Filip K. asked ·

DCRUM CAS ssl configuration

Where can I find documentation on how to configure CAS to accept HTTPS connections?

nam server

Dariusz K. answered ·

Depending on how you obtained the certificate and the private key, please follow the procedure below.

If you're about to create the key and certificate to get it signed, please start from the beginning; if you're expecting to get the certificate(s) and the key from your team, please start from step 4. In this case please also make sure that the key is saved in RSA format.

An RSA private key should contain the following string:

-----BEGIN RSA PRIVATE KEY-----

So, here's the meat:

1. Create the key (if you haven't received the key and cert from the issuer and you will be generating the key and cert request):

keytool -genkeypair -keyalg rsa -keystore [keystorename].jks -storepass [keystorepassword] -alias [alias]

2. Create the cert request using the names defined in the previous step:

keytool -certreq -alias [alias] -keystore [keystorename].jks -storepass [keystorepassword] -file my_new_cert.csr -validity [number of days]

3. Send the certificate request file (my_new_cert.csr in this example) out to be signed.

4. Make sure your certificate is in Base64 X.509 format; if not, convert it:

(a) In case you received your signed cert from root CA:

  • Right-click on the certificate chain file (for example, signed_cert.p7b) and select Open.
  • The certificate should open in the Windows Certificates tool. If not, open certmgr.msc and use the import tool.
  • In the left pane, expand Certificates - Current User > Certificates. You will see the imported certificate.
  • Export the certificate into Base64 X.509 by right-clicking on each certificate and selecting All Tasks > Export.
  • Click Next.
  • Enter the name of the exported file, for example, signed_cert.cer for the root certificate.
  • Click Finish.

(b) In case you received your signed cert from non-root CA:

  • Right-click on the certificate chain file (for example, signed_cert.p7b) and select Open.
  • The certificate should open in the Windows Certificates tool. If not, open certmgr.msc and use the import tool.
  • In the left pane, expand Certificates - Current User > Certificates. You will see the imported certificate.
  • Export the certificate into Base64 X.509 by right-clicking on each certificate and selecting All Tasks > Export.
  • Click Next.
  • Enter the name of the exported file, for example, signed_cert.cer for the root certificate.
  • Click Finish.
  • Repeat the procedure for all Intermediate (there can be more than one) and Root certificates (e.g. root.cer & intermediate.cer).

If the certificate was not issued by a trusted CA, the connecting device will then check whether the certificate of the issuing CA was issued by a trusted CA, and so on until a trusted CA is found. If no trusted CA is found, a warning message is displayed. The chain file provides the correct certificate path.

  • Create certificates chain file that will contain all certificates in one file with following order:
    Signed certificate -> Intermediate certificate (from the bottom to the top of the chain, if multiple) -> Root certificate

In our example the following command will create the chain:

type signed_cert.cer intermediate.cer root.cer > chain.txt

5. Convert the exported PKCS12 binary file to PEM format (or convert from whatever format your issuer delivered the key in, if you got it along with the certificate):

openssl.exe pkcs12 -in [path.to]pkey.p12 -nodes -nocerts -out [path.to]pkey.pem

6. Configure the following settings in the common.properties file:

Point connector.ssl.SSLCertificateFile to the signed certificate file converted to X.509 (signed_cert.cer).
Point connector.ssl.SSLCertificateKeyFile to the key you generated using keytool, for example pkey.pem.
Point connector.ssl.SSLCertificateChainFile to the chain of certificates, that is the chain.txt you created by joining the contents of the .cer files.

7. Set the key password.

  • In Windows, go to Programs and Features > Uninstall a program, select Dynatrace Central Analysis Server and click Uninstall/Change.
  • In the CAS installation dialog, select Change HTTP and SSL Server settings and click Next.
  • Select Use HTTPS (HTTP over SSL) and Use custom key and certificate, and click Next.
  • Read the on-screen information, type and confirm the password and click Next. The key password is updated.
  • Restart the CAS service.

I hope this will clarify the SSL certificate installation a bit.
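As an added example (not from this thread or from Dynatrace), a small Python checker for the three files that step 6 points at: it reads the connector.ssl.* entries from a common.properties fragment and checks that the key is an unencrypted RSA PEM key, that the certificate file holds one Base64 X.509 certificate, and that the chain file starts with that certificate in the signed -> intermediate -> root order from step 4. It does structural checks only, not signature verification, and the file contents below are constructed placeholders.

```python
import re
# One PEM block: the label, then the Base64 body up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, base64 body without whitespace) for each PEM block in text."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2))) for m in PEM_BLOCK.finditer(text)]

def parse_properties(text):
    """Minimal common.properties reader: key=value lines, '#' comment lines skipped."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_ssl_files(props, files):
    """Return the problems found; an empty list means the three files fit step 6."""
    def blocks(prop):  # PEM blocks of the file a connector.ssl.* property points to
        return pem_blocks(files.get(props.get(prop, ""), ""))
    key = blocks("connector.ssl.SSLCertificateKeyFile")
    cert = blocks("connector.ssl.SSLCertificateFile")
    chain = [body for label, body in blocks("connector.ssl.SSLCertificateChainFile") if label == "CERTIFICATE"]
    problems = []
    if not key:
        problems.append("key file missing or not PEM: convert it with openssl pkcs12 -nodes -nocerts")
    elif key[0][0] != "RSA PRIVATE KEY":
        problems.append("key is '%s', not an unencrypted RSA (PKCS#1) key" % key[0][0])
    if len(cert) != 1 or cert[0][0] != "CERTIFICATE":
        problems.append("certificate file must hold exactly one Base64 X.509 certificate")
    if len(chain) < 2:
        problems.append("chain file needs the signed certificate plus the CA certificate(s)")
    elif cert and chain[0] != cert[0][1]:
        problems.append("chain must start with the signed certificate (signed -> intermediate -> root)")
    return problems

# Constructed sample material: the Base64 bodies are placeholders, not real keys or certificates.
def fake_pem(label, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

SIGNED, INTER, ROOT = (fake_pem("CERTIFICATE", b) for b in ("U0lHTkVE", "SU5URVI=", "Uk9PVA=="))
GOOD_FILES = {
    "signed_cert.cer": SIGNED,
    "pkey.pem": fake_pem("RSA PRIVATE KEY", "UlNBS0VZ"),
    "chain.txt": SIGNED + INTER + ROOT,  # what 'type signed_cert.cer intermediate.cer root.cer > chain.txt' yields
}
PROPS = parse_properties("connector.ssl.SSLCertificateFile=signed_cert.cer\nconnector.ssl.SSLCertificateKeyFile=pkey.pem\n"
                         "connector.ssl.SSLCertificateChainFile=chain.txt\n")
```

Swapping a PKCS#8 "PRIVATE KEY" block or the raw binary .p12 in for pkey.pem makes check_ssl_files name the missing step-5 conversion.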


Hi Dariusz,

Appreciate your effort in breaking down the steps. It's clearer this way. May I ask:

1) I have 3 files received from the customer. How can I distinguish root and non-root CA? Which files do I need to convert?
2) To create the certificate chain, can I just simply type in the command in cmd?
3) What is the PKCS12 binary file referring to? Is it referring to the output file in step 4?

Thanks!

Adam P. answered ·

Exactly, thanks!

Vlad S. answered ·

Hi gents!

Need your help here. I've done the same procedure for CAS as described here but am faced with the error java.lang.exception: cannot create new ssl.

Basically TCP 443 is open.

What I've not done is step #5. Which certificate should I convert to PEM, and why is it needed, if the common.properties file contains links only to the CER, the chain and the private key?

Looking forward to your help

Thanks in advance


Hi Vlad,

These are the settings we use at Optum for SSL Certificates on ADS/CAS.

common.properties --> connector.ssl.enabled=true
common.properties --> connector.ssl.SSLEnabled=true

common.properties --> connector.ssl.SSLCertificateFile
dcrum-optum.cer = Certificate Only (No Root Chain, No Private Key) Base64 (OpenSSL)

common.properties --> connector.ssl.SSLCertificateKeyFile
dcrum-optum.key = RSA Private Key (no password) Base64 (OpenSSL)

common.properties --> connector.ssl.SSLCertificateChainFile
dcrum-optum.pem = Root Chain Only, Base64 (OpenSSL)

Rename CAS\wwwroot\WEB-INF\notInclude-web-redirection.xml to web-redirection.xml for HTTP 80 to HTTPS 443 redirection.

Restart ADS/CAS Service

For RUM Console
dcrum-optum.pfx = Certificate, Private Key, and Root Chain PKCS#12, alias = jetty
Use keytool to delete the existing mykey and/or jetty alias

"RUM Console\jre\bin\keytool" -keystore "RUM Console\workspace\configuration\jetty\etc\keystore" -delete -alias mykey -storepass jettypasswd
"RUM Console\jre\bin\keytool" -keystore "RUM Console\workspace\configuration\jetty\etc\keystore" -delete -alias jetty -storepass jettypasswd
Use keytool to import the new PKCS12 dcrum-optum.pfx file into the JKS.
"RUM Console\jre\bin\keytool" -importkeystore -deststorepass jettypasswd -destkeypass jettypasswd -destkeystore "RUM Console\workspace\configuration\jetty\etc\keystore" -srckeystore $pfx -srcstoretype PKCS12 -alias jetty

Restart RUM Console Service

Babar Q. answered ·

Hello @Adam P. and @Ulf T.

Can we have a step-by-step guide for this configuration?

We have only a production environment, therefore, can't do this exercise to know the consequences.

Regards,

Babar


Hello Adam,

Thank you for your prompt reply.

I have gone through the provided link and also the following link, but I have some confusion, e.g.

  • Secure connection configuration in Apache Tomcat.
  • OpenSSL tool, which can be used for the SSL key and certificate generation, conversions, and management etc...

https://community.dynatrace.com/community/display/DCRUM123/Configuring+Report+Server+to+Use+Private+Keys+and+Certificates

Can you share some other valuable notes beside the documentation or the best practices to handle this change carefully and flawlessly?

Regards,

Babar


We will provide more info on Monday/Tuesday.


Hello @Adam P.

Will be really grateful for this kindness.

Regards,

Babar


Eagerly awaiting the aforementioned info :-)

Hello Babar,

Are you about to create your own self-signed certificate, or get one signed by an authorised CA?

The steps you will need to take depend on the question I asked above.

Kind regards,

Darek

Ulf T. answered ·

As of the more recent releases, all communication is SSL by default.

What part is it that you want to change from ordinary HTTP to HTTPS?


The actual client browser communication/login to the CAS reporting GUI.
