Symantec NetBackup 7 users may have Symantec OpsCenter for reporting purposes. OpsCenter is a web-based system, running under Tomcat. It doesn’t appear to provide a method of importing your own certificates, and so you always get a security warning when you visit the site, due to it using its own self-signed certificate. You could import the self-signed certificate to all your PCs, but this is a nicer method, if more fiddly. I’m no expert when it comes to Tomcat, but I believe the basic process should work for all Tomcat-based web applications.
These instructions are based on the Tomcat documentation.
- OpsCenter keystore is found here: “C:\Program Files\Symantec\OpsCenter\gui\Security\keystore” – I strongly recommend you take a backup copy of this file before starting the process. If you mess up you can just start again by replacing the corrupt keystore with the original one.
- The keystore password is opscenter – to find this I looked for the value of the keystorePass attribute in “C:\Program Files\Symantec\OpsCenter\WebServer\conf\server.xml”. You’ll be prompted for this when you use the keytool command during this process.
- The self-signed certificate has an alias of opscenter within the keystore. Check this before you start with the command:
keytool -list -keystore "C:\Program Files\Symantec\OpsCenter\gui\Security\keystore"
- I’m running NetBackup 7.0.1 and OpsCenter on Windows Server 2008 R2 (i.e. 64-bit).
- I’m assuming you’re logged on as the local Administrator, and have UAC enabled.
- I’m assuming you have a passing acquaintance with Active Directory Certificate Services. I’m no expert but have used it to generate certificates for DRACs for Dell PowerEdge servers, IIS etc.
- You’ll need to have your corporate root certificate and (if applicable) intermediate certificate, both as Base 64 encoded X.509 .cer files. I’ve saved these onto the Desktop as root.cer and intermediate.cer as appropriate.
Steps to add a corporate certificate to OpsCenter (Tomcat):
- Open an Administrator command prompt. Change to “C:\Program Files\Java\jre6\bin”.
- Generate a Certificate Signing Request (CSR) and store it on the desktop:
keytool -certreq -keyalg RSA -alias opscenter -file C:\Users\Administrator\Desktop\csr.csr -keystore "C:\Program Files\Symantec\OpsCenter\gui\Security\keystore"
- Use your corporate Active Directory Certificate Services to create a new certificate for the server, based on the CSR. I’m assuming you know how to do this – this is what I did:
  - Request a certificate
  - advanced certificate request
  - Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
  - Open the CSR in Notepad, select all, then copy and paste it into the Saved Request box and pick the appropriate template. I filled out the Additional Attributes box as follows:
    san:dns=<servername>&dns=<servername fully qualified>&dns=<numeric IP address>
    …obviously without the brackets…
  - Choose the Base 64 encoded radio button and click the Download certificate link.
  - Save the certificate as opscenter.cer and transfer it onto the OpsCenter Server Desktop.
- Import your root certificate:
keytool -import -alias root -keystore "C:\Program Files\Symantec\OpsCenter\gui\Security\keystore" -trustcacerts -file "C:\Users\Administrator\Desktop\root.cer"
Type yes when prompted with “Trust this certificate?”
- Import your intermediate certificate:
keytool -import -alias intermediate -keystore "C:\Program Files\Symantec\OpsCenter\gui\Security\keystore" -trustcacerts -file "C:\Users\Administrator\Desktop\intermediate.cer"
- Import your server certificate; this will overwrite/replace the original self-signed certificate:
keytool -import -alias opscenter -keystore "C:\Program Files\Symantec\OpsCenter\gui\Security\keystore" -trustcacerts -file "C:\Users\Administrator\Desktop\opscenter.cer"
- Restart the Symantec OpsCenterWebServer Service.
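A check worth running after the final import, added here as an example and not part of the original post: it parses the text of `keytool -list -v` and confirms that the opscenter alias still holds a private key, is no longer self-signed, and carries the CA chain. The sample listings and the host and CA names in them are constructed, and the field labels assume keytool's English output.

```python
import re

def parse_entries(listing):
    """Parse `keytool -list -v` text into {alias: entry details}."""
    entries = {}
    for block in re.split(r"(?m)^Alias name:\s*", listing)[1:]:
        def first(pattern, default=None):
            m = re.search(pattern, block, re.M)
            return m.group(1).strip() if m else default
        entries[block.splitlines()[0].strip()] = {
            "type": first(r"^Entry type:\s*(\S+)"),
            "chain_len": int(first(r"^Certificate chain length:\s*(\d+)", "0")),
            "owner": first(r"^Owner:\s*(.+)$"),    # first match is the leaf certificate
            "issuer": first(r"^Issuer:\s*(.+)$"),
        }
    return entries

def check_server_entry(listing, alias="opscenter"):
    """Return problems with the server entry; an empty list means it looks right."""
    entry = parse_entries(listing).get(alias)
    if entry is None:
        return ["alias not found"]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append("no private key behind this alias")
    if entry["owner"] == entry["issuer"]:
        problems.append("leaf certificate is still self-signed")
    if entry["chain_len"] < 2:
        problems.append("CA certificates are not part of the chain")
    return problems

# Constructed sample listings (hypothetical names, not captured from a real server).
BEFORE = """Alias name: opscenter
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=nbu01.example.local
Issuer: CN=nbu01.example.local
"""
AFTER = """Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA

Alias name: opscenter
Entry type: PrivateKeyEntry
Certificate chain length: 3
Owner: CN=nbu01.example.local
Issuer: CN=Example Issuing CA
"""
```

To use it against the real keystore, save the output of `keytool -list -v -keystore` for the OpsCenter keystore to a file and pass its contents to `check_server_entry`.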