Installing a certificate

To install a certificate in BigFix® Remote Control, you can either use an existing P12 or JKS keystore or import an existing certificate into the existing keystore.

About this task

Any changes that are made to the certificate configuration are overwritten if you reinstall or upgrade the BigFix® Remote Control server. Choose the appropriate method to install a certificate for BigFix® Remote Control. You can also configure the SSL certificate by using the server installer. For more information about configuring the SSL certificate during installation, see the BigFix® Remote Control Installation Guide.

Procedure

  1. To use an existing keystore, complete the following steps:
    1. Edit the ssl.xml file.
    2. Locate the <keystore/> parameter.
      Set appropriate values for your certificate keystore.
      ID
      The default value is defaultKeyStore. You can change the value to an ID of your choice or keep the default value.
      Password
      The default value is TrCWebAS. Replace the password with the password for the existing certificate store. You can enter the password in plain text, or encode the password by using the securityUtility tool. Use the following command to encode your password. For example, on a Windows system use securityUtility.bat.

      [installdir]\wlp\bin\securityUtility encode

      Where [installdir] is the BigFix® Remote Control server installation directory. Enter your password. Use the generated string for the password parameter.

      Location
      Enter the absolute path to the existing keystore. The value can be the path to a jks file or a p12 file.
      Type
      Determines the type of keystore file. If you are using a p12 file use PKCS12. If you are using a jks file, you do not need to define a type value.
    3. Save the file.
    4. Restart the BigFix® Remote Control server.
  2. To generate a signed certificate, complete the following steps:
    1. Open a command line window.
    2. Go to the BigFix® Remote Control installation directory.
    3. Change to the java\jre\bin subdirectory on a Windows system or the java/jre/bin subdirectory on a Linux system.
    4. Run ikeyman.sh on a Linux system or ikeyman.exe on a Windows system.
    5. In the GUI window, select Key Database File > Open.
    6. Go to the [installdir]/wlp/usr/servers/trcserver/resources/security directory, where [installdir] is the BigFix® Remote Control installation directory.
    7. Select key.jks. This file is the default keystore.
    8. Click Open.
    9. Enter the password TrCWebAS.
    10. Complete the appropriate procedure to install the certificate.
      • Create a certificate request
        1. Select Create > Create New Certificate Request.
        2. Provide a Key Label name. The name is displayed in the GUI.
        3. Type in any additional information.
        4. Click OK.
        5. A certreq.arm file is generated and saved to the location specified. This file must be sent to the certificate authority to be signed and a cert.arm file is returned.
        6. When you receive the signed certificate, select Receive.
        7. Browse to your cert.arm signed file.
        8. Click OK.
      • Externally sign the existing certificate
        1. Select Recreate Request.
        2. A certreq.arm file is generated and saved to the location specified. This file must be sent to the certificate authority to be signed and a cert.arm file is returned.
        3. When you receive the signed certificate, select Receive.
        4. Browse to your cert.arm signed file.
        5. Click OK.
  3. You can see a second certificate listed. Delete the default certificate.
  4. Save and overwrite the key.jks file. When you are prompted for the password, type TrCWebAS.
  5. Restart the server. The https port is signed with the correct certificate.
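
The following check for the keystore settings in step 1 is an added example, not part of the product or its documentation. It reads ssl.xml text and reports a password left at the default, a password stored in plain text, a relative location, and a p12 file without the PKCS12 type. It assumes the attributes are named id, password, location and type after the parameters above, and that securityUtility output starts with {xor} or {aes}; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

DEFAULT_PASSWORD = "TrCWebAS"          # default value stated on this page
ENCODED_PREFIXES = ("{xor}", "{aes}")  # assumption: prefixes of securityUtility output

# Constructed sample for illustration, not taken from a real server.
SAMPLE_SSL_XML = """<server>
  <keyStore id="defaultKeyStore" password="TrCWebAS"
            location="resources/security/server.p12"/>
</server>"""


def is_absolute(location):
    """Accept absolute paths in either Linux or Windows form."""
    return (PurePosixPath(location).is_absolute()
            or PureWindowsPath(location).is_absolute())


def audit_keystore(xml_text):
    """Return (keystore id, finding) pairs for each keystore element."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.lower() != "keystore":   # match keyStore or keystore
            continue
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        ks_id = attrs.get("id", "<no id>")
        password = attrs.get("password", "")
        location = attrs.get("location", "")
        ks_type = attrs.get("type", "")
        if password == DEFAULT_PASSWORD:
            findings.append((ks_id, "password is still the default value"))
        elif not password.startswith(ENCODED_PREFIXES):
            findings.append((ks_id, "password is stored in plain text"))
        if not is_absolute(location):
            findings.append((ks_id, "location is not an absolute path"))
        if location.lower().endswith(".p12") and ks_type.upper() != "PKCS12":
            findings.append((ks_id, "p12 keystore without type PKCS12"))
    return findings


if __name__ == "__main__":
    for ks_id, message in audit_keystore(SAMPLE_SSL_XML):
        print(f"{ks_id}: {message}")
```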