In the last part we discussed enabling SSO for BMC BSM products. In this section we discuss SSL certificate creation and configuration.
SSL Configuration procedure
This section describes the simplest approach to generating a self-signed certificate using the Java keytool.
Generate keypair
1. Go to the JRE installation directory and execute the following command to generate the keypair:
keytool -genkeypair -keyalg RSA -alias Atriumsso -sigalg SHA256withRSA -keystore keystore.p12 -keysize 2048 -storepass changeit -storetype PKCS12 -providername JsafeJCE -ext SAN=dns:myhost.domain.com,dns:mydns.domain.com
Here myhost.domain.com is the host name of my SSO server and mydns.domain.com is the DNS name of the server. If you are using a different DNS name to access the SSO URL, you have to include these names during certificate generation, else you will get certificate errors when you access the URL. You can add multiple DNS names separated by commas (each prefixed with dns:).
2. When prompted for first and last names, enter the fully qualified domain name (FQDN) of the BMC Atrium Single Sign-On Server. Then enter the organisation unit, organisation name etc.
3. The file “keystore.p12” will be generated in the default user directory, e.g. C:\Users\Admin.
Generate CSR
4. Generate the CSR file and send it to a certification authority for signing:
keytool -certreq -alias Atriumsso -sigalg SHA256withRSA -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE -v -file Atriumsso.csr -ext SAN=dns:myhost.domain.com,dns:mydns.domain.com
5. The file will be generated in the default user directory with the file name “Atriumsso.csr”.
6. Get this certificate request signed by the certification authority. Once you receive the signed certificate, import the certificates in order: the root certificate first, then the intermediate certificate, and finally the signed server certificate.
Import Signed Certificate
7. Import the Root CA Certificate
keytool -importcert -alias rootca -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE -file globalsignrootCA.cer
8. Import the Intermediate CA Certificate
keytool -importcert -alias caintermediate -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE -file intermediateCA.cer
9. Import the CA-signed server certificate into the Atriumsso alias (the same alias that holds the private key)
keytool -importcert -alias Atriumsso -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE -file assosigned.cer
globalsignrootCA.cer, intermediateCA.cer and assosigned.cer are the files provided by the certification authority (CA).
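Step 1 warns that any DNS name used in the SSO URL but missing from the SAN list produces certificate errors. The following added example (not part of the original article) performs the same host-name check a TLS client performs, against a certificate in the dictionary form Python's ssl.SSLSocket.getpeercert() returns; the certificate and the candidate host names are constructed samples that reuse the names from the keytool commands above.

```python
"""Check that every host name used to reach the SSO URL is covered by the
certificate's Subject Alternative Names, the way a TLS client checks it."""

# Certificate as returned by ssl.SSLSocket.getpeercert() (constructed sample,
# mirroring the SAN entries passed to keytool -genkeypair above).
SSO_CERT = {
    "subject": ((("commonName", "myhost.domain.com"),),),
    "subjectAltName": (("DNS", "myhost.domain.com"), ("DNS", "mydns.domain.com")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, wildcard allowed only as the
    whole left-most label, and never spanning more than one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire left-most label and at least two labels
    # must follow it ("*.com" is not an acceptable pattern).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_covered(cert: dict, hostname: str) -> bool:
    """True if hostname matches a DNS SAN entry. Modern clients require a DNS
    SAN and do not fall back to the Common Name, so CN-only certs fail here."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_matches(san, hostname) for san in sans)


def uncovered_hostnames(cert: dict, hostnames) -> list:
    """Names that would produce a certificate error when used in the SSO URL."""
    return [h for h in hostnames if not hostname_covered(cert, h)]


if __name__ == "__main__":
    # Every host name the SSO server will be reached by (constructed list).
    candidates = ["myhost.domain.com", "MYDNS.domain.com", "sso.domain.com", "myhost"]
    for name in uncovered_hostnames(SSO_CERT, candidates):
        print(f"not covered by SAN, add it with -ext SAN=dns:... at generation time: {name}")
```

Run it before sending the CSR: any name it reports has to be added to the SAN list in step 1, since a CA-signed certificate cannot be amended afterwards.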
To list the available certificates in a store, use the following command:
keytool -list -v -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE
Use the following command to delete an existing alias entry from the keystore:
keytool -delete -alias Atriumsso -keystore keystore.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE
List Trusted CA Certs
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts