Data Loss Prevention

  • 1.  Valid SSL certificate on Enforce Server

    Posted Aug 06, 2010 02:10 PM
    Hi folks,

    I'd like to generate a valid certificate for my Enforce server to get rid of that error message of the self signed cert.  We have a CA that I can generate the cert on - does anyone have any instructions on how to install it?  Has anyone else tried to do this?

    Thanks!


  • 2.  RE: Valid SSL certificate on Enforce Server

    Posted Aug 06, 2010 07:04 PM
    It's pretty easy to use a self-signed certificate. Please pay attention: if you are using your own CA you won't need to generate a new key as said in this KB; you will just need to import your own.
    See this KB:


    How to create a self-signed SSL certificate

    Applies To

      • Enforce 10.0, 8.0, 9.0
      • Vontu Enforce

    Problem Summary

      How to create a self-signed SSL certificate for the Vontu UI

    Solution


    In general, the following steps will generate a clean self-signed SSL certificate:

    1) Delete existing keystore

    >del .keystore

    2) Generate new keystore file with the required parameters and register the certificate

    >keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore .keystore -validity 365 -storepass <PASSWD> -dname <PARAMETER>

    Enter key password for <tomcat>
            (RETURN if same as keystore password):

    >keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass <PASSWD> -file "VontuEnforce.csr"

    3) Send the VontuEnforce.csr to the CA admin, so that they can generate a chained cert file in PKCS#7 format.
    You can create chained certificates yourself by using services such as https://www.sslshopper.com/ssl-converter.html

    4) Copy the VontuEnforce.p7b chained cert file to the current directory

    5) Import the chained certificate

    >keytool -import -alias tomcat -keystore .keystore -trustcacerts -file VontuEnforce.p7b
    Enter keystore password:  *******

    Top-level certificate in reply:

    Owner: XXXXXX
    Issuer: XXXXXX
    Serial number: XXXXXX
    Valid from: XXXXXX until: XXXXXX
    Certificate fingerprints:
             MD5:  **Deleted**
             SHA1: **Deleted**

    ... is not trusted. Install reply anyway? [no]:  y
    Certificate reply was installed in keystore

    6) Then the .keystore file has to be copied to vontu\protect\tomcat\conf and the "Vontu Manager" service needs to be restarted.


    Alternatively you can perform the steps as outlined in: http://www.exampledepot.com/egs/java.security.cert/CreateCert.html

    This example uses the keytool program to create a new key pair and self-signed certificate for the principal Duke. The example generates a 1024-bit Digital Signature Algorithm (DSA) key pair.

        > keytool -genkey -alias alias -keystore .keystore
        Enter keystore password: password
        What is your first and last name?
          [Unknown]: Duke
        What is the name of your organizational unit?
          [Unknown]: JavaSoft
        What is the name of your organization?
          [Unknown]: Sun
        What is the name of your City or Locality?
          [Unknown]: Cupertino
        What is the name of your State or Province?
          [Unknown]: CA
        What is the two-letter country code for this unit?
          [Unknown]: US
        Is <CN=Duke, OU=JavaSoft, O=Sun, L=Cupertino, ST=CA, C=US> correct?
          [no]: yes

    To create a 1024-bit RSA key:

        > keytool -genkey -keyalg RSA -keysize 1024 -alias alias -keystore .keystore


    The above example command should do the following:

        * Create a keystore file, .keystore, containing one entry under the given alias.
        * Generate a private/public key pair, using the specified algorithm (or the default if none is specified).
        * Generate a certificate chain consisting of a single self-signed certificate for the public key.
        * Insert a key entry into the keystore holding the private key and that certificate chain.

    The following command shows that we do have a key entry in the keystore file:

    keytool -list -keystore .keystore -storepass <password>


    Kind Regards,
    Naor Penso






  • 3.  RE: Valid SSL certificate on Enforce Server

    Posted Aug 10, 2010 10:38 AM
    Thanks for your info Naor.  I used it along with some info from the Internet and what I experienced with my server to create this procedure.

    1) Get your existing keystore password out of your server.xml file:

        Go to C:\Vontu\Protect\tomcat\conf\server.xml

        Open it with a text editor like Notepad.  You will find an entry like the one
        below with your existing keystore password.  Tomcat uses this password to unlock
        the keystore whenever it restarts the daemon.  In my example here the password
        is "MyPassword".

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Service name="Catalina">
        <Connector URIEncoding="UTF-8" acceptCount="100" clientAuth="false" debug="0"
                   disableUploadTimeout="true" enableLookups="false"
                   keystoreFile="conf/.keystore" keystorePass="MyPassword"
                   maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
                   port="443" scheme="https" secure="true" sslProtocol="TLS"/>

        <Engine debug="0" defaultHost="localhost" name="Catalina">
          <Host appBase="webapps" autoDeploy="false" debug="0" name="localhost"
                unpackWARs="false" xmlNamespaceAware="false" xmlValidation="false">
       
          <Valve className="org.apache.catalina.valves.AccessLogValve"
                 directory="C:\Vontu\Protect\logs\tomcat" pattern="%h %l %u %t &quot;
                 %r&quot; %s %b &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot;
                 %{com.vontu.manager.session.label}s %D" prefix="localhost_access_log."
                 resolveHosts="false" suffix=".txt"/>
          </Host>
        </Engine>
      </Service>
    </Server>

    2) From the same directory, copy out your .keystore file to a safe location in case
         you need to revert back to it.  The Tomcat daemon will not start if this file 
        is missing so you need a backout plan if something goes wrong.

    3) Now you will need to use the keytool.exe utility.  It should be located
         in C:\Vontu\jre\bin and you will probably have to use the full path when
         using it.
      
        Generate a new keystore container with this command:
      
        C:\Vontu\jre\bin\keytool -genkey -alias server_name -keyalg RSA -keysize 1024 -keystore .keystore -validity 365 -storepass MyPassword
      
        *Note that the alias is the fully qualified domain name (FQDN) of your server
         like servername.mydomain.com and that "MyPassword" is just an example.

    4) Now you generate the Certificate Signing Request (CSR) file.

        C:\Vontu\jre\bin\keytool -certreq -alias server_name -keyalg RSA -keystore .keystore -storepass MyPassword -file "VontuEnforce.csr"

        You will be prompted for several pieces of information.  Probably the most
        important is the "First and Last name".  That's where you would put in the
        FQDN of your server.  The rest of the info should be accurate too, especially
        if you are using a commercial Certificate Authority (CA).

    5) Send your CSR file off to a CA and have a PKCS#7 chained certificate generated.

        Copy that file you receive into the same directory.  It should have a .p7b
        extension.  In our case we generated the file on our Microsoft Certificate
        server in-house.  In our example we renamed the file to VontuEnforce.p7b.

    6) Import the chained certificate from file.  You will need your password again.
        C:\Vontu\jre\bin\keytool -import -alias server_name -keystore .keystore -trustcacerts -file VontuEnforce.p7b
        Enter keystore password:  *******

    7) Restart your Vontu Manager service.  If all is well you should now have a valid certificate.
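The procedure from posts 2 and 3 (read the keystore password out of server.xml, keep a backout copy, generate key and CSR, import the PKCS#7 reply, swap the keystore in) as one script, with the checks the posts leave to the reader: the alias must be a real FQDN, and after the import keytool must report a PrivateKeyEntry whose chain is longer than one certificate, otherwise the self-signed cert is still what Tomcat would serve. This is an added example, not code from the thread or from Symantec/Vontu. It assumes a Linux Enforce install under /opt/Vontu (override ENFORCE_HOME and KEYTOOL for C:\Vontu under Git Bash), a JDK 7 or newer keytool for the -ext SAN flags (drop them on older JREs), and a CA reply delivered as a .p7b file; ORG, COUNTRY, the SAMPLE_SERVER_XML snippet and all function names are this example's own. It also departs from the posts in two ways: 2048-bit RSA with SHA-256 instead of 1024-bit, and a freshly built keystore holding a single entry instead of adding the new alias beside old ones.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Symantec/Vontu): the CSR/import
# procedure from posts 2 and 3 as a script with a backout copy and a post-import
# check. Assumptions: a Linux Enforce install under /opt/Vontu (override
# ENFORCE_HOME / KEYTOOL for C:\Vontu under Git Bash), a JDK 7+ keytool (needed
# for -ext; drop those flags on older JREs) and a CA reply as PKCS#7 (.p7b).
set -euo pipefail

ENFORCE_HOME="${ENFORCE_HOME:-/opt/Vontu}"
CONF_DIR="$ENFORCE_HOME/Protect/tomcat/conf"
KEYTOOL="${KEYTOOL:-$ENFORCE_HOME/jre/bin/keytool}"
ORG="${ORG:-Example Corp}"      # hypothetical subject fields; set to yours
COUNTRY="${COUNTRY:-US}"

# Constructed sample of the HTTPS connector shown in post 3, used for the dry run.
SAMPLE_SERVER_XML='<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector URIEncoding="UTF-8" acceptCount="100" clientAuth="false"
               keystoreFile="conf/.keystore" keystorePass="MyPassword"
               port="443" scheme="https" secure="true" sslProtocol="TLS"/>
  </Service>
</Server>'

# Post 3, step 1: read an attribute of the secure="true" <Connector> so the new
# keystore is created with the password Tomcat already has in server.xml.
connector_attr() {   # connector_attr <attribute> <server.xml text>
  printf '%s' "$2" | tr '\n' ' ' \
    | grep -o '<Connector[^>]*secure="true"[^>]*>' \
    | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# The alias doubles as the CN (post 3, step 3), so it has to be a real hostname.
valid_fqdn() {
  local re='^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
  [[ "$1" =~ $re ]]
}

dname_for() {   # dname_for <fqdn> <org> <country>
  printf 'CN=%s, O=%s, C=%s' "$1" "$2" "$3"
}

# Steps 3-4: fresh keystore with a 2048-bit key and a CSR carrying the FQDN as a
# SAN. -keypass equals -storepass because Tomcat unlocks both with keystorePass
# unless keyPass is set on the connector.
make_csr() {   # make_csr <fqdn> <storepass> <new keystore> <csr out>
  rm -f "$3"
  "$KEYTOOL" -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 730 -keystore "$3" -storepass "$2" -keypass "$2" \
    -dname "$(dname_for "$1" "$ORG" "$COUNTRY")" -ext "san=dns:$1"
  "$KEYTOOL" -certreq -alias "$1" -keystore "$3" -storepass "$2" \
    -ext "san=dns:$1" -file "$4"
}

# Step 6: import the CA reply into the entry holding the private key, then refuse
# to continue unless keytool reports a PrivateKeyEntry with a chain longer than
# one certificate (i.e. the reply really replaced the self-signed certificate).
install_reply() {   # install_reply <fqdn> <storepass> <new keystore> <p7b>
  "$KEYTOOL" -importcert -alias "$1" -keystore "$3" -storepass "$2" \
    -trustcacerts -noprompt -file "$4"
  local listing len
  listing=$("$KEYTOOL" -list -v -alias "$1" -keystore "$3" -storepass "$2")
  [[ "$listing" == *"Entry type: PrivateKeyEntry"* ]] \
    || { echo "alias $1 is not a key entry" >&2; return 1; }
  len=$(printf '%s\n' "$listing" | sed -n 's/^Certificate chain length: //p')
  [ "${len:-0}" -ge 2 ] || { echo "chain length ${len:-0}: CA reply not applied" >&2; return 1; }
}

# Steps 2 and 7: backout copy, swap the keystore in, then restart Vontu Manager.
deploy() {   # deploy <new keystore>
  cp -p "$CONF_DIR/.keystore" "$CONF_DIR/.keystore.bak.$(date +%Y%m%d%H%M%S)"
  mv "$1" "$CONF_DIR/.keystore"
  echo "keystore replaced; restart the Vontu Manager service to load it" >&2
}

main() {   # main <fqdn> [ca-reply.p7b]
  local fqdn="$1" p7b="${2:-}" storepass newks
  valid_fqdn "$fqdn" || { echo "not an FQDN: $fqdn" >&2; exit 2; }
  storepass=$(connector_attr keystorePass "$(cat "$CONF_DIR/server.xml")")
  newks="$CONF_DIR/.keystore.new"
  if [ -z "$p7b" ]; then
    make_csr "$fqdn" "$storepass" "$newks" "$CONF_DIR/VontuEnforce.csr"
    echo "CSR written to $CONF_DIR/VontuEnforce.csr; rerun with the .p7b to finish"
  else
    install_reply "$fqdn" "$storepass" "$newks" "$p7b"
    deploy "$newks"
  fi
}

# Without arguments: dry run that only shows what would be read from the sample.
if [ $# -ge 1 ]; then
  main "$@"
else
  echo "usage: $0 <fqdn> [ca-reply.p7b]  (sample keystorePass: $(connector_attr keystorePass "$SAMPLE_SERVER_XML"))" >&2
fi
```

Run it once with the FQDN to produce VontuEnforce.csr, and again with the FQDN and the .p7b from the CA to import, verify and deploy. The script builds a new keystore with a single entry rather than adding an alias to the existing one because, per the Tomcat connector docs, a connector without a keyAlias attribute uses the first key read from the keystore; if you keep several entries, set keyAlias on the connector to the alias you imported into.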