How to implement SSL Web Service Support on NetBackup appliances

Article: 100038759
Last Published: 2018-12-13
Product(s): Appliances

Description

This document describes how to add third-party SSL certificates to implement web service support on NetBackup appliances. The appliance uses a Java KeyStore (JKS) as the repository for its security certificates. A JKS holds security certificates such as authorization certificates or public key certificates, for instance the ones used for SSL encryption.

The implementation procedure varies with specific NetBackup Appliance release versions.
To implement third-party SSL certificates in the 2.7.1 release:

Important note: For appliance software version 2.7.1, the correct alias to use in the following procedure is netbackupapplianceui, not "tomcat".

  1. Prepare the keystore file for web services. The method varies with the PKCS (Public-Key Cryptography Standards) type you use. Whichever PKCS type you choose, the keystore file must contain the following SubjectAlternativeName entries: [DNSName: localhost, IPAddress: 127.0.0.1]. The following list describes the steps for the PKCS#7 and PKCS#12 standard formats.
    PKCS#7: refer to KB article 000126643
    Additionally, PKCS#7 or X.509 format: Refer to the information in the following link: https://knowledge.symantec.com/support/ssl-certificates-support/index.html.

    PKCS#12 format: Perform the following actions:
    • To convert a PEM-formatted X.509 certificate and key to PKCS#12, use the following command:
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name some-alias -CAfile ca.crt -caname root
    For more information on openssl usage, refer to https://www.openssl.org/.
    Note: Make sure that you secure the PKCS#12 file with a password. Otherwise, you may receive a null reference exception when you import the file.
    • To convert the PKCS#12 file to a Java keystore, use the following command:
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password -alias some-alias
    For more information on keytool usage, refer to https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html.
  2. Use the following command to shut down the web service: /etc/init.d/nbappws stop
  3. Replace the existing keystore file with your new keystore file in the following directory: /opt/SYMCnbappws/Security/keystore
  4. In the configuration files, update the values of keystoreFile and keystorePass with your new keystore file details:
    • Update the keystoreFile and keystorePass settings in the /opt/SYMCnbappws/config/server.xml file.
    • Update the keystoreFile and keystorePass settings in the /opt/SYMCnbappws/webserver/conf/server.xml file.
    • Update the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword settings in the /opt/SYMCnbappws/bin/startgui.sh file.
  5. Restart web service by using the following command: /etc/init.d/nbappws start
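The following script is an added example and not Veritas appliance code. It carries out step 1 of the procedure above (the same step is repeated for the 2.7.2, 2.7.3 and 3.0 releases) as shell functions: a check that the PEM certificate actually carries the DNSName: localhost and IPAddress: 127.0.0.1 SubjectAlternativeName entries the appliance requires, the PEM to PKCS#12 conversion, and the PKCS#12 to JKS import. File names such as server.crt, server.key, ca.crt and server.p12 are placeholders; the alias is a parameter because it differs by release (netbackupapplianceui on 2.7.1, tomcat on 3.0). The demo at the end builds a throwaway self-signed certificate as constructed input and needs openssl 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example, not Veritas appliance code: build the web-service keystore
# from a PEM certificate and key (step 1 above), checking first that the
# certificate carries the SubjectAlternativeName entries the appliance needs.
# server.crt, server.key, ca.crt and server.p12 are placeholder names; the
# alias is a parameter (netbackupapplianceui on 2.7.1, tomcat on 3.0).

# Return 0 if the certificate's SAN lists both DNS:localhost and
# IP Address:127.0.0.1 (the entries the appliance requires), otherwise 1.
check_san() {
    san=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
          grep -A1 'Subject Alternative Name' | tail -n 1)
    case "$san" in *DNS:localhost*) ;; *) return 1 ;; esac
    case "$san" in *"IP Address:127.0.0.1"*) return 0 ;; *) return 1 ;; esac
}

# Wrap cert + key (and the CA chain, if a CA file is given) into a
# password-protected PKCS#12 stored under ALIAS. The PKCS#12 must carry a
# password, or the later keytool import can fail with a null reference.
pem_to_pkcs12() {
    cert=$1; key=$2; ca=$3; alias=$4; p12pass=$5; out=$6
    if [ -n "$ca" ]; then
        # -chain makes openssl include the issuing CA certificates from ca.crt
        openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -name "$alias" \
            -chain -CAfile "$ca" -caname root -passout "pass:$p12pass"
    else
        openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -name "$alias" \
            -passout "pass:$p12pass"
    fi
}

# Import the PKCS#12 into a JKS file. Store and key passwords are kept equal,
# as the 3.0 procedure requires; an old keytool that rejects the PKCS#12
# needs it regenerated with openssl's -legacy option.
pkcs12_to_jks() {
    p12=$1; p12pass=$2; alias=$3; kspass=$4; out=$5
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$p12pass" -alias "$alias" \
        -destkeystore "$out" -deststorepass "$kspass" -destkeypass "$kspass"
}

# Constructed input for the demo: a throwaway self-signed certificate with
# the required SAN entries (openssl 1.1.1 or later for -addext).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=appliance-demo" \
        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    make_demo_cert "$work"
    if check_san "$work/server.crt"; then
        echo "SAN check passed"
    else
        echo "SAN check failed: certificate lacks DNS:localhost or IP Address:127.0.0.1"
        rm -rf "$work"
        return 1
    fi
    pem_to_pkcs12 "$work/server.crt" "$work/server.key" "" tomcat demo123 "$work/server.p12"
    if command -v keytool >/dev/null 2>&1; then
        pkcs12_to_jks "$work/server.p12" demo123 tomcat demo123 "$work/keystore" ||
            echo "keytool import failed"
    else
        echo "keytool not found; skipping the JKS import"
    fi
    rm -rf "$work"
}

demo
```

Run check_san against the certificate before building anything: a keystore whose certificate lacks the localhost or 127.0.0.1 entries is accepted by keytool but the web service will not come up cleanly, so the check saves a stop/replace/start cycle.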


To implement third-party SSL certificates in the 2.7.2 and 2.7.3 releases:

Note: Although you may create new keystore files, keep the file name as keystore and save the new keystore files under the following default directory: /opt/apache-tomcat/security/
  1. Prepare the keystore file for web services. The method varies with the PKCS (Public-Key Cryptography Standards) type you use. Whichever PKCS type you choose, the keystore file must contain the following SubjectAlternativeName entries: [DNSName: localhost, IPAddress: 127.0.0.1]. The following list describes the steps for the PKCS#7 and PKCS#12 standard formats.

    PKCS#7 or X.509 format: Refer to the information in the following link: https://knowledge.symantec.com/support/ssl-certificates-support/index.html.

    PKCS#12 format: Perform the following actions:
    • To convert a PEM-formatted X.509 certificate and key to PKCS#12, use the following command:
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name some-alias -CAfile ca.crt -caname root
    For more information on openssl usage, refer to https://www.openssl.org/.
    Note: Make sure that you secure the PKCS#12 file with a password. Otherwise, you may receive a null reference exception when you import the file.
    • To convert the PKCS#12 file to a Java keystore, use the following command:
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password -alias some-alias
    For more information on keytool usage, refer to https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html.
  2. Use the following commands to shut down the web service:
    /etc/init.d/nbappws stop
    /opt/IMAppliance/scripts/infraservices.sh webserver stop
  3. Replace the existing keystore file with your new keystore file in the following directory: /opt/apache-tomcat/security/keystore
  4. In the configuration files, update the values of keystoreFile and keystorePass with your new keystore file details:
    • Update the keystoreFile and keystorePass settings in the /opt/SYMCnbappws/config/server.xml file.
    • Update the keystoreFile and keystorePass settings in the /opt/SYMCnbappws/webserver/conf/server.xml file.
    • Update the keystoreFile and keystorePass settings in the /opt/apache-tomcat/conf/server.xml file.
    • Update the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword settings in the /opt/SYMCnbappws/bin/startgui.sh file.
    • Update the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword settings in the /opt/apache-tomcat/bin/setenv.sh file.
    • (For 2.7.3 only) Update the Tomcat_Keystore and Tomcat_Keystore_Passwd settings in the /etc/rc.d/init.d/as-functions file.
  5. Restart the web service by using the following commands:
    /etc/init.d/nbappws start
    /opt/IMAppliance/scripts/infraservices.sh webserver start
  6. Restart the AutoSupport service by using the following commands:
    Note: Restarting the AutoSupport service is needed in 2.7.3 and higher; it is not needed in 2.7.2.
    service as-alertmanager stop
    service as-analyzer stop
    service as-transmission stop
    service as-alertmanager start
    service as-analyzer start
    service as-transmission start


To implement third-party SSL certificates in the 3.0 release:

Note: Although you may create new keystore files, keep the file name as keystore and save the new keystore files under the following default directory: /opt/apache-tomcat/security/
  1. Prepare the keystore file for web services. The method varies with the PKCS (Public-Key Cryptography Standards) type you use. Whichever PKCS type you choose, the keystore file must contain the following SubjectAlternativeName entries: [DNSName: localhost, host names and IP addresses; IPAddress: 127.0.0.1, other IP addresses]. The following list describes the steps for the PKCS#7 and PKCS#12 standard formats.

    PKCS#7 or X.509 format: Refer to the following link: https://knowledge.symantec.com/support/ssl-certificates-support/index.html.

    PKCS#12 format: Perform the following actions:
    • To convert a PEM-formatted X.509 certificate and key to PKCS#12, use the following command:
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name tomcat -CAfile ca.crt -caname root
    For more information on openssl usage, refer to https://www.openssl.org/.
    Note: Make sure that you secure the PKCS#12 file with a password. Otherwise, you may get a null reference exception when you import the file.
    • To convert the PKCS#12 file to a Java keystore, use the following command:
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password -alias tomcat
    Note:
    • Specify the same password for the -deststorepass and -destkeypass options; otherwise you may get an exception when the web server starts up. Only alphanumeric characters are supported in the password; the default is "appliance".
    • Always specify "tomcat" for the -alias option; otherwise you may get an exception when the web server starts up.
    For more information on keytool usage, refer to https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html.
  2. Use the following commands to shut down the database and web service:
    /opt/IMAppliance/scripts/infraservices.sh database stop
    /opt/IMAppliance/scripts/infraservices.sh webserver stop
  3. Replace the existing keystore file with your new keystore file in the following directory: /opt/apache-tomcat/security/
  4. Set permissions on the new keystore file:
    chmod 700 /opt/apache-tomcat/security
    chmod 600 /opt/apache-tomcat/security/keystore
    chown -R tomcat:tomcat /opt/apache-tomcat/security
  5. Use the following command to update the web server configuration if you chose to use your own non-default password in steps above: /opt/apache-tomcat/vrts/scripts/tomcat_instance.py update --keystore --password <your password>
  6. Update the Tomcat_Keystore and Tomcat_Keystore_Passwd settings in the /etc/rc.d/init.d/as-functions file.
  7. Import the certificates into the mongo server-side and client-side PEM files as follows:
  • For appliance version 3.0: The server-side certificate and the client-side certificate use the same file. Get the PEM file from /config/mongodb_ssl_keycert.pem, then import the certificates into it as follows:

    /usr/bin/openssl pkcs12 -in server.p12 -out <client_cert> -passin pass:<keyPassword> -passout pass:<keyPassword>

    Skip steps 8 – 9 and continue to step 10.
  • For appliance versions 3.1 and later: The server-side certificate and the client-side certificate use different files.

    For the mongo server-side PEM file, get serv_cert from /etc/vxos-ssl/cert.conf, then import the certificates into it as follows:

    /usr/bin/openssl pkcs12 -in server.p12 -out <serv_cert> -passin pass:<keyPassword> -passout pass:<keyPassword>

    For the client-side PEM file, get client_cert from /etc/vxos-ssl/cert.conf, then import the certificates into it as follows:

    /usr/bin/openssl pkcs12 -in server.p12 -out <client_cert> -passin pass:<keyPassword> -passout pass:<keyPassword>

    Continue to step 8.

  8. If the customized password differs from pem_password in /etc/vxos-ssl/cert.conf, update /etc/vxos-ssl/cert.conf with the customized password.
  9. Restart nginx using the following commands:
    /usr/sbin/update-nginx-conf.sh
    service nginx stop
    service nginx start
  10. Restart the web service using the following commands:
    /opt/IMAppliance/scripts/infraservices.sh database start
    /opt/IMAppliance/scripts/infraservices.sh webserver start
  11. Restart the AutoSupport service using the following commands:
    service as-alertmanager stop
    service as-analyzer stop
    service as-transmission stop
    service as-alertmanager start
    service as-analyzer start
    service as-transmission start
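The script below is an added example, not Veritas appliance code, for the 3.0-specific parts of the procedure above: the alphanumeric-only password rule from step 1, the permission settings from step 4, the PKCS#12 to PEM extraction from step 7 (with openssl's pass: syntax written with no space after the colon) and the step 8 comparison against pem_password in cert.conf. The layout of /etc/vxos-ssl/cert.conf is an assumption here (a "pem_password=value" line); the page does not show the file's format, so adjust the sed pattern to the real file. The owner passed to the permission function is tomcat:tomcat on the appliance; it is a parameter so that the demo, which uses a throwaway certificate and a constructed cert.conf, runs on any host.

```shell
#!/bin/sh
# Added example, not Veritas appliance code, for the 3.0 procedure above:
# the keystore password rule from step 1, the permission fix from step 4,
# the PEM extraction from step 7 (openssl's pass: syntax, no space after the
# colon) and the step 8 comparison against pem_password in cert.conf.
# The cert.conf layout is an assumption ("pem_password=value" lines); the
# page does not show the file's format.

# Step 1: only alphanumeric passwords are supported. 0 = acceptable, 1 = not.
valid_keystore_password() {
    case "$1" in
        "")             return 1 ;;
        *[!A-Za-z0-9]*) return 1 ;;
        *)              return 0 ;;
    esac
}

# Step 4: directory 700, keystore file 600, owned by the Tomcat account
# (tomcat:tomcat on the appliance; a parameter here so the demo runs anywhere).
set_keystore_perms() {
    chmod 700 "$1" && chmod 600 "$1/keystore" && chown -R "$2" "$1"
}

# Step 7: unpack the PKCS#12 into one PEM file (key plus certificates) for
# the mongo server-side or client-side file. Fails if the password is wrong.
extract_pem_from_p12() {
    openssl pkcs12 -in "$1" -out "$3" -passin "pass:$2" -passout "pass:$2"
}

# Step 8: compare the customized password with pem_password in cert.conf.
# Returns 0 when they match and 1 when cert.conf needs updating.
cert_conf_password_matches() {
    have=$(sed -n 's/^[[:space:]]*pem_password[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ "$have" = "$2" ]
}

demo() {
    work=$(mktemp -d)
    # constructed inputs: a throwaway cert/key, its PKCS#12 and a cert.conf
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=appliance-demo" \
        -keyout "$work/server.key" -out "$work/server.crt" 2>/dev/null
    openssl pkcs12 -export -in "$work/server.crt" -inkey "$work/server.key" \
        -out "$work/server.p12" -name tomcat -passout pass:Demo123
    printf 'pem_password=appliance\n' > "$work/cert.conf"

    valid_keystore_password Demo123 && echo "password Demo123 accepted"
    valid_keystore_password 'Demo-123' || echo "password Demo-123 rejected (non-alphanumeric)"

    mkdir "$work/security" && : > "$work/security/keystore"
    set_keystore_perms "$work/security" "$(id -u)" &&
        ls -ld "$work/security" "$work/security/keystore"

    extract_pem_from_p12 "$work/server.p12" Demo123 "$work/mongo.pem" &&
        echo "PEM blocks written: $(grep -c 'BEGIN' "$work/mongo.pem")"

    cert_conf_password_matches "$work/cert.conf" Demo123 ||
        echo "cert.conf pem_password differs from Demo123: update it (step 8)"
    rm -rf "$work"
}

demo
```

The password check matters because the page's note says a non-alphanumeric keystore password only surfaces as an exception when the web server starts, after the stop/replace steps have already been done; validating it up front, and confirming cert.conf agrees with it before the nginx restart in step 9, keeps the outage to the planned window.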

References

JIRA : APPSOL-33007
