You can use third party certificates to configure TLS/SSL for the dashboard data provider by adding the signer certificate and private digital certificate to the key database managed by GSKit, and to the trust and key stores used by TEPS/e.
Before you begin
Obtain the certificate authority's signer certificate.
Ensure the TEPS/e administration console is enabled. For detailed steps, including information on how to log on, see Starting the TEPS/e administration console.
Procedure
- Use either the TEPS/e administration console or the GSKit command-line interface to create a private certificate request to be signed by the certificate authority. The following instructions explain how to perform this step using the TEPS/e administration console.
  - Log on to the TEPS/e administration console.
  - Select Security → SSL certificate and key management.
  - In the Related Items area, click the Key stores and certificates link and in the table click the NodeDefaultKeyStore link.
  - In the Additional Properties area, click the Personal certificate requests link and in the page that is displayed, click New.
  - In the page that is displayed, specify the following information:
    - Set File name to the location to store the private certificate request. For example, C:\dashboardcerts\TEPSCertRequest.arm.
    - Set the Key label to the desired label for the certificate. For example, TEPS Certificate.
    - Set the Key size to 2048.
    - Leave the Signature algorithm as SHA1withRSA.
    - Set the Common name to a unique name for the TEPS/e computer. Typically, this is a hostname.
    - Set Organization to a meaningful value. Typically, this is a company name.
    - Set Organization unit to a meaningful name. For example, TEPS.
    - Set Country or region to the desired value. For example, US.
  - Click OK, then Save.
- Send the certificate request generated above to the certificate authority to request a new digital certificate. The certificate authority can take two to three weeks to generate the new digital certificate.
- After the certificate authority returns your new digital certificate, save it to a location on the computer where the portal server and TEPS/e are installed. For example, C:\dashboardcerts\TEPSSignedCert.arm.
- Use the GSKit command-line interface to create a new key database of type CMS and save the key database's password to a stash file. Then import the certificate authority's signer certificate and the new digital certificate into the new key database. This key database is used by the portal server's embedded HTTP server.
- You must also add the certificate authority public signer certificate into the TEPS/e trust store using the TEPS/e administration console.
  - Log on to the TEPS/e administration console.
  - Select Security → SSL certificate and key management.
  - In the Related Items area, click the Key stores and certificates link and in the table click the NodeDefaultTrustStore link.
  - In the Additional Properties area, click the Signer certificates link and in the page that is displayed, click Add.
  - In the page that is displayed, specify the following information:
    - Set Alias to the desired label for the certificate. For example, TEPS Signer Certificate.
    - Set File name to the location of the extracted certificate authority signer certificate. For example, C:\dashboardcerts\CASignerCert.arm.
    - Leave the Data type as Base64-encoded ASCII data.
  - Click OK, then Save.
- Receive the signed digital certificate into the TEPS/e key store using the TEPS/e administration console.
  - Log on to the TEPS/e administration console.
  - Select Security → SSL certificate and key management.
  - In the Related Items area, click the Key stores and certificates link and in the table click the NodeDefaultKeyStore link.
  - In the Additional Properties area, click the Personal certificates link and in the page that is displayed, click Receive from a certificate authority.
  - In the page that is displayed, specify the following information:
    - Set File name to the location of the signed digital certificate. For example, C:\dashboardcerts\TEPSSignedCert.arm.
    - Leave the Data type as Base64-encoded ASCII data.
  - Click OK, then Save.
- Set the new private certificate as the default server certificate for TEPS/e.
  - Log on to the TEPS/e administration console.
  - Select Security → SSL certificate and key management.
  - In the Related Items area, click the SSL configurations link and in the table click the NodeDefaultSSLSettings link.
  - In the page that is displayed, click Default server certificate alias and choose the signed TEPS/e certificate. For example, TEPS Certificate.
  - Click OK, then Save.
  - Select Security → SSL certificate and key management again.
  - Click on the Manage endpoint security configurations link.
  - Click on the node name link under Inbound → thecellname → nodes.
  - Click Certificate alias in key store and choose the signed TEPS/e certificate. For example, TEPS Certificate.
  - Click OK, then Save.
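
Receiving a certificate into a key store requires that it carry the public key of the pending request, and clients will only trust it if it verifies against the signer certificate added to the trust store. The following added example (not part of the IBM procedure or product) checks both with the OpenSSL command line before anything is imported. It assumes OpenSSL is installed where the three .arm files are readable; the function names and the throwaway fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes the OpenSSL CLI is on PATH and that the
# .arm files are Base64-encoded ASCII (PEM), as selected in the steps above.

# Print the PEM public key of a request ("req") or a certificate ("x509").
pubkey() { openssl "$1" -in "$2" -noout -pubkey 2>/dev/null; }

# Key size in bits of the certificate's public key, e.g. 2048.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Algorithm the CA used to sign the certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# check_signed_cert REQUEST CERT CA_SIGNER
# Returns 0 only if CERT carries the public key from REQUEST (else 1) and
# verifies with CA_SIGNER supplied as the trusted CA file (else 2).
check_signed_cert() {
    req_key=$(pubkey req "$1"); cert_key=$(pubkey x509 "$2")
    if [ -z "$req_key" ] || [ "$req_key" != "$cert_key" ]; then
        echo "FAIL: certificate does not match the pending request" >&2; return 1
    fi
    if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against the signer" >&2; return 2
    fi
    echo "OK: $(cert_key_bits "$2")-bit key, signed with $(cert_sig_alg "$2")"
}

# Constructed throwaway CA, request and certificate for trying the checks out.
make_constructed_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/CASignerCert.arm" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Example/OU=TEPS/CN=teps.example.test" \
        -keyout "$1/teps.key" -out "$1/TEPSCertRequest.arm" 2>/dev/null &&
    openssl x509 -req -in "$1/TEPSCertRequest.arm" -sha256 -days 1 \
        -CA "$1/CASignerCert.arm" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/TEPSSignedCert.arm" 2>/dev/null
}

# Usage: sh check.sh TEPSCertRequest.arm TEPSSignedCert.arm CASignerCert.arm
if [ "$#" -eq 3 ]; then check_signed_cert "$@"; fi
```

A non-zero exit means the certificate should go back to the certificate authority rather than into the key store.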