How to configure SSL for NAM Console

If your security policy requires that a signed certificate be used for the NAM Console Server, you can provide your own certificate issued by a trusted authority.

The default certificate provided with the NAM Console Server installation is unsigned.

To provide an officially signed certificate, see the following:

Creating a new keystore

On the system where you have installed the NAM Console Server, open a Command Prompt window.

The Command Prompt application for Windows provides a command-line interface to the operating system.

Ensure that the keytool utility is present and available on the system.

In the Command Prompt window, run the keytool utility without any command line arguments. If the utility is found, the result of running the command is the help output detailing keytool usage. If an error message is displayed instead, indicating that keytool is not recognized as an internal or external command or operable program or batch file, find keytool on the computer or install it. To do this:

Determine if keytool is present on the computer.

keytool is available free as part of the Java Runtime Environment (JRE). Verify if JRE is currently one of the installed programs and where it is installed. If it is installed, locate keytool in the JRE folder and make sure that this folder is in your system-wide PATH environment variable.

If JRE is not installed on the computer, install the latest version.

Perform the installation by following the steps described at www.java.com. When installing the JRE, you may be prompted to un-install older versions of Java. Do this only if you are sure that there is no software on your computer that relies on the particular version or language of the currently installed Java.

Verify that keytool is now available.

After the JRE has been installed, open the Command Prompt window and verify that keytool is now available. If it is still not available, amend the PATH environment variable accordingly and re-try.

Change the current drive to the drive on which the NAM Console Server has been installed.

The default installation drive is C:

Change the current working directory to the folder where the NAM Console Server keystore file resides.

cd <installation_folder>\workspace\configuration\jetty\etc

The default location of the installation folder is: C:\Program Files\Dynatrace\RUM Console\

cd \Program Files\Dynatrace\RUM Console\workspace\configuration\jetty\etc

Delete the current keystore file, named keystore.

del keystore

Execute the command to create a new keystore.

keytool -genkeypair -keyalg RSA -keysize 2048 -keystore keystore

When prompted, enter and confirm the keystore password as jettypasswd.

Note that the password characters do not appear on the screen as you type:

Enter keystore password:
Re-enter new password:

When prompted to enter first and last name, enter the domain name.

This is the domain that is used by the NAM Console Server. For example:

What is your first and last name?
  [Unknown]:  yellow.brick.road

Note

The name for a certificate cannot be an IP address and must be a fully qualified domain name. Due to new CA/Browser Forum changes, internal server names and private IP addresses will not be available for use after July 15, 2015.

When prompted, enter the other required information and confirm your entries, for example:

What is the name of your organizational unit?
  [Unknown]:  Order Processing
What is the name of your organization?
  [Unknown]:   Yellow Paving Supplies
What is the name of your City or Locality?
  [Unknown]:  Sedan
What is the name of your State or Province?
  [Unknown]:  Kansas
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=yellow.brick.road, OU=Order Processing, O=Yellow Paving Supplies, L=Sedan, ST=Kansas, C=US
correct?
  [no]:  yes

When prompted, enter password for mykey as jettypasswd.

Note that the password characters do not appear on the screen as you type, for example:

 Enter key password for <mykey>
        (RETURN if same as keystore password):
Re-enter new password:

Creating and submitting a certificate signing request (CSR)

Use the keytool command to create a CSR file. You are required to enter the password you defined earlier.

keytool -certreq -alias mykey -keyalg RSA -file certReq.csr -keystore keystore

For example:

keytool -certreq -alias mykey -keyalg RSA -file certReq.csr -keystore keystore
Enter keystore password:

As a result of this step, a CSR file is created, named certReq.csr

Use the created CSR file to apply for a signed certificate.

Apply to the appropriate Certificate Authority and provide the CSR file.

Importing the certificates obtained from a certificate authority

Most end-user certificates are issued by intermediate certificate authorities, so you have to import not only the certificate reply, but also add a trusted certificate entry for each certificate in the chain: intermediate and root certificate. Use the keytool command for both types of input operations, noting that if the alias does not point to a key entry, then the keytool command assumes you are adding a trusted certificate entry – one of the certificates in the chain. If the alias points to a key entry, then the keytool command assumes you are importing a certificate reply.

Use the keytool command to add each trusted certificate entry in the chain.

Note that if the alias already exists, the keytool command outputs an error, because there is already a trusted certificate for that alias.

keytool -importcert -trustcacerts -alias ca_alias -file cert_file -keystore keystore

where ca_alias is the name of the appropriate intermediate or root certificate and cert_file is the name of the CER certificate file you have received.

Note

First add each trusted certificate in the chain. Do not import the certificate reply until all of the trusted certificates have been added.

If the command is executed successfully for each certificate, the message “Certificate was added to keystore” is displayed.

Use the keytool command to import the certificate reply.

keytool -importcert -trustcacerts -alias mykey -file cert_file -keystore keystore

where cert_file is the name of the CER certificate file you have received.

If the command is executed successfully, the message “Certificate reply was installed in keystore” is displayed.

Restart the NAM Console Server.
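
The following helper script is an added example and is not part of the product documentation. It wraps the checks worth running around the three procedures above: saving the shipped keystore before it is deleted, reading the CSR before it is submitted, inspecting each file received from the CA, and confirming the installed chain. The script name keystore_checks.cmd and the backup name keystore.orig are assumptions made for this example.

```bat
@echo off
rem Added example, not part of the product documentation.
rem Usage: keystore_checks.cmd pre ^| csr ^| cert <file> ^| post
rem Run it in <installation_folder>\workspace\configuration\jetty\etc
setlocal

rem keytool must be resolvable through PATH, as the procedure requires.
where keytool >nul 2>&1
if errorlevel 1 (
    echo keytool not found on PATH. Locate it in the JRE folder or install the JRE.
    exit /b 1
)

if /i "%~1"=="pre"  goto pre
if /i "%~1"=="csr"  goto csr
if /i "%~1"=="cert" goto cert
if /i "%~1"=="post" goto post
echo Usage: %~nx0 pre ^| csr ^| cert ^<file^> ^| post
exit /b 2

:pre
rem Before "del keystore": keep the shipped keystore so it can be restored.
rem keystore.orig is a name chosen for this example; never overwrite an earlier copy.
if not exist keystore (echo No keystore file in the current folder & exit /b 1)
if exist keystore.orig (echo keystore.orig already exists, not overwriting & exit /b 1)
copy keystore keystore.orig >nul || exit /b 1
echo Saved keystore as keystore.orig
exit /b 0

:csr
rem Before sending certReq.csr to the CA: confirm the subject (the CN must be
rem the fully qualified domain name) and the key algorithm.
keytool -printcertreq -file certReq.csr
exit /b %errorlevel%

:cert
rem For each file received from the CA: read Owner, Issuer and validity to tell
rem root, intermediate and the certificate reply apart before importing them.
if "%~2"=="" (echo Specify the certificate file & exit /b 2)
keytool -printcert -file "%~2"
exit /b %errorlevel%

:post
rem After importing the reply: mykey should be a PrivateKeyEntry whose
rem "Certificate chain length" is greater than 1 (reply, intermediate, root).
rem keytool prompts for the keystore password.
keytool -list -v -alias mykey -keystore keystore
exit /b %errorlevel%
```

A chain length of 1 for mykey after the import means the entry still holds only the self-generated certificate and the certificate reply was not installed.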