Jul 22, 2015. Accessing the s_server via openssl s_client. To complete the circle, we'll make sure our s_server is actually working by accessing it via openssl s_client:

$ openssl s_client -connect localhost:44330
CONNECTED(00000003)
depth=0 C = NL, ST = Utrecht, L = Utrecht, O = Company, OU = Unit, CN = localhost

openssl s_client -servername www.example.com -host example.com -port 443

Test a TLS connection by forcing a specific cipher suite. This is useful to check whether a server can properly talk over each of its configured cipher suites, not only the one it prefers.
The following example describes how to create a signed client certificate using the OpenSSL toolkit as a private certificate authority. This example also uses the keytool utility available with the Sun Microsystems™ standard Java Development Kit. You can use a client certificate to validate that the client is authorized to connect to the HPE Service Manager server, or as part of a trusted sign-on configuration.
Note This example builds on information presented in Example: Generating a server certificate with OpenSSL. The information contained in this example regarding OpenSSL technology is provided by HPE as a courtesy to our customers and partners. This documentation does not replace an OpenSSL reference, and HPE encourages you to conduct additional research regarding OpenSSL technology by consulting with sources outside of this document. HPE hereby disclaims all liability associated with the use and accuracy of this information. As OpenSSL technology evolves, HPE may or may not update this reference.
Type the following command to create a private key and keystore for your Service Manager client. For example, to create a private key and keystore for your Service Manager web tier, type:
keytool -genkey -keyalg RSA -alias clients -keystore <clientcerts>.keystore
Note When you repeat this step for multiple clients, replace <clientcerts> (and also <client> in the following steps) with a name that uniquely identifies each client. For example, you can use the FQDN of each Windows client, and the FQDN or smwebtier for your web tier client.
Note HPE recommends that the keyalg parameter use a value of RSA rather than the default of DSA. Doing so allows your TLS communications to use the stronger ECDHE cipher suites, which are not vulnerable to Logjam attacks (CVE-2015-4000).
yes if it is correct.
When keytool prompts you for the password phrase to use for your Service Manager web tier's private key, press ENTER to use the same password as you created for the keystore.
Note The password for the private key must match the password for the keystore file.
keytool -certreq -alias clients -keystore <clientcerts>.keystore -file <client>_certrequest.crs
<client>_certrequest.crs) to the OpenSSL
openssl x509 -req -days 365 -sha256 -in <client>_certrequest.crs -CA mycacert.pem -CAkey cakey.pem -CAcreateserial -out <client>_cert.pem
When OpenSSL prompts you, type the password for your certificate authority's private key. For example,
OpenSSL stores the new signed certificate (<client>_cert.pem) in the
Tip To view the contents of the signed certificate, you can type the following command:
openssl x509 -in <client>_cert.pem -text -noout
<client>_cert.pem) to the OpenSSL server's Java platform
Type the following command to import the Service Manager client's signed certificate into a client keystore.
keytool -import -trustcacerts -alias clients -keystore ./<clientcerts>.keystore -file <client>_cert.pem
Copy the updated client keystore (<clientcerts>.keystore) to the default certificate path of your client:
WEB-INF folder of the Service Manager Web tier
<Windows client installation path>\plugins\com.hp.ov.sm.client.common_x.xx folder of your Service Manager Windows clients
Import each client certificate you want to be part of the list of trusted clients into a trusted clients keystore. To do so, type the following command:
keytool -import -alias client1 -file <client>_cert.pem -keystore trustedclients.keystore
trustedclients.keystore) to the Service Manager server's RUN folder.
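The following script is an added example and is not part of the HPE documentation above. It exercises the OpenSSL side of the procedure end to end (private CA, certificate request, signing with -CA/-CAkey/-CAcreateserial and -sha256) and adds the checks a practitioner would want before copying anything into a trust store: that the issued certificate carries the expected subject and SHA-256 signature, that it verifies against the private CA, and that a certificate issued by an unrelated CA does not. Because keytool may not be installed where this runs, the client key and request are produced with openssl req instead of keytool -genkey / -certreq; the equivalent keytool steps are the ones shown on the page. The working directory, the CA password, and the "rogue" CA used for the negative check are constructed for the demo; file names follow the page's mycacert.pem/cakey.pem pattern only loosely.

```shell
#!/bin/sh
# Added example (not HPE's code): private-CA signing flow with openssl plus verification checks.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch directory (constructed for the demo)
CA_PASS="ca-demo-pass"           # constructed demo password for the CA private key

# make_ca <name> <CN>: self-signed CA certificate and password-protected CA key
# (the page's mycacert.pem / cakey.pem; the key password is what openssl x509 prompts for).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
    -keyout "$WORK/$1_key.pem" -out "$WORK/$1_cert.pem" \
    -passout "pass:$CA_PASS" -subj "/O=Company/CN=$2" >/dev/null 2>&1
}

# make_csr <client>: RSA client key and certificate request; stands in for
# keytool -genkey -keyalg RSA followed by keytool -certreq on the Java side.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1_key.pem" -out "$WORK/$1_certrequest.crs" \
    -subj "/O=Company/CN=$1" >/dev/null 2>&1
}

# sign_csr <client> <ca>: the page's signing command; -CAcreateserial writes <ca>_cert.srl.
sign_csr() {
  openssl x509 -req -days 365 -sha256 -in "$WORK/$1_certrequest.crs" \
    -CA "$WORK/$2_cert.pem" -CAkey "$WORK/$2_key.pem" -CAcreateserial \
    -passin "pass:$CA_PASS" -out "$WORK/$1_cert.pem" >/dev/null 2>&1
}

# cert_subject_cn <client>: CN of the issued certificate (RFC 2253 form, CN first).
cert_subject_cn() {
  openssl x509 -in "$WORK/$1_cert.pem" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_sig_alg <client>: signature algorithm as printed by openssl x509 -text.
cert_sig_alg() {
  openssl x509 -in "$WORK/$1_cert.pem" -noout -text |
    sed -n 's/^ *Signature Algorithm: //p' | head -n 1 | tr -d '\r'
}

# verify_against_ca <client> <ca>: succeeds only if the certificate chains to that CA.
# This is the check the server's trustedclients.keystore effectively performs.
verify_against_ca() {
  openssl verify -CAfile "$WORK/$2_cert.pem" "$WORK/$1_cert.pem" >/dev/null 2>&1
}

run_demo() {
  make_ca myca "Company Private CA"
  make_csr smwebtier
  sign_csr smwebtier myca
  echo "subject CN : $(cert_subject_cn smwebtier)"
  echo "signature  : $(cert_sig_alg smwebtier)"
  echo "serial file: $WORK/myca_cert.srl"
  verify_against_ca smwebtier myca && echo "smwebtier verifies against myca: OK"

  # Negative check: a certificate from an unrelated CA must NOT verify against ours.
  make_ca rogue "Some Other CA"
  make_csr impostor
  sign_csr impostor rogue
  if verify_against_ca impostor myca; then
    echo "ERROR: impostor certificate verified against myca"; return 1
  fi
  echo "impostor rejected by myca: OK"
}

run_demo
```

Keep the negative check in mind when populating trustedclients.keystore: the server trusts whatever certificates are imported there, so import only certificates you signed yourself and confirmed with openssl verify, never a certificate whose issuer you cannot account for.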
Example: Enabling required SSL encryption and client authentication
Example: Enabling required SSL encryption and trusted clients
Example: Enabling trusted sign-on
Example: Viewing the contents of a cacerts file
OpenSSL Web site
Secure Sockets Layer (SSL) encryption and server certificates
What are PEM files?
What is a cacerts file?
Add a client certificate to the web tier
Add a client certificate to the Windows client
Update the cacerts keystore file
Use keytool to create a certificate request
Use keytool to create a private key