Page History

The Backup Manager IDERA Dashboard Web Application service comes with SSL TLS1.2 already set up. By default, SSL TLS works with a self-signed certificate. This certificate can be used for encryption only and does not prove the identity of the server.

That default certificate is not signed by any well-known Certification Authority (CA) , so when the users try and is intended only for use in testing purposes. When a user attempts to open the SSL TLS version of the Backup Manager IDERA Dashboard Web Interface, they usually see the warning interface, a warning appears in the browser window (see the image below).

If you decide to continue working with this self-signed certificate, you have to must perform several steps to "accept" the certificate before you can access the site. This step usually occurs only the first time you access the site. Then the self-signed certificate is stored in the browser database marked as trusted. This scenario is suitable for testing purposes or for running the Backup Manager on the company's internal networks.But

if If you want to provide a Backup Manager SSL interface to the outside world, you should obtain a CA-signed certificate, use the steps below to obtain a certificate signed by a well-known CA. The role of a CA is to verify that the Backup Manager IDERA Dashboard Web Application you are trying to access actually has the name you are trying to access it by , and that this server actually belongs to your organization.

Obtaining a CA-

...

signed certificate

Certificates for production use are issued by trusted 3rd third-party Certification Authorities (CAs). Many CAs simply verify the domain name and issue the certificate, whereas others (VeriSign, etc.) verify the existence of your business, the ownership of your domain name, and your authority to apply for the certificate, providing a higher standard of authentication.

Every browser comes with a pre-defined list of well-known CAs. A sample list of CAs can be found on http://www.dmoz.org/Computers/Security/Public_Key_Infrastructure/PKIX/Tools_and_Services/Third_Party_Certificate_Authorities/.

Along with the name of your organization and the name of your server, a CA-signed certificate contains the public key of the server. This public key is used by the browser to encrypt data sent to the server. There is a private key on the server. The server uses the private key to decrypt the data encrypted by the public key. The private key should be kept secure on the server to prevent unauthorized access.

To learn For more information about public key cryptography, you can read this wikipedia page see

• Newtab2
  alias VeriSign url http://www.verisign.com/

• Newtab2
  alias Thawte url http://www.thawte.com/

• Newtab2
  alias CAcert url http://www.cacert.org/

• Newtab2
  alias GoDaddy url https://www.godaddy.com/ssl/ssl-certificates.aspx?ci=92420

Generating a certificate request

Before the CA can issue you the certificate, you should generate a private key and the certificate request and send it to the CA for signing. For the instructions below to work, the The certificate request and the private key should be generated with using the openssl command , the same way as for Apache web server. If you decide to buy the certificate from GoDaddy - very popular hosting provider, which also issues the certificate - generate the private key and certificate request according to http://support.godaddy.com/help/article/5269/generating-a-certificate-signing-request-csr-apache-2x.
{info:title=Note}unless otherwise instructed by the CA.

...

...

...

...

Importing

...

the certificate into the Trust-Store

The following steps show you how to install a an SSL certificate purchased from a Certification Authority. Your SSL vendor may have different instructions, please check with them for proper certificate installation. The following examples refer to GoDaddy and VeriSign.To enable a certificate, you need to use the Java keytool - a key and certificate management utility. The keytool stores the keys and certificates in a so-called keystore.
Windows
It is assumed that you have both the private key file and certificate file in the PEM format and OpenSSL tool for Windows is installed into. It is also assumed that the private key file is called wildcard.r1soft.com.keyand the certificate file is called wildcard.r1soft.com.key and both are on disk C, in the root directory.
{info:title=Note}
You can download OpenSSL for Windows installation package from

1. Copy your private Key file (wildcard.idera.com.key) and Certificate file (wildcard.idera.com.crt) in PEM format, on the root directory where IDERA Dashboard Services host (i.e. "C:\Program Files\Idera\Dashboard").
2. Download OpenSSL for Windows from

   Newtab2
   alias http://gnuwin32.sourceforge.net/packages/openssl.htm url http://gnuwin32.

...

1. sourceforge.net/packages/openssl.htm

   . Select the ‘Complete package, except sources’ option, and copy the .exe file in the root file where the IDERA Dashboard services host, right-click and Run as Administrator to install the program.
2. Start a Windows Command Prompt by

...

1. clicking Start > Command Prompt (right-click on Command Prompt to run as Administrator).

...

1. Alternatively, you can go

...

1. to Start > Run

...

1.  and then type cmd without quotes and press <Enter>.

...

1. Use the cd C:

...

1. \

...

1.  command to go to the root directory of the disk C:\, where you copied the

...

1. Key and Certificate files.

...

1. Run the following commands to convert the key and the certificate from PEM to DER format.
   

...

1. "C:\OpenSSL\bin\openssl" pkcs8 -topk8 -nocrypt -in wildcard.

...

1. idera.com.key -inform PEM -out wildcard.

...

1. idera.com.key.der -outform DER
"C:\OpenSSL\bin\openssl" x509 -in wildcard.

