We would like to use our own ssl certificates for the Application
Manager. We have a global certificate with our hosting provider
*.ourdomain.com and where can we configure this to use within our
Application Manager instance ?
Solution:
1. When you purchase SSL certificate,the vendor will provide certificate files which you need to import into a keystore file & the import can be done using any Java installation or OpenSSL installations or Certificate Manager tools.
- To change the keystore file which has your SSL Certificate go to the ..\AppManager_home\working\apache\tomcat\ directory and replace the 'appmanager.keystore' file with your keystore file.
- If your keystore file name is different then mention that file name with absolute path instead of "KEYSTORE_FILE" in \AppManager_home\working\apache\tomcat\conf\backup\server.xml file
- In this server.xml file give your keystorePass and truststorePass value instead of "appmanager".
- In case of OpManager-APMPlugin instance point the OpManager.truststore file absolute path and its password in APMPlugin server.xml file mentioned above
2. Alternatively you can also import your certificate into the keystore file used by Applications Manager (..\AppManager_home\working\apache\tomcat\appmanager.keystore) instead of replacing keystore or using a separate keystore file. Please refer this link for the example steps.
3. While generating the CSR include below option (SAN) as well, the <fqdn> should be replaced with the fully qualified domain name for which the certificate is being issued. The Subject Alternative Name field lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate, such as a Multi-Domain (SAN) or Extend Validation Multi-Domain Certificate.
-ext san=dns:<fqdn>
For OpManager Versions 123181 and newer:
- Certificates should be imported in OpManager.
- The
keystore and truststore file locations in OpManager should be obtained
and Applications Manager's server.xml keystoreFile and truststoreFile values
should be updated in the backup folder. On restart, Applications Manager will point to
the cert files in OpManager.
Note:
- Backup the server.xml file and 'appmanager.keystore' files before making changes and restart Applications Manager after making the changes.
- If you are using Microsoft CA , ensure that you do the certificate request using base64 encoded PKCS #10 file or a base64 encoded PKCS #7 file.
- If you are using a .pfx or .p12 file as your keystore then you have to add keystoreType="PKCS12" truststoreType="PKCS12" additionally in the server.xml file mentioned above
- If you are using 2048 bit private key in the new SSL certificate , then additionally download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle website and copy them in AppManager installation.
- We have to use the same keystore file & password in both Admin server and the Managed servers. (Ignore this step if you use Professional edition, it's for Enterprise edition)
Uploading ....