Overview
Adding custom CA certificates to the Gateway is required for secure communication between the gateway and other components in your environment whose certificates are issued by a non-public (local) CA. The added certificates let the gateway establish trust with the servers it interacts with, which protects the data exchanged on those channels and keeps the integrity of your communication with the network infrastructure intact.
Upload the CA Certificates to Gateway
First obtain the certificate locally (Step 1), then upload the locally issued certificate to both the gateway and the vprobe service (Step 2).
Step 1: Get the Non-OpsRamp/local issuer certificate
Follow the steps below to get the certificate:
For “Direct” use the following command:
openssl s_client -connect {opsramp-api-server}:{opsramp-api-server-port} -showcerts
For “Proxy” use the following command:
openssl s_client -connect {opsramp-api-server}:{opsramp-api-server-port} -proxy {proxy-server-ip}:{proxy-server-port} -showcerts
Note
- opsramp-api-server: Replace this with the target device's IP address.
- opsramp-api-server-port: Replace this with the target device's port number.
- proxy-server-ip: Replace this with the proxy server's IP address.
- proxy-server-port: Replace this with the proxy server's port number.
Make sure that you remove the curly brackets {} from the above tokens when replacing them in the command.
- You will receive the certificate output as shown below. Copy this output into a file, such as /home/ruser/cert1.crt.
-----BEGIN CERTIFICATE-----
MIIHnTCCBYWgAwIBAgIQApMqHIN6MX/8V6+KRuvlIjANBgkqhkiG9w0BAQsFADBc
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xNDAyBgNVBAMT
K1JhcGlkU1NMIEdsb2JhbCBUTFMgUlNBNDA5NiBTSEEyNTYgMjAyMiBDQTEwHhcN
MjIwOTI2MDAwMDAwWhcNMjMxMDI1MjM1OTU5WjAcMRowGAYDVQQDDBEqLmFwaS5v
cHNyYW1wLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOYUqmn3
GBFifgvw3d9kCplfUdFtcn8BJDPm2d6cfDqQqNXvJ6sOxoH4pHLaK2Z+AWl+7iqt
hs+OEumFX/0kOsfFVf/E6LVPDEX0z4mjXaNM3I7/qDMG
-----END CERTIFICATE-----
Note
If you have multiple certificates, generate a separate file for each one, and place these files in the directory /home/ruser/.
Step 2: Upload the issued certificate to Gateway and Vprobe Service
Once the certificate files have been copied, follow the steps below to upload them to the gateway and the vprobe service.
Upload the certificate to Vprobe Service
- Run the following command for each certificate, using a suitable random string as the {AliasName}.
Example for one certificate file:
sudo keytool -import -noprompt -trustcacerts -alias "{AliasName}-1" -file /home/ruser/cert1.crt -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit
Example for two certificate files:
sudo keytool -import -noprompt -trustcacerts -alias "{AliasName}-1" -file /home/ruser/cert1.crt -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit
sudo keytool -import -noprompt -trustcacerts -alias "{AliasName}-2" -file /home/ruser/cert2.crt -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit
- Run the following command to verify that the certificate has been successfully uploaded to the vprobe service:
keytool -list -v -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts | grep -i '{AliasName}'
Upload the certificate to Gateway
Run the following commands (shown here as examples) to upload the certificate:
sudo cp /home/ruser/cert1.crt /usr/local/share/ca-certificates
sudo update-ca-certificates
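The following script is an added example that is not part of the OpsRamp documentation; it strings Steps 1 and 2 together for the case the note above mentions, where the s_client output contains more than one certificate. It assumes the "openssl s_client ... -showcerts" output has been saved to a file, takes the Java cacerts path, the /home/ruser/ directory and the "changeit" store password from the page, and uses a constructed two-certificate capture with placeholder PEM bodies (not real certificates) so that the splitting step can be exercised offline. The function names and the alias prefix are the example's own choices.

```shell
#!/bin/sh
# Added example (not OpsRamp's code): split a multi-certificate capture into
# one .crt file per certificate, inspect each one, then import and verify.

# split_chain <capture> <outdir> <basename>
# Writes <outdir>/<basename>1.crt, <basename>2.crt, ... (one PEM block each)
# and prints how many certificates were written. Lines outside the
# BEGIN/END markers (handshake text, "s:"/"i:" lines) are skipped.
split_chain() {
    capture="$1"; outdir="$2"; base="${3:-cert}"
    mkdir -p "$outdir"
    awk -v outdir="$outdir" -v base="$base" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = outdir "/" base n ".crt"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
        END { print n + 0 }
    ' "$capture"
}

# describe_cert <file>
# Prints subject, issuer and expiry so the server's own (leaf) certificate
# can be told apart from the issuing CA certificate you want to trust.
# Needs openssl on the host.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# import_to_vprobe <alias-prefix> <file>...
# Imports each file into the Java truststore with the numbered aliases the
# page uses ("<prefix>-1", "<prefix>-2", ...).
import_to_vprobe() {
    prefix="$1"; shift
    i=1
    for f in "$@"; do
        sudo keytool -import -noprompt -trustcacerts -alias "${prefix}-${i}" -file "$f" \
            -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit
        i=$((i + 1))
    done
}

# import_to_gateway <file>...
# Copies the files into the system CA directory and rebuilds the bundle.
# Keep the .crt extension: update-ca-certificates only picks up .crt files.
import_to_gateway() {
    for f in "$@"; do
        sudo cp "$f" /usr/local/share/ca-certificates/
    done
    sudo update-ca-certificates
}

# verify_gateway_trust <host:port> [extra s_client options, e.g. -proxy ip:port]
# Succeeds only if the server's chain now validates against the rebuilt
# system bundle; a non-zero verify code means the CA is still not trusted.
verify_gateway_trust() {
    target="$1"; shift
    openssl s_client -connect "$target" -CApath /etc/ssl/certs "$@" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# Constructed sample of Step 1 output (two placeholder PEM blocks, not real
# certificates) used to exercise split_chain without network access.
SAMPLE_CAPTURE='Certificate chain
 0 s:CN = api.example.invalid
   i:CN = Example Local Issuing CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgTEVBRiBCT0RZ
-----END CERTIFICATE-----
 1 s:CN = Example Local Issuing CA
   i:CN = Example Local Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgSVNTVUVSIEJPRFk=
-----END CERTIFICATE-----
---'

# demo_split <dir>
# Writes the constructed capture into <dir>, splits it there and prints the
# certificate count (2 for the sample above).
demo_split() {
    printf '%s\n' "$SAMPLE_CAPTURE" > "$1/chain.txt"
    split_chain "$1/chain.txt" "$1" cert
}

# Usage against a real capture saved as chain.txt:
#   split_chain chain.txt /home/ruser cert
#   for f in /home/ruser/cert*.crt; do describe_cert "$f"; done
#   import_to_vprobe myalias /home/ruser/cert*.crt
#   import_to_gateway /home/ruser/cert*.crt
#   verify_gateway_trust {opsramp-api-server}:{opsramp-api-server-port}
```

Run describe_cert on every split file before importing: the first block in the s_client output is normally the server's own certificate, and trusting the issuing CA rather than the leaf is what keeps the trust valid across certificate renewals. verify_gateway_trust is the check that the gateway-side import actually took effect; keytool -list, as given on the page, is the equivalent check for the vprobe truststore.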