, see the LAX.NL.CURRENT.VM property in the Windchill RV&S client lax file.
|
Alternately, you can distribute the jssecacerts keystore on the Windchill RV&S server to each Windchill RV&S client instead of importing the certificates. Copy the jssecacerts keystore to <JDKInstallDir>/lib/security and restart the Windchill RV&S client.
7. Ensure SSL is in effect by checking:
<WindchillRV&S ServerInstallDir>/config/properties/security.properties
If SSL is in effect, the security policy key mks.security.policy.scheme should indicate a private security policy is being used.
|
The security policy key is not set automatically. The system is not secure for all user interfaces until you set a security policy that uses _private.
For the Web client interface, a secure connection is made when users browse to https://<host name>:<ssl port>.
|