Here are all required steps to use an external signed certificate in the FMS and connect FGLAM clients to FMS via HTTPS:
The commands used here are based on Linux, Windows command will be similar
$FMS_HOME is where FMS is installed.
If you already have an wildcard certificate and want reuse it in Foglight, please refer to KB227620
There are multiple keystores used by Foglight.
1. Change directories to the following path: $FMS_HOME/config/
2. Backup the existing $FMS_HOME/config/tomcat.keystore and $FMS_HOME/jre/lib/security/cacerts files.
3. Delete the existing tomcat key from the tomcat.keystore directory using the following command:
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -delete -alias tomcat
4. Create a new key under the tomcat alias using the following command:
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -keyalg RSA -keysize 2048 -genkeypair -validity [number of days] -dname "CN=[your_fmsserver_dns_name],OU=[your_organizational_unit_name],O=[your_organization_name],L=[your_city_name],ST=[your_state_name],C=[your_two-letter_country_code]" -ext SAN=dns:[your_fmsserver_dns_name],ip:[your_fmsserver_ip]
5. Generate a Certificate Signing Request (CSR) using the following command:
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -certreq -validity [number of days] -ext SAN=dns:[your_fmsserver_dns_name],ip:[your_fmsserver_ip] -file foglight.csr
6. The CSR file must be signed by a Certification Authority (CA).
7. Import the signed certificate back to the tomcat.keystore using the following command (may need to import the root certificates first; refer to section 'Import CA's root and intermediate certificates' of this KB article.)
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -validity [number of days] -trustcacerts -import -file [ca signed certificate]
or
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -validity [number of days] -importcert -file [ca signed certificate chain in p7b format]
8. Restart the FMS.
Example:
--- Delete key after completing backups
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -delete -alias tomcat
--- Create new key
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -keyalg RSA -keysize 2048 -genkeypair -validity 730 -dname "CN=servername.domain.com,OU=IT,O=Your Company,L=Your City,ST=Your State,C=US" -ext SAN=dns:servername.domain.com,dns:serveralias.domain.com
--- Generate CSR
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -certreq -validity 730 -ext SAN=dns:servername.domain.com,dns:serveralias.domain.com -file foglight.csr
--- Import signed certificate
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -validity 730 -trustcacerts -import -file foglight.cer
If the private key and the signed certificate is available already they only need to be imported into the keystore. The private key and the signed certificate need to be merged otherwise they cannot be imported. Often you need to import a root and/or intermediate certificate too.
2. Merge the certificate and private key. The below stesp implies they are PEM files and not DER files (binary format):
cat [YourPublicKey.cer] [YourPrivateKey.pem] > [YourKeyPair.pem]
3. Import the set into your keystore:
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -import -trustcacerts -alias tomcat -file [YourKeyPair.pem]
4. Finally you can list the keystore content to control the import
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -list -v > MyKeysList.txt
Note: If the certificate is available in PFX format, please review import steps in section Importing a PKCS #12 (pfx) format certificate from any of the Foglight Installation and Setup Guide for supported platforms.
In environments where an in-house certificate granting authority (CA) is in use, the CA’s certificate may need to be added as trusted certificates to the keystore; otherwise errors such as keytool error: java.lang.Exception: Failed to establish chain from reply will prevent the import of the signed certificate.
1. Import the root certificate:
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -import -trustcacerts -alias rootca -file [YourRootCA.cer]
2. Import the intermediate certificate(s) if necessary:
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -import -trustcacerts -alias intermediateca -file [YourIntermediateCA.cer]
$FglAM_HOME is where FglAM is installed.
A. Switch FglAM to FMS from http to https via UI
B. Manual switch FglAM to FMS from http to https via
Modify the "http-upstream url" entry as follows:
From:
config:http-upstream ssl-allow-self-signed="true" ssl-cert-common-name="quest.com" url="https://yourFMS_FQDN:8443"
To:
config:http-upstream url="https://yourFMS_FQDN:8443"
$FglAM_HOME/bin/fglam --add-certificate YourCertAlias=/path/certificate_filename
YourCertAlias is not important. Just use something unique.
For additional information refer to section Configuring Foglight to use the HTTPS port in any of the Foglight installation setup guides available in the Support Portal (E.g.: Foglight - Installing Foglight on a UNIX System with an Embedded PostgreSQL Database).
Generate Private Key
keytool -keystore %FMS_HOME\Foglight\config\tomcat.keystore -storepass nitrogen -alias tomcat -validity 1095 -certreq -file Request.csr
Note: Remember these two formats for different OS types:
Windows: %FMS_HOME\bin\
UNIX: $FMS_HOME/bin/
Futher helpful links about merging keys and importing certificates:
How to import an existing SSL certificate for use in Tomcat
Import private key and certificate into java keystore
© ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center