Active IQ Unified Manager Discussions

WFA is configured for HTTPS - How do I replace the supplied cert with a real one?

SCOTT_LINDLEY
5,940 Views

I have followed the directions for configuring WFA to respond only to HTTPS requests for the Web GUI. Now I need to replace the wacky certificate that comes with the WFA install with a real one. I will need to know how to generate the CSR against the WFA server, then how to install the resulting certificate on it. Much to my surprise, I cannot find any relevant documentation for such a process on any of the NetApp WFA sites or documentation. Please advise.

Scott Lindley

1 ACCEPTED SOLUTION

sinhaa
5,940 Views

Scott,

You need to create a new keystore for the wfa server:

1.

New keystore:

Goto: C:\Program Files\NetApp\WFA\jboss\standalone\configuration\ and remove/rename the wfa.keystore file

cd to C:\Program Files\NetApp\WFA\jre\bin

keytool -genkey -alias "ssl keystore" -keyalg RSA -keystore "C:\Program Files\NetApp\WFA\jboss\standalone\configuration\wfa.keystore" -validity 3650

When prompted with Keystore password, give "changeit" { without quotes }

In you first and last name, provide your wfa server FQDN or hostname.

C:\Program Files\NetApp\WFA\jre\bin>keytool -genkey -alias "ssl keystore" -keyalg RSA -keystore "C:\

Program Files\NetApp\WFA\jboss\standalone\configuration\wfa.keystore" -validity 3650

Enter keystore password:

Re-enter new password:

What is your first and last name?

  [Unknown]:  mei-2k8r2se64-1

What is the name of your organizational unit?

...

....

Your new wfa.keystore is ready.

You can create CSR in the following way:

1. cd C:\NetApp\WFA\jre\bin

2. keytool -certreq -keystore C:\NetApp\WFA\jboss\standalone\configuration\wfa.keystore -alias "ssl keystore" -file C:\filename.csr

3. It will prompt for the password for the keystore, use "changeit"

4. Open the file C:\filename.csr , It has your required CSR which can be sent to your CA to obtain the certificate.

5. Once you download the certificate you can import it in many ways. Double click and follow there after.

Install the certificate into "Trusted Root Certificate Authorities".

Restart WFA service.

This should be done now.

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

4 REPLIES 4

sinhaa
5,940 Views

Hello Scott,

                 Your inconvenience is a valid concern.While the WFA team looks more into it, You can try the directions given in this doc. http://docs.jboss.org/jbossweb/latest/ssl-howto.html or http://www.freebsdhowtos.com/117.html

I googled it just now. I'm trying it myself to see if it works.

warm regards,

Abhishek

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

sinhaa
5,941 Views

Scott,

You need to create a new keystore for the wfa server:

1.

New keystore:

Goto: C:\Program Files\NetApp\WFA\jboss\standalone\configuration\ and remove/rename the wfa.keystore file

cd to C:\Program Files\NetApp\WFA\jre\bin

keytool -genkey -alias "ssl keystore" -keyalg RSA -keystore "C:\Program Files\NetApp\WFA\jboss\standalone\configuration\wfa.keystore" -validity 3650

When prompted with Keystore password, give "changeit" { without quotes }

In you first and last name, provide your wfa server FQDN or hostname.

C:\Program Files\NetApp\WFA\jre\bin>keytool -genkey -alias "ssl keystore" -keyalg RSA -keystore "C:\

Program Files\NetApp\WFA\jboss\standalone\configuration\wfa.keystore" -validity 3650

Enter keystore password:

Re-enter new password:

What is your first and last name?

  [Unknown]:  mei-2k8r2se64-1

What is the name of your organizational unit?

...

....

Your new wfa.keystore is ready.

You can create CSR in the following way:

1. cd C:\NetApp\WFA\jre\bin

2. keytool -certreq -keystore C:\NetApp\WFA\jboss\standalone\configuration\wfa.keystore -alias "ssl keystore" -file C:\filename.csr

3. It will prompt for the password for the keystore, use "changeit"

4. Open the file C:\filename.csr , It has your required CSR which can be sent to your CA to obtain the certificate.

5. Once you download the certificate you can import it in many ways. Double click and follow there after.

Install the certificate into "Trusted Root Certificate Authorities".

Restart WFA service.

This should be done now.

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

sinhaa
5,940 Views

If you don't want to use the default keystore password, you need to update this new password in your file standalone-full.xml in folder WFA\jboss\standalone\configuration

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

SCOTT_LINDLEY
5,940 Views

Thanks! Between your excellent writeup and the links from above, I managed to get WFA properly configured. I hope this is properly covered in the GA version of WFA.

Public