SXI Forum

A place to collect usefull tips, tricks and implementation strategies.

You are not logged in.

#1 21-11-2018 16:22:39

SeanR
Administrator
Registered: 20-11-2018
Posts: 147

Security: Tomcat Certificates

For Tomcat follow any of these links -

Tomcat SSL howto

Installing Tomcat

X-ServiceBroker uses a local java keystore to store certificates it uses for it's connectors and their SSL connections, this is located in the file X-ServiceBroker/resource/sxi.jks. The Keystore is protected with a password of "The default SXI animal password"

Typically one would want to add new certificates to this keystore as new connectors are used or URL's changed, to do this, one would use the java Keytool utility, located in the java/bin directory.

The certificates:

For a new connector, you would typically be given 2 certficates (sometimes 3). These would be:

  1. The private certificate - this is the main certificate with the full URL and details

  2. Intermediate certificate (wont always have this one) - Links the root and private certificate

  3. Root certificate - issued by the certificate authority

Installing the certificates into the keysyore:

Copy the keystore file (sxi.jks) to the java/bin directory (purely to make relative paths and filenames easier)

Then run the following commands:

keytool -import -alias root -keystore sxi.jks -trustcacerts -file nameOfRootCerFile.cer

keytool -import -alias inter -keystore sxi.jks -trustcacerts -file nameOfIntermediateCertificateFile.cer (If such certificate is given)

keytool -import -alias private  -keystore sxi.jks -file nameOfPrivateCertficateFile.cer

The alias is just the name of the certificate in the keystore, this can be anything as long as it is unique and doesn't conflict with an existing certificate

When prompted for a password, use "The default SXI animal password"

After the following the above steps, the certificates should be imported into the keystore and ready for use, all that's left is to copy the keystore back to X-ServiceBroker/resource/ and restart the X-ServiceBroker

Offline

#2 22-11-2018 07:53:22

SeanR
Administrator
Registered: 20-11-2018
Posts: 147

Re: Security: Tomcat Certificates

Please view the following short video to see step by step how to extract a cert from a url using chrome.

How to extract a certificate from a URL using Chrome

Offline

#3 22-11-2018 08:08:57

SeanR
Administrator
Registered: 20-11-2018
Posts: 147

Re: Security: Tomcat Certificates

X-EventCollector

X-EventCollector uses the cacerts keystore found in the C:\Program Files\SXI\jre\lib\security directory.

to update the cacerts keystore using a .pfx file.

  1. extract the public key certificate from the .pfx file, using a tool called OpenSSL

  2. From a cmd prompt, run the following command (from the openssl install directory)

      
    openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  3. Import the public key into the cacerts file
       

    1. Copy cacerts from C:\Program Files\SXI\jre\lib\security directory to C:\Program Files\SXI\jre\bin
         

    2. Paste cert.pem into C:\Program Files\SXI\jre\bin
         

    3. Using cmd, run the following commands (from the SXI\jre\bin derectory)
         

      	keytool -import -alias root -keystore cacerts -trustcacerts -file cert.pem
      	keytool -import -alias inter -keystore cacerts -trustcacerts -file cert.pem
      	keytool -import -alias private -keystore cacerts -trustcacerts -file cert.pem
      	

          (password for cacerts is "changeit")
         

  4. Move cacerts file back to  C:\Program Files\SXI\jre\lib\security directory

  5. Restart X-EventCollector

Offline

#4 22-11-2018 08:09:55

SeanR
Administrator
Registered: 20-11-2018
Posts: 147

Re: Security: Tomcat Certificates

There is a simpler way to import a certificate for XLayer

Copy the certificate.pfx file to C:\Program Files\SXI\X-ServiceBroker\resource

Inside the C:\Program Files\SXI\jre\bin directory run the following

keytool.exe -importkeystore -srckeystore ..\..\X-ServiceBroker\resource\certificate.pfx -srcstoretype pkcs12 -destkeystore ..\..\X-ServiceBroker\resource\sxi.jks -deststoretype JKS

Next you will be asked for a Destination password: This is the password for SXI.JKS

Then you will be asked for a Source keystore password:  This is the password given to you by the person supplying the certificate

Enter and you should see the following
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Offline

Board footer

Powered by FluxBB