Applies To:
DynaCenter 5.0 and later
Background:
The DynaCenter installation generates a self-signed server
certificate to enable encrypted https (port 443) communications between the
DynaCenter agent running on the source and the destination servers and the
DynaCenter Management Workstation (MWS).
To increase https security, it is recommended that you replace
the self-signed certificate with a trusted Certificate Authority (CA) signed
SSL server certificate.
Follow your organization’s SSL certificate procurement process to
determine which Certificate Authority vendor to purchase from.
Resolution:
1. Generate the SSL Certificate CSR (Certificate Signing Request).
Requesting a CA-signed SSL certificate for your MWS
begins with generating the private key and certificate signing request (CSR)
file. Follow your IT certificate request process. Apache 2.x typically uses the
“openssl req” command, for example:
# openssl req -new -newkey rsa:2048 -nodes -keyout yourcert.key -out yourcert.csr
2. Submit the CSR file to your CA vendor following
their SSL certificate enrollment process.
3. Download the CA-signed certificates to a directory on your MWS.
Example:
# mkdir -p /etc/httpd/certs
# ls /etc/httpd/certs
your_ca_bundle.crt yourcert.crt yourcert.key
Note: It is common for the vendor to provide
a certificate bundle CRT file, which includes their intermediate trusted CA
certificates, for example, your_ca_bundle.crt.
4. Back up the httpd ssl.conf file:
# cd /etc/httpd/conf.d
# cp -p ssl.conf ssl.conf.orig
5. Modify ssl.conf as follows:
ServerName <yourserver.yourdomain>.com:443
SSLCertificateFile /etc/httpd/certs/<yourcert>.crt
SSLCertificateKeyFile /etc/httpd/certs/<yourcert>.key
SSLCertificateChainFile /etc/httpd/certs/<your_ca_bundle>.crt
6. Run the following command to restart the Web Service:
# service httpd restart
7. Back up the DynaCenter console.properties file:
# cd /opt/race/tomcat/apache-tomcat-<version>/webapps/console-services/WEB-INF/classes
# cp -p console.properties console.properties.orig
8. Edit the console.properties file so that the dynacenter_hostname
matches the ServerName value in the ssl.conf file, and then comment out
the dynacenter_certificate_path line:
Example:
# vi console.properties
dynacenter_hostname=<yourserver.yourdomain>.com
#dynacenter_certificate_path=/etc/pki/tls/certs/localhost.crt
9. Run the following command to restart the Console Service:
# service dcconsole restart
10. In your browser, verify that the DynaCenter and Console URLs resolve to
your MWS and that the SSL padlock is closed, which indicates that the
certificate is valid. Verify that you can log in to the console:
https://<yourserver.yourdomain>.com/console
https://<yourserver.yourdomain>.com/agent/get_current_time
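
A mismatched key, a wrong bundle, or a hostname the certificate does not cover will only surface after the restarts in steps 6 and 9. The following pre-restart check is an added example, not part of the DynaCenter procedure or vendor code. The function names, the host mws.example.com, and the throwaway CA are assumptions constructed for the demonstration; the file names follow the article.

```shell
#!/bin/sh
# Added example (not vendor code): check the files named in ssl.conf before restarting httpd.

# check_cert_set CERT KEY BUNDLE HOSTNAME
# Returns 0 when all checks pass; 1 = unreadable file, 2 = key mismatch,
# 3 = chain failure, 4 = hostname not covered.
check_cert_set() {
    cert=$1; key=$2; bundle=$3; host=$4

    # SSLCertificateKeyFile must hold the private key for SSLCertificateFile:
    # extract the public key from each and compare.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 2; }

    # The certificate must verify against SSLCertificateChainFile. Assumption: the
    # bundle includes the root; for an intermediates-only bundle add -partial_chain.
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not chain to bundle" >&2; return 3; }

    # ServerName and dynacenter_hostname must be a name the certificate covers.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q "does match" ||
        { echo "certificate does not cover $host" >&2; return 4; }
}

# Constructed sample input: a throwaway CA and a server certificate for the
# hypothetical host mws.example.com, using the file names from the article.
make_constructed_set() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/your_ca_bundle.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mws.example.com" \
        -keyout "$dir/yourcert.key" -out "$dir/yourcert.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/yourcert.csr" -days 1 -CA "$dir/your_ca_bundle.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/yourcert.crt" 2>/dev/null
}

# Demo run on the constructed files.
demo_dir=$(mktemp -d)
make_constructed_set "$demo_dir" &&
    check_cert_set "$demo_dir/yourcert.crt" "$demo_dir/yourcert.key" \
        "$demo_dir/your_ca_bundle.crt" mws.example.com && echo "safe to restart httpd"
rm -rf "$demo_dir"
```

On the MWS, call check_cert_set with the three paths from ssl.conf and the ServerName value, and restart httpd only when it returns 0.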