HP Servicecontrol Manager 3.0 User's Guide

Increasing Servicecontrol Manager Security
Chapter 4
Replace Self-Signed Tomcat Certificates
Replacing the Tomcat self-signed certificate with a certificate authority signed
(CA-signed) certificate on your CMS and your managed nodes will increase your security.
You can purchase a CA-signed certificate from a third-party certificate authority, or you
can act as your own certificate authority.
This will increase SCM security if you are accessing SCM from a Web browser. It
guarantees the authenticity of the Web pages, and it virtually eliminates the possibility
of unauthorized data interceptions, unauthorized access to SCM, or unauthorized
changes to your transactions. It also prevents the possibility of spoofing.
This security enhancement uses the Java keytool from Sun Microsystems. For more
information on the keytool, go to http://java.sun.com and search for summary of
security tools.
NOTE The following steps may or may not work depending on your operating environment.
Please refer to the Java keytool documentation and the instructions provided by your
certificate authority. These steps are provided for guidance only.
To replace the self-signed certificates:
Step 1. Log on to the CMS as root.
Step 2. If Tomcat is running, stop the server:
# /sbin/init.d/mxtomcat stop
Step 3. Identify the MxKeystorePassword:
# mxpassword -l -x MxKeystorePassword
# your_password
Step 4. Rename or back up the original keystore trust database:
# cd /etc/opt/mx/config/security
# mv certificates original.certificates
Step 5. Create a new keystore and generate the key pair:
# cd /etc/opt/mx/config/security
# keytool -genkey -keyalg RSA -dname "cn=server_name,\
ou=your_department_name,o=your_corporation.com, L=your_town,\
S=your_state, C=your_country" -alias tomcat -keypass your_password \
-keystore certificates -storepass your_password -validity 365
NOTE Please see the Java keytool documentation for an explanation of the fields used above.
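Added example, not part of the HP guide: keytool -genkey wraps the new public key in a self-signed certificate, so after Step 5 the keystore is still self-signed until a CA-signed reply is imported. The function below classifies keytool -list -v output by comparing the first Owner and Issuer lines. The function name and both sample outputs, including the CA name, are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the HP guide). Reads `keytool -list -v` output on
# stdin and prints "self-signed", "ca-signed" or "unknown" for the entry.
# Live use (run in /etc/opt/mx/config/security; keytool prompts for the password):
#   keytool -list -v -alias tomcat -keystore certificates | keystore_cert_status
keystore_cert_status() {
    awk '
        # Certificate[1] is the server certificate, so only the first
        # Owner/Issuer pair is compared; later pairs belong to the CA chain.
        /^Owner: /  && owner  == "" { owner  = substr($0, 8) }
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        END {
            if (owner == "" || issuer == "") print "unknown"
            else if (owner == issuer)        print "self-signed"
            else                             print "ca-signed"
        }'
}

# Constructed, abridged sample: the entry right after -genkey (Step 5).
sample_after_genkey() {
    cat <<'EOF'
Alias name: tomcat
Certificate chain length: 1
Certificate[1]:
Owner: CN=server_name, OU=your_department_name, O=your_corporation.com, C=your_country
Issuer: CN=server_name, OU=your_department_name, O=your_corporation.com, C=your_country
EOF
}

# Constructed, abridged sample: the same entry once a CA-signed reply has been
# imported. "Example Internal CA" is a made-up name; its root is self-signed.
sample_after_ca_reply() {
    cat <<'EOF'
Alias name: tomcat
Certificate chain length: 2
Certificate[1]:
Owner: CN=server_name, OU=your_department_name, O=your_corporation.com, C=your_country
Issuer: CN=Example Internal CA, O=your_corporation.com, C=your_country
Certificate[2]:
Owner: CN=Example Internal CA, O=your_corporation.com, C=your_country
Issuer: CN=Example Internal CA, O=your_corporation.com, C=your_country
EOF
}

sample_after_genkey   | keystore_cert_status   # self-signed
sample_after_ca_reply | keystore_cert_status   # ca-signed
```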