Import a Secure Sockets Layer (SSL) Certificate

This section provides procedures to import a SSL certificate.

Note: Quantum recommends you review your specific SSL Certificate Authority vendor requirements to upload/submit your Certificate Signed Request to purchase a certificate.

Important

The procedures must be executed on each node of your system where StorNext runs an Apache Tomcat server.

Use the CLI commands below to manage your SSL certificates.

Prerequisites

  • You must have StorNext 7.0.2 (or later) installed on your system.

  • You must have the StorNext User Interface (UUI) packages installed on your system.

For an initial installation, you can use /opt/quantum/uui-ssl/bin/quantum-uui-ssl-shared-cert.el7.centos.noarch.rpm, which installs an SSL certificate and key file in /opt/quantum/uui-ssl/nginx/nginx.crt and /opt/quantum/uui-ssl/nginx/nginx.key.

If you save your own SSL certificate file and key file as /opt/quantum/uui-ssl/nginx/nginx.crt and /opt/quantum/uui-ssl/nginx/nginx.key, your system uses these files and it is not necessary to run the uuissl load commands or the uuissl new command.

Do the following to view the version of your UUI SSL package:

  1. Open an SSH connection to your system and log in.

  2. At the prompt, enter the following:

    /opt/quantum/uui-ssl/bin/uuissl version

    Example Output

    quantum-uui-ssl-shared-cert-7.0.2.4-1.el7.centos.noarch

Note: If you have a multi-node system, then perform the following procedure on both the primary and secondary MDC nodes.

  1. Open an SSH connection to your system and log in.
  2. At the prompt, enter the following:
    3. /opt/quantum/uui-ssl/bin/uuissl load

    (Optional)

    Enter the following command if you do not want to be prompted with the steps below:

    /opt/quantum/uui-ssl/bin/uuissl load [certfile] [keyfile]

    Where, [certfile] and [keyfile] is the location for the certificate file and the key file, respectively.

  3. At the prompt, enter the location of the certificate file. For example:

    4. /opt/quantum/uui-ssl/nginx/mysslcertificate.crt

  4. At the prompt, enter the location of the key file: For example:

    /opt/quantum/uui-ssl/nginx/mysslkey.key

    5. Example Output

    Restarting Unified StorNext UI API Gateway...

    Remove cron to check running version matches rpm ...

    -- Logs begin at Wed 2021-10-13 08:27:28 CDT. --

    Oct 13 13:50:38 my-appliance-hostname systemd[1]: Started Quantum StorNext Unified UI Container API-Gateway.

    Oct 13 14:38:41 my-appliance-hostname systemd[1]: Stopping Quantum StorNext Unified UI Container API-Gateway...

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Remove cron to check running version matches rpm ...

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Stopping docker quantum-api stack

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_endpoint-database

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_gateway-admin-api

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_keycloak-database

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_keycloak-server

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_kong-database

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_kong-server

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_license-aggregator

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_license-sender

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-appliance-controller-hosts

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-atfs-controller-hosts

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-datamovers

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-filesystems

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-flexsync-hosts

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-fseries-hosts

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-hosts

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-hseries-hosts

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-metadata-controllers

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-name-servers

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-qxs-hosts

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-unified-connector-hosts

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-aggregator-usbe-hosts

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-fs-create

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-registrar

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_rest-templates

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing service quantum-api_user-management-api

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing network quantum-api-external-net

    Oct 13 14:38:41 my-appliance-hostname apigw[10750]: Removing network quantum-api-net

    Oct 13 14:38:56 my-appliance-hostname apigw[10750]: docker quantum-api stack stopped

    Oct 13 14:38:56 my-appliance-hostname systemd[1]: Stopped Quantum StorNext Unified UI Container API-Gateway.

    Docker stack quantum_api IS NOT running.

    UUI autostart enabled

    -- Logs begin at Wed 2021-10-13 08:27:28 CDT. --

    Oct 13 14:38:56 my-appliance-hostname systemd[1]: Stopped Quantum StorNext Unified UI Container API-Gateway.