...

1. idera.com.crt -inform PEM -out wildcard.

...

1. idera.com.crt.der -outform DER

...

1. Use the cd command to go to the directory where the keytool is located

...

1. :
   

...

1. cd "C:\Program Files\Idera

...

1. \Dashboard\WebApplication\JRE\bin\"

...

1. To create the new keystore file, you have to download the ImportKey utility

   Newtab2
   alias https://discourse.

...

1. igniterealtime.org/uploads/default/original/2X/2/2638b26131247f7d11132bd2e3fba0e1ec87156b.zip url https://

...

1. discourse.igniterealtime.org/

...

1. uploads/default/

...

1. original/

...

1. 2X/

...

1. 2/

...

1. 2638b26131247f7d11132bd2e3fba0e1ec87156b.zip

   .
2. Access IDERA’s FTP server by navigating to the path 

   Newtab2
   alias ftp://downloads.idera.com/ url ftp://downloads.idera.com/

   in Internet Explorer (then follow the instructions on that page to log in), or by using the link in Windows File Explorer. Use the following credentials:
   Username: ImportKeyDownload
   Password: 03gXm6tv
3. Unzip the ImportKey utility to C:\Program Files\Idera

...

1. \Dashboard\WebApplication\JRE\bin\ directory.

...

1. In your Command Promp window, run the following command. It will launch the ImportKey utility and create the keystore file (default name is keystore.ImportKey) in your home directory (in Windows 2008 it is usually C:\Users\<your username>). The private key and the certificate will be placed there.
   

...

1. java ImportKey c:\wildcard.

...

1. idera.com.key.der c:\wildcard.

...

1. idera.com.crt.der

...

1. Info

...

1. The keystore

...

1. and

...

1. key

...

1. passwords both must be set

...

1. to password. To do this, proceed with the next step.

2. The following command

...

1. allows you to set the password for your keystore file. The default password is importkey. Enter it when prompted, in your Command Promp window, and then type the new password, which must be set to

...

1. password

...

1. .

...

1. 
   keytool -storepasswd -keystore c:\Users\Administrator\keystore.ImportKey

...

...

1. This command will allow you to set the password for the key file in the keystore. The default password is importkey. Enter it when prompted, and then type the new password, which must be set to

...

1. password

...

1. .
   

...

1. keytool -keypasswd -alias importkey -keystore c:\Users\Administrator\keystore.ImportKey

...

1. Use Internet Explorer to download the intermediate certificate chain for

...

1. the Certification Authority (CA).

...

1. For example, point Internet Explorer to

   Newtab2
   alias https://

...

1. certs.godaddy.com/repository

...

1. url https://certs.godaddy.com/repository

   .

1. Save the intermediate certificate chain to the root directory of the disk C:\ on the server hosting the IDERA Dashboard services.

...

1. Import the received trusted certificate into your keystore file

...

1. , by running the following command in your Command Promp window:
   keytool -import -alias intermed -file c:\sf_issuing.crt -keystore c:\Users\Administrator\keystore.ImportKey -trustcacerts

...

...

1. Info

...

1. Internet Explorer may change the file extension.

...

1. If the command above does not work, try sf_issuing.cer instead of sf_issuing.crt.

...

...

1. Open Windows File Explorer on the machine hosting the IDERA Dashboard services. Navigate to the

...

1. following directory C:\Program Files\Idera

...

1. \Dashboard\WebApplication\
2. Rename the file keystore to keystore.old.
3. Then rename the file C:\Users\<your username>\keystore.ImportKey to C:\Program Files\Idera

...

1. \Dashboard\WebApplication\conf\keystore

...

1. ,

...

1. and move that file into “C:\Program Files\Idera\Dashboard\WebApplication\conf”.
2. Finally, restart the IDERA Dashboard Web Application service to complete the setup, and log into the IDERA Dashboard to verify that the certificate has been successfully applied.

keytool Options

• alias. All keystore entries are accessed via unique aliases. Aliases are case-insensitive. An alias is specified when you add an entity to the keystore using the -import command. Subsequent keytool commands must use this same alias to refer to the entity.

...

• file

...

• . Define absolute or relative path to your certificate file. If you define only the file name, it means, that the file is located in the root directory.

...

• keystore

...

• . Each keytool command has a -keystore option for specifying the name and location of the persistent keystore file for the keystore managed by keytool. A keystore is created when you use -import command to add data to a keystore that does not already exist. If you do not specify a -keystore option, the default keystore is a file named .keystore in your home directory (as determined by the "user.home" system property). If that file does not already exist, it will be created

...

• .

...

{code}
C:\Winnt\Profiles\uName on multi-user Windows NT systems
C:\Windows\Profiles\uName on multi-user Windows 95 systems
C:\Windows on single-user Windows 95 systems
{code}
{excerpt}
Read more about Java keytool for Windows:

...

Need more help? Search the Idera Customer Support Portal

...

...