When you upgrade the server, you can upgrade the SSL encryption.
About this task
This upgrade is optional, but it strengthens server security. The
keytool application is included in the Java™ developer kit and is not part of HCL DevOps Deploy (Deploy).
Procedure
- Upgrade the HTTPS certificate for the server:
  - On the server, open a command-line window to the server_install/opt/tomcat/conf folder, where server_install is the server installation folder.
  - Delete the existing certificate with the following command:
      keytool -delete
      -alias tomcat
      -keystore tomcat.keystore
      -storepass changeit
    Note: Each command in this example and in the following examples must be written on one line. The commands are written on multiple lines for clarity.
  - Create a certificate with the following command:
      keytool -genkey
      -alias tomcat
      -storepass changeit
      -keypass changeit
      -keyalg RSA
      -sigalg SHA256withRSA
      -keysize 2048
      -validity 7305
      -dname CN=host_name
      -keystore tomcat.keystore
    For host_name, use the host name of the server.
  - Go to the folder app_data/conf.
  - Delete the existing entry in the keystore with the following command:
      keytool -delete
      -alias server
      -keystore server.keystore
      -storepass changeit
  - Create an entry in the keystore with the following command:
      keytool -genkey
      -alias server
      -storepass changeit
      -keypass changeit
      -keyalg RSA
      -sigalg SHA256withRSA
      -keysize 2048
      -validity 7305
      -dname CN=host_name
      -keystore server.keystore
    For host_name, use the host name of the server.
- For each of your agent relays, upgrade the encryption with the following steps:
  - In a command-line window, go to the relay_install/conf/jms-relay folder, where relay_install is the relay installation folder.
  - Delete the existing entry in the keystore for the agent relay with the following command:
      keytool -delete
      -alias agentrelay
      -keystore agentrelay.keystore
      -storepass changeit
  - Add an entry with the new encryption level with the following command:
      keytool -genkey
      -alias agentrelay
      -keystore agentrelay.keystore
      -storepass changeit
      -keypass changeit
      -keyalg RSA
      -sigalg SHA256withRSA
      -keysize 2048
      -validity 7305
      -dname CN=host_name
    For host_name, use the host name of the server.
- If you are using mutual encryption between servers and agents, upgrade the encryption on each agent:
  - In a command-line window, go to the agent_install/conf/jms-relay folder, where agent_install is the agent installation folder.
  - Delete the existing entry in the keystore for the agent with the following command:
      keytool -delete
      -alias alias
      -keystore keystore_file
      -storepass changeit
    Replace the alias variable with the alias of the server certificate in the agent keystore. The keystore_file variable represents the keystore file. The default name of the keystore file is agent.keystore. To find the alias, run the following command, and look for the alias name in the output:
      keytool -list -v -keystore keystore_file
Note: Although agents and relays that use the JMS communication protocol cannot establish connections with HCL DevOps Deploy (Deploy) v7.2.0 and later, the references to JMS persist in some file names, property names, folder names, and directory names. For example, the following names that are associated with JMS are still used in Deploy v7.2 and later: agentrelay.jms_proxy.name, agentrelay.jms_proxy.id, jms-relay.log directory, and jms-relay folder.
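To confirm that the regenerated entries carry the signature algorithm and key size requested in the commands above, the output of keytool -list -v can be checked for each keystore. The following shell function is an added example, not part of the product documentation; the function name, the sample listing, and the host name deploy.example.test are constructed, and it assumes that the JDK prints the "Signature algorithm name" and "Subject Public Key Algorithm" lines in the verbose listing.

```shell
#!/bin/sh
# Added example (not from the product documentation).
# check_keystore_listing reads `keytool -list -v` output on stdin, prints
# "alias sigalg keybits verdict" for each entry, and returns 1 if any entry
# is not SHA256withRSA with an RSA key of at least 2048 bits.
check_keystore_listing() {
  awk '
    # Print the verdict for the entry collected so far, then reset.
    function emit() {
      if (alias == "") return
      verdict = (sig == "SHA256withRSA" && bits >= 2048) ? "OK" : "WEAK"
      if (verdict == "WEAK") bad = 1
      printf "%s %s %s %s\n", alias, sig, bits, verdict
      alias = ""
    }
    /^Alias name:/ { emit(); alias = $3; sig = "unknown"; bits = 0 }
    # Only the first certificate of an entry (the leaf) is evaluated.
    /^Signature algorithm name:/ && sig == "unknown" { sig = $4 }
    /^Subject Public Key Algorithm:/ && bits == 0 { split($5, p, "-"); bits = p[1] + 0 }
    # A missing field leaves sig=unknown or bits=0, so the entry fails closed.
    END { emit(); exit bad + 0 }
  '
}

# Constructed sample of `keytool -list -v` output, trimmed to the fields used.
# The second entry models a keystore entry that was never regenerated.
SAMPLE_LISTING='Alias name: tomcat
Entry type: PrivateKeyEntry
Owner: CN=deploy.example.test
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: server
Entry type: PrivateKeyEntry
Owner: CN=deploy.example.test
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key'

# Real use, from the folder that holds the keystore:
#   keytool -list -v -keystore tomcat.keystore -storepass changeit | check_keystore_listing
printf '%s\n' "$SAMPLE_LISTING" | check_keystore_listing || echo "weak entries found"
```

Run the check against tomcat.keystore, server.keystore, agentrelay.keystore, and each agent keystore after completing the corresponding step.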