Configuring CentraSite Client to Use Two-way SSL
To configure
CentraSite for two-way SSL authentication
1. Using OpenSSL, create a self-signed certificate (centrasite.cer) with the following command:
openssl req -new -x509 -days 2000 -sha1 -newkey rsa:1024 -nodes
-keyout server.key -out server.crt -subj "/O=Company/OU=Unit/CN=localhost"
Whatever is specified in the CN section of the subject must match the hostname of the machine running the Mediator and is used to send requests to the Mediator.
2. Create at least one keystore centrasitekeystore.jks, in PKCS#12 or JKS format, containing a CentraSite key pair to use for SSL.
C:\deploykeystores\new>keytool -v -genkeypair -alias centrasite
-keyalg RSA -validity 1000 -keystore centrasitekeystore.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Enter key password for <centrasite>
<RETURN if same as keystore password>:
[Storing centrasitekeystore.jks]
C:\deploykeystores\new>
3. Create at least one truststore centrasitetruststore.jks, in JKS format, in a desired location on the machine where CentraSite is running.
4. Import the Mediator's self-signed certificate mediator.cer into the above created truststore or Java cacerts.
When prompted for password, the default for truststores is password.
C:\deploykeystores\new>keytool -export -alias mediator
-keystore mediatorkeystore.jks -rfc -file mediator.cer
Enter keystore password:
Certificate stored in file <mediator.cer>
C:\deploykeystores\new>keytool -import -alias mediator
-keystore centrasitetruststore.jks -file mediator.cer
Enter keystore password:
Re-enter new password:
Owner:
Issuer:
Serial number:
Valid from:
Certificate fingerprints:
Trust this certificate? [no]: yes
Certificate was added to keystore
C:\deploykeystores\new>
If opting to import certificate in to Java cacerts, the Java runtime needs to trust the certificates of the Mediator (regardless of whether this is a Tomcat application or a standalone application) in order to establish the SSL connections. To do that, add the certificate to the trusted certificates of Java through the keytool utility that comes with Java. The following command adds the certificate located at a location (for example, c:\temp\server.crt) to the trusted certificates in the Java used by CentraSite:
keytool.exe -import -v -trustcacerts -alias test
-file "C:\temp\server.crt"
-keystore "<JDKInstallDir>\jre\lib\security\cacerts"
When prompted for password, the default for Java is changeit.
5. Export the CentraSite's self-signed certificate centrasite.cer in to the Mediator's truststore.
6. Open the wrapper.conf file located in the directory <CentraSiteInstall_Directory>/profiles/CTP/configuration
7. Go to the section #Java Additional Parameters. Add the following property lines:
wrapper.java.additional.5=-Djavax.net.ssl.keyStore="C:/deploykeystores/new/
centrasitekeystore.jks"
wrapper.java.additional.6=-Djavax.net.ssl.keyStorePassword=password
wrapper.java.additional.7=-Djavax.net.ssl.trustStore="C:/deploykeystores/ne
w/centrasitetruststore.jks"
wrapper.java.additional.8=-Djavax.net.ssl.trustStorePassword=password
8. Set the values as needed:
wrapper.java.additional.5=-Djavax.net.ssl.keyStore= represents the location of a keystore file (say, centrasitekeystore.jks).
wrapper.java.additional.6=-Djavax.net.ssl.keyStorePassword= represents the password for a keystore.
wrapper.java.additional.7=-Djavax.net.ssl.trustStore= represents the location of a truststore file (say, centrasitetruststore.jks).
wrapper.java.additional.8=-Djavax.net.ssl.trustStorePassword= represents the password for a truststore.
9. Save and close the file.
10. Now restart the CentraSite Tomcat. All communication through the Mediator to the database should now be using SSL.