    Oct 13 14:38:56 my-appliance-hostname systemd[1]: Starting Quantum StorNext Unified UI Container API-Gateway...

    Oct 13 14:38:57 my-appliance-hostname apigw[12439]: quantum-hwmond not installed, skipping pause

    Oct 13 14:38:57 my-appliance-hostname apigw[12439]: /opt/quantum/fscreate_templates directory exists

    Oct 13 14:38:57 my-appliance-hostname apigw[12439]: /opt/quantum/api-gateway/volumes/license_report directory exists

    Oct 13 14:38:57 my-appliance-hostname apigw[12439]: Deploy docker quantum-api stack

    Oct 13 14:38:57 my-appliance-hostname apigw[12439]: Creating network quantum-api-net

    Oct 13 14:38:57 my-appliance-hostname apigw[12439]: Creating network quantum-api-external-net

    Oct 13 14:38:57 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-hseries-hosts

    Oct 13 14:38:57 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-name-servers

    Oct 13 14:38:58 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-fs-create

    Oct 13 14:38:59 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-templates

    Oct 13 14:38:59 my-appliance-hostname apigw[12439]: Creating service quantum-api_gateway-admin-api

    Oct 13 14:39:00 my-appliance-hostname apigw[12439]: Creating service quantum-api_license-aggregator

    Oct 13 14:39:01 my-appliance-hostname apigw[12439]: Creating service quantum-api_license-sender

    .Oct 13 14:39:02 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-registrar

    Oct 13 14:39:02 my-appliance-hostname apigw[12439]: Creating service quantum-api_user-management-api

    Oct 13 14:39:03 my-appliance-hostname apigw[12439]: Creating service quantum-api_kong-server

    Oct 13 14:39:04 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-datamovers

    Oct 13 14:39:04 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-filesystems

    Oct 13 14:39:05 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-metadata-controllers

    Oct 13 14:39:06 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-qxs-hosts

    Oct 13 14:39:06 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-unified-connector-hosts

    .Oct 13 14:39:07 my-appliance-hostname apigw[12439]: Creating service quantum-api_kong-database

    Oct 13 14:39:08 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-fseries-hosts

    Oct 13 14:39:09 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-hosts

    Oct 13 14:39:09 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-appliance-controller-hosts

    Oct 13 14:39:10 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-atfs-controller-hosts

    Oct 13 14:39:11 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-flexsync-hosts

    Oct 13 14:39:12 my-appliance-hostname apigw[12439]: Creating service quantum-api_rest-aggregator-usbe-hosts

    .Oct 13 14:39:12 my-appliance-hostname apigw[12439]: Creating service quantum-api_endpoint-database

    Oct 13 14:39:13 my-appliance-hostname apigw[12439]: Creating service quantum-api_keycloak-database

    Oct 13 14:39:14 my-appliance-hostname apigw[12439]: Creating service quantum-api_keycloak-server

    Oct 13 14:39:14 my-appliance-hostname apigw[12439]: Waiting for kong-server container startup

    .....Oct 13 14:39:37 my-appliance-hostname apigw[12439]: Waiting for response from kong-server container .....................

    Oct 13 14:39:37 my-appliance-hostname apigw[12439]: Waiting for response from kong-server services ping: bad address 'keycloak-server'

    ..Oct 13 14:39:47 my-appliance-hostname apigw[12439]: .ping: bad address 'keycloak-server'

    ..Oct 13 14:39:58 my-appliance-hostname apigw[12439]: .

    Oct 13 14:39:58 my-appliance-hostname apigw[12439]: kong-server container ready

    Oct 13 14:39:58 my-appliance-hostname apigw[12439]: Waiting for keycloak-server container startup

    Oct 13 14:39:58 my-appliance-hostname apigw[12439]: Waiting for response from keycloak-server container

    .Oct 13 14:40:05 my-appliance-hostname apigw[12439]: Waiting for response from keycloak-server services

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: keycloak-server container ready

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: Waiting for rest-registrar container startup

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: Waiting for response from rest-registrar container

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: Waiting for response from rest-registrar services

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: rest-registrar container ready

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: PING 10.65.162.1 (10.65.162.1) 56(84) bytes of data.

