How to configure the DAS_Proxy SSL server to use a CA signed certificate

  • 3327313
  • 22-Jan-2008
  • 26-Apr-2012

Environment

Sentinel 6.0.xx
Sentinel 6.0.xx Sentinel Server

Situation

It may be desirable in an environment to use keys signed by a given company's Certificate Authority (CA). In cases like these, Sun's own documentation spells out how this can be done using 'keytool', but these Sentinel-specific instructions will help those wanting to do this specifically with Sentinel.

Resolution

To use a certificate signed by a Certificate Authority (CA) in the Sentinel DAS Proxy service:

The easiest way to do this is to generate a Certificate Signing Request (CSR) for the certificate that is automatically generated when DAS_Proxy starts for the first time. Next, update the keystore with the CA-signed certificate returned by the CA. Instructions for this are described below.

NOTE: These instructions are based on the user guide for keytool, which can be found at http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html

1. - $ESEC_HOME/jre/bin/keytool -certreq -alias <alias> -keystore $ESEC_HOME/config/.proxyServerKeystore -file <request-file>.csr
(where <alias> is the alias of the existing keyEntry; by default this is the IP address of the local machine, see Additional Information below)
2. - Provide the .csr file to your CA. The CA will reply with a .cer file. The next step is to import this .cer file into your keystore, which will replace your self-signed certificate.
3. - $ESEC_HOME/jre/bin/keytool -import -trustcacerts -alias <alias> -keystore $ESEC_HOME/config/.proxyServerKeystore -file <reply-file>.cer
4. - If you get an error that the certificate chain cannot be verified, this means that no valid certificate chain exists between the certificate you are trying to import and a "trusted certificate". To fix this, follow the instructions in the section "Importing a Certificate for the CA" at the URL http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html, using a command similar to the following, then repeat step 3.
4a. - $ESEC_HOME/jre/bin/keytool -import -trustcacerts -alias <ca-alias> -keystore $ESEC_HOME/config/.proxyServerKeystore -file <ca-certificate-file>.cer

Additional Information

When the Sentinel Communication Server is started for the first time, it automatically creates a self-signed certificate that is used by the DAS_Proxy SSL Server. This certificate and private key are stored in the file $ESEC_HOME/config/.proxyServerKeystore. The location of this file can be modified by editing the property "keystore" in the file $ESEC_HOME/config/das_proxy.xml.

To view the contents of this file, execute the following command:
$ESEC_HOME/jre/bin/keytool -list -keystore $ESEC_HOME/config/.proxyServerKeystore
Enter keystore password: star1111

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

10.0.0.1, Jan 8, 2008, keyEntry,
Certificate fingerprint (MD5): 22:B4:19:63:AC:2D:F9:C0:66:7F:7C:64:85:68:89:AB

The keyEntry used by the DAS_Proxy SSL Server has a default alias set to the IP of the local machine. In the example above, the alias is "10.0.0.1". To use a different alias, set the "ProxyService" component property "certificateAlias" in the file $ESEC_HOME/config/das_proxy.xml to the desired alias. DAS_Proxy will look for the keyEntry by its alias, so the alias of the keyEntry you want to use must match the value of the "certificateAlias" property, or the local IP address if no value is set for "certificateAlias".

The password of the keystore and keyEntry is, by default, star1111. DAS_Proxy requires that the keystore and keyEntry password match. A custom password may be used by performing the following steps:
1. - $ESEC_HOME/jre/bin/keytool -storepasswd -keystore $ESEC_HOME/config/.proxyServerKeystore
Enter keystore password: star1111
New keystore password:
Re-enter new keystore password:

2. - $ESEC_HOME/jre/bin/keytool -keypasswd -alias <alias> -keystore $ESEC_HOME/config/.proxyServerKeystore
Enter keystore password:
Enter key password for <alias>: star1111
New key password for <alias>:
Re-enter new key password for <alias>:

3. - Set the value of the "ProxyService" component property "keystorePassword" to the encrypted and Base64 form of the new password. To do this:
3a. - cp $ESEC_HOME/config/das_rt.xml $ESEC_HOME/config/das_rt_temp.xml
3b. - $ESEC_HOME/bin/dbconfig -n $ESEC_HOME/config/das_rt_temp.xml -p "<new password>"
3c. - Open the file $ESEC_HOME/config/das_rt_temp.xml and locate the property "password". For example, on UNIX, the following command can be used:
cat $ESEC_HOME/config/das_rt_temp.xml | grep password
BSEU8ew2JYsxtOt4hYcYNA==
3d. - Copy the value of the property "password" (e.g., "BSEU8ew2JYsxtOt4hYcYNA==") and use it as the value for the "ProxyService" component property "keystorePassword".
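As an added check (example code written here, not part of Sentinel or of this article), the following Java program verifies the three conditions described above once the CA reply and any password change are in place: the keyEntry alias that DAS_Proxy will look for exists, the key password matches the keystore password, and the certificate is no longer self-signed. It assumes the keystore is in JKS format, as keytool -list reports, and is compiled with a JDK rather than the bundled $ESEC_HOME/jre.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Checks a DAS_Proxy keystore for the three conditions this article describes.
// Usage: java ProxyKeystoreCheck <keystore> <alias> <password>
public class ProxyKeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ProxyKeystoreCheck <keystore> <alias> <password>");
            System.exit(2);
        }
        String path = args[0], alias = args[1];
        char[] password = args[2].toCharArray();    // default is star1111

        KeyStore ks = KeyStore.getInstance("JKS");  // keytool -list reports "Keystore type: jks"
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);                  // throws if the keystore password is wrong
        }
        // 1. DAS_Proxy locates the entry by alias (certificateAlias, or the local IP if unset)
        if (!ks.isKeyEntry(alias)) {
            System.err.println("FAIL: no keyEntry '" + alias + "'; aliases present: "
                    + Collections.list(ks.aliases()));
            System.exit(1);
        }
        // 2. DAS_Proxy requires the key password to equal the keystore password
        try {
            ks.getKey(alias, password);
        } catch (UnrecoverableKeyException e) {
            System.err.println("FAIL: key password for '" + alias + "' differs from the keystore password");
            System.exit(1);
        }
        // 3. After the CA reply is imported the leaf certificate must no longer be self-signed
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity();                       // throws if expired or not yet valid
        boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        System.out.println("subject: " + leaf.getSubjectX500Principal());
        System.out.println("issuer : " + leaf.getIssuerX500Principal());
        System.out.println("chain  : " + chain.length + " certificate(s)");
        System.out.println(selfSigned ? "WARN: still self-signed, the CA reply was not imported"
                                      : "OK: certificate is CA-signed");
        System.exit(selfSigned ? 1 : 0);
    }
}
```

Run it against $ESEC_HOME/config/.proxyServerKeystore with the alias from keytool -list (or the certificateAlias value) before restarting DAS_Proxy; a non-zero exit code points at the condition that still needs attention.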