Versions Compared

Old Version 2

changes.mady.by.user Nadja Pollard

Saved on

compared with

New Version Current

changes.mady.by.user Victor Laurencena

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated GoDaddy repository link

The Backup Manager IDERA Dashboard Web Application service comes with SSL TLS1.2 already set up. By default, SSL TLS works with a self-signed certificate. This certificate can be used for encryption only and does not prove the identity of the server.

That default certificate is not signed by any well-known Certification Authority (CA) , so when the users try and is intended only for use in testing purposes. When a user attempts to open the SSL TLS version of the Backup Manager IDERA Dashboard Web Interface, they usually see the warning interface, a warning appears in the browser window (see the image below).

If you decide to continue working with this self-signed certificate, you have to must perform several steps to "accept" the certificate before you can access the site. This step usually occurs only the first time you access the site. Then the self-signed certificate is stored in the browser database marked as trusted. This scenario is suitable for testing purposes or for running the Backup Manager on the company's internal networks.

But if If you want to provide a Backup Manager SSL interface to the outside world, you should obtain a CA-signed certificate, use the steps below to obtain a certificate signed by a well-known CA. The role of a CA is to verify that the Backup Manager IDERA Dashboard Web Application you are trying to access actually has the name you are trying to access it by , and that this server actually belongs to your organization.

Obtaining a CA-

...

signed certificate

Certificates for production use are issued by trusted 3rd third-party Certification Authorities (CAs). Many CAs simply verify the domain name and issue the certificate, whereas others (VeriSign, etc.) verify the existence of your business, the ownership of your domain name, and your authority to apply for the certificate, providing a higher standard of authentication.

Every browser comes with a pre-defined list of well-known CAs. A sample list of CAs can be found on http://www.dmoz.org/Computers/Security/Public_Key_Infrastructure/PKIX/Tools_and_Services/Third_Party_Certificate_Authorities/.

Along with the name of your organization and the name of your server, a CA-signed certificate contains the public key of the server. This public key is used by the browser to encrypt data sent to the server. There is a private key on the server. The server uses the private key to decrypt the data encrypted by the public key. The private key should be kept secure on the server to prevent unauthorized access.

To learn For more information about public key cryptography, you can read this wikipedia page see

Newtab2
aliashttp://en.wikipedia.org/wiki/Public-key_cryptography
urlhttp://en.wikipedia.org/wiki/Public-key_cryptography
. To learn more about certificates and the steps to buy a certificate, you need refer to take a look at CAs' websites. Some of the most well known CAs are:

  • VeriSign
  • Thawte
  • CAcert
  • GoDaddy

...

a CA website such as:

Generating a certificate request

Before the CA can issue you the certificate, you should generate a private key and the certificate request and send it to the CA for signing. For the instructions below to work, the The certificate request and the private key should be generated with using the openssl command , the same way as for Apache web server. If you decide to buy the certificate from GoDaddy - very popular hosting provider, which also issues the certificate - generate the private key and certificate request according to http://support.godaddy.com/help/article/5269/generating-a-certificate-signing-request-csr-apache-2xunless otherwise instructed by the CA.

Info

While generating the private key and certificate request In Windows, you should replace the openssl command with the full path to binary, for example, C:\OpenSSLOpenssl\bin\openssl.

Importing

...

the certificate into the Trust-Store

The following steps show you how to install a an SSL certificate purchased from a Certification Authority. Your SSL vendor may have different instructions, please check with them for proper certificate installation. The following examples refer to GoDaddy and VeriSign.

To enable a certificate, you need to use the Java keytool - a key and certificate management utility. The keytool stores the keys and certificates in a so-called keystore.

Windows

It is assumed that you have both the private key file and certificate file in the PEM format and OpenSSL tool for Windows is installed into. It is also assumed that the private key file is called wildcard.r1soft.com.keyand the certificate file is called wildcard.r1soft.com.key and both are on disk C, in the root directory.

...