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: 64 bytes from 10.65.162.1: icmp_seq=1 ttl=64 time=0.132 ms

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: --- 10.65.162.1 ping statistics ---

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: 1 packets transmitted, 1 received, 0% packet loss, time 0ms

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: rtt min/avg/max/mdev = 0.132/0.132/0.132/0.000 ms

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: PING 10.65.162.2 (10.65.162.2) 56(84) bytes of data.

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: 64 bytes from 10.65.162.2: icmp_seq=1 ttl=64 time=0.155 ms

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: --- 10.65.162.2 ping statistics ---

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: 1 packets transmitted, 1 received, 0% packet loss, time 0ms

    Oct 13 14:40:05 my-appliance-hostname apigw[12439]: rtt min/avg/max/mdev = 0.155/0.155/0.155/0.000 ms

    Oct 13 14:40:06 my-appliance-hostname apigw[12439]: Try setting DNS ndots:1

    Oct 13 14:40:06 my-appliance-hostname apigw[12439]: Kong reloaded

    Oct 13 14:40:06 my-appliance-hostname apigw[12439]: PING keycloak-server (10.0.100.51): 56 data bytes

    Oct 13 14:40:06 my-appliance-hostname apigw[12439]: 64 bytes from 10.0.100.51: seq=0 ttl=64 time=0.062 ms

    Oct 13 14:40:06 my-appliance-hostname apigw[12439]: --- keycloak-server ping statistics ---

    Oct 13 14:40:06 my-appliance-hostname apigw[12439]: 1 packets transmitted, 1 packets received, 0% packet loss

    Oct 13 14:40:06 my-appliance-hostname apigw[12439]: round-trip min/avg/max = 0.062/0.062/0.062 ms

    Oct 13 14:40:06 my-appliance-hostname apigw[12439]: Update SSL certificate if needed

    .Oct 13 14:40:10 my-appliance-hostname apigw[12439]: Checking SSL certificate

    Oct 13 14:40:10 my-appliance-hostname apigw[12439]: SSL certificate from /opt/quantum/uui-ssl/nginx already added

    Oct 13 14:40:10 my-appliance-hostname apigw[12439]: USBE running: update public key

    Oct 13 14:40:10 my-appliance-hostname apigw[12439]: Create cron to check running version matches rpm ...

    Oct 13 14:40:10 my-appliance-hostname apigw[12439]: api-gateway started

    Docker stack quantum-api IS running.

    NAMES STATUS

    quantum-api_kong-server.1.bsrj6ofc24jzcda7xv52hzkwr Up 43 seconds (healthy)

    quantum-api_keycloak-server.1.r29fzo2o4w6tpgjynq1y9qwn7 Up 54 seconds (healthy)

    quantum-api_keycloak-database.1.gtt9msr29rbnubj060eo4ssi2 Up 55 seconds (healthy)

    quantum-api_endpoint-database.1.bizq5tmo78c1vpqoz6hi9ctrj Up 55 seconds (healthy)

    quantum-api_rest-aggregator-usbe-hosts.1.nddlquran5uly3vff6mpn44y6 Up 56 seconds

    quantum-api_rest-aggregator-flexsync-hosts.1.9m64laquouptiq7hlworrp6bg Up 56 seconds

    quantum-api_rest-aggregator-atfs-controller-hosts.1.s8ihcqwpatma1hxyd0r34bwmh Up 57 seconds

    quantum-api_rest-aggregator-appliance-controller-hosts.1.eauxd3xzmf6yz12py9t687bfn Up 58 seconds

