Arctera Insight Information Governance Installation Guide

Product(s): Data Insight (7.2.2)
Platform: Windows

Generating Management Console certificate

The Management Server provides a web interface (administration console) for reporting and administration purposes. You access this interface with a web browser. The Management Server and browser communicate through an SSL connection.

To ensure confidentiality, all communication between the Management Server and the browser is encrypted using a symmetric key. To initiate a connection, the Management Server and browser negotiate the encryption algorithm (algorithm, key size, and encoding) and encryption key to use.

By default, connections between the Management Server and the browser use a single, self-signed certificate. The Management Server generates the certificate at install time, and the certificate is unique to your deployment. It is stored on the Management Server node in the keys folder under the data folder, in a file called webserver.keystore. While this certificate is secure, the browser displays a warning when you access the web interface because the certificate is self-signed. To avoid this warning, Arctera recommends that you generate a unique certificate for your organization's installation. This new certificate replaces the default certificate.

To generate a unique Management Console certificate

  1. Collect the following information to generate a certificate request:
    • Common name

      The fully qualified DNS name of the Management Server. This name must be the actual name of the server that is accessible by all the clients.

    • Organization name

      For example, Information Governance, Inc.

    • Organizational unit (optional)

    • City

      For example, San Francisco

    • State

      For example, CA

    • Country

      For example, US

    • Expiration

      Expiration time in days (90)

  2. Use keytool.exe to create the self-signed certificate (keystore file), which you need to generate the Certificate Signing Request (CSR). keytool.exe is a utility for managing keys and certificates. These items are used in self-authentication or data integrity and authentication services, using digital signatures. Certificates also enable users to cache the public keys of their communicating peers.

    To create this file, go to the root directory of the Arctera Insight Information Governance installation and perform the following steps in this order:

    • From a command window, go to the installdir\DataInsight\jre\bin directory, where installdir is the directory into which you installed the Management Server.

    • Run the following command with the information collected in step 1:

      keytool -genkey -alias tomcat -keyalg RSA -validity 730 -keysize 2048 -keypass changeit -keystore webserver.keystore -storepass changeit -storetype JKS -dname cn=common_name,o=organization_name,ou=organization_unit,l=city,s=state,c=US
      

    The -storepass changeit option sets the keystore password to changeit. Enter this password if you are prompted for a password after running the command. This command creates the self-signed certificate (webserver.keystore) in the <installdir>\jre\bin directory.

    Note:

    Arctera recommends that you set the password as changeit. If you want to use a different password, perform the additional steps mentioned in step 12 before you start the DataInsightWeb service.

  3. Generate the certificate signing request (CSR) file. The CSR file is the request that you submit to the Signature Authority to obtain a signed certificate.

    From the <installdir>\jre\bin directory, run the following command:

    keytool -certreq -alias tomcat -keyalg RSA -keystore webserver.keystore -storetype JKS -storepass changeit -file "DataInsight.csr"

    If you are prompted for a password, press Enter. This command creates a file called DataInsight.csr. You submit this file to the Signature Authority.

  4. To generate a certificate, send the .CSR file to a Certified Signature Authority (your own or a third party, such as VeriSign).

    To obtain a signed certificate from your internal Signature Authority, contact your system administrator for instructions.

    To obtain signed certificates from the Signature Authorities, go to their web sites and follow the instructions to enroll and obtain a signed certificate. However, check with the organization to identify any additional environment information that may be needed for the certificate.

    The certified Signature Authority sends you the signed certificate (this process might take 3-5 days). Internal Signature Authorities must return the root certificate along with the signed certificate.

  5. If the signed certificate is chained, download it in the .p7b (PKCS7) format or .pfx (PKCS12) format (if available).

    If you downloaded the certificate in .pfx format, see Enabling CA signed certificates for inter-node communication and execute the steps from the section "To apply the CA provided certificate to secure web portal communications, perform the following steps on the Management Server".

    If you downloaded a chained certificate in .p7b format, extract the root and intermediate certificates from the downloaded certificate as follows:

    • Double click the downloaded certificate. The certificate will open in certmgr.

    • Expand the certificate and right click the root certificate.

    • Click All Tasks > Export > Next.

    • Select Base-64 encoded X.509 (.cer)

    • Click Browse location > Next > Finish.

    Follow the same steps to extract the intermediate certificate. Place the CA signed certificate, root certificate, and intermediate certificate in the <installdir>\jre\bin folder.

  6. Place the signed certificate into the directory (<installdir>\jre\bin) with the webserver.keystore file. If the certificate was sent in the body of an email, paste it into a text document exactly as it appears on the screen. Include the top line and bottom line (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). Make sure that no extra lines, spaces, trailing carriage returns, or characters have been inadvertently added. Save this file in the same directory where the webserver.keystore file is located. If the signed certificate is provided as an attachment to an email, copy this file into the same directory where the webserver.keystore file is located.
  7. Keep a copy of both the webserver.keystore file and the signed certificate file in a separate, secure location.
  8. Confirm that the signed certificate is correct. Open a command prompt and run the following command to view the certificate's fingerprint(s):

    keytool -printcert -file signed_certificate_filename

    The following is an example output:

    Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
    Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
    Serial Number: 59092b34
    Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13 PST 1997
    Certificate Fingerprints:
    MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F
    SHA1: 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37 37:13:0E:5E:FE
  9. Call or email the person who sent the certificate and compare the fingerprint(s) you see with the fingerprint(s) they sent you. If the fingerprint(s) are not exactly equivalent, the certificate may have been replaced in transit by an attacker's certificate.

    If you used a chained certificate, also view the fingerprint(s) of the root certificate using the same -printcert command.

    keytool -printcert -file name_of_root_certificate_provided_by_internal_signature_authority

    Compare the displayed fingerprint with the well-known fingerprint (obtained from a newspaper or the root CA's web page). Contact the certificate's issuer if you have questions.

    When you run the -importcert command (step 10), it prints out the certificate information and prompts you to verify it.

  10. Return to the <installdir>\jre\bin directory and update the local webserver.keystore file with the signed certificate as follows:
    • Internal signature authority (with chained certificate)

      Use the following command to update the webserver.keystore file with the root certificate:

      <installdir>\jre\bin\keytool.exe -importcert -alias root -file root_certificate_filename.cer -keystore webserver.keystore -storepass changeit
      

      Use the following command to update the webserver.keystore file with the intermediate certificate:

      <installdir>\jre\bin\keytool.exe -importcert -alias intermediate -file intermediate_certificate_filename.cer -keystore webserver.keystore -storepass changeit

      Use the following command to update the webserver.keystore file with the signed certificate:

      <installdir>\jre\bin\keytool.exe -importcert -alias tomcat -file signed_certificate_filename -keystore webserver.keystore -storepass changeit
    • VeriSign or third-party signature authority (For independent CA signed certificate)

      Use the following command to update the local webserver.keystore file with the signed certificate:

      <installdir>\jre\bin\keytool -importcert -alias tomcat -keystore webserver.keystore -file signed_certificate_filename

    For FIPS enabled mode, run this additional command:

    <installdir>\jre\bin\keytool.exe -importkeystore -srckeystore webserver.keystore -destkeystore webserver.keystore -srcalias tomcat -destalias tomcat -deststoretype bcfks -destkeypass changeit -provider com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
  11. Copy the updated webserver.keystore file into the $datadir\keys directory. By default, $datadir is located at C:\DataInsight\data. Note that this operation overwrites an existing file of the same name in that location. Rename the existing file if you want to keep it.
  12. If you have used a password other than changeit in step 2, perform the following additional steps:
    • Log into the Management Server with Administrator privileges.

    • Open a command prompt window, and change to the bin directory in the installation folder for Information Governance. By default, the bin directory is located at C:\Program Files\DataInsight\bin.

    • Execute the following command:

      configcli.exe keystore_password webserver <new password>

  13. Restart the Information Governance web service by performing the following steps in the specified order:
    • net stop DataInsightWeb

    • net start DataInsightWeb

Note:

After generating a unique Management Console certificate, if you do not want Information Governance to automatically renew and replace webserver.keystore in the <datadir>\keys folder, add the following global property from a command prompt: <installdir>\bin\configdb -O -J matrix.webserver.keystore.renew -j false
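
An added example (not part of the Arctera guide or its tooling): a Python check for steps 6, 8 and 9 that rejects a pasted certificate file containing anything beyond one clean PEM block, then compares its SHA-256 fingerprint with the value received from the sender. The function names and the sample bytes are assumptions constructed for this example.

```python
import base64
import hashlib
import re

# Step 6: exactly one certificate block, no stray lines, spaces or characters.
PEM_RE = re.compile(
    r"\A-----BEGIN CERTIFICATE-----\r?\n"
    r"((?:[A-Za-z0-9+/=]+\r?\n)+)"
    r"-----END CERTIFICATE-----\r?\n?\Z"
)


def pem_to_der(pem_text):
    """Return the DER bytes of a clean single-certificate PEM text, else raise ValueError."""
    match = PEM_RE.match(pem_text)
    if match is None:
        raise ValueError("expected one PEM certificate block and nothing else")
    body = re.sub(r"\r?\n", "", match.group(1))
    try:
        return base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("PEM body is not valid base64") from exc


def fingerprint(der, algorithm="sha256"):
    """Digest of the DER encoding as colon-separated upper-case hex (keytool's layout)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(pem_text, expected, algorithm="sha256"):
    """Step 9: compare the file's fingerprint with the one received out of band."""
    def normalise(value):
        return re.sub(r"[\s:]", "", value).upper()
    return normalise(fingerprint(pem_to_der(pem_text), algorithm)) == normalise(expected)


# Constructed sample: arbitrary bytes standing in for a certificate's DER encoding.
# It is not a parseable X.509 certificate; a fingerprint is a hash of the bytes.
SAMPLE_DER = bytes(range(96))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    out_of_band = fingerprint(SAMPLE_DER).lower()  # as the sender might read it out
    print("clean file matches:", fingerprints_match(SAMPLE_PEM, out_of_band))
    try:
        pem_to_der(SAMPLE_PEM + "\n")  # one stray trailing line
    except ValueError as err:
        print("rejected:", err)
```

Pass "sha1" as the algorithm when the sender supplied only a SHA1 fingerprint such as the one in the sample keytool output.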