|Article Number: 532109||Article Version: 3||Article Type: How To|
Data Protection Advisor,Data Protection Advisor Family,Data Protection Advisor 18.1,Data Protection Advisor 18.2,Data Protection Advisor 6.3,Data Protection Advisor 6.4,Data Protection Advisor 6.5
In some cases a customer's CA (Certificate Authority) will already have provided a signed certificate. Some customers' procedures require that they generate or retrieve a certificate in this way. This typically happens when the CA issues a wildcard certificate or when a server goes by multiple domain names.
In these cases it may be possible to import the signed certificate into apollo.keystore directly, but only if the file received contains the full certificate chain and the private key.
Certificate formats that can contain the private key are listed below:
PKCS#12 (.pfx or .p12): stores the server certificate, the intermediate certificate(s) and the private key in a single password-protected file. Because the file contains the full chain and the private key, it can be imported directly into apollo.keystore. You will need the alias under which the key is stored and the file's password (referred to below as the alias password); the owner of the certificate should have both.
PEM (.pem, .crt, .cer or .key): can include the server certificate, the intermediate certificate and the private key in a single file. The server and intermediate certificates are often delivered in separate .crt or .cer files with the private key in a .key file; separate files are not sufficient for a direct import. Note also that keytool cannot read a private key from a PEM file. Once you have a single PEM file containing the chain and the key, convert it to PKCS#12 first (for example with openssl pkcs12 -export -in bundle.pem -name <alias> -out bundle.pfx) and then import the .pfx as described below.
You can check by opening the file in a text editor. Each certificate is enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and the private key between -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines (a key in PKCS#8 form uses -----BEGIN PRIVATE KEY----- or -----BEGIN ENCRYPTED PRIVATE KEY----- instead). Ensure that the number of certificate blocks matches the number of certificates in the chain (server plus intermediates) and that the file contains exactly one private-key block, commonly at the end. If the file does not contain the full certificate chain and the private key, the certificate will need to be imported into the keystore from which its request was generated. If you are unsure about the certificate chain, see https://support.emc.com/kb/532108
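The check described above, scripted, as an added example that is not part of the article: it counts certificate blocks and private-key blocks in a PEM file and reports whether the bundle is complete. It assumes a POSIX shell with grep (the article shows Windows paths; the same check can be run in any shell that has grep). It accepts PKCS#8 and EC key headers as well as the RSA header the article mentions, because many CAs deliver keys in those forms. The three sample bundles are constructed placeholders with dummy bodies, not real certificates or keys.

```shell
#!/bin/sh
# Added example, not from the DPA article: check a PEM bundle by counting
# certificate blocks and private-key blocks. Assumes POSIX sh with grep.
# The sample bundles below are constructed placeholders, not real material.

# Number of certificate blocks in the file ($1).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true   # grep exits 1 on zero matches
}

# Number of private-key blocks. Accepts the PKCS#1 "RSA PRIVATE KEY" header the
# article shows, plus PKCS#8 ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY") and EC headers.
pem_key_count() {
    grep -c -E '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" || true
}

# Returns 0 when the bundle has exactly $2 certificate blocks (server plus
# intermediates) and exactly one private key; 1 otherwise, with the reason on stderr.
pem_bundle_ok() {
    certs=$(pem_cert_count "$1")
    keys=$(pem_key_count "$1")
    if [ "$certs" -ne "$2" ]; then
        echo "$1: expected $2 certificate blocks, found $certs" >&2
        return 1
    fi
    if [ "$keys" -ne 1 ]; then
        echo "$1: expected exactly one private-key block, found $keys" >&2
        return 1
    fi
    return 0
}

# --- constructed sample bundles (dummy base64 bodies) ---
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Server cert + intermediate + PKCS#1 key: complete, convert to PKCS#12 and import.
cat > "$SAMPLE_DIR/full_bundle.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIDplaceholderServerCertificateBodyNotARealCert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDplaceholderIntermediateCertificateBodyNotARealCert
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderPrivateKeyBodyNotARealKey
-----END RSA PRIVATE KEY-----
EOF

# Chain only: the key was delivered separately, so not importable as-is.
cat > "$SAMPLE_DIR/certs_only.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIDplaceholderServerCertificateBodyNotARealCert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDplaceholderIntermediateCertificateBodyNotARealCert
-----END CERTIFICATE-----
EOF

# Single cert + PKCS#8 key header, which an RSA-only search would miss.
cat > "$SAMPLE_DIR/pkcs8_bundle.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIDplaceholderServerCertificateBodyNotARealCert
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEplaceholderPkcs8KeyBodyNotARealKey
-----END PRIVATE KEY-----
EOF

# name:expected-chain-length pairs for the demonstration run
for f in full_bundle:2 certs_only:2 pkcs8_bundle:1; do
    file="$SAMPLE_DIR/${f%%:*}.pem"
    if pem_bundle_ok "$file" "${f##*:}"; then
        echo "${f%%:*}: chain and key present, convert to PKCS#12 and import"
    else
        echo "${f%%:*}: not importable as-is"
    fi
done
```

The expected chain length is passed in explicitly because a file that merely "has some certificates" is not enough: a missing intermediate passes a naive check and only shows up later as a browser trust error.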
Once you have verified that the full certificate chain and the private key are in one file, you have everything needed to import the certificate into DPA using the following steps:
1. Make a copy of the apollo.keystore and standalone.xml files from dpa\services\standalone\configuration and of the application-service.conf file from dpa\services\executive. If you need to revert to the original configuration, these copies will restore DPA to working order. Place them in a folder on the desktop for safekeeping and to avoid confusion.
2. Open the copy of the standalone.xml file and search for 'key-alias'. You should see a line containing the key-alias and password like this:
keytool -importkeystore -srckeystore "c:\Program files\emc\dpa\services\standalone\configuration\wildcard.pfx" -srcstoretype pkcs12 -destkeystore "c:\Program files\emc\dpa\services\standalone\configuration\apollo.keystore" -deststoretype JKS
Note: specify the correct locations of the signed certificate file (-srckeystore) and of apollo.keystore (-destkeystore). The example below shows what you will be asked to enter:
Enter destination keystore password: (apollo.keystore password- check standalone.xml)
Enter source keystore password: (alias password-owner of certificate will know this)
Entry for alias my_alias successfully imported.
Import command completed:1 entries successfully imported, 0 entries failed or cancelled
(Enter the apollo.keystore password)
- Open standalone.xml with a text editor and search for 'key-alias'. You should see a line similar to the one below, showing the alias you imported:
If not, change the key-alias to match the alias of the signed certificate. Also double-check that the password on this line is the apollo.keystore password you have been entering throughout.
If you need to change the alias or password in these files:
A. Stop the application services.
B. Edit and save the files.
C. Restart the services.
D. If the issue persists, contact DPA support.
Proceed to run the 'dpa app impcert' command, as described in the Installation and Administration Guide, to import the certificate and private key that you added to apollo.keystore into the DPA application server:
C:\Program Files\EMC\DPA\services\bin>dpa app impcert -kf "C:\Program Files\EMC\DPA\services\standalone\configuration\apollo.keystore" -al xxx -pw yyy
EMC Data Protection Advisor
Certificate import complete. Please restart the app server for changes to take effect.
Command completed successfully.
Completed in : 1.4secs
To run that command, take the alias (xxx, for the '-al' switch) from the output of the following keytool command, which lists the contents of apollo.keystore:
keytool -list -v -keystore "c:\Program files\emc\dpa\services\standalone\configuration\apollo.keystore"
Look for the 'Alias name:' line.
Take the password (yyy, for the '-pw' switch) from the <install_dir>\services\standalone\configuration\standalone.xml file; search for 'password=' on the line that contains the key-alias.
Finally, restart the application services and open the DPA GUI in a browser. The browser should now present the imported certificate.
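The procedure above as a script, added here as an example; it is not part of the article or of the DPA product. It assumes a POSIX shell (the article shows Windows paths; the keytool commands themselves are the same wherever Java runs), keytool on PATH, a DPA installation directory containing the three files named in step 1, and that the key-alias line in standalone.xml has the form <ssl ... key-alias="..." password="..."/>, which the article does not show, so adjust the sed patterns if your file differs. The sample configuration tree and the keytool listing used in the demonstration are constructed stand-ins, so the script runs without DPA or keytool installed; only import_pkcs12 needs the real keystore.

```shell
#!/bin/sh
# Added example, not from the DPA article or product: the import procedure as a
# script with the checks a practitioner would add around keytool.
# Assumptions: POSIX sh; keytool on PATH for import_pkcs12; standalone.xml holds
# an <ssl ... key-alias="..." password="..."/> line (layout assumed, not shown in
# the article). The sample files written below are constructed placeholders.

# Step 1: back up the three files the article names before touching anything.
backup_config() {            # backup_config DPA_HOME BACKUP_DIR
    mkdir -p "$2" &&
    cp "$1/services/standalone/configuration/apollo.keystore" "$2/" &&
    cp "$1/services/standalone/configuration/standalone.xml" "$2/" &&
    cp "$1/services/executive/application-service.conf" "$2/"
}

# Step 2: read the alias and keystore password DPA is configured with.
standalone_key_alias() {     # standalone_key_alias STANDALONE_XML
    sed -n 's/.*key-alias="\([^"]*\)".*/\1/p' "$1" | head -n 1
}
standalone_keystore_password() {   # password attribute on the key-alias line only
    grep 'key-alias=' "$1" | sed -n 's/.* password="\([^"]*\)".*/\1/p' | head -n 1
}

# The article's import command. keytool prompts for both passwords; do not pass
# -srcstorepass/-deststorepass on the command line, they would end up in shell
# history and in process listings visible to other users.
import_pkcs12() {            # import_pkcs12 SIGNED.pfx APOLLO.keystore
    keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 \
            -destkeystore "$2" -deststoretype JKS
}

# Parse the "Alias name:" lines out of `keytool -list -v` output read from stdin.
aliases_from_listing() {
    sed -n 's/^Alias name: *//p'
}

# Confirm the alias in standalone.xml exists in the keystore listing (stdin).
# If it does not, the key-alias must be changed with the services stopped.
alias_is_in_keystore() {     # alias_is_in_keystore ALIAS < listing
    aliases_from_listing | grep -qx -- "$1"
}

# --- demonstration on constructed data (no DPA or keytool needed) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/dpa/services/standalone/configuration"
mkdir -p "$CONF" "$WORK/dpa/services/executive"
: > "$CONF/apollo.keystore"                        # empty stand-in for the keystore
: > "$WORK/dpa/services/executive/application-service.conf"
cat > "$CONF/standalone.xml" <<'EOF'
<ssl name="https" key-alias="my_alias" password="changeit" certificate-key-file="apollo.keystore"/>
EOF
# Constructed stand-in for `keytool -list -v -keystore apollo.keystore` output.
LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: my_alias
Creation date: 01-Jan-2019
Entry type: PrivateKeyEntry
Certificate chain length: 2'

backup_config "$WORK/dpa" "$WORK/backup"
ALIAS=$(standalone_key_alias "$CONF/standalone.xml")
if printf '%s\n' "$LISTING" | alias_is_in_keystore "$ALIAS"; then
    echo "alias '$ALIAS' is in the keystore; next: dpa app impcert -kf apollo.keystore -al $ALIAS -pw <password from standalone.xml>"
else
    echo "alias '$ALIAS' not found in keystore; fix key-alias in standalone.xml before running impcert" >&2
fi
```

The alias check is the step most worth automating: 'dpa app impcert' and the application server both fail in unhelpful ways when standalone.xml names an alias that is not in apollo.keystore, so comparing the two before restarting services saves a round of backup restores.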