    quantum-api_rest-aggregator-hosts.1.6tuyxcbcusi9zy3ncr5ytrmr3 Up 59 seconds

    quantum-api_rest-aggregator-fseries-hosts.1.o5l27c9binq711d43avpkowxn Up About a minute

    quantum-api_kong-database.1.kqnu06gsd3a1jvih28scv6s4s Up About a minute (healthy)

    quantum-api_rest-aggregator-unified-connector-hosts.1.4dj6ykhaavy6qxjlvflhzukev Up About a minute

    quantum-api_rest-aggregator-qxs-hosts.1.4smqots3jxxn3utf8pjylywix Up About a minute

    quantum-api_rest-aggregator-metadata-controllers.1.dfzmxu65us1x2quogo8yy90ui Up About a minute

    quantum-api_rest-aggregator-filesystems.1.r9an5mm3r5avsr75iu1lmrzxh Up About a minute

    quantum-api_rest-aggregator-datamovers.1.skn0q9umcbdx47qt2iyfzoa5r Up About a minute

    quantum-api_user-management-api.1.keqxvjgi6g8xg3afe77ul00xc Up About a minute

    quantum-api_license-sender.1.lj0y2fy2oauv985jsvi041a0t Up About a minute

    quantum-api_rest-registrar.1.rvp4huaumeqdka6fg5yl8r55t Up About a minute

    quantum-api_license-aggregator.1.mgpvghj7j2t5kf9luc2vd2fag Up About a minute

    quantum-api_gateway-admin-api.1.amvbjacqi2c8gh3lwc0jv6r48 Up About a minute

    quantum-api_rest-templates.1.uwhenw3wotnhc3gl9f2jl0g3b Up About a minute

    quantum-api_rest-fs-create.1.cpe3z979kolb09wagpwkerbc6 Up About a minute

    quantum-api_rest-aggregator-name-servers.1.qotjsek0qrkqwqlolkx3ovg87 Up About a minute

    quantum-api_rest-aggregator-hseries-hosts.1.ki7yh9xi8gsndvneve1aze4rx Up About a minute

    UUI autostart enabled

    Create cron to check running version matches rpm ...

    Restarting Unified StorNext UI Server...

    Stopping quantum_usbe ...

    Stopping docker quantum_usbe stack

    Removing service quantum_usbe_nginx

    Removing service quantum_usbe_pgsql

    Removing service quantum_usbe_php

    Removing network quantum_usbe_default

    quantum_usbe stopped.

    Starting quantum_usbe ...

    Deploy docker quantum_usbe stack

    Setting up /var/lib/docker/volumes/usbe_data/_data/var/log

    Creating network quantum_usbe_default

    Creating service quantum_usbe_pgsql

    Creating service quantum_usbe_php

    Creating service quantum_usbe_nginx

    Fixing permissions for usbe volume directory for www-data

    PING 10.65.189.1 (10.65.189.1) 56(84) bytes of data.

    64 bytes from 10.65.189.1: icmp_seq=1 ttl=64 time=0.148 ms

    --- 10.65.162.1 ping statistics ---

    1 packets transmitted, 1 received, 0% packet loss, time 0ms

    rtt min/avg/max/mdev = 0.148/0.148/0.148/0.000 ms

    PING 10.65.189.2 (10.65.189.2) 56(84) bytes of data.

    64 bytes from 10.65.189.2: icmp_seq=1 ttl=64 time=0.132 ms

    --- 10.65.189.2 ping statistics ---

    1 packets transmitted, 1 received, 0% packet loss, time 0ms

    rtt min/avg/max/mdev = 0.132/0.132/0.132/0.000 ms

    Try setting DNS ndots:1

    PING pgsql (10.0.5.2): 56 data bytes

    64 bytes from 10.0.5.2: seq=0 ttl=64 time=0.044 ms

    --- pgsql ping statistics ---

    1 packets transmitted, 1 packets received, 0% packet loss

    round-trip min/avg/max = 0.044/0.044/0.044 ms

    // Clearing the cache for the prod environment with debug

    // false

    [OK] Cache for the "prod" environment (debug=false) was successfully cleared.

    quantum_usbe started.