  1. Copy your private Key file (wildcard.idera.com.key) and Certificate file (wildcard.idera.com.crt) in PEM format, on the root directory where IDERA Dashboard Services host (i.e. "C:\Program Files\Idera\Dashboard").
  2. Download OpenSSL for Windows from
    Newtab2
    aliashttp://gnuwin32.sourceforge.net/packages/openssl.htm
    url
  1. http://gnuwin32.sourceforge.net/packages/openssl.htm
    . Select the ‘Complete package, except sources’ option, and copy the .exe file in the root file where the IDERA Dashboard services host, right-click and Run as Administrator to install the program.
  2. Start a Windows Command Prompt by clicking clicking Start > Command Prompt (right-click on Command Prompt to run as Administrator). Alternatively, you can go to to Start > Run > type cmd without  and then type cmd without quotes and press <Enter>.
  3. Use Use the cd C: and then cd \ commands  command to go to the root directory of the disk C:\, where you copied the key and certificates are locatedKey and Certificate files.
  4. Run the following commands to convert the key and the certificate from PEM to DER format.
    "C:\OpenSSL\bin\openssl" pkcs8 -topk8 -nocrypt -in wildcard.r1softidera.com.key -inform PEM -out wildcard.r1softidera.com.key.der -outform DER
    "C:\OpenSSL\bin\openssl" x509 -in wildcard.r1softidera.com.crt -inform PEM -out wildcard.r1softidera.com.crt.der -outform DER
  5. Use the cd command to go to the directory where the keytool is located.:
    cd "C:\Program Files\Idera Server Backup\jre\Dashboard\WebApplication\JRE\bin\"
  6. Use Internet Explorer To create the new keystore file, you have to download the ImportKey utility
    Newtab2
    aliashttps://discourse.igniterealtime.org/uploads/default/original/2X/2/2638b26131247f7d11132bd2e3fba0e1ec87156b.
    Point Internet Explorer to
    zip
    urlhttps
    http
    ://
    community
    discourse.igniterealtime.org/
    servlet
    uploads/default/
    JiveServlet
    original/
    download
    2X/
    196707-4718
    2/
    importkey
    2638b26131247f7d11132bd2e3fba0e1ec87156b.zip
    .
  7. Access IDERA’s FTP server by navigating to the path 
    Newtab2
    aliasftp://downloads.idera.com/
    urlftp://downloads.idera.com/
    in Internet Explorer (then follow the instructions on that page to log in), or by using the link in Windows File Explorer. Use the following credentials:
    Username: ImportKeyDownload
    Password: 03gXm6tv
  8. Unzip the ImportKey utility to C:\Program Files\Idera Server Backup\jre\Dashboard\WebApplication\JRE\bin\ directory.

  9. Run In your Command Promp window, run the following command. It will launch the ImportKey utility and create the keystore file (default name is keystore.ImportKey) in your home directory (in Windows 2008 it is usually C:\Users\<your username>). The private key and the certificate will be placed there.
    java ImportKey c:\wildcard.r1softidera.com.key.der c:\wildcard.r1softidera.com.crt.der

    Info

    The keystore 's password and the key 's passwords both must be set to passwordto password. To do this, proceed with the next step.

  10. The following command will allow allows you to set the password for your keystore file. The default password is importkey. Enter it when prompted, in your Command Promp window, and then type the new password, which must be set to "password".
    keytool -storepasswd -keystore c:\Users\Administrator\keystore.ImportKey
  11. This command will allow you to set the password for the key file in the keystore. The default password is importkey. Enter it when prompted, and then type the new password, which must be set to "password".
    keytool -keypasswd -alias importkey -keystore c:\Users\Administrator\keystore.ImportKey
  12. Use Internet Explorer to download the intermediate certificate chain for GoDaddy the Certification Authority (CA). Point For example, point Internet Explorer to
    Newtab2
    aliashttps://
    certificates
    certs.godaddy.com/repository
    /sf_issuing.crt
    urlhttps://certs.godaddy.com/repository
    .
  13. Save the intermediate certificate chain to the root directory of the disk C:\ on the server hosting the IDERA Dashboard services.

  14. Import the received trusted certificate into your keystore file., by running the following command in your Command Promp window:
    keytool -import -alias intermed -file c:\sf_issuing.crt -keystore c:\Users\Administrator\keystore.ImportKey -trustcacerts

    Info

    Internet Explorer may change the file extension. So if If the command above does not work, try sf_issuing.cer instead of sf_issuing.crt.

  15. Open Windows File Explorer on the machine hosting the IDERA Dashboard services. Navigate to the directory following directory C:\Program Files\Idera Server Backup\conf.\Dashboard\WebApplication\
  16. Rename the file keystore to keystore.old.
  17. Then rename the file C:\Users\<your username>\keystore.ImportKey to C:\Program Files\Idera Server Backup\Dashboard\WebApplication\conf\keystore.
  18. Restart Backup Manager service.

Follow the instructions below to restart the Backup Manager using the Backup Manager Configuration Utility.

  1. Go to Start > All Programs > Idera Server Backup > Backup Manager Configuration Utility. The Configuration Utility will start.
  2. From the "Services" menu, select the "Restart Backup Manager" option.
  3. Confirm your request to restart the Backup Manager by clicking "OK." You will see the following message. Click the "OK" button.

Linux

  1. Establish a SSH connection to the Linux server where the Backup Manager is installed. Or log in on the text Linux console. You should either log in as root or obtain root permissions after login via su or sudo command.

    Info

    Your home directory should be set to /root.

