Import certificate to Symantec OpsCenter web server (Tomcat)

Symantec NetBackup 7 users may have Symantec OpsCenter for reporting purposes. OpsCenter is a web-based system, running under Tomcat. It doesn’t appear to provide a method of importing your own certificates, and so you always get a security warning when you visit the site, due to it using it’s own self-signed certificate. You could import the self-signed certificate to all your PCs, but this is a nicer method, if more fiddly. I’m no expert when it comes to Tomcat, but I believe the basic process should work for all Tomcat-based web applications.

These instructions are based on the Tomcat documentation.

Other stuff:

  • OpsCenter keystore is found here: “C:\Program Files\Symantec\OpsCenter\gui\Security\keystore” – I strongly recommend you take a backup copy of this file before starting the process. If you mess up you can just start again by replacing the corrupt keystore with the original one.
  • The keystore password is opscenter – to find this I looked for the value of the keystorePass attribute in “C:\Program Files\Symantec\OpsCenter\WebServer\conf\server.xml”. You’ll be prompted for this when you use the keytool command during this process.
  • The self-signed certificate has an alias of opscenter within the keystore. Check this before you start with the command:
    keytool -list -keystore “C:\Program Files\Symantec\OpsCenter\gui\Security\keystore”
  • I’m running NetBackup 7.0.1 and OpsCenter on Windows Server 2008 R2 (i.e. 64-bit).
  • I’m assuming you’re logged on as the local Administrator, and have UAC enabled.
  • I’m assuming you have a passing acquaintance with Active Directory Certificate Services. I’m no expert but have used it to generate certificates for DRACs for Dell PowerEdge servers, IIS etc.
  • You’ll need to have your corporate root certificate and (if applicable)  intermediate certificate, both as Base 64 encoded X.509 .cer files. I’ve saved these onto the Desktop as root.cer and intermediate.cer as appropriate.

Steps to add a corporate certificate to OpsCenter (Tomcat):

  1. Open an Administrator command prompt. Change to “C:\Program Files\Java\jre6\bin”.
  2. Generate a Certificate Signing Request (CSR) and store it on the desktop:
    keytool –certreq –keyalg RSA –alias opscenter –file C:\Users\Administrator\Desktop\csr.csr –keystore “C:\Program Files\Symantec\OpsCenter\gui\Security\keystore”
  3. Use your corporate Active Directory Certificate Services to create a new certificate for the server, based on the CSR. I’m assuming you know how to do this – this is what I did:
    Request a certificate
    advanced certificate request
    Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
    Open the CSR in Notepad, select all, copy & paste into the Saved Request box, pick the appropriate template, I filled out the Additional Attributes box as follows:
    san:dns=<servername>&dns=<servername fully qualified>&dns=<numeric IP address>
    …obviously without the brackets…
    Click Submit.
    Choose the Base 64 encoded radio button and click the Download certificate link.
    Save the certificate as opscenter.cer and transfer onto the OpsCenter Server Desktop.
  4. Import your root certificate:
    keytool -import -alias root -keystore “C:\Program Files\Symantec\OpsCenter\gui\Security\keystore” -trustcacerts -file “C:\Users\Administrator\Desktop\root.cer”
    Type yes when prompted Trust this certificate?
  5. Import your intermediate certificate:
    keytool -import -alias intermediate -keystore “C:\Program Files\Symantec\OpsCenter\gui\Security\keystore” -trustcacerts -file “C:\Users\Administrator\Desktop\intermediate.cer”
  6. Import your server certificate, this will overwrite/replace the original self-signed certificate:
    keytool -import -alias opscenter -keystore “C:\Program Files\Symantec\OpsCenter\gui\Security\keystore” -trustcacerts -file “C:\Users\Administrator\Desktop\opscenter.cer”
  7. Restart the Symantec OpsCenterWebServer Service.


This entry was posted in NetBackup. Bookmark the permalink.

5 Responses to Import certificate to Symantec OpsCenter web server (Tomcat)

  1. Tim Atkinson says:

    Great article, and thanks. One question though, I followed the steps, but get the following when trying to import the server certificate:

    “keytool error: java.lang.Exception: Certificate not imported, alias already exists”

    I gather this is due to the alias being identical for both the issuing and server certificates, and that changing this to a unique alias has no ill affect.


  2. Thank you very much. Your article is really helpfull for me.

    Also there is not necessary to have all certificate in chain in cer-files. You can just download p7b-file when generating certificate for OpsCenter and import it in 1 step.


  3. Lynne Seamans says:

    Should “keytool” already be on my opscenter server (in this case, also my netbackup master server)?

    I looked at the tomcat doc.. kinda thought i had to install something, but new to NetBackup and don’t want to break anything.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.