How to install a SSL Certificate in DPA (Linux)


Article Number: 532113    Article Version: 2    Article Type: How To




Data Protection Advisor,Data Protection Advisor Family,Data Protection Advisor 6.5,Data Protection Advisor 6.4,Data Protection Advisor 6.3,Data Protection Advisor 18.2,Data Protection Advisor 18.1





The following are general steps to install/import a signed certificate on the DPA Application Server for 6.2.1 and up in a Windows environment. These are generic steps that should work in many situations, but some environments require changes or additions to these steps, or a different procedure altogether.
    1. Make a copy of the apollo.keystore and standalone.xml files from dpa/services/standalone/configuration and the application-service.conf file from dpa/services/executive. If you need to revert to the original configuration, you can use these files to restore DPA to working order. Place the copies in a folder on the desktop for safekeeping and to avoid confusion.
    2. Open the copy of the standalone.xml file and search for 'key-alias'. You should see a line containing the key-alias and password like this:   

      <ssl name="ssl" key-alias="${apollo.keystore.alias:apollokey}" password="apollo"     
      For simplicity's sake, take note of this password and use it in the following steps.
      Note: It is possible to use a different password if the customer's environment requires it, but using this one is recommended because it avoids conflicts between the temporary keystore password, the alias (key) password and the original keystore password.
    3. From the <DPA DIR>/dpa/services/_jre/bin directory, run the following command to generate a new keystore from which the signed certificate will be requested:
      ./keytool -genkey -keyalg RSA -alias emcdpa -keysize 2048 -dname CN=  -keystore new.keystore      
      Note: You will need to change the alias, dname and keystore path to align with the environment. See the information below for further detail:
      The alias can be whatever the end user wants, but be sure to note the alias used here, as you will need it in the next steps. In this case, we are using emcdpa.
      The dname will be the same as the URL you use to access the GUI, i.e. https://<hostname>:9002. For example, if the application server name is dpaapp01, but the URL used to access it is, enter as the first/last name.
      The keystore path will vary based on where you wish to place the temporary keystore. You can redirect it to another path (e.g. tmp/new.keystore), or you can simply create a new keystore file in /dpa/services/_jre/bin as done here.
      ** When prompted to enter a password, use the password you extracted from standalone.xml (in this case, apollo).
    4. Use the following command to generate the certificate request (.csr), using the alias and keystore created in the previous step. The -storepass option lets you supply the keystore password on the command line; use the same password as in the previous step.
      ./keytool -certreq -alias emcdpa -ext san=dns: -keystore new.keystore -storepass apollo -file emcdpa.csr
      Note: We are adding an option here to specify the DNS name (-ext san=dns: ). This will be the same as the hostname, but will prevent browser errors as seen in
    5. At this point, make a copy of the temporary keystore as well. This avoids having to start from scratch should something go wrong during the import. Place the copy of the temporary keystore with the copies of the original files.
    6. Open 'emcdpa.csr' as a text file, copy the contents and use them to request the certificate signed by the CA. The CA should return a signed certificate (including the full certificate chain) in Base-64 encoded X.509 format.
      Depending on the format of the signed certificate, the import can happen a few different ways. If the customer receives a file containing the signed certificate and the full certificate chain, you should be able to import the certificate in one step. File types that typically contain all of this information include .pfx, .pkcs12, .p12 and .p7b.
      If you are sure that the signed certificate includes the full certificate chain (up to the root certificate), proceed to step 7. If you are unsure or would prefer to do it manually, see for more information.
    7. Import the signed certificate into new.keystore using the following command:
      ./keytool -import -trustcacerts -alias emcdpa -keystore new.keystore -file emcdpa.p7b -storepass apollo
      Then, verify that the certificate was imported correctly using:
      ./keytool -list -v -keystore new.keystore -storepass apollo
      If the certificate imported properly, you should see 'Entry type: PrivateKeyEntry', and the certificate chain length should match the chain you imported (for example, if it contains a signed certificate, an intermediate certificate and the root certificate, the chain length should be 3).
    8. Once you have successfully imported the signed certificate (and chain) into new.keystore, import new.keystore into apollo.keystore from dpa/services/bin:
      ./ app impcert -kf dpa/services/_jre/bin/new.keystore -al emcdpa -pw apollo
    9. From dpa/services/_jre/bin, check the contents of apollo.keystore after importing to make sure the certificate imported properly:
      ./keytool -list -v -keystore dpa/services/standalone/configuration/apollo.keystore -storepass apollo
    10. Restart application services and attempt to log into the GUI.
      ** If restarting services produces an error, application services fail to start, or you cannot access the GUI at this point:
      - Open application-service.conf and search for 'apollo.key'; you should see that the alias has been updated to the alias you imported (in this case, emcdpa).
      - Open standalone.xml with a text editor and search for 'key-alias'. You should see a line similar to the one below that shows the alias you imported:
      If not, you will need to change the key alias to match the one associated with the signed certificate. Also double-check that the password is the same as the one you have been using throughout.
      If you need to change the alias or password in these files: stop application services, edit and save the files, then restart services. If the issue persists, contact DPA support.
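The following POSIX shell script is an added example and is not part of the original article or of DPA's own tooling. It wraps steps 3, 4, 7 and 9 above: make_csr generates the temporary keystore and CSR with the hostname in both the CN and the SAN extension, count_pem_certs tells you how many certificates the CA bundle holds (so you know the chain length to expect), and check_keystore_entry parses `keytool -list -v` output and succeeds only when the alias is a PrivateKeyEntry with that chain length. An entry that shows up as trustedCertEntry instead means the certificate was imported under an alias that does not match the key pair, which is the usual cause of a GUI that still serves the old certificate. The alias emcdpa, the password apollo and the hostname are placeholders taken from the article; keytool is assumed to be on PATH only for make_csr and verify_alias, and both sample outputs are constructed, not captured from a real DPA server.

```shell
#!/bin/sh
# Added example, not from the DPA article. Assumes keytool is on PATH for
# make_csr/verify_alias; alias, password and hostname are placeholders.

# Steps 3 and 4: temporary keystore plus CSR. The GUI hostname goes into the
# CN and into a SAN extension, matching the article's "-ext san=dns:" note.
make_csr() {
    host="$1"; alias="$2"; store="$3"; pass="$4"
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$alias" \
        -dname "CN=$host" -ext "san=dns:$host" \
        -keystore "$store" -storepass "$pass" -keypass "$pass" &&
    keytool -certreq -alias "$alias" -ext "san=dns:$host" \
        -keystore "$store" -storepass "$pass" -file "$alias.csr"
}

# Step 6 check: number of certificates in a PEM bundle from the CA. This is
# the chain length to expect after the import. Reads a file argument or stdin.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$@"
}

# Steps 7 and 9 check: read `keytool -list -v` output on stdin and return 0
# only if ALIAS ($1) is a PrivateKeyEntry whose chain length equals $2.
# A trustedCertEntry under the alias has no chain length line and fails.
check_keystore_entry() {
    awk -v alias="$1" -v want="$2" '
        /^Alias name:/                               { cur = $3 }
        /^Entry type:/ && cur == alias               { type = $3 }
        /^Certificate chain length:/ && cur == alias { len = $4 }
        END {
            if (type == "PrivateKeyEntry" && len == want) exit 0
            exit 1
        }'
}

# Convenience wrapper for step 9 against a real keystore.
verify_alias() {
    store="$1"; pass="$2"; alias="$3"; expected="$4"
    keytool -list -v -keystore "$store" -storepass "$pass" |
        check_keystore_entry "$alias" "$expected"
}

# Constructed sample of `keytool -list -v` output (not real DPA output):
# emcdpa is correct (private key + 3-certificate chain), wrongalias is a
# certificate that was imported without being paired with a key.
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: emcdpa
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=dpaapp01.example.com
Issuer: CN=Example Issuing CA

Alias name: wrongalias
Creation date: Jan 1, 2020
Entry type: trustedCertEntry

Owner: CN=dpaapp01.example.com
Issuer: CN=Example Issuing CA'

# Constructed PEM bundle with three dummy certificate blocks (leaf,
# intermediate, root); the bodies are placeholders, not real certificates.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
dummy-leaf-base64
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
dummy-intermediate-base64
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
dummy-root-base64
-----END CERTIFICATE-----'

# Usage: sh dpa_cert_check.sh <gui-hostname>
# With a hostname argument this creates new.keystore and emcdpa.csr in the
# current directory; without one it only defines the functions above.
if [ $# -ge 1 ]; then
    make_csr "$1" emcdpa new.keystore apollo
fi
```

Run `verify_alias dpa/services/standalone/configuration/apollo.keystore apollo emcdpa 3` (or whatever count_pem_certs reported for your bundle) after step 8 to get a pass/fail exit status instead of reading the listing by eye.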