Inok Systems

BMC Atrium SSO SSL Implementation and Best Practices – Part 2



In the last part we discussed enabling SSO for the BMC BSM products. In this part we cover creating and configuring the SSL certificate for the BMC Atrium Single Sign-On server.

SSL Configuration procedure

This section describes the simplest approach: generate a self-signed certificate with the Java keytool, then have it signed by a certification authority and import the resulting chain into the same keystore.

Generate keypair

1.   Go to the bin directory of the JRE used by Atrium SSO and execute the following command to generate the key pair:

keytool -genkeypair -keyalg RSA -alias Atriumsso -sigalg SHA256withRSA -keystore keystore.p12 -keysize 2048 -storepass changeit -storetype PKCS12 -providername JsafeJCE -ext SAN=dns:myhost.domain.com,dns:mydns.domain.com

Here myhost.domain.com is the host name of the SSO server and mydns.domain.com is the DNS alias under which the server is reached. The subject alternative name (SAN) is passed with the -ext option, and every entry must carry the dns: prefix. If users access the SSO URL under a different DNS name, include that name here as well; otherwise browsers will report a certificate name mismatch when the URL is opened. Multiple names are separated by commas.

Two caveats: changeit is keytool's well-known default password and must be replaced on a production system, and without a -validity option keytool issues the self-signed certificate for its default of 90 days, so add -validity <days> if the self-signed certificate is to be used for more than a short test.

 

2.   When prompted for first and last name, enter the fully qualified domain name (FQDN) of the BMC Atrium Single Sign-On server. Then enter the organisational unit, organisation name and the remaining fields.

3.   The file "keystore.p12" is written to the directory the command was run from (for example C:\Users\Admin when the command is run from the user's home directory).

Generate CSR

4.   Generate the CSR file and send it to a certification authority for signing. Note that a CSR is produced with -certreq; -exportcert would export the existing self-signed certificate, not a signing request.

keytool -certreq -alias Atriumsso -sigalg SHA256withRSA -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE -ext SAN=dns:myhost.domain.com,dns:mydns.domain.com -v -file Atriumsso.csr

5.   The file "Atriumsso.csr" is written to the same directory as the keystore. Many certification authorities take the SAN list from their order form rather than from the CSR, so confirm that the issued certificate contains every required name before importing it.

6.   Have the CSR signed by the certification authority. Once you receive the signed certificate, import the certificates in this order: the root CA certificate first, then the intermediate CA certificate, and finally the signed server certificate. The order matters because keytool validates each certificate against the issuers already present in the keystore.

Import Signed Certificate

7.   Import the Root CA Certificate

keytool -importcert -alias rootca -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE -file globalsignrootCA.cer
 

8.   Import the Intermediate CA Certificate

keytool -importcert -alias caintermediate -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE -file intermediateCA.cer
 

9.   Import the Signed Server Certificate

keytool -importcert -alias Atriumsso -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE -file assosigned.cer

The signed certificate is imported under the same alias as the private key (Atriumsso), so it replaces the self-signed certificate generated in step 1; keytool can build the chain because the root and intermediate certificates were imported first. globalsignrootCA.cer, intermediateCA.cer and assosigned.cer are the files provided by the certification authority.
To list the certificates in a keystore, use the following command:

keytool -list -v -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE

 

Use the following command to delete an existing alias entry from the keystore:

keytool -delete -alias Atriumsso -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE
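The whole procedure (steps 1 to 9) as one script, added here as an example; it is not part of the original post or of BMC's documentation. It uses the -ext SAN syntax keytool expects, a -dname so key generation runs without prompts, and ends with the check a practitioner wants after steps 3 and 9: which DNS names the certificate under the alias actually carries. Host names, passwords, the organisation fields and file names are assumptions. The -providername JsafeJCE option from the post exists only on the Atrium SSO JRE, so the script takes it from the PROVIDER_OPTS variable and leaves it empty by default; the CA import functions are defined but only run once real CA files are available.

```shell
#!/bin/sh
# Added example (not from the original post): the Atrium SSO keytool procedure
# as one script, with the SAN fix and a check of the resulting certificate.
# All host names, passwords, organisation fields and paths are assumptions.
set -eu

KEYSTORE="${KEYSTORE:-keystore.p12}"
ALIAS="${ALIAS:-Atriumsso}"
STOREPASS="${STOREPASS:-changeit}"   # keytool's well-known default; change it in production
# The post runs on the Atrium SSO JRE and passes the RSA BSAFE provider. A stock
# JRE has no such provider, so this stays empty unless you set it, e.g.
#   PROVIDER_OPTS="-providername JsafeJCE" sh atrium-ssl.sh
PROVIDER_OPTS="${PROVIDER_OPTS:-}"

# Build the extension string keytool expects: "SAN=dns:name1,dns:name2,...".
# Every name needs the dns: prefix; keytool rejects a bare host name here.
san_ext() {
  out="SAN="; sep=""
  for name in "$@"; do
    out="${out}${sep}dns:${name}"
    sep=","
  done
  printf '%s' "$out"
}

# Steps 1-3: key pair and self-signed certificate. The first argument is the
# server FQDN (used as CN); all arguments go into the SAN. -dname replaces the
# interactive prompts and -validity overrides keytool's 90-day default.
gen_keypair() {
  fqdn="$1"
  # $PROVIDER_OPTS is intentionally unquoted so it word-splits into options.
  keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -alias "$ALIAS" -dname "CN=${fqdn},OU=IT,O=Example Org,C=US" -validity 825 \
    -ext "$(san_ext "$@")" \
    -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS" \
    $PROVIDER_OPTS
}

# Step 4: the CSR. -certreq (not -exportcert) produces a signing request.
gen_csr() {
  keytool -certreq -alias "$ALIAS" -sigalg SHA256withRSA -ext "$(san_ext "$@")" \
    -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS" \
    $PROVIDER_OPTS -file "${ALIAS}.csr"
}

# Steps 7-9: root, intermediate, then the signed server certificate. The last
# import uses the key's alias so it replaces the self-signed certificate, and
# keytool can validate the chain because the CA certificates are already present.
import_one() {
  keytool -importcert -noprompt -alias "$1" -file "$2" \
    -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS" $PROVIDER_OPTS
}
import_chain() {
  import_one rootca "$1"
  import_one caintermediate "$2"
  import_one "$ALIAS" "$3"
}

# The check: DNS names carried by the certificate stored under the alias,
# printed sorted and space-separated. Run it after step 3 and again after step 9.
cert_dns_names() {
  keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storetype PKCS12 \
    -storepass "$STOREPASS" $PROVIDER_OPTS \
    | tr -d '\r' | sed -n 's/^ *DNSName: *//p' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Demo of the self-signed part in a scratch directory when keytool is on the PATH.
# The import step needs the real CA files, so it is shown but not run here.
if command -v keytool >/dev/null 2>&1; then
  cd "$(mktemp -d)"
  gen_keypair myhost.domain.com mydns.domain.com
  gen_csr myhost.domain.com mydns.domain.com
  echo "Certificate under alias $ALIAS covers: $(cert_dns_names)"
  # Once the CA replies: import_chain globalsignrootCA.cer intermediateCA.cer assosigned.cer
fi
```

If the final cert_dns_names output after the import lacks a name users actually type into the browser, the CA issued the certificate without that SAN entry and the name mismatch described above will appear regardless of what the CSR contained.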

List Trusted CA Certs

To list the CA certificates the JRE itself trusts (the default password of this store is changeit):

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
