Using Certificate Authority (CA) approved certificates for SSL in NetFlow Analyzer Enterprise

Using Certificate Authority (CA) approved certificates for SSL in NetFlow Analyzer Enterprise

NetFlow Analyzer Enterprise edition uses SSL for communication between collectors and central server and also for web server connectivity to central server. The product provides options for using 3rd party security certificates for SSL connectivity as many organizations prefers their own certificates approved by any certificate authority.

Steps to be followed for installing certificate from Certificate Authority (CA) for NetFlow Analyzer Enterprise is given below:

NOTE: The steps are for NetFlow Analyzer Enterprise edition. If you are trying to enable SSL for NetFlow Analyzer Professional edition, please email the technical team at  netflowanalyzer-support@manageengine.com





  1. Generate a keystore


    • Open a command prompt and navigate to ManageEngine/NetFlowCentral/jre/bin directory
    • Type the following command:
      keytool -keyalg RSA  -keystore server.keystore -genkey -alias ServerKey

      where server.keystore is the user defined name for the keystore and ServerKey is the alias name. The name of the keystore is user defined and this exact name needs to be specified in server.xml present under ManageEngine/NetFlowCentral/conf directory. In this example, we are generating a keystore named as server.keystore for the Central server.


    • Once prompted, enter the information required to generate a CSR. A sample key generation section follows.
            Enter keystore password:passwd            [password is user defined and needs to be specified in server.xml]
            What is your first and last name?

            [Unknown]:symphony                               [Replace this with the name of your host name where NetFlow Central server will be installed]
            What is the name of your organizational unit?

            [Unknown]:NETFLOWENTERPRISE  
               [Rest of the fields are user defined]
            what is the name of your organization?
            [Unknown]:ZOHO       

            What is the name of your City or Locality?
            [Unknown]:Chennai       

            What is the name of your State or Province?
            [Unknown]:TamilNadu    
            What is the two-letter country code for this unit?
            [Unknown]:IN           
            Is CN=symphony, OU=NETFLOWENTERPRISE, O=ZOHO, L=Chennai, ST=TamilNadu, C=IN correct?
            [no]: yes
            Enter key password for
                (RETURN if same as keystore password):passwd
            Re-enter new password:passwd

      This operation creates a KeyStore file named server.keystore in the current working directory. ie. ManageEngine/NetFlowCentral/jre/bin directory.

      You must specify a Fully Qualified Domain Name (FQDN) for the “first and last name” question. The reason for this is that some CA such as VeriSign expect this property to be a FQDN. There are CAs that do not require a FQDN, but it is recommended to use a FQDN for the sake of portability. All the other information given must be valid. If the information cannot be validated, a CA will not sign a generated CSR for this entry.
















  2. Create a local CSR file


    This KeyStore has an alias name ServerKey which was defined by the user when generating the keystore. To generate a CSR, follow the steps as below:


    • From the same directory (ManageEngine/NetFlowCentral/jre/bin), execute the following command:

      keytool -keystore server.keystore -certreq -alias ServerKey -keyalg RSA -file self.csr  

      Once the command is executed, you will be prompted for password.
      Enter keystore password:passwd  
           [The same password entered for the generation of keystore, here "passwd"]

      This command generates a certificate signing request (CSR), in our case self.csr, which can be provided to a CA for a certificate request. The self.csr file will be created in the same directory. ie. ManageEngine/NetFlowCentral/jre/bin








  3. Import CA certificate to keystore

    Once the CSR is provided to the CA authority, we will be provided certificates depending on the CA and they are usually the root certificate, chained certificate and CA certificate. These certificates needs to be imported into the already generated keystore (in our case, server.keystore). The files needs to be imported to the keystore in the exact sequence as provided by the CA, the steps for which are below. The import should be done from ManageEngine/NetFlowCentral/jre/bin directory.




    • Import the Root File: The following command imports the root certificate to the keystore. Here, assume that the CA’s root certificate is in the file CARoot.cer . Copy it to the ManageEngine/NetFlowCentral/jre/bin directory and execute the following command from the command prompt:

       keytool -import -trustcacerts -keystore server.keystore -file CARoot.cer -alias Root

      Once the command is executed, you will be prompted for password.

      Enter keystore password:passwd        [The same password entered for the generation of keystore,here "passwd"]

      ........
      ........
      Trust this certificate? [no]:YES












    • Import the Chained trusted file: This command imports the chained certificate to the keystore. Here, assume that the CA’s chained certificate is in the file chain.cer and copy it to the ManageEngine/NetFlowCentral/jre/bin directory and execute the following command from the prompt:

       keytool -import  -trustcacerts -keystore server.keystore -file chain.cer -alias Chain

      Once the command is executed, you will be prompted for password.

      Enter keystore password:passwd        [The same password entered for the generation of keystore,here "passwd"]

      If you receive more than one chained certificate from CA repeat the same procedure by replacing 'Chain' as 'Chain1' , 'Chain2 '  and etc.











    • Import the Third Party Certificate: This command imports the CA certificate to the keystore. Here, assume that the CA’s certificate is in the file CAcert.cer and copy it to the ManageEngine/NetFlowCentral/jre/bin directory and execute the following command from the prompt:

        keytool -import -keystore server.keystore -file CAcert.cer -alias ServerKey    [The same name and alias used when generating the keystore is to be used here]

      Once the command is executed, you will be prompted for password.

