SSPR 4.x Certificate Configuration

  • 7018545
  • 27-Jan-2017
  • 01-May-2017

Environment

Self Service Password Reset
SSPR 4.x
SSPR 4 Appliance

Situation

Understanding certificates used with SSPR
How to enable SSL/TLS for SSPR communication
How to configure certs for SSPR encryption
Creating and importing SSPR certificates

Resolution

There are four primary certificates used with SSPR 4. Each has a specific purpose, and each is configured in a different place in the SSPR management utilities.
  
1.    The appliance cert.  This certificate provides SSL/TLS encryption on port 9443 for the SSPR appliance configuration page. It is used only by the appliance itself, not by the SSPR application, and exists only with the appliance installation. To administer it, open the appliance configuration tool at https://<dns-name>:9443 and choose "Digital Certificates." Use the File menu to generate a key pair, import a trusted certificate or key pair, and so on. Certificates generated in the appliance configuration tool serve port 9443 only; they do not work as the HTTPS certificate described next.

2.    The HTTPS (aka Tomcat or browser) cert.  This certificate protects traffic between the SSPR web server and the user's browser. With the SSPR 4 appliance, HTTPS is served on port 443; with the Windows MSI or .war installations it is served on port 8443, as it was in SSPR 3.x. For the appliance or Windows MSI install, this cert is administered in SSPR Configuration Editor -> Settings -> HTTPS Server -> Certificate. (This setting is not available with the .zip / .war install.) Import a PKCS12 / PFX file or a Java keystore that holds the commercially signed certificate together with its private key and CA chain. TID 7018852 explains how to create a signed SSL certificate using OpenSSL. See "Note 3" in the "Additional Information" section below for more detail.

3.    The LDAP cert.  This certificate is used to encrypt traffic between the SSPR server and the LDAP directory server. Administer it through SSPR Configuration Editor -> LDAP -> LDAP Directories -> <LDAP Profile> -> LDAP Certificates. Import the tree CA's trusted root certificate and the server certificate of each LDAP server the profile connects to.


4.    Syslog audit server certificates.  The server certificate(s) of an external syslog audit server. The audit events that can be forwarded are listed in the SSPR documentation, reachable from the home administration page at https://<dnsname>/sspr/public/reference/tables.jsp#auditEvents. Administer these certificates through SSPR Configuration Editor -> Settings -> Auditing -> Audit Forwarding -> Syslog Audit Server Certificates.


Additional Information

Note 1 - This article covers the primary certificates used by SSPR 4. Other certificates may also come into play, depending on the environment; for example, IDM uses additional certificates with SSPR.

Note 2 - Certificates imported via the SSPR Configuration Editor are not copied to the SSPR server's certificate store. They are written into the SSPRConfiguration.xml file and will not be present in the cacerts file.

Note 3 - The help text for the HTTPS certificate in SSPR Configuration Editor -> Settings -> HTTPS Server -> Certificate states the following:
"The private key & certificate used by the SSPR HTTPS web server. If this setting does not have a value, the SSPR HTTPS web server will use an auto-generated value based on Settings ⇨ Application ⇨ Application ⇨ Site URL and other current configuration data."   

In other words, SSPR generates a self-signed certificate that is used unless a commercial certificate is imported. Browsers will warn on that auto-generated certificate, so a certificate issued by a CA the users' browsers trust should be imported before the system goes into production. SSPR 4.1 does not have a tool to generate a CSR (Certificate Signing Request) for a commercial certificate. If a commercial certificate is desired, this setting allows one to be imported, not created.

This setting allows two types of files to be imported: 
 -  A PKCS12, also known as a PFX file. This is a common format for backing up and transferring an X.509 public key certificate and its matching private key, along with the root and intermediate certificate(s).

 -  A Java/Tomcat key file (a Java keystore). This is commonly used by Java applications to store X.509 public key certificates, private keys and root certificates. There is no standard file extension for Java keystores (.jks and .keystore are common), and these files often have no extension at all.

We rely on the customer to create these files outside of the SSPR application; SSPR 4.1 provides the means to import them. Both file types must contain the private key, the matching X.509 server certificate, and every CA certificate in the chain (i.e. the server certificate and key pair, plus the root CA certificate and any intermediate CA certificates).
 
Several options are available to create a Java keystore or a PKCS12 (PFX) file, including:
 
- Using keytool or OpenSSL to create a Java keystore, as described in the Tomcat SSL how-to: https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
 
- Using OpenSSL to create a PKCS12/PFX file: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl
 
- Using eDirectory to create a custom server certificate (i.e. use the desired DNS name and/or IP address, use the external CA method to sign the certificate, then back up the certificate and key to a PKCS12/PFX file):
https://www.netiq.com/documentation/edir88/crtadmin88/data/a5bwnsj.html
 
Other methods can be found on the internet. Here is an article that might be helpful:
https://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html

After obtaining the PKCS12/PFX or keystore file, simply import it using the Import button in the Configuration Editor -> Settings -> HTTPS Server -> Certificate setting.
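The following script is an added example; it is not part of this TID and not SSPR product code. It walks the procedure in Note 3 end to end with OpenSSL (server key, CSR, signed certificate, PKCS12 containing key + certificate + full CA chain) and adds the checks worth running before the import. Because no commercial CA is available offline, a throwaway root CA and issuing (intermediate) CA are generated to sign the certificate; the host name sspr.example.com, the password and the scratch directory are hypothetical. The last part serves item 3 (the LDAP cert): it splits a chain captured from an LDAP server with openssl s_client -showcerts into one PEM per certificate and flags the self-signed one, which is the tree CA root to import. The chain it splits is constructed from the certificates generated above, standing in for a live capture.

```shell
#!/bin/sh
# Added example (not from the TID or SSPR): build the PKCS12 that Settings ->
# HTTPS Server -> Certificate expects (server key + server cert + intermediate +
# root), check it before importing, and split an LDAP server's chain into the
# per-certificate files the LDAP Certificates setting takes. A throwaway root
# and issuing CA stand in for the commercial CA; host name and password are made up.
set -eu

HOST="sspr.example.com"        # must match the host in Settings -> Application -> Site URL
P12PASS="ChangeMe-P12"         # SSPR asks for this password when the file is imported
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for everything generated here

sign() {  # sign <csr> <ca-cert> <ca-key> <extfile> <days> <out-cert>: issue a cert from a CSR
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days "$5" -sha256 -extfile "$4" -out "$6"
}

make_chain() {
  # Root CA, self-signed through x509 -req + extfile (same behaviour on OpenSSL 1.1.1 and 3.x)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt"
  # Issuing (intermediate) CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  sign "$WORK/inter.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/ca.ext" 1825 "$WORK/inter.crt"
  # Server key and CSR: the CSR is what goes to the commercial CA. The SAN must
  # carry the Site URL host; browsers no longer look at the CN.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nkeyUsage=critical,digitalSignature,keyEncipherment\n' \
    "$HOST" >"$WORK/server.ext"
  sign "$WORK/server.csr" "$WORK/inter.crt" "$WORK/inter.key" "$WORK/server.ext" 397 "$WORK/server.crt"
  cat "$WORK/inter.crt" "$WORK/root.crt" >"$WORK/chain.pem"   # the CA chain the CA hands back
}

build_p12() {
  # -certfile puts the whole CA chain next to the server cert, as the TID requires
  openssl pkcs12 -export -name sspr -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/chain.pem" -out "$WORK/sspr.p12" -passout "pass:$P12PASS"
  # Optional: the same material as a Java keystore, the other format the setting accepts
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt -srckeystore "$WORK/sspr.p12" -srcstoretype PKCS12 \
      -srcstorepass "$P12PASS" -destkeystore "$WORK/sspr.jks" -deststoretype JKS -deststorepass "$P12PASS"
  fi
}

# Pre-import checks; each catches a mistake that would otherwise surface as a browser warning.
chain_verifies() {   # leaf -> intermediate -> root must validate
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/server.crt" >/dev/null
}
key_matches_cert() { # <key> <cert>: public key in the key file equals the one in the certificate
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}
p12_cert_count() {   # <p12>: certificates actually inside the bundle (leaf + every CA; 3 here)
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12PASS" | grep -c 'BEGIN CERTIFICATE'
}
san_has_host() {     # the SAN must list the Site URL host
  openssl x509 -in "$WORK/server.crt" -noout -ext subjectAltName | grep -q "DNS:$HOST"
}

# LDAP Certificates setting: capture the directory server's chain with
#   openssl s_client -connect ldap.example.com:636 -showcerts </dev/null >ldap_chain.pem
# then split it into one PEM per certificate and find the tree CA root (the self-signed one).
split_chain() {      # <chain.pem>: writes $WORK/ldapcertN.pem, prints how many were found
  awk -v out="$WORK/ldapcert" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = out n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }' "$1"
}
is_root() {          # <cert>: self-signed, i.e. subject hash equals issuer hash
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

make_chain
build_p12
chain_verifies
key_matches_cert "$WORK/server.key" "$WORK/server.crt"
san_has_host
[ "$(p12_cert_count "$WORK/sspr.p12")" -eq 3 ]
echo "$WORK/sspr.p12 passed all checks; import it via Settings -> HTTPS Server -> Certificate"

# Constructed stand-in for the s_client output (a real run captures it from the LDAP server)
cat "$WORK/server.crt" "$WORK/inter.crt" "$WORK/root.crt" >"$WORK/ldap_chain.pem"
split_chain "$WORK/ldap_chain.pem" >/dev/null
for f in "$WORK"/ldapcert*.pem; do
  if is_root "$f"; then role="tree CA root"; else role="LDAP server or intermediate cert"; fi
  printf '%s  <- %s\n' "$(openssl x509 -in "$f" -noout -subject)" "$role"
done
```

Two points for real use. With a commercial CA, only the server key/CSR step and the final pkcs12 -export apply; put the CA's intermediate and root certificates into chain.pem in place of the generated ones, and run the same verify and key-match checks against the certificate the CA returns. OpenSSL 3 encrypts the PKCS12 with AES-256-CBC and PBKDF2 by default; older Java runtimes only read the SHA1/3DES PBE algorithms, so if the SSPR import rejects the file, re-export it with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1.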