Creating SHA-1 certificates to establish connection between agents and the Management Server
Last Updated May 21, 2018
From Data Center Security: Server Advanced 6.7 MP2 onwards, a fresh installation of the Management Server generates certificates that use SHA-256 with RSA as the signature algorithm. Because of the new certificates, the older agents listed in the following table may fail to communicate with the Management Server:
Frozen agent binary from 5.2.9.MP6
You must deploy a tomcat-only Management Server and use certificates created with SHA-1 with RSA as the signature algorithm for agent-server communication.
Perform the following procedures to register the legacy agents with the tomcat-only Management Server.
Before you begin
Before you generate the certificates, do the following:
Back up the original certificate files to a safe location. You can find the certificates in the following locations:
<DCS server Install Directory>\server\agent-cert.ssl
<DCS server Install Directory>\server\server-cert.ssl
Ensure that you have access to the server.xml file that is located at: <DCS server Install Directory>\server\tomcat\conf
From the server.xml file, note down the value of keystorepass. The keystorepass is an alphanumeric string of 40 characters.
Note down the Common Name (CN) parameter. For the Management Server, this value is always SCSP_Management_Server.
Note down the hostname of the Management Server. The hostname is required for the OU parameter.
Locate the keytool.exe that is present at the following location: <DCS server Install Directory>\server\jre\bin
To create the SHA-1 certificates manually:
From the command line, access the keytool utility that is present at the following location: <DCS server Install Directory>\server\jre\bin
Create a temporary folder, for example: C:\TempDCS\
Copy the server-cert.ssl file to the temporary location C:\TempDCS\
Using the command line, enter the following command: keytool.exe -delete -keystore C:\TempDCS\server-cert.ssl -alias sss -storepass [40-character alphanumeric string found in the server.xml file] -storetype PKCS12
Using the command line, enter the following command: keytool.exe -genkey -keystore "C:\TempDCS\server-cert.ssl" -alias sss -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -storetype PKCS12 -storepass [40-character alphanumeric string found in the server.xml file] -keypass [40-character alphanumeric string found in the server.xml file] -dname "CN=SDCSS_Management_Server, OU=[SCSP server hostname]"
Using the command line, enter the following command: keytool.exe -export -alias sss -rfc -keystore "C:\TempDCS\server-cert.ssl" -file "C:\TempDCS\agent-cert.ssl" -storepass [40-character alphanumeric string found in the server.xml file] -storetype PKCS12
Use the agent-cert.ssl created in this step for agent-server communication.
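The three keytool steps above, wrapped in one script as an added example that is not part of the original article: it backs up the original keystore files, works on a copy, and then verifies that the exported agent-cert.ssl really carries a SHA1withRSA signature and the expected subject before you copy it back. $InstallDir, $StorePass, $ServerHost and $TempDir are operator-supplied assumptions, and the CN follows the value given in "Before you begin"; substitute the CN you noted down if it differs.

```powershell
# Added example (not from the article): runs the three keytool steps from one script,
# keeps a backup of the original keystore files, and verifies the exported certificate
# before it is copied back. $InstallDir, $StorePass and $ServerHost are supplied by
# the operator; the CN follows the "Before you begin" note in the article.
param(
    [Parameter(Mandatory)] [string] $InstallDir,  # <DCS server Install Directory>
    [Parameter(Mandatory)] [string] $StorePass,   # keystorepass value from server.xml
    [Parameter(Mandatory)] [string] $ServerHost,  # Management Server hostname, used as OU
    [string] $TempDir = 'C:\TempDCS'
)
$ErrorActionPreference = 'Stop'
$keytool   = Join-Path $InstallDir 'server\jre\bin\keytool.exe'
$origKs    = Join-Path $InstallDir 'server\server-cert.ssl'
$origAgent = Join-Path $InstallDir 'server\agent-cert.ssl'
$serverKs  = Join-Path $TempDir 'server-cert.ssl'
$agentCert = Join-Path $TempDir 'agent-cert.ssl'

function Invoke-Keytool([string[]] $KeytoolArgs) {
    # keytool does not raise a PowerShell error on failure, so check its exit code explicitly.
    & $keytool @KeytoolArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KeytoolArgs[0]) failed with exit code $LASTEXITCODE" }
}
if ($StorePass.Length -ne 40) { throw "keystorepass should be 40 characters, got $($StorePass.Length)" }

# Back up the originals first (Before you begin), then work on a copy as the article does.
$backup = Join-Path $TempDir ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Copy-Item $origKs, $origAgent -Destination $backup
Copy-Item $origKs -Destination $serverKs -Force

# Step 1: remove the existing 'sss' entry from the copied keystore.
Invoke-Keytool @('-delete', '-keystore', $serverKs, '-alias', 'sss',
                 '-storepass', $StorePass, '-storetype', 'PKCS12')
# Step 2: generate a new RSA-2048 key pair whose self-signed certificate uses SHA1withRSA.
Invoke-Keytool @('-genkey', '-keystore', $serverKs, '-alias', 'sss', '-keyalg', 'RSA',
                 '-sigalg', 'SHA1withRSA', '-keysize', '2048', '-storetype', 'PKCS12',
                 '-storepass', $StorePass, '-keypass', $StorePass,
                 '-dname', "CN=SCSP_Management_Server, OU=$ServerHost")
# Step 3: export the public certificate in PEM form for the agents.
Invoke-Keytool @('-export', '-alias', 'sss', '-rfc', '-keystore', $serverKs, '-file', $agentCert,
                 '-storepass', $StorePass, '-storetype', 'PKCS12')

# Verification (added here): confirm the exported certificate is SHA1withRSA with the expected subject.
$info = (& $keytool -printcert -file $agentCert) -join "`n"
if ($info -notmatch 'SHA1withRSA') { throw "Exported certificate is not SHA1withRSA:`n$info" }
if ($info -notmatch "CN=SCSP_Management_Server, OU=$([regex]::Escape($ServerHost))") { throw "Unexpected subject:`n$info" }
Write-Host "OK: $agentCert verified. Originals backed up to $backup"
```

Run it from an elevated PowerShell prompt on the Management Server; the files in $TempDir are the ones to copy into <DCS server Install Directory>\server in the next procedure.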
You must replace the existing certificates with the ones you have created in the above procedure.
To replace the existing certificates:
Stop the Data Center Security: Server Advanced management service.
Go to <DCS server Install Directory>\server and replace the following certificates with the newly created certificates: server-cert.ssl agent-cert.ssl
Start the Data Center Security: Server Advanced management server service.
If you are using Data Center Security: Server, restart the SVA virtual machines in your VMware platforms.
On the Data Center Security: Server Advanced agent, do the following:
Copy the newly created agent-cert.ssl to the agent computer.
On the command prompt, run the following command: sisipsconfig -c agent-cert.ssl
This command forces the agent to use the new agent-cert.ssl certificate.
To test the connection, run the following command from the command prompt: sisipsconfig -t