  2. Upload the key and the certificate to Backup Manager.
  3. Use the cd command to go to the directory where the keys are in.
  4. Run the following commands to convert the key and the certificate files from PEM into DER format.
    openssl pkcs8 -topk8 -nocrypt -in wildcard.r1soft.com.key -inform PEM -out wildcard.r1soft.com.key.der -outform DER
    openssl x509 -in wildcard.r1soft.com.crt -inform PEM -out wildcard.r1soft.com.crt.der -outform DER
  5. Use the cd command to go to the directory where keytool is located.
    cd /usr/sbin/r1soft/jre/bin
  6. Give everybody the permissions to execute the  keytool and java applications. The versions of these application hat come with Backup Manager are not executable, so you have to run chmod 755 it.
    chmod 755 java keytool
  7. Use the wget command to download the ImportKey utility:
    wget http://community.igniterealtime.org/servlet/JiveServlet/download/196707-4718/importkey.zip
  8. Unzip ImportKey.zip.
    unzip importkey.zip

  9. Run the following command. It will launch the ImportKey utility and create the keystore file (default name is keystore.ImportKey) in your home directory (root). The private key and the certificate will be placed there.
    ./java ImportKey /root/wildcard.r1soft.com.key.der /root/wildcard.r1soft.com.crt.der

    Info

    The keystore's password and the key's passwords must be set to password.

  10. The following command will allow you to set the password for your keystore file. The default password is importkey. Enter it when prompted and then type the new password, which must be set to "password".
    ./keytool -storepasswd -keystore /root/keystore.ImportKey
  11. This command will allow you to set the password for the key file in the keystore. The default password is importkey. Enter it when prompted and then type the new password, which must be set to "password".
    ./keytool -keypasswd -alias importkey -keystore /root/keystore.ImportKey
  12. Rename the keystore.ImportKey file (default name) into keystore.
    mv /root/keystore.ImportKey /root/keystore
  13. Run the following command to download the trusted certificate from the Certification Authority (CA). In our example, we connect to Go Daddy.
    wget -no-check-certificate -O /root/sf_issuing.crt https://certificates.godaddy.com/repository/sf_issuing.crt
  14. Import the received trusted certificate into your keystore file.
    ./keytool -import -alias intermed -file /root/sf_issuing.crt -keystore /root/keystore -trustcacerts
  15. You may have another keystore in your R1Soft folder. To make a backup copy of it, you should rename it (for example, to "keystore.old" as shown in the following example).
    mv /usr/sbin/r1soft/conf/keystore /usr/sbin/r1soft/conf/keystore.old
  16. Copy the new keystore file to your R1Soft folder.
    cp /root/keystore /usr/sbin/r1soft/conf/keystore
  17. Restart Backup Manager.
    /etc/init.d/cdp-server restart
  1. and move that file into “C:\Program Files\Idera\Dashboard\WebApplication\conf”.
  2. Finally, restart the IDERA Dashboard Web Application service to complete the setup, and log into the IDERA Dashboard to verify that the certificate has been successfully applied.


keytool keytool Options

  • alias. All keystore entries are accessed via unique aliases. Aliases are case-insensitive. An alias is specified when you add an entity to the keystore using the -import command. Subsequent keytool commands must use this same alias to refer to the entity.
  • file. Define absolute or relative path to your certificate file. If you define only the file name, it means, that the file is located in the root directory.
  • keystore. Each keytool command has a -keystore option for specifying the name and location of the persistent keystore file for the keystore managed by keytool. A keystore is created when you use -import command to add data to a keystore that does not already exist. If you do not specify a -keystore option, the default keystore is a file named .keystore in your home directory (as determined by the "user.home" system property). If that file does not already exist, it will be created.

...

  • .

...

C:\Windows\Profiles\uName on multi-user Windows 95 systems
C:\Windows on single-user Windows 95 systems
{code}
{excerpt}
Read more about Java keytool for Windows:

Newtab2
aliashttp://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html
{excerpt:hidden=true}
Linux:
The keystore is by default stored in a file named .keystore in the user's home directory, as determined by the "user.home" system property. If you do not specify a -keystore option, the default keystore is a file named .keystore in your home directory.
{excerpt}
Read more about Java keytool for Linux:
urlhttp://
download
java.
oracle
sun.com/javase/6/docs/technotes/tools/
solaris
windows/keytool.html



Scroll pdf ignore
Excerpt

Newtabfooter
aliasIDERA
urlhttp://www.idera.

...

com
|
Newtabfooter
aliasProducts
urlhttps://www.idera.com/productssolutions/sqlserver
|
Newtabfooter
aliasPurchase
urlhttps://www.idera.com/buynow/onlinestore
|
Newtabfooter
aliasSupport
urlhttps://idera.secure.force.com/
|
Newtabfooter
aliasCommunity
urlhttp://community.idera.com
|
Newtabfooter
aliasResources
urlhttp://www.idera.com/resourcecentral
|
Newtabfooter
aliasAbout Us
urlhttp://www.idera.com/about/aboutus
 |
Newtabfooter
aliasLegal
urlhttps://www.idera.com/legal/termsofuse

 

Need more help? Search the Idera Customer Support Portal

...