Use your own SSL certificates for the Application Manager
From v14260: options to create a Certificate Signing Request (CSR) and to import an SSL certificate into Applications Manager are available in the UI. Please refer to Manage Certificates for detailed steps.
Steps for Applications Manager versions below v14260:
Question: I would like to use my own SSL certificates for the Application Manager. We have a global certificate with our hosting provider (*.ourdomain.com); where can we configure this for use within our Application Manager instance?
Solution:
1. When you purchase an SSL certificate, the vendor provides certificate files which you need to import into a keystore file. The import can be done using any Java installation, OpenSSL installation or certificate manager tool.
- Shut down Applications Manager.
- To change the keystore file that holds your SSL certificate, go to the ..\AppManager_home\working\apache\tomcat\ directory and replace the 'appmanager.keystore' file with your keystore file.
- If your keystore file name is different, enter that file name with its absolute path in place of "KEYSTORE_FILE" in the \AppManager_home\working\apache\tomcat\conf\backup\server.xml file. If you have a truststore file, add a truststoreFile attribute next to keystoreFile and give its path.
- In this server.xml file, find the encryptedKeystorePass attribute, rename it to keystorePass and give the keystore password. If keystorePass is already present, use it.
Note:
- If a separate truststore file is used, add a truststorePass attribute next to the above attribute and give the truststore password.
- Both attributes are strictly case-sensitive.
- Once Applications Manager is restarted, the attribute(s) are automatically changed to encrypted format for security reasons.
- Now restart Applications Manager and access it over the https scheme and https port.
If certificates are to be imported into OpManager:
- For OpManager versions older than 123181, update the keystoreFile and truststoreFile attributes in OpManager-home\AppManager\working\apache\tomcat\conf\backup\server.xml with the absolute path of the OpManager.truststore file, and set its password in the keystorePass and truststorePass values.
- For OpManager versions 123181 and newer, obtain the keystore and truststore file locations from OpManager, update the keystoreFile and truststoreFile values in Applications Manager's server.xml in the backup folder, and set the respective keystore and truststore passwords in keystorePass and truststorePass. On restart, APM will point to the certificate files in OpManager.
2. Alternatively, you can import your certificate into the keystore file used by Applications Manager (..\AppManager_home\working\apache\tomcat\appmanager.keystore) instead of replacing the keystore or using a separate keystore file. Please refer to this link for the example steps.
3. While generating the CSR, include the option below (SAN) as well; the <fqdn> should be replaced with the fully qualified domain name for which the certificate is being issued. The Subject Alternative Name field lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL certificate, such as a Multi-Domain (SAN) or Extended Validation Multi-Domain certificate.
Note:
- Back up the server.xml and 'appmanager.keystore' files before making changes, and restart Applications Manager after making the changes.
- If you are using a Microsoft CA, ensure that you make the certificate request using a base64-encoded PKCS #10 file or a base64-encoded PKCS #7 file.
- If you are using a .pfx or .p12 file as your keystore, additionally add keystoreType="PKCS12" truststoreType="PKCS12" in the server.xml file mentioned above.
- If you are using a 2048-bit private key in the new SSL certificate, additionally download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the Oracle website and copy them into the AppManager installation.
- The same keystore file and password must be used in both the Admin server and the Managed servers. (Ignore this step if you use the Professional edition; it applies to the Enterprise edition.)
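The server.xml rules above (absolute keystoreFile, encryptedKeystorePass renamed to keystorePass, truststorePass alongside truststoreFile, keystoreType="PKCS12" for .pfx/.p12 files, exact attribute case) are easy to get wrong by hand. The following added check is not part of the Applications Manager documentation or product; it parses a server.xml and reports which of those rules a Connector breaks, using a constructed sample file and constructed paths.

```python
# Added example (not part of the Applications Manager docs): checks the HTTPS Connector
# in a Tomcat server.xml against this article's rules before restarting. Sample is constructed.
import ntpath
import posixpath
import xml.etree.ElementTree as ET
# Constructed server.xml: keystore swapped for a .pfx, encryptedKeystorePass not renamed,
# keystoreType missing, truststorePass missing, and one attribute with the wrong case.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="C:/certs/appmanager.pfx" encryptedKeystorePass="changeit"
             truststoreFile="C:/certs/truststore.jks" truststoretype="PKCS12" />
</Service></Server>"""

SSL_ATTRS = ("keystoreFile", "keystorePass", "keystoreType",
             "truststoreFile", "truststorePass", "truststoreType")
CANONICAL = {name.lower(): name for name in SSL_ATTRS}
PKCS12_EXT = (".pfx", ".p12")

def check_ssl_connector(server_xml: str) -> list:
    """Return human-readable problems in the HTTPS Connector(s); [] means clean."""
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector")
                  if c.get("scheme", "").lower() == "https" or c.get("SSLEnabled") == "true"]
    if not connectors:
        return ["no HTTPS Connector found"]
    problems = []
    for conn in connectors:
        attrs = conn.attrib
        # Attribute names are strictly case-sensitive: a wrongly-cased name is a different, unknown attribute.
        for name in attrs:
            canon = CANONICAL.get(name.lower())
            if canon and canon != name:
                problems.append(f"attribute '{name}' must be spelled '{canon}'")
        keystore = attrs.get("keystoreFile")
        if not keystore:
            problems.append("keystoreFile missing")
        else:
            if keystore == "KEYSTORE_FILE":
                problems.append("keystoreFile still holds the KEYSTORE_FILE placeholder")
            # Accept Windows (C:\...) and POSIX (/...) absolute paths whatever the host OS.
            elif not (posixpath.isabs(keystore) or ntpath.isabs(keystore)):
                problems.append(f"keystoreFile '{keystore}' is not an absolute path")
            if keystore.lower().endswith(PKCS12_EXT) and attrs.get("keystoreType") != "PKCS12":
                problems.append('.pfx/.p12 keystore needs keystoreType="PKCS12"')
        if "encryptedKeystorePass" in attrs and "keystorePass" not in attrs:
            problems.append("rename encryptedKeystorePass to keystorePass and set the password")
        if "truststoreFile" in attrs and "truststorePass" not in attrs:
            problems.append("truststoreFile set but truststorePass missing")
    return problems
```

Run it against the edited conf\backup\server.xml before the restart; after the restart the password attributes are re-encrypted by Applications Manager, so the encryptedKeystorePass finding is expected then.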