Untitled

In the following steps we explain how to resolve this for a Retain / GroupWise / SLES system:

1. Setting the connections in the Retain web console

2. GroupWise settings and certificates

3. Create a self-signed or trusted third-party certificate

4. Enable SSL for the Apache server, if not already enabled

5. Import the GW domain certificate and the GW domain PO certificate to the Retain java keystore

6. Import the retain server certificate to the Retain trusted java keystore

7. Import the tomcat server certificate to the Retain trusted java keystore;
import the tomcat server key and tomcat server certificate to the tomcat java keystore;
and configure the tomcat's server.xml file

8. Steps for the Retain multiple server scenario


1. Setting the connections in the Retain web console

Log in to the Retain web console and check the following settings.

1.1 Retain Server | Server Configuration

Open the Retain Server | Server Configuration page.

Scroll down to the Retain Server Connection section and enter the Retain Server connection details.

1.2 Retain Server | Module Configuration | GroupWise module

Open the Retain Server | Module Configuration | GroupWise Module page.

Scroll down to GroupWise SOAP Access and enable SSL.

1.3 Retain Server | Workers module

Enter the Retain Server connection details on the Workers | Connection tab.

Enable SSL on the Workers | Module specific tab.


2. GroupWise settings and certificates

2.1 Enabling SOAP

Open the GroupWise admin console.

Go to Post Office Agents | Agent Settings and enable SOAP.

2.2 Get the GW certificates

On the Retain server, change to the /opt/ directory and make the certgw directory.

mkdir certgw

Change to the /opt/certgw/ directory.

Import the required GroupWise domain and post office certificates and keys.

scp -r root@groupwise.your-domain.com:/opt/cert-directory/groupwisedomain /opt/certgw/

3. Create a self-signed or trusted third-party certificate

Change to the /opt/ directory and make the certs directory.

mkdir certs

Generate self-signed or trusted third-party keys for the Retain server and for the Tomcat server, and name them tomcatserver.key and retainserver.key.

Generate self-signed or trusted third-party certificates and name them tomcatserver.crt and retainserver.crt.

Also refer to the following TID:

https://support.microfocus.com/kb/doc.php?id=7023144

4. Enable SSL for the Apache server

Change to the /etc/apache2/ directory.

Copy the retain server key to the /etc/apache2/ssl.key/ directory.

On the command line:

cp /opt/beginfinite/certs/retainserver.key ssl.key/

Copy the retain server certificate to the /etc/apache2/ssl.crt/ directory:

cp /opt/beginfinite/certs/retainserver.crt ssl.crt/

Change to the /etc/apache2/vhosts.d/ directory.

In the /etc/apache2/vhosts.d/ directory, create a copy of vhost-ssl.template and name it retainserver-ssl.conf:

cp vhost-ssl.template retainserver-ssl.conf

Open the vhost file that was just created and set "SSLCertificateFile" and "SSLCertificateKeyFile" to the paths of the key and the signed certificate:

SSLCertificateFile /etc/apache2/ssl.crt/retainserver.crt

SSLCertificateKeyFile /etc/apache2/ssl.key/retainserver.key

Also change the following tag:

<VirtualHost _default_:443> to <VirtualHost *:443>

Add the line:

SSLProtocol All -SSLv2 -SSLv3

The retainserver-ssl.conf file will now contain:

Change to the /etc/sysconfig/ directory.

Open /etc/sysconfig/apache2.

In the "APACHE_MODULES" option, make sure 'ssl' is in the list of modules which Apache needs to load.

Also add '-DSSL' to 'APACHE_SERVER_FLAGS'.

Add the server name of the host.

Optional: in order to add configurations for Apache, add '/etc/apache2/httpd.conf.local' to 'APACHE_CONF_INCLUDE_FILES'.

Save and exit the /etc/sysconfig/apache2 file.

Optional: change to the /etc/apache2/ directory.

Create the 'httpd.conf.local' file and add the following to the end of the file:

# Enter the server's FQDN, for example your-retainserver.example.com
ServerName your-retainserver.example.com
# Enter the location of the SSL passphrase file
#SSLPassPhraseDialog exec:/etc/httpd/conf/passphrase-file

As an option, SSLPassPhraseDialog can be used. Uncomment the line with 'SSLPassPhraseDialog' to do so.

Change to the /etc/httpd/conf/ directory (or another chosen directory).

Create the passphrase file 'passphrase-file' and enter the following lines:

#!/bin/sh
echo "private key passphrase"

For the passphrase, insert the chosen passphrase for the private key.

Save the file and make it executable with the command:

chmod +x passphrase-file

Test if the file delivers the passphrase with the following command:

./passphrase-file

Restart Apache with the command:

systemctl restart apache2
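Before restarting Apache it is worth checking that the vhost file really points at a matching key/certificate pair and that the SSLProtocol line disables SSLv2 and SSLv3. The script below is an added example for this step, not part of the original article or of Retain; it reads SSLCertificateFile, SSLCertificateKeyFile and SSLProtocol from a vhost file such as /etc/apache2/vhosts.d/retainserver-ssl.conf, compares the public key in the key file with the one in the certificate, refuses a world-readable key file, and checks the protocol list. The function names and the example paths are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original article: sanity-check an Apache
# vhost file such as /etc/apache2/vhosts.d/retainserver-ssl.conf before the
# restart. Paths, hostnames and function names are assumptions for the demo.

# Print the value of directive $2 from vhost file $1 (first occurrence;
# the commented-out "#SSL..." lines from vhost-ssl.template are ignored).
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed only when the private key and the certificate carry the same
# public key, i.e. SSLCertificateKeyFile really belongs to SSLCertificateFile.
key_matches_cert() {
    key=$1; crt=$2
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Succeed only when an SSLProtocol value leaves neither SSLv2 nor SSLv3
# enabled: "All -SSLv2 -SSLv3" and "TLSv1.2 TLSv1.3" pass, "All" alone fails.
protocol_ok() {
    v=" $* "
    case "$v" in
        *" -SSLv2 "*) ;;
        *" SSLv2 "*|*" +SSLv2 "*|*" All "*|*" all "*) return 1 ;;
    esac
    case "$v" in
        *" -SSLv3 "*) ;;
        *" SSLv3 "*|*" +SSLv3 "*|*" All "*|*" all "*) return 1 ;;
    esac
    [ -n "$*" ]
}

# Check one vhost file: prints "ok", or the first problem found with a
# non-zero return code.
check_vhost() {
    conf=$1
    [ -f "$conf" ] || { echo "vhost file not found: $conf"; return 1; }
    crt=$(directive "$conf" SSLCertificateFile)
    key=$(directive "$conf" SSLCertificateKeyFile)
    proto=$(directive "$conf" SSLProtocol)
    [ -f "$crt" ] || { echo "SSLCertificateFile not found: '$crt'"; return 1; }
    [ -f "$key" ] || { echo "SSLCertificateKeyFile not found: '$key'"; return 1; }
    # a private key readable by every local user is a finding on its own
    [ -z "$(find "$key" -perm -004)" ] || { echo "private key is world-readable: $key"; return 1; }
    key_matches_cert "$key" "$crt" || { echo "key does not match certificate"; return 1; }
    protocol_ok $proto || { echo "SSLProtocol leaves SSLv2/SSLv3 enabled: '$proto'"; return 1; }
    echo "ok"
}

# Usage: sh check-vhost.sh /etc/apache2/vhosts.d/retainserver-ssl.conf
if [ $# -gt 0 ]; then
    check_vhost "$1"
fi
```

The key/certificate comparison uses the public keys rather than an RSA modulus so it also works for EC keys; a mismatch here is the usual cause of Apache refusing to start after a certificate renewal.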

5. Import GroupWise certificates

Change to the /opt/beginfinite/retain/java/<jdk>/bin/ directory.

Import from the command line:

./keytool -importcert -keystore gwkeystore -storepass changeit -noprompt -alias gwdomain -file /opt/beginfinite/certgw/gw-domain.crt

./keytool -importcert -keystore gwkeystore -storepass changeit -noprompt -alias gwdomainpo -file /opt/beginfinite/certgw/gw-domain.po.POA.crt

Viewing the content of the keystore:

./keytool -list -keystore /opt/beginfinite/retain/java/<jdk>/bin/gwkeystore

Note: please follow the relevant password security protocol and replace the keystore password 'changeit'.

6. Import Retain certificates

6.1 Import the retain server certificate to the Retain trusted java keystore

Change to the /opt/beginfinite/retain/java/<jdk>/bin directory.

Import from the command line:

./keytool -import -trustcacerts -keystore /opt/beginfinite/retain/java/<jdk>/lib/security/cacerts -storepass changeit -noprompt -alias retaincert -file /opt/certs/retainserver.crt

To check if the retain server certificate has been added, type:

./keytool -list -alias retaincert -cacerts

The output should look like:

To remove the retain server certificate from the keystore, use the following:

./keytool -delete -alias retaincert -keystore /opt/beginfinite/retain/java/<jdk>/lib/security/cacerts

7. Import Tomcat certificates

7.1 Import the tomcat server certificate to the Retain trusted java keystore

Change to the /opt/beginfinite/retain/java/<jdk>/bin directory.

Import from the command line:

./keytool -import -trustcacerts -keystore /opt/beginfinite/retain/java/jdk-11+28/lib/security/cacerts -storepass changeit -noprompt -alias tomcatcert -file /opt/beginfinite/certs/tomcatserver.crt

To check if the tomcat server certificate has been added, type:

./keytool -list -alias tomcatcert -cacerts

7.2 Import the tomcat server certificate to the tomcat java keystore in the tomcat conf directory

Change to the /opt/beginfinite/retain/java/<jdk>/bin directory.

Import from the command line:

./keytool -importcert -keystore /opt/beginfinite/retain/tomcat/conf/tomcatkeystore -storepass changeit -noprompt -alias tomcatcert -file /opt/beginfinite/certs/tomcatserver.crt

To check if the tomcat server certificate has been added, type:

./keytool -list -alias tomcatcert -keystore /opt/beginfinite/retain/tomcat/conf/tomcatkeystore
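Step 3 and step 7.2 name the key and certificate files but give no command for creating them, and a plain -importcert of tomcatserver.crt into the Tomcat keystore produces only a trustedCertEntry; a Tomcat SSL connector needs a PrivateKeyEntry, i.e. the key and the certificate imported together. The script below is an added example that is not part of the original article or of Retain: it generates a self-signed pair with openssl, bundles key and certificate into a PKCS12 file, imports that into tomcatkeystore with keytool -importkeystore, and reads back the entry type so the result can be checked. The output directory, the example FQDN, the alias tomcatcert and the password changeit are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original article: build the Tomcat keystore
# so that it holds the server's private key, not only its certificate.
# "keytool -importcert" on tomcatserver.crt creates a trustedCertEntry, which
# an SSL connector cannot serve from; key and certificate have to go in
# together as a PrivateKeyEntry. Paths, names, the FQDN and the password
# are assumptions for this demo.

# Generate a self-signed key and certificate (step 3 names the files but
# gives no command); the SAN is what current clients check, not the CN.
#   $1 = output directory, $2 = basename (e.g. tomcatserver), $3 = FQDN
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -keyout "$1/$2.key" -out "$1/$2.crt" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" >/dev/null 2>&1
}

# Import key $1 and certificate $2 into keystore $3 under alias $4 with
# store (and key) password $5. keytool only accepts a private key via a
# PKCS12 bundle; the 3DES/SHA1 PBE options keep that bundle readable by
# older JDKs as well as current ones.
import_key_pair() {
    key=$1; crt=$2; ks=$3; alias=$4; pass=$5
    p12="$ks.p12"
    openssl pkcs12 -export -inkey "$key" -in "$crt" -name "$alias" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$p12" -passout "pass:$pass" 2>/dev/null || return 1
    rc=0
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$ks" -deststorepass "$pass" -destkeypass "$pass" \
        -srcalias "$alias" -destalias "$alias" >/dev/null 2>&1 || rc=$?
    rm -f "$p12"          # the bundle holds the key; do not leave it behind
    return $rc
}

# Print the entry type keytool reports for alias $2 in keystore $1 with store
# password $3: PrivateKeyEntry or trustedCertEntry; nothing if the alias is
# absent.
entry_type() {
    keytool -list -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}

# Usage: sh build-tomcat-keystore.sh <outdir> <fqdn>
if [ $# -ge 2 ]; then
    gen_selfsigned "$1" tomcatserver "$2"
    import_key_pair "$1/tomcatserver.key" "$1/tomcatserver.crt" \
        "$1/tomcatkeystore" tomcatcert changeit
    echo "tomcatcert is a $(entry_type "$1/tomcatkeystore" tomcatcert changeit)"
fi
```

After the import, keytool -list on tomcatkeystore should show the alias as a PrivateKeyEntry; a trustedCertEntry under the alias named in the connector's keystoreFile is the usual reason a connector configured as in 7.3 fails to start or serves no certificate.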

7.3 Configure the Tomcat SSL connector in the server.xml file

Change to the /opt/beginfinite/retain/tomcat/conf/ directory.

Add the following to the server.xml file:

<Connector port="48443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/tomcatkeystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS">
</Connector>

Restart retain-tomcat:

systemctl restart retain-tomcat

8. Steps for the Retain multiple server scenario

8.1 Make certificate directories

On the primary Retain server, make a new directory for the certificates of the remote Retain worker server.

Change to the /opt/certs/ directory and make the retainworker directory. In it we will store the retain server and tomcat server keys and certificates from the retainworker server.

Should there be more than one retainworker, you could name the directory for its certificates and keys retainworker02, etc.

mkdir retainworker

On the remote retainworker we make the certgw and the certs directory.

Change to the /opt/ directory and make the certgw and the certs directory.

mkdir certgw

mkdir certs

Change to the /opt/certs/ directory and make the retain-primary directory. In it we will store the retain server and the tomcat server certificates from the primary Retain server.

mkdir retain-primary

8.2 Create a self-signed or trusted third-party certificate for the remote retainworker server

On the Retain worker server, change to the /opt/ directory and make the certs directory.

mkdir certs

Change to the /opt/certs/ directory.

Generate self-signed or trusted third-party keys for the Retain worker server and for the Tomcat server, and name them tomcatworker.key and retainworker.key.

Generate self-signed or trusted third-party certificates and name them tomcatworker.crt and retainworker.crt.

8.3 Import the GroupWise keys and certificates from the primary Retain server to the remote retainworker

On the remote retainworker server, run from the command line:

scp -r root@retain.your-domain.com:/opt/certgw/groupwisedomain /opt/certgw/

8.4 Import the retainserver and tomcatserver keys and certificates from the primary Retain server to the remote retainworker

On the remote retainworker server, run from the command line:

scp -r root@retain.your-domain.com:/opt/certs/ /opt/certs/retain-primary/

8.5 Import the retainserver and tomcatserver keys and certificates from the remote retainworker server to the primary Retain server

On the primary Retain server, run from the command line:

scp -r root@retainworker.your-domain.com:/opt/certs/ /opt/certs/retainworker/

Still on the primary Retain server, change to the /opt/certs/retainworker/certs directory.

If the retain-primary directory is in there, remove it:

rm -r retain-primary/

8.6 Add certificates to the primary Retain server

8.6.1 Primary Retain trusted java keystore: add the remote retain certificate and the remote tomcat server certificate

On the primary Retain server, change to the /opt/beginfinite/retain/java/<jdk>/bin directory.

Import from the command line:

./keytool -import -trustcacerts -keystore /opt/beginfinite/retain/java/<jdk>/lib/security/cacerts -storepass changeit -noprompt -alias remretaincert -file /opt/certs/retainworker/retainworker.crt

To check if the remote retain server certificate has been added, type:

./keytool -list -alias remretaincert -cacerts

Still in the /opt/beginfinite/retain/java/<jdk>/bin directory, import from the command line:

./keytool -import -trustcacerts -keystore /opt/beginfinite/retain/java/<jdk>/lib/security/cacerts -storepass changeit -noprompt -alias remtomcatcert -file /opt/certs/retainworker/tomcatworker.crt

8.6.2 Primary Tomcat server keystore: add the remote tomcat server certificate

Change to the /opt/beginfinite/retain/java/<jdk>/bin directory.

Import from the command line:

./keytool -importcert -keystore /opt/beginfinite/retain/tomcat/conf/tomcatkeystore -storepass changeit -noprompt -alias remtomcatcert -file /opt/certs/retainworker/tomcatworker.crt

To check if the remote tomcat server certificate has been added, type:

./keytool -list -alias remtomcatcert -keystore /opt/beginfinite/retain/tomcat/conf/tomcatkeystore

8.7 Add certificates to the remote retainworker server

8.7.1 Remote GroupWise keystore: add the GW certificates

Change to the /opt/beginfinite/retain/java/<jdk>/bin/ directory.

Import from the command line:

./keytool -importcert -keystore gwkeystore -storepass changeit -noprompt -alias gwdomain -file /opt/certgw/gw-domain.crt

./keytool -importcert -keystore gwkeystore -storepass changeit -noprompt -alias gwdomainpo -file /opt/certgw/gw-domain.po.POA.crt

To view the content of the keystore, type:

./keytool -list -keystore /opt/beginfinite/retain/java/<jdk>/bin/gwkeystore

8.7.2 Remote Retain trusted java keystore: add the remote retain certificate and the remote tomcat server certificate

On the remote Retain worker server, change to the /opt/beginfinite/retain/java/<jdk>/bin directory.

Import from the command line:

./keytool -import -trustcacerts -keystore /opt/beginfinite/retain/java/<jdk>/lib/security/cacerts -storepass changeit -noprompt -alias retainworkcert -file /opt/certs/retainworker.crt

To check if the remote retain server certificate has been added, type:

./keytool -list -alias retainworkcert -cacerts

Import from the command line:

./keytool -import -trustcacerts -keystore /opt/beginfinite/retain/java/<jdk>/lib/security/cacerts -storepass changeit -noprompt -alias tomcatworkcert -file /opt/certs/tomcatworker.crt

To check if the remote tomcat server certificate has been added, type:

./keytool -list -alias tomcatworkcert -cacerts

8.7.3 Remote Tomcat server keystore: add the remote tomcat server certificate

Change to the /opt/beginfinite/retain/java/<jdk>/bin directory.

Import from the command line:

./keytool -importcert -keystore /opt/beginfinite/retain/tomcat/conf/tomcatkeystore -storepass changeit -noprompt -alias tomcatworkcert -file /opt/certs/tomcatworker.crt

To check if the remote tomcat server certificate has been added, type:

./keytool -list -alias tomcatworkcert -keystore /opt/beginfinite/retain/tomcat/conf/tomcatkeystore

8.7.4 Configure the Tomcat SSL connector in the server.xml file

Change to the /opt/beginfinite/retain/tomcat/conf/ directory.

Add the following to the server.xml file:

<Connector port="48443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/tomcatkeystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS">
</Connector>

8.7.5 Remote Retain trusted java keystore: add the primary retain certificate and the primary tomcat server certificate

Change to the /opt/beginfinite/retain/java/<jdk>/bin directory.

Import from the command line:

./keytool -import -trustcacerts -keystore /opt/beginfinite/retain/java/<jdk>/lib/security/cacerts -storepass changeit -noprompt -alias primretaincert -file /opt/certs/retain-primary/certs/retainserver.crt

To check if the primary retain server certificate has been added, type:

./keytool -list -alias primretaincert -cacerts

Import from the command line:

./keytool -import -trustcacerts -keystore /opt/beginfinite/retain/java/<jdk>/lib/security/cacerts -storepass changeit -noprompt -alias primtomcatcert -file /opt/certs/retain-primary/certs/tomcatserver.crt

To check if the primary tomcat server certificate has been added, type:

./keytool -list -alias primtomcatcert -cacerts

8.7.6 Remote Tomcat server keystore: add the primary tomcat server certificate

Change to the /opt/beginfinite/retain/java/<jdk>/bin directory.

Import from the command line:

./keytool -importcert -keystore /opt/beginfinite/retain/tomcat/conf/tomcatkeystore -storepass changeit -noprompt -alias primtomcatcert -file /opt/certs/retain-primary/certs/tomcatserver.crt

To check if the primary tomcat server certificate has been added, type:

./keytool -list -alias primtomcatcert -keystore /opt/beginfinite/retain/tomcat/conf/tomcatkeystore

Restart retain-tomcat on the remote server:

systemctl restart retain-tomcat


