Contact support for information about Gateway versions older than 1.16.
Note: An imported SSL certificate signed by a trusted certificate authority or a CA certificate imported to the keystore will not persist through an EcoStruxure IT Gateway update.
EcoStruxure IT Gateway stores the user interface SSL certificates in two Java keystore files in the C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore\ directory:
dcos.keystore (PrivateKeyEntry)
dcos.truststore (trustedCertEntry)
Verify the contents of the Java keystores
-
Open C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\application-installer.yaml
-
In the server: > ssl: section, find the line key-store-password and remember the password for the keystores.
-
Open a command prompt window and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore
-
Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -list -v -keystore dcos.keystore
-
Enter the password you remembered in step 2.
-
Verify the keystore contents are displayed without error.
-
Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -list -v -keystore dcos.truststore
-
Enter the password you remembered in step 2 when prompted.
-
Verify the keystore contents are displayed without error.
Create a new keystore for the trusted SSL certificate
-
Stop the EcoStruxureITGateway-x.x.x.x service.
-
Delete the existing keystore file, C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore\dcos.keystore.
-
Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore
-
Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048
-
The other values might need to match the values present on the CA. Some values are required by the CA, and others might be optional. This depends on the CA configuration.
-
Use the .csr file to create a new certificate signed by the Trusted CA. This could be a CA run by your company, or it might need to be sent to a third-party Certificate Authority.
-
Use the same password you remembered in step 2 of the "Verify the contents of the Java keystores" section.
-
Verify that the file dcos.keystore now exists in the keystore folder.
-
Start the EcoStruxureITGateway-x.x.x.x service.
Create a certificate signing request and a new SSL certificate signed by a trusted CA
-
Type the command:
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -certreq -alias dcos -keystore dcos.keystore -file newSxOnGW.csr
-
Enter the required values when prompted. The first value must match the hostname or FQDN (Fully Qualified Domain Name) of the server where EcoStruxure IT Gateway is installed.
Import the Root CA and Web Server SSL certificates to the EcoStruxure IT Gateway keystore
-
Copy rootca.crt and newSxOnGW.crt to the machine where EcoStruxure IT Gateway is installed.
-
Stop the EcoStruxureITGateway-x.x.x.x service.
-
Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore
-
Import the root CA certificate. Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias root -file rootca.crt -keystore root.truststore
-
Import the Web Server SSL certificate. Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias dcos -file newSxOnGW.crt -keystore dcos.keystore
-
Make sure the root CA certificate is imported to the internet browser on all the computers that will be used to access the Gateway user interface.
-
Start the EcoStruxureITGateway-x.x.x.x service.
EcoStruxure IT Gateway will now use the new signed certificate, and no SSL Certificate security warning will be displayed by the browser when the Gateway user interface is launched.
C:\Program Files\EcoStruxureITGateway\<version>\gateway\conf\keystore\dcos.keystore (PrivateKeyEntry)
C:\Program Files\EcoStruxureITGateway\<version>\gateway\conf\keystore\dcos.truststore (trustedCertEntry)
EcoStruxure IT Gateway stores the user interface SSL certificates in two Java keystore files in the /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore directory:
dcos.keystore (PrivateKeyEntry)
dcos.truststore (trustedCertEntry)
Verify the contents of the Java keystores
-
Open /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/application-installer.yaml
-
In the server: > ssl: section, find the line key-store-password and remember the password for the keystores.
-
Open a command prompt window and change the directory to /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore
-
Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -list -v -keystore dcos.keystore
-
Enter the password you remembered in step 2.
-
Verify the keystore contents are displayed without error.
-
Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -list -v -keystore dcos.truststore
-
Enter the password you remembered in step 2 when prompted.
-
Verify the keystore contents are displayed without error.
Create a new keystore for the trusted SSL certificate
-
Stop the EcoStruxureITGateway-x.x.x.x service.
-
Delete the existing keystore file, /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore/dcos.keystore.
-
Open a command prompt and change the directory to /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore
-
Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048
-
The other values might need to match the values present on the CA. Some values are required by the CA, and others might be optional. This depends on the CA configuration.
-
Use the .csr file to create a new certificate signed by the Trusted CA. This could be a CA run by your company, or it might need to be sent to a third-party Certificate Authority.
-
Use the same password you remembered in step 2 of the "Verify the contents of the Java keystores" section.
-
Verify that the file dcos.keystore now exists in the keystore folder.
-
Start the EcoStruxureITGateway-x.x.x.x service.
Create a certificate signing request and a new SSL certificate signed by a trusted CA
-
Type the command:
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -certreq -alias dcos -keystore dcos.keystore -file newSxOnGW.csr
-
Enter the required values when prompted. The first value must match the hostname or FQDN (Fully Qualified Domain Name) of the server where EcoStruxure IT Gateway is installed.
Import the Root CA and Web Server SSL certificates to the EcoStruxure IT Gateway keystore
-
Copy rootca.crt and newSxOnGW.crt to the machine where EcoStruxure IT Gateway is installed.
-
Stop the EcoStruxureITGateway-x.x.x.x service.
-
Open a command prompt and change the directory to /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore
-
Import the root CA certificate. Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -importCert -trustcacerts -alias root -file rootca.crt -keystore root.truststore
-
Import the Web Server SSL certificate. Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -importCert -trustcacerts -alias dcos -file newSxOnGW.crt -keystore dcos.keystore
-
Make sure the root CA certificate is imported to the internet browser on all the computers that will be used to access the Gateway user interface.
-
Start the EcoStruxureITGateway-x.x.x.x service.
EcoStruxure IT Gateway will now use the new signed certificate, and no SSL Certificate security warning will be displayed by the browser when the Gateway user interface is launched.
/opt/EcoStruxureITGateway/<version>/gateway/conf/keystore/dcos.keystore (PrivateKeyEntry)
/opt/EcoStruxureITGateway/<version>/gateway/conf/keystore/dcos.truststore (trustedCertEntry)
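Before the service is restarted, the "keytool -list -v" output for dcos.keystore can be checked to confirm that the dcos alias still holds the private key and now carries the CA-signed certificate instead of the self-signed one created by -genkey. The shell function below is an added example, not part of the vendor procedure; the host name gateway.example.test and both sample listings are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit `keytool -list -v` output (read on stdin) for one alias.
# Prints a line per finding; returns non-zero if any check fails.
check_listing() {
  awk -v want="$1" -v host="$2" '
    # Pull the CN value out of an Owner:/Issuer: distinguished name.
    function cn(dn) { return match(dn, /CN=[^,]+/) ? substr(dn, RSTART + 3, RLENGTH - 3) : "" }
    /^Alias name: /               { cur = substr($0, 13); cert = 0 }
    cur != want                   { next }
    /^Entry type: /               { type = substr($0, 13) }
    /^Certificate chain length: / { chain = $NF + 0 }
    /^Certificate\[[0-9]+\]:/     { cert++; next }
    cert == 1 && /^Owner: /       { owner = substr($0, 8) }
    cert == 1 && /^Issuer: /      { issuer = substr($0, 9) }
    END {
      if (type == "") { print "FAIL alias not found: " want; exit 1 }
      if (type != "PrivateKeyEntry") { print "FAIL entry type is " type; exit 1 }
      if (owner == issuer) { print "FAIL leaf is self-signed, CA reply not imported"; bad = 1 }
      if (chain < 2) { print "FAIL chain length " chain ", issuing CA missing"; bad = 1 }
      if (tolower(cn(owner)) != tolower(host)) { print "FAIL CN " cn(owner) " is not " host; bad = 1 }
      if (!bad) print "OK " want ": " cn(owner) " issued by " cn(issuer)
      exit bad + 0
    }'
}
# Constructed listings (not real Gateway output): after the signed certificate
# is imported, and straight after -genkey.
sample_signed() { cat <<'EOF'
Alias name: dcos
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=gateway.example.test, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
EOF
}
sample_selfsigned() { cat <<'EOF'
Alias name: dcos
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=gateway.example.test, O=Example, C=US
Issuer: CN=gateway.example.test, O=Example, C=US
EOF
}
sample_signed | check_listing dcos gateway.example.test
sample_selfsigned | check_listing dcos gateway.example.test || true
```

On a live system, pipe the output of the "keytool -list -v -keystore dcos.keystore" command from the verification steps into check_listing with the alias dcos and the Gateway host name. Browsers match the host name against the certificate's subjectAlternativeName extension, so also confirm that the certificate returned by the CA lists the same name there.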