Use your own SSL certificates for the Application Manager

From build 14260 onwards, the options to create a Certificate Signing Request (CSR) and to import an SSL certificate into Applications Manager are available in the web UI. Refer to Manage Certificates for the detailed steps.

Steps for Applications Manager builds below 14260:

Question: I would like to use my own SSL certificates for the Application Manager. We have a global certificate with our hosting provider (*.ourdomain.com); where can we configure this for use within our Application Manager instance?

Solution:

1. When you purchase an SSL certificate, the vendor provides certificate files that you must import into a keystore file. The import can be done with any Java installation (keytool), OpenSSL, or a certificate manager tool.
  • Shut down Applications Manager.
  • To switch to the keystore file that holds your SSL certificate, go to the ..\AppManager_home\working\apache\tomcat\ directory and replace the 'appmanager.keystore' file with your keystore file.
  • If your keystore file has a different name, put its absolute path in place of "KEYSTORE_FILE" in \AppManager_home\working\apache\tomcat\conf\backup\server.xml. If you also have a truststore file, add a truststoreFile attribute next to keystoreFile and set it to that file's path.
  • In the same server.xml, find the encryptedKeystorePass attribute, rename it to keystorePass and set it to the keystore password. If keystorePass is already present, just update its value.
  • Note
     
    • If the truststore file has a different password, add a truststorePass attribute next to the attribute above and set it to the truststore password.
    • All of these attribute names are strictly case-sensitive.
    • After the restart, the password attribute(s) are automatically rewritten in encrypted form for security reasons.
  • Now restart Applications Manager and access it over the https scheme and the HTTPS port.

       If the certificates are to be imported into OpManager:
  • For OpManager builds older than 123181, put the absolute path of the OpManager.truststore file in the keystoreFile and truststoreFile attributes of OpManager-home\AppManager\working\apache\tomcat\conf\backup\server.xml, and its password in the keystorePass and truststorePass values.
  • For OpManager builds 123181 and newer, obtain the keystore and truststore file locations used by OpManager, set the keystoreFile and truststoreFile attributes in Applications Manager's backup server.xml to those paths, and set keystorePass and truststorePass to the respective passwords. On restart, Applications Manager points at the certificate files in OpManager.

2. Alternatively, import your certificate into the keystore file Applications Manager already uses (..\AppManager_home\working\apache\tomcat\appmanager.keystore) instead of replacing it or pointing to a separate keystore file. Refer to this link for example steps.


3. While generating the CSR, include the Subject Alternative Name (SAN) option below as well, replacing <fqdn> with the fully qualified domain name for which the certificate is being issued. The SAN field lets a single SSL certificate cover additional host names (sites, IP addresses, common names, etc.), as in a Multi-Domain (SAN) or Extended Validation Multi-Domain certificate. Modern browsers match the host name against the SAN entries rather than the Common Name, so a certificate without a matching SAN entry is rejected even when the CN is correct.
 -ext san=dns:<fqdn> 
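The CSR step above, as an added example that is not part of the original article or of the vendor's tooling: it drives the JDK keytool from Python to create a fresh PKCS12 keystore, request a CSR carrying the SAN extension, and decode the CSR with keytool -printcertreq so you can confirm the DNSName entries before sending it to the CA. It goes slightly beyond the text by accepting extra SAN entries (dns: or ip:) in keytool's comma-separated syntax. The alias "appmanager", the file name appmanager.p12 and the password are assumptions for the example; if keytool is not on PATH, generate_csr returns None instead of failing.

```python
"""Create a keystore and a SAN-bearing CSR with keytool, then verify the SAN.

Added example (not the article's or the vendor's code). Assumes a JDK/JRE
'keytool' binary is on PATH; ALIAS and the file names are hypothetical.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

KEYTOOL = shutil.which("keytool")  # None when no Java installation is present
ALIAS = "appmanager"               # hypothetical alias; use the one your Connector expects


def san_extension(fqdn, extra_sans=()):
    """Build the keytool -ext value: 'san=dns:<fqdn>[,dns:...,ip:...]'."""
    entries = ["dns:" + fqdn] + list(extra_sans)
    return "san=" + ",".join(entries)


def keytool_commands(keystore, fqdn, storepass, extra_sans=()):
    """Return the three keytool argument vectors (genkeypair, certreq, printcertreq)."""
    ks = str(keystore)
    csr = str(Path(keystore).with_suffix(".csr"))
    ext = san_extension(fqdn, extra_sans)
    exe = KEYTOOL or "keytool"
    # The private key is generated inside the keystore the server will use, so it
    # never leaves that file; the CA-issued chain is later imported into ALIAS.
    genkeypair = [exe, "-genkeypair", "-alias", ALIAS,
                  "-keyalg", "RSA", "-keysize", "2048", "-validity", "365",
                  "-storetype", "PKCS12", "-keystore", ks,
                  "-storepass", storepass, "-keypass", storepass,
                  "-dname", f"CN={fqdn}", "-ext", ext]
    # -ext on -certreq puts the SAN into the PKCS#10 extension request.
    certreq = [exe, "-certreq", "-alias", ALIAS,
               "-keystore", ks, "-storepass", storepass, "-keypass", storepass,
               "-ext", ext, "-file", csr]
    printreq = [exe, "-printcertreq", "-file", csr]
    return genkeypair, certreq, printreq


def generate_csr(fqdn, extra_sans=(), storepass="changeit", workdir=None):
    """Create keystore + CSR; return keytool's decoded view of the CSR, or None."""
    if KEYTOOL is None:
        return None
    workdir = Path(workdir or tempfile.mkdtemp(prefix="appm-csr-"))
    keystore = workdir / "appmanager.p12"
    genkeypair, certreq, printreq = keytool_commands(keystore, fqdn, storepass, extra_sans)
    subprocess.run(genkeypair, check=True, capture_output=True, text=True)
    subprocess.run(certreq, check=True, capture_output=True, text=True)
    return subprocess.run(printreq, check=True, capture_output=True, text=True).stdout


def csr_covers(decoded_csr, names):
    """True if every host name appears as a DNSName in the decoded CSR."""
    return all(f"DNSName: {n}" in decoded_csr for n in names)


if __name__ == "__main__":
    decoded = generate_csr("appm.example.com", ["dns:appm-alias.example.com"])
    if decoded is None:
        print("keytool not found on PATH")
    else:
        print(decoded)
        print("SAN present:", csr_covers(decoded, ["appm.example.com", "appm-alias.example.com"]))
```

Passing the password on the command line exposes it in the process list; for a real run, drop -storepass/-keypass so keytool prompts, or use keytool's -storepass:file form. Once the CA returns the certificate, import the chain into the same alias with keytool -importcert -trustcacerts so the private key and certificate pair up in that keystore.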

Note:
  • Back up the server.xml file and the 'appmanager.keystore' file before making changes, and restart Applications Manager after making them.
  • If you are using a Microsoft CA, submit the certificate request as a base64-encoded PKCS #10 file or a base64-encoded PKCS #7 file.
  • If you are using a .pfx or .p12 file as your keystore, additionally add keystoreType="PKCS12" and truststoreType="PKCS12" to the Connector in the server.xml file mentioned above.
  • If the new SSL certificate uses a 2048-bit private key, additionally download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the Oracle website and copy them into the Applications Manager installation. (These policy files lift the limit on symmetric cipher key lengths; JDK 8u161 and later enable unlimited strength by default, so this step only matters for older bundled JREs.)
  • The same keystore file and password must be used on the Admin server and on all Managed servers. (Enterprise edition only; skip this if you use the Professional edition.)
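The server.xml edits in step 1 and the PKCS12 note above, as an added example that is not from the original article or the vendor: a stdlib-only Python script that audits the HTTPS Connector for the mistakes the steps warn about (the KEYSTORE_FILE placeholder left in place, attribute names with the wrong case, a .pfx/.p12 keystore without keystoreType="PKCS12", a truststoreFile without truststorePass) and applies the rewrite (encryptedKeystorePass replaced by a clear keystorePass, keystoreFile set to the absolute path, optional truststore attributes added). The server.xml fragment is constructed to resemble the Applications Manager Connector and is not a copy of the shipped file; the paths and passwords are assumptions.

```python
"""Audit and rewrite the HTTPS Connector in Tomcat's server.xml for a custom keystore.

Added example (not the article's or the vendor's code). SAMPLE_SERVER_XML is a
constructed fragment; real files live under AppManager_home\working\apache\tomcat\conf\backup.
"""
import xml.etree.ElementTree as ET

# Constructed sample: KEYSTORE_FILE placeholder plus encryptedKeystorePass is the
# starting state the article describes.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- constructed sample, not the shipped file -->
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               protocol="HTTP/1.1" sslProtocol="TLS"
               keystoreFile="KEYSTORE_FILE" encryptedKeystorePass="c2VjcmV0" />
  </Service>
</Server>"""

TLS_ATTRS = ("keystoreFile", "keystorePass", "keystoreType",
             "truststoreFile", "truststorePass", "truststoreType")
PKCS12_SUFFIXES = (".pfx", ".p12")


def _parse(xml_text):
    """Parse while keeping comments (Python 3.8+) so a rewritten file stays readable."""
    try:
        parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    except TypeError:  # older Python: comments are dropped on rewrite
        parser = None
    return ET.fromstring(xml_text, parser=parser)


def ssl_connector(root):
    """Return the single Connector with SSLEnabled="true"."""
    conns = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if len(conns) != 1:
        raise ValueError(f"expected exactly one SSLEnabled Connector, found {len(conns)}")
    return conns[0]


def tls_problems(xml_text):
    """List the problems the article's steps warn about (empty list means OK)."""
    c = ssl_connector(_parse(xml_text))
    problems = []
    by_lower = {a.lower(): a for a in TLS_ATTRS}
    for name in c.attrib:                      # Tomcat attribute names are case-sensitive
        want = by_lower.get(name.lower())
        if want and name != want:
            problems.append(f"attribute '{name}' must be spelled '{want}' (case-sensitive)")
    ks = c.get("keystoreFile")
    if not ks or ks == "KEYSTORE_FILE":
        problems.append("keystoreFile is missing or still holds the KEYSTORE_FILE placeholder")
    if "keystorePass" not in c.attrib and "encryptedKeystorePass" not in c.attrib:
        problems.append("neither keystorePass nor encryptedKeystorePass is set")
    if ks and ks.lower().endswith(PKCS12_SUFFIXES) and c.get("keystoreType") != "PKCS12":
        problems.append('PKCS12 keystore needs keystoreType="PKCS12"')
    ts = c.get("truststoreFile")
    if ts and "truststorePass" not in c.attrib:
        problems.append("truststoreFile is set but truststorePass is missing")
    if ts and ts.lower().endswith(PKCS12_SUFFIXES) and c.get("truststoreType") != "PKCS12":
        problems.append('PKCS12 truststore needs truststoreType="PKCS12"')
    return problems


def configure_tls(xml_text, keystore_file, keystore_pass,
                  truststore_file=None, truststore_pass=None):
    """Apply the article's edits; return (rewritten_xml, connector_attributes)."""
    root = _parse(xml_text)
    c = ssl_connector(root)
    # encryptedKeystorePass becomes a clear keystorePass; Applications Manager
    # re-encrypts it on the next restart (per the article).
    c.attrib.pop("encryptedKeystorePass", None)
    c.set("keystoreFile", keystore_file)       # absolute path, replaces KEYSTORE_FILE
    c.set("keystorePass", keystore_pass)
    if keystore_file.lower().endswith(PKCS12_SUFFIXES):
        c.set("keystoreType", "PKCS12")
    if truststore_file:
        if not truststore_pass:
            raise ValueError("truststorePass is required when truststoreFile is set")
        c.set("truststoreFile", truststore_file)
        c.set("truststorePass", truststore_pass)
        if truststore_file.lower().endswith(PKCS12_SUFFIXES):
            c.set("truststoreType", "PKCS12")
    return ET.tostring(root, encoding="unicode"), dict(c.attrib)


if __name__ == "__main__":
    print("before:", tls_problems(SAMPLE_SERVER_XML))
    new_xml, attrs = configure_tls(SAMPLE_SERVER_XML, r"C:\certs\ourdomain.pfx", "s3cret")
    print("after :", tls_problems(new_xml))
    print(new_xml)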
