How To: Install a Trusted SSL Certificate on DynaCenter MWS and DynaCenter Console
Reference Number: AA-00391 Created: 07-26-2016 17:46 Last Updated: 09-29-2017 13:54

Applies To:

DynaCenter 5.0 and later

Background:

The DynaCenter installation generates a self-signed server certificate to enable encrypted HTTPS (port 443) communications between the DynaCenter agent running on the source and destination servers and the DynaCenter Management Workstation (MWS).

To increase HTTPS security, replace the self-signed certificate with an SSL server certificate signed by a trusted Certificate Authority (CA), so that clients can validate the identity of the MWS against a CA they already trust.

Follow your organization’s SSL certificate procurement process to determine which Certificate Authority vendor to purchase from.

Resolution:

1. Generate the SSL Certificate CSR (Certificate Signing Request).

Requesting a CA-signed SSL certificate for your MWS begins with generating the private key and certificate signing request (CSR) file. Follow your IT certificate request process. Apache 2.x typically uses the “openssl req” command. In the example below, the -nodes option writes the private key to yourcert.key unencrypted, so restrict read access to that file:

# openssl req -new -newkey rsa:2048 -nodes -keyout yourcert.key -out yourcert.csr

2. Submit the CSR file to your CA vendor following their SSL certificate enrollment process.

3. Download the CA-signed certificates to a directory on your MWS.

Example

# mkdir -p /etc/httpd/certs
# ls /etc/httpd/certs
your_ca_bundle.crt  yourcert.crt  yourcert.key

Note: It is common for the vendor to provide a certificate bundle CRT file, which includes their intermediate trusted CA certificates, for example, your_ca_bundle.crt.

4. Back up the httpd ssl.conf file:

# cd /etc/httpd/conf.d
# cp -p ssl.conf ssl.conf.orig
 

5. Modify ssl.conf as follows:

ServerName <yourserver.yourdomain>.com:443
SSLCertificateFile /etc/httpd/certs/<yourcert>.crt
SSLCertificateKeyFile /etc/httpd/certs/<yourcert>.key
SSLCertificateChainFile /etc/httpd/certs/<your_ca_bundle>.crt

6. Run the following command to restart the Web Service:

# service httpd restart

7. Back up the DynaCenter console.properties file:

# cd /opt/race/tomcat/apache-tomcat-<version>/webapps/console-services/WEB-INF/classes
# cp -p console.properties console.properties.orig

8. Edit the console.properties file so that the dynacenter_hostname matches the ServerName value in the ssl.conf file, and then comment out the dynacenter_certificate_path line:

Example

# vi console.properties

dynacenter_hostname=<yourserver.yourdomain>.com
#dynacenter_certificate_path=/etc/pki/tls/certs/localhost.crt 

9. Run the following command to restart the Console Service:

# service dcconsole restart

10. In your browser, verify that the DynaCenter and Console URLs resolve to your MWS and that the SSL padlock is closed, which indicates that the certificate is valid. Verify that you can log in to the console:

https://<yourserver.yourdomain>.com/console

https://<yourserver.yourdomain>.com/agent/get_current_time
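
The following pre-restart check is an added example, not part of the original article or of DynaCenter. It confirms that the private key matches the certificate, that the certificate chains through the vendor bundle, and that console.properties agrees with ssl.conf as step 8 requires. The function names are hypothetical, and it assumes openssl and awk are available on the MWS.

```sh
#!/bin/sh
# Added example (not DynaCenter code): checks to run before the restarts in
# steps 6 and 9. Function names are hypothetical; file roles come from the steps.

# First uncommented value of an Apache directive, e.g. ServerName.
conf_value() {   # conf_value DIRECTIVE FILE
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Value of an uncommented key=value line in a .properties file.
prop_value() {   # prop_value KEY FILE
    awk -F= -v k="$1" '{ key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v; exit }' "$2"
}

# Step 8: dynacenter_hostname must equal ServerName (port removed) and
# dynacenter_certificate_path must be commented out.
check_console_matches_apache() {   # ... SSL_CONF CONSOLE_PROPERTIES
    server=$(conf_value ServerName "$1" | tr 'A-Z' 'a-z')
    console=$(prop_value dynacenter_hostname "$2" | tr 'A-Z' 'a-z')
    [ -n "$server" ] && [ "${server%%:*}" = "$console" ] &&
        [ -z "$(prop_value dynacenter_certificate_path "$2")" ]
}

# The private key belongs to the certificate when their public keys are equal.
check_key_matches_cert() {   # ... CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# The certificate chains through the vendor bundle to a root in the system store.
check_chain() {   # ... CERT CA_BUNDLE
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
}

# Usage: mws_tls_precheck CERT KEY CA_BUNDLE SSL_CONF CONSOLE_PROPERTIES
mws_tls_precheck() {
    check_key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
    check_chain "$1" "$3" || { echo "chain does not verify"; return 1; }
    check_console_matches_apache "$4" "$5" ||
        { echo "console.properties and ssl.conf disagree"; return 1; }
    echo "OK to restart httpd and dcconsole"
}
```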