Environment
NetIQ Change Guardian 4.0.1
NetIQ Change Guardian 4.0
NetIQ Change Guardian 4.1
Situation
The SSL certificate does not carry the exact server name (FQDN) of the Change Guardian server.
Importing a signed certificate into Change Guardian does not resolve the access error.
Resolution
1. Log in as ‘root’.
2. Set Path to keytool [OPTIONAL]
a. PATH=$PATH:/opt/novell/sentinel/jre/bin/
b. export PATH
3. Go to the directory where .webserverkeystore.jks is located.
a. cd /etc/opt/novell/sentinel/config
b. ls -l .webserverkeystore.jks (just to make sure it is there.)
4. View .webserverkeystore.jks [OPTIONAL]. Use the full path to keytool, as shown below, if you omitted step 2.
a. /opt/novell/sentinel/jre/bin/keytool -list -v -keystore .webserverkeystore.jks
b. Review the output (alias name, entry type, owner and issuer) to become familiar with how the keystore is laid out.
5. keytool -genkey -alias webserver -keyalg RSA -keystore mykeystore.jks -keysize 2048
a. In the command above, the -alias argument must be webserver. mykeystore.jks is the file name chosen for this step.
6. Enter a password for mykeystore.jks. You are setting the keystore password here. The Change Guardian web server has to open this keystore, so use the keystore password it is configured with; see the product documentation.
7. You are now going to be prompted to enter information for mykeystore.jks
• “Enter First and Last Name” – enter the FQDN of the machine at this prompt, for example houqecg000.us.houqe.lab. This becomes the certificate CN and must match the name clients use to reach the server.
• “What is the name of your Organizational Unit” – leave blank, <ENTER>
• “What is the name of your Organization” – webserver (this keeps it *somewhat* consistent with the .webserverkeystore.jks file we are going to replace.)
• Leave the other fields you are prompted for blank.
• When prompted to verify that the information is correct, type “yes” and press <ENTER>.
• When prompted for the key password for webserver, press <ENTER>; this reuses the keystore password for the key.
8. Verify that the file has been created and check its ownership: ls -l mykeystore.jks
a. Notice that the owner and group are both root
b. -rw-r--r-- 1 root root 2282 Feb 20 16:41 mykeystore.jks
9. Change owner and group properties of file
a. chown novell mykeystore.jks
b. chgrp novell mykeystore.jks
c. ls -l mykeystore.jks to verify it looks similar to this
d. -rw-r--r-- 1 novell novell 2282 Feb 20 16:41 mykeystore.jks
10. Copy or move mykeystore.jks over .webserverkeystore.jks. Keep a copy of the existing .webserverkeystore.jks first; the move overwrites it.
a. Actual command is: mv mykeystore.jks .webserverkeystore.jks
11. Verify that the time and date on the file reflect the change.
a. Actual command is: ls -l .webserverkeystore.jks
You can now run through the certificate install process from the documentation.
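The steps above, collected into one script that can be run on the Change Guardian server. This is an added example and not part of the NetIQ KB or the product; it assumes the paths given in steps 2 and 3, that the web server runs as the novell user, and a hypothetical script name of replace-webserver-keystore.sh. It goes beyond the KB in three places, each marked in the code: the distinguished name is passed with -dname instead of answered at the prompts, a subjectAltName is added because browsers match the host name against the SAN rather than the CN, and the keystore is made readable only by owner and group. The sample keytool listing embedded at the top is constructed, not captured from a real system.

```shell
#!/bin/bash
# Added example (not from the NetIQ KB): regenerate and install the Change Guardian
# web server keystore non-interactively, with checks before the old file is replaced.
# Assumptions: keytool and keystore paths from steps 2 and 3, and that the web
# server runs as user "novell".
set -u

KEYTOOL=/opt/novell/sentinel/jre/bin/keytool      # step 2
CONFIG_DIR=/etc/opt/novell/sentinel/config        # step 3
KEYSTORE=.webserverkeystore.jks                   # the file being replaced
ALIAS=webserver                                   # step 5: alias must be "webserver"

# Distinguished name equivalent to the answers given in step 7:
# CN = server FQDN, O = webserver, all other fields left blank.
build_dname() {
    printf 'CN=%s, O=webserver' "$1"
}

# The CN has to be the name clients connect to; a bare host name reproduces the
# "does not have the exact server name" error, so insist on a dotted FQDN.
is_fqdn() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$'
}

# Pull the subject CN out of "keytool -list -v" output (step 4) so the new
# keystore can be verified before it is moved into place.
cn_from_listing() {
    printf '%s\n' "$1" | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1
}

# Constructed sample of what "keytool -list -v" prints for the generated entry
# (not captured from a real system).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: webserver
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=houqecg000.us.houqe.lab, O=webserver
Issuer: CN=houqecg000.us.houqe.lab, O=webserver'

# Steps 5 to 11 in one function. The keystore password must be the one the
# Change Guardian web server is configured to open the keystore with.
replace_keystore() {
    fqdn=$1
    storepass=$2
    is_fqdn "$fqdn" || { echo "not a fully qualified name: $fqdn" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root (step 1)" >&2; return 1; }
    cd "$CONFIG_DIR" || return 1

    tmp=mykeystore.jks
    # -keypass equal to -storepass mirrors pressing Enter at the key password
    # prompt in step 7. -ext SAN is an addition to the KB command: browsers match
    # the host name against the subjectAltName (needs a Java 7 or later keytool).
    "$KEYTOOL" -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -keystore "$tmp" -storepass "$storepass" -keypass "$storepass" \
        -dname "$(build_dname "$fqdn")" -ext "SAN=dns:$fqdn" || return 1

    listing=$("$KEYTOOL" -list -v -keystore "$tmp" -storepass "$storepass") || return 1
    [ "$(cn_from_listing "$listing")" = "$fqdn" ] || {
        echo "generated CN does not match $fqdn" >&2; rm -f "$tmp"; return 1; }

    chown novell:novell "$tmp"                    # step 9
    chmod 640 "$tmp"                              # added: the private key need not be world-readable
    cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"   # mv below overwrites the original
    mv "$tmp" "$KEYSTORE"                         # step 10
    ls -l "$KEYSTORE"                             # step 11
}

# Usage: ./replace-webserver-keystore.sh houqecg000.us.houqe.lab
# The password is read from the terminal rather than passed as an argument,
# where it would land in shell history and be visible in ps output.
if [ -n "${1:-}" ]; then
    printf 'Keystore password: ' >&2
    stty -echo; read -r pw; stty echo; printf '\n' >&2
    replace_keystore "$1" "$pw"
fi
```

After the script reports the new listing, continue with the certificate install process from the documentation exactly as before; the backup copy written next to the keystore lets you revert with a single mv if the web server refuses to start.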
Cause
The keystore file can become corrupted, which causes a certificate that was signed and imported to fail.