    Restarting Unified StorNext UI Frontend...

    Stopping quantum_usui ...

    Stopping docker quantum_usui stack

    Removing service quantum_usui_nginx

    Removing network quantum_usui_default

    quantum_usui stopped.

    Starting quantum_usui docker stack...

    Creating network quantum_usui_default

    Creating service quantum_usui_nginx

    quantum_usui docker stack started.

Note: If you have a multi-node system, then perform the following procedure on both the primary and secondary MDC nodes.

  1. Open an SSH connection to your system and log in.
  2. At the prompt, enter the following:
    3. /opt/quantum/uui-ssl/bin/uuissl snuiload

    Example Output

    Stopping StorNext Legacy UI...

    Redirecting to /usr/bin/systemctl stop stornext_web

    Importing StorNext Unified UI SSL Certificate to StorNext Legacy UI...

    Importing keystore server.p12 to /usr/adic/gui/config/.keystore...

    Warning:

    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/adic/gui/config/.keystore -destkeystore /usr/adic/gui/config/.keystore -deststoretype pkcs12".

    Starting StorNext Legacy UI...

    Redirecting to /usr/bin/systemctl start stornext_web

Do the following to generate and load a new self-signed certificate and key.

  1. Open an SSH connection to your system and log in.
  2. At the prompt, enter the following:

    3. /opt/quantum/uui-ssl/bin/uuissl new

    Example Output

    Generating a 4096 bit RSA private key
........................................................................++
........................................................................++
writing new private key to 'nginx.key'
-----


Updating APIGW...

{
  "created_at": 1601317027,
  "cert": "-----BEGIN CERTIFICATE-----\bS01Lm1kaC5xdWFudHVtLmNv\n-----END CERTIFICATE-----",
  "id": "adae7bb0-bac8-4923-9f1f-db7ec3b9123c",
  "tags": null,
  "key": "-----BEGIN PRIVATE KEY-----\nMIIJQgIBADANBgkqhksdfsfs\n-----END PRIVATE KEY-----",
  "snis": [
    "localhost",
    "mySSLcert",
    "mySSLcert.mydomain.com"
  ]
}

Restarting USBE...

Stopping quantum_usbe ...
Removing service quantum_usbe_nginx
Removing service quantum_usbe_pgsql
Removing service quantum_usbe_php
Removing network quantum_usbe_default
quantum_usbe stopped.
Starting quantum_usbe ...
Setting up /var/lib/docker/volumes/usbe_data/_data/var/log
Creating network quantum_usbe_default
Creating service quantum_usbe_nginx
Creating service quantum_usbe_pgsql
Creating service quantum_usbe_php
Fixing permissions for usbe volume directory for www-data

 // Clearing the cache for the prod environment with debug                
 // false                                                                 

 [OK] Cache for the "prod" environment (debug=false) was successfully cleared.


 // Warming up the cache for the prod environment with debug              
 // false                                                                 

 [OK] Cache for the "prod" environment (debug=false) was successfully warmed.

quantum_usbe started.

Restarting USUI...

Stopping quantum_usui docker stack...
Removing service quantum_usui_nginx
Removing network quantum_usui_default
Starting quantum_usui docker stack...
Creating network quantum_usui_default
Creating service quantum_usui_nginx
quantum_usui docker stack started.

