Veritas Data Insight Installation Guide

Product(s): Data Insight (6.1.5)

Generating Management Console certificate

The Management Server provides a web interface (administration console) for reporting and administration purposes. You access this interface with a web browser. The Management Server and browser communicate through an SSL connection.

To ensure confidentiality, all communication between the Management Server and the browser is encrypted using a symmetric key. To initiate a connection, the Management Server and browser negotiate the encryption algorithm (algorithm, key size, and encoding) and encryption key to use.

By default, connections between the Management Server and the browser use a single, self-signed certificate. The Management Server generates the certificate at install time, and the certificate is unique to your deployment. The certificate is present on the Management Server node in a folder called keys under the data folder. The file is called webserver.keystore. While this certificate is secure, you get a warning message in the browser when accessing the web interface because it is a self-signed certificate. To avoid getting this warning, Veritas recommends that you generate a unique certificate for your organization's installation. This new certificate replaces the default certificate.

To generate a unique Management Console certificate

  1. Collect the following information to generate a certificate request:
    • Common name

      The fully qualified DNS name of the Management Server. This name must be the actual name of the server that is accessible by all the clients.

    • Organization name

      For example, Veritas, Inc.

    • Organizational unit (optional)

    • City

      For example, San Francisco

    • State

      For example, CA

    • Country

      For example, US

    • Expiration

      Expiration time in days (90)

  2. Use keytool.exe to create the self-signed certificate (keystore file), which you need to generate the Certificate Signing Request (CSR). keytool.exe is a utility for managing keys and certificates. These items are used in self-authentication or data integrity and authentication services, using digital signatures. Certificates also enable users to cache the public keys of their communicating peers.

    To create this file, go to the root directory of the Veritas Data Insight installation and perform the following steps in this order:

    • From a command window, go to the installdir\DataInsight\jre\bin directory, where installdir is the directory into which you installed the Management Server.

    • Run the following command with the information collected in step 1:

      keytool -genkey -alias tomcat -keyalg RSA -validity 730 -keysize 1024
      -keypass changeit -keystore webserver.keystore -storepass changeit 
      -storetype JKS -dname cn=common_name,o=organization_name,
      ou=organization_unit,l=city,s=state,c=US
      

    The -storepass changeit option sets the keystore password to changeit. Enter this password if you are prompted for a password after running the command. This command creates the self-signed certificate (webserver.keystore) in the <installdir>\jre\bin directory.

    Note:

    Veritas recommends that you set the password as changeit. If you want to use a different password, perform the additional steps mentioned in step 11 before you start the DataInsightWeb service.

  3. Generate the certificate signing request (CSR) file. The CSR file is the request that you submit to the Signature Authority to obtain a signed certificate.

    From the <installdir>\jre\bin directory, run the following command:

    keytool -certreq -alias tomcat -keyalg RSA -keystore webserver.keystore 
    -storetype JKS -storepass changeit -file "DataInsight.csr"

    If you are prompted for a password, press Enter. This command creates a file called DataInsight.csr. You submit this file to the Signature Authority.

  4. To obtain a signed certificate, send the .CSR file to a Certified Signature Authority (your own or a third party, such as VeriSign).

    To obtain a signed certificate from your internal Signature Authority, contact your system administrator for instructions.

    For the VeriSign Signature Authority, perform one of the following actions:

    • Current Customers

      If you are a current VeriSign customer, go to the following page and buy an additional certificate: http://www.symantec.com/ssl-certificates/?themeid=verisign-ssl-certificates&inid=vrsn_ss_Index

      You need your Common Name, Order Number, or serial number to begin the transaction, as well as the CSR.

    • New customers

      If you are not a current customer and want to purchase the signed certificate from VeriSign, go to the following page: http://www.VeriSign.com/products-services/security-services/ssl/buy-ssl-certificates/index.html.

      To purchase the signed certificate, you need the following information, in addition to the CSR:

      • The length of time for the certificate (one year or two years).

      • The number of servers that host a single domain (up to five servers).

      • The server platform.

      • The organization, organizational unit, country, state, or locality (all spelled without abbreviations).

      • Payment information and a billing contact.

      • The common name. This name is the host name and domain name, such as www.company.com or company.com.

      • An email where VeriSign can reach you to validate the information.

      • Documentation to demonstrate that your organization is legitimate.

    To obtain signed certificates from other Signature Authorities, go to their web sites and follow the instructions to enroll and obtain a signed certificate. This process is similar to the VeriSign process. However, check with the organization to identify any additional environment information that may be needed for the certificate.

    The certified Signature Authority sends you the signed certificate (this process might take 3-5 days). Internal Signature Authorities must return the root certificate along with the signed certificate.

  5. Place the signed certificate into the directory (<installdir>\jre\bin) with the webserver.keystore file. If the certificate arrives as text in the body of an email, paste it into a text document exactly as it appears on the screen. Include the top line and bottom line (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). Make sure that no extra lines, spaces, trailing carriage returns, or characters have been inadvertently added. Save this file in the same directory where the webserver.keystore file is located. If the signed certificate is provided as an attachment to an email, copy this file into the same directory where the webserver.keystore file is located.
  6. Keep a copy of both the webserver.keystore file and the signed certificate file in a separate, secure location.
  7. Confirm that the signed certificate is correct. Open a command prompt and run the following command to view the certificate's fingerprint(s):

    keytool -printcert -file signed_certificate_filename

    The following is an example output:

    Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
    Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
    Serial Number: 59092b34
    Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13 PST 1997
    Certificate Fingerprints:
    MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F
    SHA1: 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37:37:13:0E:5E:FE
  8. Call or email the person who sent the certificate and compare the fingerprint(s) you see with the fingerprint(s) they sent you. If the fingerprint(s) are not exactly equivalent, the certificate may have been replaced in transit by an attacker's certificate.

    If you used an Internal Signing Authority, also view the fingerprint(s) of the root certificate using the same -printcert command.

    keytool -printcert -file name_of_root_certificate_provided_by_internal_signature_authority

    Compare the displayed fingerprint with the well-known fingerprint (obtained from a newspaper or the root CA's web page). Contact the certificate's issuer if you have questions.

    When you run the -importcert command in the next step, it prints out the certificate information and prompts you to verify it.

  9. Return to the <installdir>\jre\bin directory and update the local webserver.keystore file with the signed certificate as follows:
    • Internal signature authority

      Use the following command to update the webserver.keystore file with the root certificate:

      <installdir>\jre\bin\keytool.exe -importcert -file 
      root_certificate_filename -keystore webserver.keystore 
      -storepass changeit
       
      

      Use the following command to update the webserver.keystore file with the signed certificate:

      <installdir>\jre\bin\keytool 
      -importcert -alias tomcat -keystore webserver.keystore -trustcacerts 
      -file signed_certificate_filename
    • VeriSign or third-party signature authority

      Use the following command to update the local webserver.keystore file with the signed certificate:

      <installdir>\jre\bin\keytool 
      -importcert -alias tomcat -keystore webserver.keystore -trustcacerts
      -file signed_certificate_filename
  10. Copy the updated webserver.keystore file into the $datadir\keys directory. By default, $datadir is located at C:\DataInsight\data. Note that this operation overwrites an existing file of the same name in that location. Rename the existing file if you want to keep it.
  11. If you have used a password other than changeit in step 2, perform the following additional steps:
    • Log into the Management Server with Administrator privileges.

    • Open a command prompt window, and change to the bin directory in the installation folder for Data Insight. By default, the bin directory is located at C:\Program Files\DataInsight\bin.

    • Execute the following command:

      configcli.exe keystore_password webserver <new password>

  12. Restart the Data Insight web service by performing the following steps in the specified order:
    • net stop DataInsightWeb

    • net start DataInsightWeb
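
The checks in steps 5, 7 and 8 can be scripted. The following Python is an added example, not part of the Veritas guide or product: it rejects a pasted certificate that is not a clean PEM block and compares its fingerprint with the value received out of band. The function names and the sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

# Strict PEM shape: exact marker lines, base64 body lines of at most 64 chars,
# nothing before or after (step 5: no extra lines, spaces or characters).
PEM_RE = re.compile(r"\A-----BEGIN CERTIFICATE-----\n"
                    r"((?:[A-Za-z0-9+/=]{1,64}\n)+)"
                    r"-----END CERTIFICATE-----\n?\Z")

def pem_to_der(pem_text):
    """Return the DER bytes of a cleanly pasted PEM block, else raise ValueError."""
    text = pem_text.replace("\r\n", "\n")  # Windows line endings are tolerated
    m = PEM_RE.match(text)
    if m is None:
        raise ValueError("not a clean PEM certificate block")
    return base64.b64decode(m.group(1).replace("\n", ""), validate=True)

def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest of the DER bytes."""
    hexd = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def normalize(fp, algo="sha256"):
    """Drop separators and case; reject non-hex or truncated values."""
    hexonly = re.sub(r"[\s:\-]", "", fp).upper()
    size = hashlib.new(algo).digest_size * 2
    if len(hexonly) != size or not re.fullmatch(r"[0-9A-F]+", hexonly):
        raise ValueError(f"not a complete {algo} fingerprint")
    return hexonly

def matches(pem_text, expected_fp, algo="sha256"):
    """True only if the file's fingerprint equals the one received out of band."""
    actual = normalize(fingerprint(pem_to_der(pem_text), algo), algo)
    return actual == normalize(expected_fp, algo)

def make_pem(der):
    """Wrap bytes in PEM armor (used only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes, not a real certificate.
SAMPLE_DER = bytes(range(64)) * 3
SAMPLE_PEM = make_pem(SAMPLE_DER)

if __name__ == "__main__":
    sent = fingerprint(SAMPLE_DER, "sha1")              # value the sender reads out
    print(matches(SAMPLE_PEM, sent.lower(), "sha1"))     # same certificate
    print(matches(make_pem(b"x" * 192), sent, "sha1"))   # substituted certificate
```

Pass the same hash algorithm that the sender used for the fingerprint they quoted; a fingerprint of the wrong length raises an error instead of being compared.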