Overview
Analyzer SSL Certificates have expired, as detected in a vulnerability scan. New certificates need to be requested and replaced.
Solution
- First request the certificates as explained in Requesting and Configuring New SSL Certificates.
- Enter the following command to locate the <tomcat_password>. Save the value that is displayed; it is used later wherever <tomcat_password> appears:
root@p2prod:/root/cert
12:10:00 # cat /opt/tomcat/conf/server.xml | grep keystorePass
keystoreFile="/opt/tomcat/conf/.keystore" keystorePass="<tomcat_password>"
- Enter the following command to make a copy of the keystore file:
cp /opt/tomcat/conf/.keystore /tmp/.keystore_`date +%Y%m%dT%H%M%S`
- Enter the following command to convert the .PFX file to a JKS keystore file. Enter the new keystore password and the old (PFX) keystore password when prompted. Make note of the alias that is printed where <key_alias> appears below. The <key_alias> will look like this: fb8c96b7-575f-4fcc-a498-2610b0d2049a
root@p2prod:/root/cert
11:41:24 # keytool -importkeystore -srckeystore <cert file name>.pfx -srcstoretype pkcs12 \
    -destkeystore .keystore -deststoretype JKS
Enter destination keystore password: <tomcat_password>
Re-enter new password: <tomcat_password>
Enter source keystore password: <pfx_password>
Entry for alias <key_alias> successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
- Reset the key entry password for the alias above. Enter the current and new keystore passwords:
root@p2prod:/root/cert
12:05:23 # keytool -keypasswd -alias <key_alias> -keystore .keystore
Enter keystore password: <tomcat_password>
Enter key password for <key_alias> <pfx_password>
New key password for <key_alias>: <tomcat_password>
Re-enter new key password for <key_alias>: <tomcat_password>
- Place the new keystore in the correct location for it to be used:
17:00:44 # cp .keystore /opt/tomcat/conf/.keystore
cp: overwrite `/opt/tomcat/conf/.keystore'? y
- Confirm that the keystore configuration in /opt/sensage/etc/tomcat/server.xml has the correct new password and not the default keystore password. If there is a mismatch, Analyzer will not start. Read the keystore certificates with the command
/usr/java/jdk1.8.0_202-amd64/bin/keytool -list -keystore /opt/sensage/etc/tomcat/.keystore
and configure the correct password in the server.xml file.
- Restart tomcat:
service tomcat restart
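The following script is an added pre-restart check and is not part of the original article or the Analyzer product: it reads keystorePass from server.xml, confirms that password actually opens the keystore (the mismatch the step above warns about), and checks that the certificate in it has not expired, so the scanner finding does not persist after the restart. It assumes keytool is on PATH (or set KEYTOOL to the JDK path from the article) and GNU date for parsing the expiry line.

```bash
#!/usr/bin/env bash
# Added pre-restart check, not part of the original article: confirm that the
# keystorePass in server.xml opens the keystore and that the certificate in it
# has not expired, before running "service tomcat restart".
# Defaults are the paths named in the article; override with env vars.
set -u
SERVER_XML="${SERVER_XML:-/opt/tomcat/conf/server.xml}"
KEYSTORE="${KEYSTORE:-/opt/tomcat/conf/.keystore}"
KEYTOOL="${KEYTOOL:-keytool}"   # e.g. /usr/java/jdk1.8.0_202-amd64/bin/keytool

# Print the value of the first keystorePass="..." attribute in a server.xml file.
keystore_pass_from_xml() {
    sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# From "keytool -list -v" output on stdin, print the first "until:" date.
cert_until_from_listing() {
    sed -n 's/.*until: \(.*\)$/\1/p' | head -n 1
}

# Exit 0 if the keytool-style date (e.g. "Wed Mar 03 12:00:00 UTC 2027") lies
# in the future, 1 if it is past, 2 if it cannot be parsed (GNU date assumed).
date_is_future() {
    local epoch
    epoch=$(date -d "$1" +%s 2>/dev/null) || return 2
    [ "$epoch" -gt "$(date +%s)" ]
}

# Full check against the live files; non-zero means Tomcat would not start
# (password mismatch) or the expired-certificate finding would remain.
check_keystore() {
    local pass listing not_after
    pass=$(keystore_pass_from_xml "$SERVER_XML")
    [ -n "$pass" ] || { echo "no keystorePass in $SERVER_XML" >&2; return 1; }
    # A wrong -storepass makes keytool exit non-zero: the mismatch the article warns about.
    if ! listing=$("$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass "$pass" 2>/dev/null); then
        echo "keystorePass in $SERVER_XML does not open $KEYSTORE" >&2; return 1
    fi
    not_after=$(printf '%s\n' "$listing" | cert_until_from_listing)
    [ -n "$not_after" ] || { echo "no certificate entry found in $KEYSTORE" >&2; return 1; }
    if date_is_future "$not_after"; then
        echo "OK: $KEYSTORE opens with the server.xml password; valid until $not_after"
    else
        echo "certificate in $KEYSTORE is expired or unparsable (until: $not_after)" >&2; return 1
    fi
}

# Usage: KEYSTORE=/opt/sensage/etc/tomcat/.keystore ./check_keystore.sh --check
if [ "${1:-}" = "--check" ]; then check_keystore; exit $?; fi
```

Run it with `--check` after the cp step and before the restart; a non-zero exit means fix server.xml or the keystore first.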