In this post we will take a look at how to change the Package Signing Certificate (PSC) in a vRealize Orchestrator (vRO) appliance.
- Lab Environment
- Overview
- Changing the Package Signing Certificate
- Importing Digitally Signed Packages to a Different Destination vRO Server
- Backing up your PSC certificate and Private Key
- Final Step
Update Log:
12/02/2016 – Added chapters "Importing Digitally Signed Packages to a Different Destination vRO Server" and "Backing up your PSC certificate and Private Key"
Lab Environment
The full lab logical design can be seen HERE.
Overview
In order to change the PSC certificate we will have to go over a few steps. At a high level these are:
- Issue a certificate to meet the company’s requirement. The certificate must have the DigitalSignature and Key_Encipherment Key Usage attributes. It must also have the Server Authentication Extended Key Usage attribute. Ensure the certificate has a private key.
- Use the keytool to create new keystore. The keystore type must be JCEKS.
- Use the keytool to import the certificate into the keystore.
- Use the keytool to change the alias of the certificate to _dunesrsa_alias_
- Use the keytool to generate a Security Key and place it in the keystore.
- Use the keytool to change the alias of the Security Key to _dunessk_alias_
- Use the Control Center interface to import the keystore you created.
- Use the Control Center interface to restart the Orchestrator server.
Here is a screenshot of the original PSC certificate.
Changing the Package Signing Certificate
The first thing you must obtain is a PFX certificate package containing your PSC certificate.
I already have this certificate issued from my CA.
Note that the certificate must have the DigitalSignature and Key_Encipherment Key Usage attributes as shown above. It must also have the Server Authentication Extended Key Usage attribute.
Copy the PFX certificate package to any Linux appliance. We will use the keytool utility there to execute a few commands.
Run the following command to create a new keystore and, at the same time, import the PFX certificate package into it:
keytool -importkeystore -srckeystore "/etc/vco/app-server/security/rui.pfx" -srcstoretype pkcs12 -srcstorepass "dunesdunes" -deststoretype jceks -destkeystore "/etc/vco/app-server/security/psckeystore" -deststorepass "dunesdunes"
Run the following command to change the alias of the certificate:
keytool -changealias -alias rui -destalias _dunesrsa_alias_ -keystore "/etc/vco/app-server/security/psckeystore" -storetype jceks -storepass "dunesdunes"
Run the following command to generate a security key:
keytool -genseckey -alias _dunessk_alias_ -keyalg DES -keysize 56 -keypass "dunesdunes" -storetype jceks -keystore "/etc/vco/app-server/security/psckeystore" -storepass "dunesdunes"
In the above command I’ve used the DES algorithm with a key size of 56, but you may as well use the 3DES (DESede) algorithm with a key size of 168.
Run the following command to list the contents of the store:
keytool -list -storetype jceks -keystore "/etc/vco/app-server/security/psckeystore"
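The keytool commands above, gathered into one script as an added example (this is not the post's own code): it first checks that the certificate inside the PFX really carries the Digital Signature, Key Encipherment and Server Authentication attributes the post requires, then builds the JCEKS keystore, renames the entry to `_dunesrsa_alias_` and adds the `_dunessk_alias_` secret key. Assumptions: `openssl` and `keytool` are on the path (the appliance's JRE ships keytool), the PFX alias is `rui` as in the post's `-changealias` command, and a single password (`PSC_PASS`, read from the environment rather than typed on the command line) protects the PFX, the new keystore and the key, matching the post, which uses one password everywhere and enters only one password when importing through Control Center.

```shell
#!/bin/sh
# Added example, not the commands from the original post: wraps the post's
# keytool steps in one script that first verifies the PFX certificate carries
# the Key Usage / Extended Key Usage attributes the post requires, and that
# reads the password from the environment instead of the command line.
# Requires openssl and keytool. Paths and alias names follow the post; the
# PFX alias "rui" is an assumption taken from the post's -changealias command.

# Read an `openssl x509 -text` dump on stdin and return 0 only when it lists
# Digital Signature, Key Encipherment and TLS Web Server Authentication.
has_required_usages() {
  dump=$(cat)
  missing=""
  for want in "Digital Signature" "Key Encipherment" "TLS Web Server Authentication"; do
    case "$dump" in
      *"$want"*) ;;                       # attribute present
      *) missing="$missing [$want]" ;;    # record what is absent
    esac
  done
  if [ -n "$missing" ]; then
    echo "certificate lacks required attribute(s):$missing" >&2
    return 1
  fi
  return 0
}

# build_psc_keystore <pfx file> <alias inside the pfx> <jceks keystore to create>
# PSC_PASS must be set in the environment; keytool's ":env" password modifier
# and openssl's "env:" source read it, so the password never appears in `ps`.
# One password is used for the PFX, the keystore and the key, as in the post.
build_psc_keystore() {
  pfx=$1; src_alias=$2; store=$3
  : "${PSC_PASS:?set PSC_PASS to the PFX / keystore password}"

  # Step 1: refuse a certificate that does not meet the post's attribute list.
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PSC_PASS \
    | openssl x509 -noout -text \
    | has_required_usages || return 1

  # Step 2: create the JCEKS keystore and import the PFX in one command.
  keytool -importkeystore -srckeystore "$pfx" -srcstoretype pkcs12 \
    -srcstorepass:env PSC_PASS -destkeystore "$store" -deststoretype jceks \
    -deststorepass:env PSC_PASS || return 1

  # Step 3: rename the certificate entry to the alias vRO expects.
  keytool -changealias -alias "$src_alias" -destalias _dunesrsa_alias_ \
    -keystore "$store" -storetype jceks -storepass:env PSC_PASS || return 1

  # Step 4: generate the secret key under the second alias vRO expects,
  # using DESede/168, the stronger of the two options the post mentions.
  keytool -genseckey -alias _dunessk_alias_ -keyalg DESede -keysize 168 \
    -keypass:env PSC_PASS -keystore "$store" -storetype jceks \
    -storepass:env PSC_PASS || return 1

  # Step 5: list the result; expect a PrivateKeyEntry and a SecretKeyEntry.
  keytool -list -keystore "$store" -storetype jceks -storepass:env PSC_PASS
}

# Runs only when invoked with the three arguments, for example:
#   PSC_PASS='...' sh build-psc-keystore.sh \
#     /etc/vco/app-server/security/rui.pfx rui /etc/vco/app-server/security/psckeystore
if [ "$#" -eq 3 ]; then
  build_psc_keystore "$@"
fi
```

The attribute check runs before anything is written, so a certificate issued with the wrong template fails here rather than after the keystore has been imported into Control Center and the service restarted.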
Copy the keystore file to your Windows machine.
Open Control Center and navigate to Certificates > Package Signing Certificate.
Click Import > Import from JavaKeyStore file.
Browse the keystore file and enter the password.
Click Import to import the certificate.
Go to Startup Options and restart the Orchestrator service.
Navigate back to Certificates > Package Signing Certificate.
You should see the new certificate shown.
Open your vRO Client and navigate to Tools > Certificate Manager.
You should see the certificate listed here. The common name may differ, but if you compare the thumbprint it should match the private key entry in your keystore.
Under Known Certificates you may click Import certificate to import your certificate chain.
Importing Digitally Signed Packages to a Different Destination vRO Server
In the previous chapter we changed the PSC certificate on a vRO server to meet our company’s requirements. This certificate is used to digitally sign the packages we export from vRO.
If digitally signed workflow packages will only be imported back to the original vRO from which they were exported, no further steps are required.
If digitally signed workflow packages will be imported on a destination vRO different from the one from which they were exported, additional configuration steps are required on the destination vRO.
If you do not perform these steps and try to import a digitally signed workflow package from vRO ServerA into a different vRO ServerB, you will receive an error similar to the following:
SignatureException
Signature length not correct: got 256 but was expecting 512.
So, let’s take a look at what needs to be done on vRO ServerB so that it can successfully import digitally signed workflow packages.
First you need to export the entire keystore containing the PSC certificate from vRO ServerA.
To do this navigate to vRO Control Center, Certificates, and select Package Signing Certificate.
Click Export, type a password and export the keystore to a file.
On vRO ServerB import the keystore containing the PSC certificate from vRO ServerA.
To do this navigate to vRO Control Center, Certificates, and select Package Signing Certificate.
Click Import, Import from JavaKeyStore file.
The Orchestrator server must be restarted for the change to take effect.
Now both vRO ServerA and vRO ServerB possess the same PSC including the secret key/private key needed to encrypt and decrypt digitally signed workflow packages.
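A quick way to confirm the two servers really hold the same PSC before moving signed packages, as an added example that is not part of the original post: export the keystore from each server as described above, run `keytool -list -v -storetype jceks -keystore <file>` against each export, and compare the SHA256 fingerprint of the `_dunesrsa_alias_` entry. The two dumps below are constructed for the example (the fingerprints and host names are made up), and the script assumes the usual `keytool -list -v` layout where each entry starts with an `Alias name:` line and lists `SHA256:` under "Certificate fingerprints".

```shell
#!/bin/sh
# Added example, not from the original post: compare the package-signing
# certificate fingerprint found in two `keytool -list -v` dumps so that a
# mismatch between vRO ServerA and ServerB is caught before a package import
# fails with a SignatureException. Dumps below are constructed sample data.

# Print the SHA256 fingerprint of the entry with the given alias (default
# _dunesrsa_alias_) from a keytool -list -v dump read on stdin. Prints
# nothing when the alias is absent or has no certificate (a SecretKeyEntry).
psc_fingerprint() {
  alias_name=${1:-_dunesrsa_alias_}
  awk -v want="$alias_name" '
    /^Alias name:/          { in_entry = ($3 == want) }   # entry boundary
    in_entry && /SHA256:/   { print $2; exit }            # first match wins
  '
}

# same_psc <dump A> <dump B>: 0 when both dumps carry the same, non-empty
# fingerprint for _dunesrsa_alias_, 1 otherwise.
same_psc() {
  a=$(printf '%s\n' "$1" | psc_fingerprint)
  b=$(printf '%s\n' "$2" | psc_fingerprint)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed dump for ServerA (values are made up, not from a real appliance).
SERVER_A_DUMP='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

Alias name: _dunesrsa_alias_
Creation date: Feb 12, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vro-a.example.test
Issuer: CN=Example Issuing CA
Certificate fingerprints:
         SHA1: 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:00:11:22:33
         SHA256: AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

Alias name: _dunessk_alias_
Creation date: Feb 12, 2016
Entry type: SecretKeyEntry
'

# Constructed dump for ServerB, still carrying its own self-signed PSC.
SERVER_B_DUMP='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

Alias name: _dunesrsa_alias_
Creation date: Jan 05, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vro-b.example.test
Issuer: CN=vro-b.example.test
Certificate fingerprints:
         SHA1: 99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66
         SHA256: BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB

Alias name: _dunessk_alias_
Creation date: Jan 05, 2016
Entry type: SecretKeyEntry
'

if same_psc "$SERVER_A_DUMP" "$SERVER_B_DUMP"; then
  echo "PSC matches: packages signed on ServerA will verify on ServerB"
else
  echo "PSC differs: export ServerA's keystore and import it on ServerB first" >&2
fi
```

To use it against real exports, replace the two constructed strings with `$(keytool -list -v -storetype jceks -keystore serverA.keystore)` and the same for ServerB; the fingerprint that prints is also the one to compare against the thumbprint shown in the vRO Client's Certificate Manager.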
Backing up your PSC certificate and Private Key
In case of a vRO failure, you will need the following files in order to import a digitally signed package into a different destination appliance:
- vRO Package Signing Certificate Keystore file.
- The Package Signing Certificate (optional but recommended)
Final Step
If all went well, go grab a beer.