|Article Number: 532113||Article Version: 2||Article Type: How To|
Data Protection Advisor,Data Protection Advisor Family,Data Protection Advisor 6.5,Data Protection Advisor 6.4,Data Protection Advisor 6.3,Data Protection Advisor 18.2,Data Protection Advisor 18.1
The following are general steps to install/import a signed certificate on the DPA Application Server for 6.2.1 and up in a Windows environment. These are general or generic steps that should work in many situations, but there can be variations in some environments that require changes or additions to these steps or a different procedure altogether.
1. Make a copy of the apollo.keystore and standalone.xml files from dpa/services/standalone/configuration and the application-service.conf file from dpa/services/executive. In the event that you need to revert to the original configuration, you can use these files to restore DPA to working order. Place the copies in a folder on the desktop for safe keeping and to avoid confusion.
2. Open the copy of the standalone.xml file and search for 'key-alias'. You should see a line containing the key-alias and password like this:
For simplicity's sake, please take note of this password and use it in the following steps.
Note: It is possible to use a different password if the customer’s environment requires it, but the suggestion is to use this one as it limits issues due to password conflict between the temporary keystore password, alias password, and original keystore password.
./keytool -genkey -keyalg RSA -alias emcdpa -keysize 2048 -dname "CN=dpaapp01.emc.corp.com" -keystore new.keystore
Note: You will need to change the alias, the dname and the keystore path to align with the environment. Please see the information below for further detail:
The alias can be whatever the end-user wants, but be sure to note the alias used here as you will need it in the next steps. In this case, we are using emcdpa.
The dname will be the same as the hostname in the URL you use to access the GUI, i.e. https://<hostname>:9002. For example, if the application server name is dpaapp01, but the URL used to access it is https://dpaapp01.emc.corp.com:9002, enter dpaapp01.emc.corp.com as the first/last name (CN).
The keystore path will vary based on where you wish to place the temporary keystore. You can redirect it to another path (e.g. tmp/new.keystore), or you can simply create a new keystore file in /dpa/services/_jre/bin as we did here.
Note: When prompted to enter a password, use the password you extracted from standalone.xml (in this case, apollo).
Note: We are adding an option here to specify the DNS Subject Alternative Name (-ext san=dns:<hostname>). This will be the same as the hostname used in the dname, but it prevents the browser errors described in https://support.emc.com/kb/524905.
6. Open 'emcdpa.csr' as a text file, copy the contents and use it to request the certificate signed by the CA. They should return a signed certificate (including the full certificate chain) in Base-64 encoded X.509 format.
Depending on the format of the signed certificate, the import can happen a few different ways. If the customer receives a file containing the signed certificate and the full certificate chain, you should be able to import the certificate in one step. File types that typically contain all of this information include: .pfx, .pkcs12, .p12, .p7b
If you are sure that the signed certificate includes the full certificate chain (to the root certificate) proceed to step 7. If you are unsure or would prefer to do it manually, see https://support.emc.com/kb/532108 for more information.
7. Import the signed certificate into new.keystore using the following command:
Then, verify that the certificate was imported correctly using:
./keytool -list -v -keystore new.keystore -storepass apollo
If the certificate imported properly, you should see 'Entry type: PrivateKeyEntry', and the certificate chain length should represent the certificate chain accurately (for example, if dpaapp01.emc.corp.com contains a signed certificate, an intermediate certificate and the root certificate, the chain length should be 3).
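The checks above (entry type, chain length, and the hostname in the dname/SAN matching the GUI URL) are easy to get wrong by eye when a keystore holds several entries. The following is an added example, not part of the original article or a DPA tool: it parses the text that `keytool -list -v` prints and reports the problems a practitioner should look for before restarting services. The keytool output embedded below is constructed sample data, and the hostname, alias and chain shown are assumptions for illustration only.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `keytool -list -v -keystore new.keystore` output (not real output).
SAMPLE_KEYTOOL_OUTPUT = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: emcdpa
Creation date: Jan 1, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=dpaapp01.emc.corp.com
Issuer: CN=Example Issuing CA, O=Example Corp
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: dpaapp01.emc.corp.com
]

Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Signature algorithm name: SHA256withRSA

Certificate[3]:
Owner: CN=Example Root CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Signature algorithm name: SHA256withRSA
"""


def parse_keytool_entries(text):
    """Split `keytool -list -v` output into a dict keyed by alias."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Alias name: (.+)", line)
        if m:
            current = {"alias": m.group(1).strip(), "entry_type": None,
                       "chain_length": 0, "certs": []}
            entries[current["alias"]] = current
            continue
        if current is None:
            continue
        m = re.match(r"Entry type: (.+)", line)
        if m:
            current["entry_type"] = m.group(1).strip()
            continue
        m = re.match(r"Certificate chain length: (\d+)", line)
        if m:
            current["chain_length"] = int(m.group(1))
            continue
        if re.match(r"Certificate\[\d+\]:", line):
            current["certs"].append({"owner": None, "issuer": None, "sans": []})
            continue
        m = re.match(r"Owner: (.+)", line)
        if m:
            # trustedCertEntry entries print Owner: without a Certificate[n] header
            if not current["certs"]:
                current["certs"].append({"owner": None, "issuer": None, "sans": []})
            current["certs"][-1]["owner"] = m.group(1).strip()
            continue
        m = re.match(r"Issuer: (.+)", line)
        if m and current["certs"]:
            current["certs"][-1]["issuer"] = m.group(1).strip()
            continue
        m = re.match(r"\s*DNSName: (.+)", line)
        if m and current["certs"]:
            current["certs"][-1]["sans"].append(m.group(1).strip())
    return entries


def extract_cn(dn):
    """Pull the CN attribute out of a distinguished name string."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn or "")
    return m.group(1).strip() if m else None


def check_server_entry(entries, alias, gui_url, expected_chain_length):
    """Return a list of problems; an empty list means the entry looks correct."""
    entry = entries.get(alias)
    if entry is None:
        return [f"alias '{alias}' not found in keystore"]
    problems = []
    if entry["entry_type"] != "PrivateKeyEntry":
        problems.append(f"entry type is {entry['entry_type']}, expected PrivateKeyEntry")
    if entry["chain_length"] != expected_chain_length:
        problems.append(f"chain length {entry['chain_length']} != expected {expected_chain_length}")
    certs = entry["certs"]
    if not certs:
        return problems + ["no certificate found in entry"]
    host = urlsplit(gui_url).hostname
    leaf = certs[0]
    if extract_cn(leaf["owner"]) != host:
        problems.append(f"leaf CN {extract_cn(leaf['owner'])!r} does not match GUI host {host!r}")
    if host not in leaf["sans"]:
        problems.append(f"SAN does not list GUI host {host!r}")
    # Each certificate must be issued by the next one up, ending in a self-signed root.
    for cert, issuer_cert in zip(certs, certs[1:]):
        if cert["issuer"] != issuer_cert["owner"]:
            problems.append(f"issuer {cert['issuer']!r} does not match next owner {issuer_cert['owner']!r}")
    if certs[-1]["issuer"] != certs[-1]["owner"]:
        problems.append("chain does not end at a self-signed root certificate")
    return problems


if __name__ == "__main__":
    found = check_server_entry(parse_keytool_entries(SAMPLE_KEYTOOL_OUTPUT),
                               "emcdpa", "https://dpaapp01.emc.corp.com:9002", 3)
    print("OK" if not found else "\n".join(found))
```

To use it against a real keystore, redirect the output of `./keytool -list -v -keystore new.keystore -storepass <password>` to a file and pass its contents to `parse_keytool_entries` in place of the sample; the expected chain length is the number of certificates the CA returned (leaf plus intermediates plus root).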
8. Once you have successfully imported the signed certificate (and chain) into new.keystore, please import new.keystore into apollo.keystore from dpa/services/bin:
9. From dpa/services/_jre/bin check the contents of apollo.keystore after importing to make sure the certificate imported properly:
./keytool -list -v -keystore dpa/services/standalone/configuration/apollo.keystore -storepass apollo
10. Restart application services and attempt to log into the GUI.
- Open application-service.conf and search for 'apollo.key'; you should see that the alias has been updated to the alias you imported (in this case, emcdpa).
- Open standalone.xml with a text editor and search for 'key-alias'. You should see a line similar to the one below that shows the alias you imported:
If not, you will need to change the key alias to match the one associated with the signed certificate. Also, double check that the password is the same as you've been using throughout.
If you need to change the alias or password in these files: stop application services, edit and save the files, and restart services. If the issue persists, contact DPA support.