[Linux-PowerEdge] OMSA 7.4.0 and sec_error_ca_cert_invalid on new CentOS6.5 install

Shane Forsythe sforsyt at gmail.com
Mon Oct 20 10:57:54 CDT 2014


These are steps I took to replace the keystore.db file and use my own
Certificate Authority to sign CSR from the keytool. Caveat that doing so on
your own machines is at your own risk.

# Presumes that you have your own CA set up (fairly easy, google for instructions and follow)
# Firefox has no way of automatically importing CA certs from command line for multiple profiles, so you must import your CA.cert into Mozilla, then find the cert.db in the profile and copy to other machines if you wish to 'automate'

cd /opt/dell/srvadmin/lib64/openmanage/apache-tomcat/conf
cp keystore.db keystore.dell
## The key thing when you generate the key is to use the -alias dell and, during the prompt for "what is your first and last name", put the 'cname' you would like if you were generating a csr for ssl. I used localhost as I browse OMSA locally. If you enable external viewing of omsa, use the hostname you use; ip addresses will not work
../../jre/bin/keytool -genkey -keyalg RSA -alias dell -keystore keystore.db -storepass password -validity 36000 -keysize 2048
../../jre/bin/keytool -certreq -keyalg RSA -alias dell -keystore keystore.db -file omsa.csr

## Copy omsa.csr to your CA. You need to use the following line to make sure keytool/openssl are compatible.

openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -in omsa.csr -out omsa.cert.pem -days 3650 -CAcreateserial

## Copy omsa.cert.pem and ca.cert.pem back to the machine that generated the csr
cd /opt/dell/srvadmin/lib64/openmanage/apache-tomcat/conf
../../jre/bin/keytool -import -keystore keystore.db -file /tmp/ca.cert.pem -alias theCARoot
../../jre/bin/keytool -import -keystore keystore.db -file /tmp/omsa.cert.pem -alias dell

### edit the server.xml line, and change the keyPass and keystorePass to what you used when you generated keystore.db
  <Connector compression="force" SSLEnabled="true" clientAuth="false"
keystoreFile="conf/keystore.db" keystorePass="password" keyPass="password"
maxThreads="150" maxPostSize="6291456" port="1311" protocol="HTTP/1.1"
scheme="https" secure="true" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>

## restart OMSA services
/opt/dell/srvadmin/sbin/srvadmin-services.sh restart

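The server.xml step above is the one place in this procedure where a configuration mistake silently survives a successful restart. The following script is an added example (not part of this post and not Dell's or OMSA's code) that parses a Tomcat `<Connector>` element like the one quoted above and reports what a defender would want to catch after the edit: cipher suites based on RC4, 3DES or MD5 that current browsers refuse, an sslProtocol value that still allows SSLv3, and keystorePass/keyPass left at the placeholder value "password". The weak-suite markers, the placeholder password check and the finding codes are this script's own assumptions; the sample input is the Connector line from the post.

```python
"""Audit the TLS <Connector> in an OMSA Tomcat server.xml (added example,
not from the post or from Dell OMSA). Standard library only."""
import xml.etree.ElementTree as ET

# Cipher-suite name fragments this script treats as weak (assumption).
WEAK_SUITE_MARKERS = ("RC4", "3DES", "WITH_DES_", "_MD5", "NULL", "EXPORT", "anon")

# sslProtocol values that still permit SSLv3 or only TLS 1.0 (assumption).
WEAK_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLSv1"}

# Value the post uses as a stand-in for the real keystore password.
PLACEHOLDER_PASSWORD = "password"

# Sample input: the Connector element quoted in the post.
SAMPLE_CONNECTOR = '''<Connector compression="force" SSLEnabled="true" clientAuth="false"
keystoreFile="conf/keystore.db" keystorePass="password" keyPass="password"
maxThreads="150" maxPostSize="6291456" port="1311" protocol="HTTP/1.1"
scheme="https" secure="true" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>'''


def parse_connector(xml_text):
    """Return the attribute dict of the first <Connector> element in xml_text."""
    root = ET.fromstring(xml_text)
    elem = root if root.tag == "Connector" else root.find(".//Connector")
    if elem is None:
        raise ValueError("no <Connector> element found")
    return dict(elem.attrib)


def is_weak_suite(name):
    """True if the suite name contains any weak-suite marker."""
    return any(marker in name for marker in WEAK_SUITE_MARKERS)


def audit_connector(attrs):
    """Return a list of (code, detail) findings for one Connector."""
    findings = []
    if attrs.get("SSLEnabled", "false").lower() != "true" or attrs.get("scheme") != "https":
        findings.append(("tls-disabled", "connector does not serve HTTPS"))
    proto = attrs.get("sslProtocol", "")
    if proto in WEAK_PROTOCOLS:
        findings.append(("weak-protocol", f"sslProtocol={proto!r} permits obsolete protocol versions"))
    for key in ("keystorePass", "keyPass"):
        if attrs.get(key) == PLACEHOLDER_PASSWORD:
            findings.append(("placeholder-password", f"{key} is still the placeholder value"))
    for suite in attrs.get("ciphers", "").split(","):
        if suite and is_weak_suite(suite):
            findings.append(("weak-cipher", suite))
    return findings


def hardened_cipher_list(ciphers):
    """Drop weak suites from a comma-separated list, preserving order."""
    return ",".join(s for s in ciphers.split(",") if s and not is_weak_suite(s))


def hardened_connector_xml(attrs):
    """Re-emit the Connector with the weak suites removed from 'ciphers'."""
    new_attrs = dict(attrs)
    new_attrs["ciphers"] = hardened_cipher_list(attrs.get("ciphers", ""))
    return ET.tostring(ET.Element("Connector", new_attrs), encoding="unicode")


if __name__ == "__main__":
    attrs = parse_connector(SAMPLE_CONNECTOR)
    for code, detail in audit_connector(attrs):
        print(f"[{code}] {detail}")
    print(hardened_connector_xml(attrs))
```

Run it against the real file with `parse_connector(open(".../apache-tomcat/conf/server.xml").read())`; the hardened output is only a starting point, since removing suites that an older JRE or monitoring client still depends on will break those clients rather than the browser.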

On Mon, Oct 20, 2014 at 3:02 AM, <Viswanath_Ponnuru at dell.com> wrote:

> The importing of CA signed certificates-OMSA CLI feature is planned to
> deliver as part OMSA 8.1 release.
>
> Regards
>
> Vish Ponnuru.
>
> -----Original Message-----
> From: linux-poweredge-bounces-Lists On Behalf Of Stefan M. Radman
> Sent: Saturday, October 18, 2014 4:25 AM
> To: linux-poweredge-Lists
> Subject: Re: [Linux-PowerEdge] OMSA 7.4.0 and sec_error_ca_cert_invalid on
> new CentOS6.5 install
>
> Same seen with firefox 31.1.0 on RHEL 6.5 server
>
> any solution appreciated
>
> Thanks
> Stefan
>
> On Oct 17, 2014, at 5:42 PM, Shane Forsythe wrote:
>
> > The default install of firefox on any new centos machines is now
> invalidating the certificate with OMSA. I have found some documentation
> about updating the cert once you are logged in, but does anyone know of a
> way to update the cert from the command line?
> >
> > Does Dell have a ca.cert file we can import, or we have to use our own
> ca and self-signed keys?
> >
> > Thanks
> > Shane
> >
> > _______________________________________________
> > Linux-PowerEdge mailing list
> > Linux-PowerEdge at dell.com
> > https://lists.us.dell.com/mailman/listinfo/linux-poweredge
>