How to change from a self-signed certificate to a 3rd party certificate in ZLM

  • 7002147
  • 10-Dec-2008
  • 30-Apr-2012

Environment

Novell ZENworks 7.2 Linux Management - ZLM7.2

Situation

ZLM was installed using a self-signed certificate, but now you want to use a trusted 3rd party such as Verisign to sign your certificates.

Resolution

This document explains the procedure to obtain a signature for the ZENworks Linux Management server certificate from a trusted Certification Authority, and to import it into the server's Tomcat keystore.
Obtaining the Signature for a ZENworks Linux Management Server Certificate
  1. Add the Java bin directory to your PATH.

    export PATH=$PATH:/opt/novell/zenworks/lib/java/bin

  2. Shut down the ZLM server

    zlm-config --stop

  3. Take a backup of your existing keystore. You can restore it if something goes wrong.

    cp /opt/novell/zenworks/share/keystore /opt/novell/zenworks/share/keystore-bck

  4. Remove the keystore file

    rm /opt/novell/zenworks/share/keystore

  5. Generate the certificate using the command below. See the Additional Information section for more details on the arguments.

    keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/novell/zenworks/share/keystore -keypass <keystorepass> -storepass <keystorepass> -validity 3650 -dname "cn=<full hostname of the zlm-server>, o=<organization name>, st=<state>, c=<two digit country name>"

    For example:

    keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/novell/zenworks/share/keystore -keypass xxxxx -storepass xxxxx -validity 3650 -dname "cn=sles-10-sp1.novell.com, o=novell, st=ka, c=in"

  6. Generate the Certificate signing request

    keytool -certreq -alias tomcat -keystore /opt/novell/zenworks/share/keystore -storepass <keystorepass> > cert.csr

  7. Have a CA sign your certificate by submitting this cert.csr file.
  8. When your certificate is signed, you must import the chain of CAs used to sign it into the keystore before importing your certificate. If your certificate is signed by an intermediate CA, import the root CA certificate along with the intermediate CA certificate.

    keytool -import -alias root1 -keystore /opt/novell/zenworks/share/keystore -storepass <keystorepass> -file root-ca.cer

    Note: See the Additional Information section for more info on parameters.
  9. Repeat step 8 until all the CAs are imported into the keystore. Note: the alias must be different for every CA.
  10. Import the signed certificate into the keystore.

    keytool -import -alias tomcat -keystore /opt/novell/zenworks/share/keystore -storepass <keystorepass> -file signed-cert.cer

    Note: See the Additional Information section for more info on parameters.
  11. Restart the ZLM server using

    zlm-config --restart

  12. On managed devices do the following:
    Copy all the CA certificates into /etc/zmd/trusted-certs on SLE-10 and /etc/opt/novell/zenworks/zmd/trusted-certs on other platforms, on all the managed devices.
    Restart ZMD on all the managed devices using the command

    /etc/init.d/novell-zmd restart
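A check added here (not part of the TID) that reads the `keytool -list -v` listing on stdin and confirms the chain under the tomcat alias is complete before the server is restarted and the CA certificates are copied to managed devices; it goes one step beyond the listing by reporting how many CA certificates trusted-certs needs. The sample listing, the hostname zlm-server.example.com and the "Example" CA names are constructed, not real keytool output.

```shell
#!/bin/sh
# Checks a `keytool -list -v -keystore /opt/novell/zenworks/share/keystore ...` listing read on
# stdin. Returns 0 only if aliases are unique, the keyEntry chain has as many Certificate[n]
# blocks as "Certificate chain length" claims, every Issuer equals the next Owner, the last
# certificate is self-signed (the root) and, when $1 is given, Certificate[1] has CN=$1
# (the hostname through which the agents register).
check_keystore_listing() {
    awk -v host="${1:-}" '
    /^Alias name:/ { a = $0; sub(/^Alias name: */, "", a)
                     if (a in seen) { print "duplicate alias: " a; bad = 1 }
                     seen[a] = 1 }
    /^Entry type: keyEntry/         { inkey = 1 }
    /^Entry type: trustedCertEntry/ { inkey = 0 }
    /^Certificate chain length:/    { want = $4 }
    /^Certificate\[[0-9]+\]:/       { n++ }
    inkey && /^Owner:/  { s = $0; sub(/^Owner: */,  "", s); owner[n]  = s }
    inkey && /^Issuer:/ { s = $0; sub(/^Issuer: */, "", s); issuer[n] = s }
    END {
        if (bad)       exit 1
        if (n == 0)    { print "no keyEntry with a certificate chain"; exit 1 }
        if (n != want) { print "chain length " want " claimed, " n " certificates listed"; exit 1 }
        for (i = 1; i < n; i++)
            if (issuer[i] != owner[i+1]) { print "chain broken after Certificate[" i "]"; exit 1 }
        if (issuer[n] != owner[n]) { print "chain does not end at a self-signed root CA"; exit 1 }
        cn = owner[1]; sub(/,.*$/, "", cn)
        if (host != "" && cn != "CN=" host) { print cn " does not match CN=" host; exit 1 }
        # The CA certificates (all but Certificate[1]) are what step 12 copies to trusted-certs.
        print "OK: chain of " n "; " (n - 1) " CA certificate(s) go to trusted-certs on managed devices"
    }'
}

# Constructed sample (not real keytool output), trimmed to the lines the check reads.
SAMPLE_OK='Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Test Root CA, O=Example CA
Issuer: CN=Example Test Root CA, O=Example CA

Alias name: tomcat
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=zlm-server.example.com, O=Example, ST=ka, C=in
Issuer: CN=Example Test Root CA, O=Example CA
Certificate[2]:
Owner: CN=Example Test Root CA, O=Example CA
Issuer: CN=Example Test Root CA, O=Example CA'

printf '%s\n' "$SAMPLE_OK" | check_keystore_listing zlm-server.example.com
```

On a real server pipe the keytool listing into the function instead of the sample, passing the hostname used in the -dname of step 5.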
 
 

Additional Information

Reference: Throughout this TID, the following abbreviations are used:
<keystorepass>: the password used to protect the keystore file by the ZLM server. Use the following command to get the keystorepass of the keystore file:

grep keystorePass /etc/opt/novell/zenworks/tomcat/base/server.xml | awk -F '=' '{print $2}'
 
<Hostname of the zlm-server>: the hostname of the ZLM server through which the agents register.
E.G.: www.novell.com
 
<O>: Organization name.
E.G.: Novell
 
<St>: State
E.G.: CA
 
<C>: two-letter country code
E.G.: IN (for INDIA)
 
CA (Certificate Authority): trusted authority that signs the certificate.
E.G.: Verisign

Certificate examples:

Certificate signed by Intermediate CA
Owner: CN=sles-10-sp1.novell.com, OU=Terms of use at www.verisign.com/cps/testca (c)05, O=novell, ST=ka, C=in
Issuer: CN=VeriSign Trial Secure Server Test CA, OU=Terms of use at https://www.verisign.com/cps/testca (c)05, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 6157045bf74582c0f41e81cad46c7906
Valid from: Fri Nov 21 05:30:00 IST 2008 until: Sat Dec 06 05:29:59 IST 2008
Certificate fingerprints:
MD5: 2D:1B:6C:B8:EB:C3:05:12:0E:4D:9B:23:89:FB:11:4F
SHA1: 57:64:F3:43:9D:DE:95:BB:AD:49:07:A3:12:70:72:DB:14:03:09:53


Intermediate CA Certificate

Owner: CN=VeriSign Trial Secure Server Test CA, OU=Terms of use at https://www.verisign.com/cps/testca (c)05, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Trial Secure Server Test Root CA, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 63b1a5cdc59f78801da0636cf975467b
Valid from: Wed Feb 09 05:30:00 IST 2005 until: Mon Feb 09 05:29:59 IST 2015
Certificate fingerprints:
MD5: 8D:E9:89:DB:7F:CC:5E:3B:FD:DE:2C:42:08:13:EF:43
SHA1: D0:A5:BB:56:9E:CE:BE:B3:65:14:00:DE:BF:24:8B:A4:86:8C:7B:D8


Root CA Certificate
Owner: CN=VeriSign Trial Secure Server Test Root CA, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Trial Secure Server Test Root CA, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 20a897aedb8202dec136a04e26bd8773
Valid from: Wed Feb 09 05:30:00 IST 2005 until: Sun Feb 09 05:29:59 IST 2025
Certificate fingerprints:
MD5: B6:9D:A4:40:52:02:50:0D:D5:9C:E1:B8:4B:66:C4:AC
SHA1: 81:A7:B1:CA:51:66:D1:2D:CB:32:CA:00:21:C3:9E:49:54:73:56:65


After importing the certificates into the keystore, if you use the following command to list the keystore entries

keytool -list -v -keystore /opt/novell/zenworks/share/keystore -storepass <keystorepass>

your keystore entries should look like this.

Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: root2
Creation date: Nov 23, 2008
Entry type: trustedCertEntry

Owner: CN=VeriSign Trial Secure Server Test CA, OU=Terms of use at https://www.verisign.com/cps/testca (c)05, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Trial Secure Server Test Root CA, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 63b1a5cdc59f78801da0636cf975467b
Valid from: Wed Feb 09 05:30:00 IST 2005 until: Mon Feb 09 05:29:59 IST 2015
Certificate fingerprints:
MD5: 8D:E9:89:DB:7F:CC:5E:3B:FD:DE:2C:42:08:13:EF:43
SHA1: D0:A5:BB:56:9E:CE:BE:B3:65:14:00:DE:BF:24:8B:A4:86:8C:7B:D8


*******************************************
*******************************************


Alias name: root
Creation date: Nov 23, 2008
Entry type: trustedCertEntry

Owner: CN=VeriSign Trial Secure Server Test Root CA, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Trial Secure Server Test Root CA, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 20a897aedb8202dec136a04e26bd8773
Valid from: Wed Feb 09 05:30:00 IST 2005 until: Sun Feb 09 05:29:59 IST 2025
Certificate fingerprints:
MD5: B6:9D:A4:40:52:02:50:0D:D5:9C:E1:B8:4B:66:C4:AC
SHA1: 81:A7:B1:CA:51:66:D1:2D:CB:32:CA:00:21:C3:9E:49:54:73:56:65


*******************************************
*******************************************


Alias name: tomcat
Creation date: Nov 23, 2008
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=sles-10-sp1.novell.com, OU=Terms of use at www.verisign.com/cps/testca (c)05, O=novell, ST=ka, C=in
Issuer: CN=VeriSign Trial Secure Server Test CA, OU=Terms of use at https://www.verisign.com/cps/testca (c)05, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 6157045bf74582c0f41e81cad46c7906
Valid from: Fri Nov 21 05:30:00 IST 2008 until: Sat Dec 06 05:29:59 IST 2008
Certificate fingerprints:
MD5: 2D:1B:6C:B8:EB:C3:05:12:0E:4D:9B:23:89:FB:11:4F
SHA1: 57:64:F3:43:9D:DE:95:BB:AD:49:07:A3:12:70:72:DB:14:03:09:53
Certificate[2]:
Owner: CN=VeriSign Trial Secure Server Test CA, OU=Terms of use at https://www.verisign.com/cps/testca (c)05, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Trial Secure Server Test Root CA, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 63b1a5cdc59f78801da0636cf975467b
Valid from: Wed Feb 09 05:30:00 IST 2005 until: Mon Feb 09 05:29:59 IST 2015
Certificate fingerprints:
MD5: 8D:E9:89:DB:7F:CC:5E:3B:FD:DE:2C:42:08:13:EF:43
SHA1: D0:A5:BB:56:9E:CE:BE:B3:65:14:00:DE:BF:24:8B:A4:86:8C:7B:D8
Certificate[3]:
Owner: CN=VeriSign Trial Secure Server Test Root CA, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Trial Secure Server Test Root CA, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 20a897aedb8202dec136a04e26bd8773
Valid from: Wed Feb 09 05:30:00 IST 2005 until: Sun Feb 09 05:29:59 IST 2025
Certificate fingerprints:
MD5: B6:9D:A4:40:52:02:50:0D:D5:9C:E1:B8:4B:66:C4:AC
SHA1: 81:A7:B1:CA:51:66:D1:2D:CB:32:CA:00:21:C3:9E:49:54:73:56:65


*******************************************
*******************************************