Environment
Sentinel 6.0.xx
Sentinel 6.0.xx Sentinel Server
Situation
It may be desirable in an environment to use a certificate signed by a given company's Certificate Authority (CA) rather than the self-signed certificate that Sentinel generates for itself. Sun's own documentation spells out how this is done with 'keytool' in general; the Sentinel-specific instructions below show how to apply it to the DAS Proxy keystore.
Resolution
To use a certificate signed by a Certificate Authority (CA) in the Sentinel DAS Proxy service:
The easiest way to do this is to generate a Certificate Signing Request (CSR) for the self-signed certificate that is automatically generated when DAS_Proxy starts for the first time, and then update the keystore with the CA-signed certificate returned by the CA. Because the CSR is generated from the existing key pair, the certificate the CA returns must be imported under the same alias as that keyEntry; a certificate issued for a different key pair cannot replace it. Instructions for this are described below.
NOTE: These instructions are based on the user guide for keytool, which can be found at http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html. In the commands below, <alias> is the alias of the DAS_Proxy keyEntry (by default the IP address of the local machine; see Additional Information), and the keystore password is star1111 unless it has been changed. Make a backup copy of $ESEC_HOME/config/.proxyServerKeystore before importing anything, so that a failed import can be undone.
1. - $ESEC_HOME/jre/bin/keytool -certreq -alias <alias> -keystore $ESEC_HOME/config/.proxyServerKeystore -file <request>.csr
2. - Provide the .csr file to your CA. The CA will reply with a .cer file. The next step will be to import this .cer file into your keystore file, which will replace your self-signed certificate.
3. - $ESEC_HOME/jre/bin/keytool -import -trustcacerts -alias <alias> -keystore $ESEC_HOME/config/.proxyServerKeystore -file <reply>.cer
4. - If you get an error that the certificate chain cannot be verified, this means that no valid certificate chain exists between the certificate you are trying to import and a "trusted certificate" (one already present in this keystore or, because of -trustcacerts, in the JRE's cacerts file under $ESEC_HOME/jre/lib/security). To fix this, follow the instructions in the section "Importing a Certificate for the CA" at the URL http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html, using a command similar to the following, then repeat step 3. The CA certificate must be imported under its own alias, different from <alias>: if the alias names the existing keyEntry, keytool treats the file as a certificate reply for that key, and the import fails.
4a. - $ESEC_HOME/jre/bin/keytool -import -trustcacerts -alias <ca-alias> -keystore $ESEC_HOME/config/.proxyServerKeystore -file <ca-certificate>.cer
5. - Restart the Sentinel Communication Server so that DAS_Proxy loads the new certificate from the keystore, then confirm with keytool -list (see Additional Information) that the fingerprint shown for <alias> is now that of the CA-issued certificate.
Additional Information
When the Sentinel Communication Server is started for the first time, it automatically creates a self-signed certificate that is used by the DAS_Proxy SSL Server. This certificate and its private key are stored in the file $ESEC_HOME/config/.proxyServerKeystore. The location of this file can be modified by editing the property "keystore" in the file $ESEC_HOME/config/das_proxy.xml. Because this file holds the private key and is protected only by the keystore password, whose default is published below, it should be readable only by the account that runs Sentinel, and the default password should be changed as described below.
To view the contents of this file, execute the following command:
$ESEC_HOME/jre/bin/keytool -list -keystore $ESEC_HOME/config/.proxyServerKeystore
Enter keystore password: star1111
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
10.0.0.1, Jan 8, 2008, keyEntry,
Certificate fingerprint (MD5): 22:B4:19:63:AC:2D:F9:C0:66:7F:7C:64:85:68:89:AB
The keyEntry used by the DAS_Proxy SSL Server has a default alias set to the IP of the local machine. In the example above, the alias is "10.0.0.1". To use a different alias, set the "ProxyService" component property "certificateAlias" in the file $ESEC_HOME/config/das_proxy.xml to the desired alias. DAS_Proxy looks up the keyEntry by its alias, so the alias of the keyEntry you want to use must match the value of the "certificateAlias" property, or the local IP address if no value is set for "certificateAlias".
The password of the keystore and of the keyEntry is, by default, star1111. DAS_Proxy requires that the keystore and keyEntry passwords match, so both must be changed together. A custom password may be used by performing the following steps:
1. - $ESEC_HOME/jre/bin/keytool -storepasswd -keystore $ESEC_HOME/config/.proxyServerKeystore
Enter keystore password: star1111
New keystore password:
Re-enter new keystore password:
2. - $ESEC_HOME/jre/bin/keytool -keypasswd -alias <alias> -keystore $ESEC_HOME/config/.proxyServerKeystore
Enter keystore password:
Enter key password for <alias>: star1111
New key password for <alias>:
Re-enter new key password for <alias>:
3. - Set the value of the "ProxyService" component property "keystorePassword" in $ESEC_HOME/config/das_proxy.xml to the encrypted and Base64 form of the new password. The dbconfig utility produces this form; to obtain it without touching the live configuration:
3a. - cp $ESEC_HOME/config/das_rt.xml $ESEC_HOME/config/das_rt_temp.xml
3b. - $ESEC_HOME/bin/dbconfig -n $ESEC_HOME/config/das_rt_temp.xml -p "<new password>"
3c. - Open the file $ESEC_HOME/config/das_rt_temp.xml and locate the property "password". For example, on UNIX, the following command can be used:
cat $ESEC_HOME/config/das_rt_temp.xml | grep password
BSEU8ew2JYsxtOt4hYcYNA==
3d. - Copy the value of the property "password" (e.g., "BSEU8ew2JYsxtOt4hYcYNA=="), using this as the value for the "ProxyService" component property "keystorePassword".
3e. - Delete $ESEC_HOME/config/das_rt_temp.xml, which is a copy of the live configuration, and restart the Sentinel Communication Server so that DAS_Proxy opens the keystore with the new password.