IBM DataPower Operations Dashboard v1.0.17.0

A newer version of this product documentation is available.

You are viewing an older version. View latest at IBM DPOD Documentation.


The system encrypts the communication between end-users and the Web & Admin Consoles with self-signed certificates generated during the installation.

Use the following procedure to replace these certificates:

  1. Make sure you have the custom certificate and key files in .pem format. If the key file is encrypted, make sure you also have the key passphrase in a .txt file.
    Use the following file names:

    custom_cer.pem
    custom_key.pem
    custom_key_passphrase.txt      (optional)
  2. In a Cell Environment, perform all the steps on the cell manager only.

  3. Log in to DPOD's server using SSH.

  4. Copy the custom certificate file, the custom key file and optionally the custom key passphrase file to /etc/httpd/conf/certs.

  5. Generate a new Diffie-Hellman (DH) group for a more secure TLS session and append the new DH group parameters file to the new certificate file:

    openssl dhparam -out /etc/httpd/conf/certs/custom_dhparams.pem 2048
    cat /etc/httpd/conf/certs/custom_dhparams.pem >> /etc/httpd/conf/certs/custom_cer.pem
  6. Execute the following commands:

    sed -i 's#^SSLCertificateFile .*#SSLCertificateFile "/etc/httpd/conf/certs/custom_cer.pem"#g' /etc/httpd/conf/httpd.conf
    sed -i 's#^SSLCertificateKeyFile .*#SSLCertificateKeyFile "/etc/httpd/conf/certs/custom_key.pem"#g' /etc/httpd/conf/httpd.conf
  7. If the key file is encrypted, create a script named custom_key_passphrase.sh:

    vi /etc/httpd/conf/certs/custom_key_passphrase.sh

    with the following content:

    #!/bin/sh
    cat /etc/httpd/conf/certs/custom_key_passphrase.txt

    and execute the following commands:

    chmod +x /etc/httpd/conf/certs/custom_key_passphrase.sh
    sed -i "/^SSLPassPhraseDialog /d" /etc/httpd/conf/httpd.conf
    sed -i '/^SSLCertificateKeyFile /a SSLPassPhraseDialog exec:/etc/httpd/conf/certs/custom_key_passphrase.sh' /etc/httpd/conf/httpd.conf
  8. Run a syntax check on the httpd configuration file to make sure the configuration is valid:

    apachectl -t

    Valid output:

    Syntax OK

    Invalid output:

    AH00526: Syntax error on line 541 of /etc/httpd/conf/httpd.conf:
    SSLCertificateFile: file '/etc/httpd/conf/certs/custom_cer.pem' does not exist or is empty
  9. Restart the web server:

    service httpd restart
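    Before running apachectl -t (step 8), it helps to sanity-check the combined custom_cer.pem that step 5 produces. The following Python script is an added example, not part of the DPOD product or this page: it parses the PEM blocks in the file, confirms the server certificate comes first and a DH PARAMETERS block is present, verifies each block's outer DER structure, and flags any private key that was accidentally appended to the certificate file. The sample PEM data at the bottom is constructed (a tiny DER SEQUENCE standing in for real certificate and DH content); point check_cert_file at the real file contents on the DPOD server to use it.

```python
import base64
import re
from typing import List, Tuple

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)  # one PEM block

def parse_pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) per PEM block; raises ValueError on bad base64."""
    blocks = []
    for m in PEM_RE.finditer(text):
        body = "".join(m.group(2).split())            # drop line breaks inside the body
        blocks.append((m.group(1), base64.b64decode(body, validate=True)))
    return blocks

def der_is_sequence(der: bytes) -> bool:
    """True if the outer DER tag is SEQUENCE (0x30) and its length covers the whole payload."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                                  # short-form length
        header, length = 2, first
    else:                                             # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_cert_file(text: str) -> List[str]:
    """Pre-flight checks for the combined custom_cer.pem; returns problems (empty list = OK)."""
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as err:
        return [f"malformed base64 in a PEM body: {err}"]
    labels, problems = [label for label, _ in blocks], []
    if labels[:1] != ["CERTIFICATE"]:
        problems.append("first block must be the server CERTIFICATE (empty file fails apachectl -t)")
    if "DH PARAMETERS" not in labels:
        problems.append("DH PARAMETERS block missing (step 5 not applied)")
    problems += [f"{l} block found: private key material does not belong in the certificate file"
                 for l in labels if "PRIVATE KEY" in l]
    problems += [f"{l} block is not a well-formed DER SEQUENCE" for l, der in blocks if not der_is_sequence(der)]
    return problems

def _pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed sample data: a tiny valid DER SEQUENCE stands in for real certificate/DH content.
TINY_SEQ = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
GOOD_FILE = _pem("CERTIFICATE", TINY_SEQ) + _pem("DH PARAMETERS", TINY_SEQ)
BAD_FILE = _pem("RSA PRIVATE KEY", TINY_SEQ) + _pem("CERTIFICATE", TINY_SEQ)
```

Run check_cert_file(open("/etc/httpd/conf/certs/custom_cer.pem").read()) on the server; an empty list means the file layout is what httpd expects.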

Troubleshooting

  1. Make sure the certificate file is valid:

    openssl x509 -inform PEM -in /etc/httpd/conf/certs/custom_cer.pem

    Valid output:

    -----BEGIN CERTIFICATE-----
    MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV
    BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw
    ...
    S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS
    GZYv2emdIk3/WcuMV0mqkXjhsw==
    -----END CERTIFICATE-----

    Invalid output:

    unable to load certificate 140583261931328:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE
  2. Make sure the key file is valid:

    openssl rsa -in /etc/httpd/conf/certs/custom_key.pem -check

    Valid output:

    RSA key ok
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf+Bi/dw91FtZESBgw
    WDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K/0j/2Muztvxq2kck
    ...
    sGX1E9E14G4itq8juxQo1VjqpC6AgbiVAlLpL1NAjlWstYC0coJrZzcH0dxTaEhs
    DCxCYclWOYBAiSqf/PjR4nwzYjw2wcvXm7W0n+ZcZWxD9qjLkgjT
    -----END RSA PRIVATE KEY-----

    Invalid output:

    unable to load Private Key 139695916947264:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: ANY PRIVATE KEY