  1. Open an SSH connection to your system and log in.
  2. At the prompt, enter the following:

    3. /opt/quantum/uui-ssl/bin/uuissl show

    Example Output

    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c2:ab:82:4e:2f:7f:55:8b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=mySSLcert.mydomain.com
        Validity
            Not Before: Aug 17 16:39:53 2020 GMT
            Not After : Aug 15 16:39:53 2030 GMT
        Subject: CN=mySSLcert.mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ab:56:b3:eb:46:91:6d:cc:4e:07:94:7c:f3:7a:
                    18:ae:13:78:42:1f:59:12:74:fd:8b:12:c6:6f:2c:
                    70:9d:e4:f0:89:97:c0:0a:f7:3c:4d:c5:f3:87:a8:
                    e8:0e:5c:07:e9:7c:22:86:19:84:77:ff:b2:91:f3:
                    2f:af:1e:b3:88:4c:d3:48:39:d5:f2:11:13:21:8e:
                    a6:c5:8a:00:08:d9:58:0e:8b:5d:fd:de:e2:4b:94:
                    cb:f7:de:9f:a4:b5:3d:66:59:31:5a:c0:dc:c0:a5:
                    a6:7a:5e:07:12:d4:88:96:5e:90:f3:90:35:f5:07:
                    af:4d:06:8a:ba:48:6a:a9:1f:a0:f4:1a:f1:d2:0c:
                    2f:a3:ad:30:b9:e1:4e:e9:1e:14:63:db:33:4d:64:
                    14:54:b3:0f:59:a4:52:10:64:26:74:a5:f1:fb:4e:
                    1a:f9:16:cf:f1:da:95:65:81:b7:7f:9e:11:10:2b:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mySSLcert.mydomain.com:441, DNS:mySSLcert.mydomain.com
:8443, DNS:mySSLcert.mydomain.com:8445
    Signature Algorithm: sha256WithRSAEncryption
         6d:66:ae:44:c1:19:36:e2:8e:05:f8:76:24:7f:e3:44:c9:85:
         68:f9:8a:57:eb:af:cc:ff:18:de:0b:33:c9:d0:8f:3f:67:b7:
         d6:98:28:28:2e:aa:27:3a:09:3a:be:a4:1d:5a:52:8d:a9:5c:
         1f:3e:03:bb:1e:0b:da:83:53:57:4b:97:d8:b2:e5:9f:cf:a5:
         0b:ac:40:c4:92:82:35:3f:6a:69:24:71:c9:5f:19:73:47:63:
         1e:72:4e:53:a3:ec:68:f9:c1:d0:0f:ec:59:5b:54:bf:50:e5:
         0c:88:36:6f:27:2f:cd:ea:8e:fc:58:fb:b3:62:af:b5:5a:0b:
         7f:80:6a:14:60:7b:0f:95:da:7f:9e:12:10:c2:3e:2c:28:5e:
         e1:73:17:86:c0:0b:90:ed:06:5f:e6:4a:93:82:20:e2:f6:fe:
         e0:8a:2f:5c:2f:59:c1:02:de:97:ed:f4:06:8e:31:3f:07:f6:
         1e:e0:8e:f7:8c:d3:22:2a:6d:eb:54:d8:06:46:67:f1:3e:df:
         6e:68:75:da:b0:7f:f3:50:7c:e4:6e:62:09:81:14:45:a1:d1:
-----BEGIN CERTIFICATE-----
MIIFMjCCAxqgAwIBAgIJAMGtgT4/j1R7MA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV
BAMMGHV1aS12bS01Lm1kaC5xdWFudHVtLmNvbTAeFw0yMDA4MTcxNjM5NTNaFw0z
MDA4MTUxNjM5NTNaMCMxITAfBgNVBAMMGHV1aS12bS01Lm1kaC5xdWFudHVtLmNv
bTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKtWs+tGkW3MTgeUfPN6
GK4TeEIfWRJ0/YsSxm8scJ3k8ImXwAr3PE3F84eo6A5cB+l8IoYZhHf/spHzL68e
s4hM00g51fIREyGOpsWKAAjZWA6LXf3e4kuUy/fen6S1PWZZMVrA3MClpnpeBxLU
iJZekPOQNfUHr00GirpIaqkfoPQa8dIML6OtMLnhTukeFGPbM01kFFSzD1mkUhBk
JnSl8ftOGvkWz/HalWWBt3+eERArKEHPjnLA0sq46rTKhGU3MN0E3vMh7yh7KlZK
GjQBBVMWg36Ffkr8GIwygfS5fPH4fQ5IJL+adXHEPtWMsfxW5hV74SPNCETKFw2I
35AXSM+o3RS5Ubpr/bYeUgI1T5+pskMw3/NF7fR7//J7F8+adDNULJfC17jHfVTK
-----END CERTIFICATE-----