      Enter keystore password:passwd        [The same password entered for the generation of keystore,here "passwd"]









  4. Generate trust certificate from server.keystore


    • Execute the following command.

       keytool  -export -alias ServerKey -file server.cer  -keystore server.keystore


      Once the command is executed we will be prompted for password.

      Enter keystore password:passwd     [The same password entered for the generation of server.keystore,here "passwd"]

      This command will export the ServerKey trust store into the server.cer











  5. Import the trust certificate to the client.keystore


    • Execute the following command.

      keytool -import -alias CentralKey -file server.cer -keystore client.keystore -noprompt

      Once the command is executed we will be prompted for password.

      Enter keystore password:passwd  [password is user defined and needs to be specified as detailed below]
      Re-enter new password:passwd

      where client.keystore is the user defined name for the keystore and CentralKey is the alias name. The name of the keystore is user defined and this exact name needs to be specified as detailed below.











Finally two keystore will be present under ManageEngine/NetFlowCentral/jre/bin directory.

1) Copy the server.keystore from ManageEngine/NetFlowCentral/jre/bin to the ManageEngine/NetFlowCentral/conf/ directory

2) Copy the client.keystore from ManageEngine/NetFlowCentral/jre/bin to all the collectors under ManageEngine/NetFlowCollector/conf/ directory

On Central Server Side:
If you have changed the keystore name or password while generating server.keystore for Central Server, then open ManageEngine/NetFlowCentral/conf/server.xml and edit the given parameters under the category:

<!--  Define a SSL Coyote HTTP/1.1 Connector on port 8443  -->
    <Connector acceptCount="100" clientAuth="false" connectionTimeout="-1" debug="4" disableUploadTimeout="true" enableLookups="false" keystoreFile="conf/server.keystore" keystorePass="passwd" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="443" scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="true"/>

In the parameter keystoreFile="conf/server.keystore"  , use the name of your keystore instead of server.keystore.
In the parameter keystorePass="passwd" , use the your password for the keystore.

On Collector Side:

Add the below parameters in ManageEngine/NetFlowCollector/bin/run.bat (.sh for Linux) for the collector
Add the parameter under set JAVA_OPTS

-Djavax.net.ssl.trustStore=../conf/client.keystore [use the name of your keystore instead of client.keystore, if you changed it while importing the trust certificate.]
-Djavax.net.ssl.trustStorePassword=passwd [use your password, if you changed it while importing the trust certificate.]

So the modified lines should look as below:

For Windows: run.bat

set JAVA_OPTS= -Dcatalina.home="%SERVER_HOME%" -Dserver.home="%SERVER_HOME%" -Dserver.stats=10000  -Djava.util.logging.manager=com.adventnet.logging.LogManager -Djava.util.logging.config.file="%SERVER_HOME%\conf\logging.xml" -Djava.util.logging.config.class=com.adventnet.logging.LoggingScanner -Dlog.dir="%SERVER_HOME%" -Ddb.home="%DB_HOME%" -Djava.library.path="%SERVER_HOME%\lib\native" -Dcheck.tomcatport="true" -DDBStartupRetries=120 -Djavax.net.ssl.trustStore=..\conf\client.keystore -Djavax.net.ssl.trustStorePassword=passwd

For LINUX: run.sh

JAVA_OPTS="-Dcatalina.home=$SERVER_HOME -Dserver.home=$SERVER_HOME -Dserver.stats=10000 -Djava.util.logging.manager=com.adventnet.logging.LogManager -Djava.util.logging.config.file=$SERVER_HOME/conf/logging.xml -Djava.util.logging.config.class=com.adventnet.logging.LoggingScanner -Dlog.dir=$SERVER_HOME -Ddb.home=$DB_HOME -Dcheck.tomcatport=true -DDBStartupRetries=120 -Djavax.net.ssl.trustStore=../conf/client123.keystore -Djavax.net.ssl.trustStorePassword=passwd123"

Add the below parameter in ManageEngine/NetFlowCollector/conf/wrapper.conf under # Java Additional Parameters

wrapper.java.additional.18=-Djavax.net.ssl.trustStore=../conf/client.keystore    [use the name of your keystore instead of client.keystore, if you changed it while importing the trust certificate.]
wrapper.java.additional.19=-Djavax.net.ssl.trustStorePassword=passwd              [use your password, if you changed it while importing the trust certificate.]

So the modified lines should look as below (Same for Windows and Linux):

# Java Additional Parameters
..
..
wrapper.java.additional.16=-DstartingAsService=true
wrapper.java.additional.17=-DDBStartupRetries=120
wrapper.java.additional.18=-Djavax.net.ssl.trustStore=../conf/client.keystore         [use the name of your keystore instead of client.keystore, if you changed it while importing the trust certificate.]
wrapper.java.additional.19=-Djavax.net.ssl.trustStorePassword=passwd                [use your password, if you changed it while importing the trust certificate.]

Do check this out and let us know if you have any questions on using 3rd party certificates for SSL in NetFlow Analyzer Enterprise edition. You can reach the Enterprise technical team at  netflowanalyzer-eesupport@manageengine.com

Regards,
Don Thomas Jacob





















































                New to ADSelfService Plus?