Archived Content: This information is no longer maintained and is provided "as is" for your convenience.
Summary
Question
I imported a signed CA certificate and its chain using the admin manual but yet when I run ./arcsight tempca -i
I get the following:
Manager Server Keystore
Key Store config/jetty/keystore
Type JKS
Certificate N/A
Host Name <none>
Valid N/A
From N/A
To N/A
Answer
Step 1:
Backups (Please note we use the backup in the last step so don't skip):
#For Web
cp -r /opt/arcsight/web/config/jetty/ /opt/arcsight/web/config/jetty.bak/
cp /opt/arcsight/web/jre/lib/security/cacerts /opt/arcsight/web/jre/lib/security/cacerts.bak
#For Manager
cp -r /opt/arcsight/manager/config/jetty/ /opt/arcsight/manager/config/jetty.bak/
cp /opt/arcsight/manager/jre/lib/security/cacerts /opt/arcsight/manager/jre/lib/security/cacerts.bak
Step 2:
You should use mykey as the private key alias. Here is how to check what your current private key alias is:
#Check Alias
/opt/arcsight/manager/bin/arcsight keytool -store managerkeys -list
The output should be similar to this:
/opt/arcsight/manager/bin/arcsight keytool -store managerkeys -list
Assuming ARCSIGHT_HOME: /opt/arcsight/manager
Assuming JAVA_HOME: /opt/arcsight/manager/jre
ArcSight Keytool Wrapper starting...
ArcSight Keytool Wrapper 6.9.1.2340.4
Registered default configuration as NGPropertiesFileConfiguration [_defaultsFileName=config/server.properties, _localFileName=config/server.defaults.properties]
Using key store: /opt/arcsight/manager/config/jetty/keystore (JKS)
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
mykey, Apr 14, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): BA:7A:A7:C0:B6:77:00:B7:E1:F6:A5:AA:92:6F:01:1D:7F:25:45:A8
Notice there is only one entry in the keystore and its alias is mykey.
Note: if the alias of the private key is not mykey, make sure to use the alias name found in this step for Step 3.
Step 3:
Did you check the alias name in step 2? If not, go home.
#Request Renewal CSR
/opt/arcsight/manager/bin/arcsight keytool -store managerkeys -certreq -alias mykey -file /tmp/certrequest.csr
Step 4:
#Send CSR to your Cert Vendor
Step 5:
#If the new cert has a different Root, Intermediate, or Issuing CA, you will need to import the new CA certs into cacerts
This assumes that only the issuing and intermediate CAs changed, that the issuing cert is in /tmp/IssuingCA.cer, that the intermediate cert is in /tmp/InterCA.cer, and that the aliases you want to use are NEW_ISSUING_CA and NEW_INTER_CA.
/opt/arcsight/manager/bin/arcsight keytool -importcert -alias NEW_ISSUING_CA -file /tmp/IssuingCA.cer -store clientcerts -keystore /opt/arcsight/manager/jre/lib/security/cacerts
/opt/arcsight/manager/bin/arcsight keytool -importcert -alias NEW_INTER_CA -file /tmp/InterCA.cer -store clientcerts -keystore /opt/arcsight/manager/jre/lib/security/cacerts
Step 6:
#Import the newly received cert
/opt/arcsight/manager/bin/arcsight keytool -importcert -alias mykey -trustcacerts -file /tmp/careply.cer -store managerkeys -keystore /opt/arcsight/manager/config/jetty/keystore
Step 7:
#Update the Web certs: remove the old cacerts file and replace it with the new one (this step is only needed if you made changes to the Manager's cacerts file)
rm /opt/arcsight/web/jre/lib/security/cacerts
cp /opt/arcsight/manager/jre/lib/security/cacerts /opt/arcsight/web/jre/lib/security/cacerts
Step 8:
#Remove old web jetty folder and copy from manager jetty (Backup already created)
rm -rf /opt/arcsight/web/config/jetty
cp -r /opt/arcsight/manager/config/jetty/ /opt/arcsight/web/config/jetty
Step 9:
#Update names for web to use it:
mv /opt/arcsight/web/config/jetty/keystore /opt/arcsight/web/config/jetty/webkeystore
mv /opt/arcsight/web/config/jetty/truststore /opt/arcsight/web/config/jetty/webtruststore
mv /opt/arcsight/web/config/jetty/nssdb /opt/arcsight/web/config/jetty/webnssdb
Step 10:
#Need webserver.xml file from backup
cp /opt/arcsight/web/config/jetty.bak/webserver.xml /opt/arcsight/web/config/jetty/.
Step 11:
Restart the ArcSight services.
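The alias check from Step 2 can be scripted so that a mismatch is caught before the CSR is generated (Step 3) and the CA reply is imported (Step 6). This is an added example, not part of the original article or of ArcSight's tooling; the function names, the alias oldkey and the sample listings are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not ArcSight code: confirm which alias holds the private key
# before running -certreq (Step 3) and -importcert (Step 6).

# Print the alias of every PrivateKeyEntry in `keytool -list` output on stdin.
private_key_aliases() {
    awk -F', ' '/, PrivateKeyEntry,/ { print $1 }'
}

# Print the entry type stored under alias $1, or nothing if the alias is absent.
entry_type() {
    awk -F', ' -v a="$1" '$1 == a && NF >= 4 { sub(/,[ \t]*$/, "", $NF); print $NF; exit }'
}

# check_alias ALIAS < listing: succeeds only if ALIAS is the keystore's single PrivateKeyEntry.
check_alias() {
    local want listing keys count kind
    want=$1
    listing=$(cat)
    keys=$(printf '%s\n' "$listing" | private_key_aliases)
    count=$(printf '%s' "$keys" | grep -c . || true)
    kind=$(printf '%s\n' "$listing" | entry_type "$want")
    if [ "$count" -eq 1 ] && [ "$keys" = "$want" ]; then
        echo "OK: '$want' is the private key entry"; return 0
    fi
    case "$kind" in
        trustedCertEntry) echo "FAIL: '$want' is a trustedCertEntry; private key alias(es): ${keys:-none}" ;;
        "")               echo "FAIL: no entry '$want'; private key alias(es): ${keys:-none}" ;;
        *)                echo "FAIL: expected one private key under '$want', found $count" ;;
    esac
    return 1
}

# Constructed sample listings (the alias "oldkey" and the dates are made up).
SAMPLE_GOOD='Your keystore contains 1 entry
mykey, Apr 14, 2017, PrivateKeyEntry,'
SAMPLE_BAD='Your keystore contains 2 entries
oldkey, Apr 14, 2017, PrivateKeyEntry,
mykey, May 2, 2017, trustedCertEntry,'

printf '%s\n' "$SAMPLE_GOOD" | check_alias mykey || true
printf '%s\n' "$SAMPLE_BAD"  | check_alias mykey || true
# Live use: /opt/arcsight/manager/bin/arcsight keytool -store managerkeys -list | check_alias mykey
```

A FAIL that reports the alias as a trustedCertEntry means a certificate was stored under that name without being attached to the private key, so the alias passed to -certreq and -importcert should be the one reported as the private key alias.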