Keytool Usage:

For all uses of the keytool utility, you will be prompted to enter a password, which is stored in the following file as the value of keystorePass. By default, the keytool utility password is changeit.

grep Pass /usr/adic/tomcat/conf/server.xml

keystorePass="changeit"

The keytool utility is located in the following directory:

/usr/adic/java/jre/bin

You must generate a .csr file to submit for self-signing or by a trusted Certificate Authority.

Execute the command below to generate the file, tomcat.csr.

/usr/adic/java/jre/bin/keytool -certreq -keyalg RSA -keystore /usr/adic/gui/config/.keystore -alias tomcat -file tomcat.csr

Enter keystore password:

You can expect the following JKS format warning:

Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/adic/gui/config/.keystore -destkeystore /usr/adic/gui/config/.keystore -deststoretype pkcs12".

Execute the following command to view the .csr file you generated above:

openssl req -in tomcat.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=California, L=San Jose, O=StorNext Software, OU=Quantum Corp., CN=node-1.node-1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

If you have a public domain open on port 80 you can submit the .csr file to be signed by a Trusted CA. There are both paid and open source options. If you sign a .csr in this manner, then it does not work for a domain that cannot be reached publicly on port 80 and is not a registered domain name. If you have a Trusted CA, sign the .csr and then proceed to Step 3: Combine the Two Certificates to Create a Chain.

When you self-signing a certificate, you create your own .CRT file.

You must provide the tomcat.cnf file with a subjectAltName that reflects the IP address to Hostname resolution of the system that users connect to the Stornext GUI with:

echo "subjectAltName=DNS:spsxcellis2.sps.lab,DNS:sps.lab,IP:10.20.232.6" > /etc/pki/tls/tomcat.cnf

[root@sps-xcellis2 jon]# nslookup sps-xcellis2

Server: 10.20.232.95

Address: 10.20.232.95#53

Name: sps-xcellis2.sps.lab

Address: 10.20.232.6

Create the .CRT file:

[root@sps-xcellis2 cert]# openssl x509 -req -in tomcat.csr -out tomcat.crt -CA /usr/cvfs/config/certs/server.crt -CAkey /usr/cvfs/config/certs/server.key -sha256 -days 365 -CAcreateserial -extfile /etc/pki/tls/tomcat.cnf

Signature ok

subject=/C=US/ST=California/L=San Jose/O=StorNext Software/OU=Quantum Corp./CN=node-1.node-1

Getting CA Private Key

[root@sps-xcellis2 cert]# ls

tomcat.crt tomcat.csr

The following procedure creates the file, myTomcat.crt. Execute the following command:

[root@sps-xcellis2 cert]# cat tomcat.crt /usr/cvfs/config/certs/server.crt > myTomcat.crt

Caution: You must first import the CA certificate.

Execute the following commands:

[root@sps-xcellis2 cert]# /usr/adic/java/jre/bin/keytool -keystore /usr/adic/gui/config/.keystore -import -alias xmed -file ./myCA.crt

Enter keystore password:

Certificate reply was installed in keystore

[root@sps-xcellis2 cert]# /usr/adic/java/jre/bin/keytool -keystore /usr/adic/gui/config/.keystore -import -alias tomcat -file ./myTomcat.crt

Enter keystore password:

Certificate reply was installed in keystore

Execute the following command:

/etc/init.d/stornext_web restart

Note: The procedure to add the root certificate into the browser's list of recognized Trusted Certificate Authorities is specific to the browser you are using; for additional information, refer to the browser documentation.