Perform the following tasks on the Ecosystem Manager Client and all clients that need to be configured with SSL. If multiple clients point to the Ecosystem Manager server, add a suffix or prefix <hostname-of-EM-client> to the generated keystore and truststore files on each client.
- Create and navigate to a folder named /home/em where you will place the keystore files.
Create a certificate/keystore for both Active and Standby Ecosystem Manager servers:
keytool -genkey -alias <hostname-of-EM-client> -keyalg RSA -keystore server.ks
The system prompts for the following information:Make sure that the keystore file is created on all participating EM client systems.
Enter your keystore password: What is your first and last name? [Unknown]: What is the name of your organizational unit? [Unknown]: What is the name of your City or Locality? [Unknown]: What is the name of your State or Province? [Unknown]: What is the two-letter country code for this unit: [Unknown]: Is CN-Unknown, OU=Unknown, O=Unknown, ST=Unknown, C=Unknown correct? [no]: yes Enter key password for <hostname-of-EM-client> (RETURN if same as keystore password):
Copy the broker_cert1 and broker_cert2 files from the Ecosystem Manager servers to the client and then execute the following command on the client:
Keytool -import -alias <hostname-of-EM-server1 or 2> -keystore client.ts -file broker_cert
Replace <hostname-of-EM-server1 > with the hostname of the Active EM server, and <hostname-of-EM-server 2> with the hostname of the Standby EM server.
Use the same password that used to create the broker key file.
Enter keystore password: Re-enter new password: Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Serial number: 300263d1 Valid from: Tue Jun 23 18:18:11 UTC 2015 until: Mon Sep 21 18:18:11 UTC 2015 Certificate fingerprints: MD5: C1:1C:8C:C0:9B:A5:42:60:A0:A8:CC:CF:62:65:52:0D SHA1: 43:79:D8:32:AD:F2:B0:F9:3A:F6:96:FE:8E:F3:BE:13:71:6B:6B:F2 SHA256: 83:23:00:9F:4B:19:01:1A:1E:21:78:72:9E:2D:E5:C2:C6:04:9C:1C:58:64:2C:A3:C3:C4:CE:CF:0C:07:0D:D2 Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 220.127.116.11 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 83 75 6D 0E A2 76 EE 16 84 09 13 40 AF F4 88 8A .um..v.....@.... 0010: 50 65 D2 03 Pe.. ] ] Trust this certificate? [no]: yes Certificate was added to keystoreThis creates a truststore and sets the client trusts the broker.
For both Ecosystem Manager servers, export the client's certificate, so it can be shared with the broker.
keytool -export -alias <hostname-of_EM-client> -keystore client.ks -file client_cert
Enter keystore password: Certificate stored in file <client_cert>Make sure the client_cert file is created.
- Copy the client_certificate to the Ecosystem Manager servers.
- Give 777 access rights to /home/em and all files within it.