Replacing SSL Certificates in Analyzer

Overview

Analyzer SSL Certificates have expired, as detected in a vulnerability scan. New certificates need to be requested and replaced.


Solution

  • First request the certificates as explained in Requesting and Configuring New SSL Certificates.
  • Enter the following command to locate the current keystore password. Save the value it prints; it is used below wherever <tomcat_password> appears:
root@p2prod:/root/cert
12:10:00 #
grep keystorePass /opt/tomcat/conf/server.xml
keystoreFile="/opt/tomcat/conf/.keystore" keystorePass="<tomcat_password>"
  • Enter the following command to make a copy of the keystore file:
cp /opt/tomcat/conf/.keystore /tmp/.keystore_`date +%Y%m%dT%H%M%S`
  • Enter the following command to convert the .PFX file to a JKS keystore file. When prompted, enter the new (destination) keystore password and then the existing .PFX password. Make note of the alias printed where <key_alias> appears below; it will look like this: fb8c96b7-575f-4fcc-a498-2610b0d2049a
root@p2prod:/root/cert
11:41:24 #
keytool -importkeystore -srckeystore <cert file name>.pfx -srcstoretype pkcs12 \
-destkeystore .keystore -deststoretype JKS
Enter destination keystore password: <tomcat_password>
Re-enter new password: <tomcat_password>
Enter source keystore password: <pfx_password>
Entry for alias <key_alias> successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
  • Reset the key entry password for the alias above so that it matches the keystore password. Enter the keystore password, then the current key password (the .PFX password), then the new key password:
root@p2prod:/root/cert
12:05:23 #
keytool -keypasswd -alias <key_alias> -keystore .keystore
Enter keystore password: <tomcat_password>
Enter key password for <key_alias>: <pfx_password>
New key password for <key_alias>: <tomcat_password>
Re-enter new key password for <key_alias>: <tomcat_password>
  • Place the new keystore in the correct location for it to be used:
17:00:44 # cp .keystore /opt/tomcat/conf/.keystore
cp: overwrite `/opt/tomcat/conf/.keystore'? y
  • Confirm that the keystore configuration in /opt/sensage/etc/tomcat/server.xml has the correct new password and not the default keystore password. If there is a mismatch, Analyzer will not start. Read the keystore certificates with the /usr/java/jdk1.8.0_202-amd64/bin/keytool -list -keystore /opt/sensage/etc/tomcat/.keystore command (it prompts for the keystore password and fails if the password is wrong) and configure the correct password in the server.xml file.
  • Restart tomcat:
service tomcat restart
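Added example, not part of this article: a Python check that automates the password-mismatch and expiry verification the steps above describe. It reads keystoreFile and keystorePass from server.xml, lists the keystore with keytool using that password, and flags certificates that are expired or close to expiry. It assumes the keytool and server.xml paths quoted above and a 30-day warning window; the sample keytool listing is constructed.

```python
"""Post-replacement check for the Analyzer Tomcat keystore (added example, not
the article's own code): read keystoreFile/keystorePass from server.xml, list the
keystore with keytool using that password (a wrong password fails here, just as
it stops Analyzer), and flag certificates that are expired or about to expire."""
import re
import subprocess
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SERVER_XML = "/opt/tomcat/conf/server.xml"            # paths from the article
KEYTOOL = "/usr/java/jdk1.8.0_202-amd64/bin/keytool"
WARN_DAYS = 30                                         # assumed warning window
_UNTIL = re.compile(r"until:\s+\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")

# Constructed 'keytool -list -v' excerpt so parse_listing() can be tried offline.
SAMPLE_LISTING = """Your keystore contains 1 entry
Alias name: fb8c96b7-575f-4fcc-a498-2610b0d2049a
Entry type: PrivateKeyEntry
Valid from: Wed Jan 10 12:00:00 UTC 2024 until: Fri Jan 10 12:00:00 UTC 2025
"""

def keystore_settings(xml_text):
    """Return (keystoreFile, keystorePass) from the first Connector that sets them."""
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if "keystorePass" in conn.attrib:
            return conn.get("keystoreFile"), conn.get("keystorePass")
    raise ValueError("no Connector with keystorePass in server.xml")

def parse_listing(listing, now, warn_days=WARN_DAYS):
    """Parse keytool output into {alias: (not_after, status)}; the time-zone
    token keytool prints is ignored, day granularity is enough for this check."""
    result = {}
    for entry in listing.split("Alias name:")[1:]:
        alias, m = entry.split()[0], _UNTIL.search(entry)
        if m:                                  # skip entries without a certificate
            not_after = datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")
            status = ("expired" if not_after < now else
                      "expiring" if not_after - now < timedelta(days=warn_days) else "ok")
            result[alias] = (not_after, status)
    return result

def check_keystore(now=None):
    """Live check: run keytool with the password taken from server.xml."""
    with open(SERVER_XML) as fh:
        ks_file, ks_pass = keystore_settings(fh.read())
    proc = subprocess.run([KEYTOOL, "-list", "-v", "-keystore", ks_file,    # note: -storepass
                           "-storepass", ks_pass], capture_output=True, text=True)  # is visible in ps
    if proc.returncode != 0:      # wrong password => "Keystore was tampered with, or ..."
        raise RuntimeError(proc.stderr.strip() or proc.stdout.strip())
    return parse_listing(proc.stdout, now or datetime.now())
```

Run check_keystore() on the Analyzer host after step 6; a RuntimeError means server.xml and the keystore disagree on the password, which is the condition that keeps Analyzer from starting.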
