Just can’t get enough satisfaction from doing SSL certificates so got to do another one! Here I use a Windows Server 2008 R2 Certification Authority to replace the Self-Signed cert for WFA 3.1. Semi following the “OnCommand Workflow Automation 3.1 Installation and Setup Guide for Windows” SSL bits...
Part 1) Replacing the default SSL Certificate
1.1) Log on to the WFA server
1.2) From a DOS prompt, run the following commands to stop the WFA services>
net stop NA_WFA_SRV
net stop NA_WFA_DB
1.3) Delete (better - back up*) the wfa.keystore file from the following location**:
C:\Program Files\NetApp\WFA\jboss\standalone\configuration\keystore
*If this screws up, stop WFA services; put the original wfa.keystore file back exactly where it was, restart WFA services, and all’s well.
**The manual says .\configuration, but on my WFA 3.1 box it was in .\configuration\keystore
1.4) From a DOS prompt, change directory>
cd "C:\Program Files\NetApp\WFA\jre\bin"
1.5) Enter the following to obtain the database key:
keytool -keysize 2048 -genkey -alias "ssl keystore" -keyalg RSA -keystore "C:\Program Files\NetApp\WFA\jboss\standalone\configuration\wfa.keystore" -validity 3650
Note: Validity is in days.
You will be prompted for:
- Enter keystore password (use the default which is changeit)***
- What is your first and last name? (this is the WFA website name e.g. wfa.lab.priv)
- What is the name of your organizational unit?
- What is the name of your organization?
- What is the name of your City or Locality?
- What is the name of your State or Province?
- What is the two-letter country code for this unit?
Image: Obtaining the database key
*** You can change the default password according to the IaSG, but it mentioned changing the password attribute in the standalone-full.xml file, and I could not find the referred-to location in the file. Otherwise, it doesn’t work without using changeit.
Note: The wfa.keystore file might get created in the wrong folder (it did for me), so move it from
C:\Program Files\NetApp\WFA\jboss\standalone\configuration
to
C:\Program Files\NetApp\WFA\jboss\standalone\configuration\keystore
1.6) Restart the WFA services:
net start NA_WFA_SRV
Part 2) Creating a certificate signing request for Workflow Automation
Continuing from above ...
2.1) From a DOS prompt, change directory>
cd "C:\Program Files\NetApp\WFA\jre\bin"
2.2) Enter the following to create a CSR:
keytool -certreq -keystore "C:\Program Files\NetApp\WFA\jboss\standalone\configuration\keystore\wfa.keystore" -alias "ssl keystore" -file C:\WFA_CERT.csr
Note: Again using password changeit
Part 3) Generating the CER and P7B
3.1) Take WFA_CERT.csr from earlier and process it on the Certificate Authority server using the following from the Command Prompt>
certreq -attrib "CertificateTemplate:WebServer" WFA_CERT.csr WFA_CERT.cer
This generates the WFA_CERT.cer file.
Note: Check out this post if you want to add Subject Alternative Names (SAN) to the cert - for example>
certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=wfa&DNS=wfa.lab.priv&DNS=10.0.1.35&IPAddress=10.0.1.35&DNS=mswfa1&DNS=mswfa1.lab.priv" WFA_CERT.csr WFA_CERT.cer
3.2) Double-click the WFA_CERT.cer file
Image: The generated CER
3.3) Go to the Details tab
3.4) Click “Copy to File....”
3.5) In the ‘Certificate Export Wizard’ select to export the file as .P7B and ‘Include all certificates in the certification path if possible’
Image: Exporting as P7B
3.6) Save as say WFA_CERT.p7b
Part 4) Installing the Certificate
4.1) From a DOS prompt, change directory>
cd "C:\Program Files\NetApp\WFA\jre\bin"
4.2) Run this command to import the certificate chain>
keytool -import -alias "ssl keystore" -keystore "C:\Program Files\NetApp\WFA\jboss\standalone\configuration\keystore\wfa.keystore" -trustcacerts -file C:\WFA_CERT.p7b
Note: Again using password changeit
4.3) Finally, restart the WFA Services>
net stop NA_WFA_SRV
net stop NA_WFA_DB
net start NA_WFA_SRV
4.4) And verify the certificate is working!
Image: A happy padlock
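A check for step 4.4 that goes beyond looking at the padlock, added here as an example and not part of the original post or NetApp's guide: it parses the output of keytool -list -v -keystore <path to wfa.keystore> -alias "ssl keystore" and reports whether the alias still holds the self-signed cert, or whether the CA reply ended up as a separate trusted cert instead of on the private key. The sample listings and the CA name lab-CA are constructed, the function name is hypothetical, and English keytool output is assumed.

```python
import re

# Constructed sample: listing after Part 1 (self-signed key pair only).
SELF_SIGNED = """\
Alias name: ssl keystore
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wfa.lab.priv, OU=IT, O=Lab, C=US
Issuer: CN=wfa.lab.priv, OU=IT, O=Lab, C=US
"""
# Constructed sample: listing after Part 4 (the CA name lab-CA is made up).
CA_SIGNED = """\
Alias name: ssl keystore
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=wfa.lab.priv, OU=IT, O=Lab, C=US
Issuer: CN=lab-CA, DC=lab, DC=priv
Certificate[2]:
Owner: CN=lab-CA, DC=lab, DC=priv
Issuer: CN=lab-CA, DC=lab, DC=priv
"""

def check_keystore_listing(listing, alias="ssl keystore"):
    """Return a list of problems for `alias` in English `keytool -list -v` output."""
    entries = re.split(r"(?m)^Alias name: ", listing)[1:]
    entry = next((e for e in entries if e.splitlines()[0].strip() == alias), None)
    if entry is None:
        return ["alias %r not found" % alias]
    problems = []
    kind = re.search(r"(?m)^Entry type: (\S+)", entry)
    if not kind or kind.group(1) != "PrivateKeyEntry":
        # A trustedCertEntry means the CA reply was not attached to the key pair.
        problems.append("entry is not a PrivateKeyEntry")
    chain = list(zip(re.findall(r"(?m)^Owner: (.+)$", entry),
                     re.findall(r"(?m)^Issuer: (.+)$", entry)))
    if not chain:
        return problems + ["no certificates listed"]
    if chain[0][0] == chain[0][1]:
        problems.append("leaf certificate is still self-signed")
    # Every certificate must be issued by the next one up the chain.
    for (owner, issuer), (next_owner, _) in zip(chain, chain[1:]):
        if issuer != next_owner:
            problems.append("chain break after %s" % owner)
    return problems

if __name__ == "__main__":
    print(check_keystore_listing(SELF_SIGNED))  # state after Part 1
    print(check_keystore_listing(CA_SIGNED))    # state after Part 4
```

An empty list means the alias holds the private key together with a CA-issued chain, which is the state Part 4 is meant to produce.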