Signed SSL Certificates for PAM360

Secure communication is essential for protecting sensitive data transmitted between clients and servers. You will need to configure signed SSL certificates for PAM360 in various instances to ensure a secure, encrypted connection. This document provides a comprehensive guide to generating and configuring signed SSL certificates for PAM360 using multiple methods.

1. Methods of Generating Signed SSL Certificates for PAM360

1.1 Generating SSL Certificates via PAM360

The Certificates module in PAM360 simplifies the process of generating the SSL certificates by providing the option to sign and issue certificates in your network using Microsoft Certificate Authority or using a custom root CA certificate that is trusted within your environment. Follow these steps to generate a valid certificate via PAM360:

  1. Navigate to Certificates >> CSR and click Create to open the CSR creation page.
  2. Choose one of the following options:
    1. Create CSR: Fill in the required details, such as Common Name, SAN, Organization, Location, State, Country, Key Algorithm, and Key Size. Enter the Validity Type, Validity, and Store Password.
    2. Create CSR From KeyStore: Attach an existing private key file and provide its password.
  3. Click Create to generate the CSR. The CSR content will be displayed, and you can copy the CSR content, export it via email or save it to a file.
  4. View saved CSRs under Certificates >> CSR. Use the eye icon to view the associated keystore passwords.
  5. Now, navigate to Certificates >> CSR, select the desired CSR and click Sign. To learn more about signing certificates via PAM360, refer to this help document.
  6. Click Sign. The signed certificate will be available under Certificates >> Certificates.

1.2 Generating SSL Certificates via OpenSSL

OpenSSL is bundled with most Linux distributions. If you are using a Windows server and do not have OpenSSL installed, download it from here. Make sure the bin folder under the OpenSSL installation is included in the PATH environment variable. Open the command prompt as an administrator from the directory where the certificates are to be created and proceed with the following steps to create an SSL certificate using OpenSSL:

  1. Execute the following command to create the public-private key pair that will be used for the SSL handshake. Note that OpenSSL expects the passphrase argument in the form pass:<pem passphrase>; passing the bare passphrase is rejected as an invalid password argument:
    openssl genrsa -passout pass:<pem passphrase> -des3 -out <privatekey-filename> 4096
    For example, openssl genrsa -passout pass:passtrix -des3 -out webserver-ssl.key 4096

    Best Practice

    Enter passtrix or a pass-phrase of your choice. Though it is not documented, Tomcat has issues with passwords containing special characters, so use a password that has only alphanumeric characters.

  2. Execute the following command to create a CSR for submission to a CA, using the key generated in the previous step (again supplying the passphrase as pass:<pem passphrase>):
    openssl req -passin pass:<pem passphrase> -new -key <privatekey-filename> -out <certificate-csr-name>
    E.g., openssl req -passin pass:passtrix -new -key webserver-ssl.key -out webserver-ssl.csr
  3. Submit the CSR to a valid Certificate Authority like Verisign, Thawte, or RapidSSL to obtain a signed certificate and the CA’s root certificate.
  4. Save these files in the working folder.

1.3 Generating SSL Certificates via Keytool

Keytool is a command-line utility bundled with Java for managing keystores and certificates. Open the command prompt as an administrator, navigate to the <PAM360-Installation-Directory>/jre/bin folder and proceed with the following steps to create an SSL certificate using Keytool:

  1. Execute the following command to create the public-private key pair that will be used for the SSL handshake:
    For Windows:
    .\keytool -genkey -alias PAM360 -keyalg RSA -sigalg SHA256withRSA -keypass <privatekey_password> -storepass <keystore_password> -validity <no_of_days> -keysize 2048 -keystore <keystore_filename>
    For Linux:
    ./keytool -genkey -alias PAM360 -keyalg RSA -sigalg SHA256withRSA -keypass <privatekey_password> -storepass <keystore_password> -validity <no_of_days> -keysize 2048 -keystore <keystore_filename>

    Additional Details

    1. <keystore_password> is the password to access the keystore, and <privatekey_password> is the password to protect your private key. Note that due to an inherent limitation in Tomcat, these two passwords have to be the same. (Though it is not documented, Tomcat has issues with passwords containing special characters, so use a password that has only alpha characters.)
    2. <no_of_days> is the validity of the key pair in number of days, counted from the day it was created.
  2. Provide the requested details, ensuring the FQDN matches the PAM360 server. A keystore file named <keystore_filename> will be created in the same folder, containing the generated key pair.
  3. Execute the following command to create a CSR for submission to a CA to create a signed certificate with the key generated in the previous step:
    keytool -certreq -keyalg RSA -alias PAM360 -keypass <privatekey_password> -storepass <keystore_password> -file <csr_filename> -keystore <keystore_filename> -ext san=dns:<hostname.domain.com>,dns:<hostname>,dns:<alias.domain.com>
    E.g., with illustrative values, keytool -certreq -keyalg RSA -alias PAM360 -keypass passtrix -storepass passtrix -file pam360.csr -keystore pam360.keystore -ext san=dns:pam360.example.com,dns:pam360,dns:vault.example.com
  4. Submit the CSR to a valid Certificate Authority like Verisign, Thawte, or RapidSSL to obtain a signed certificate and the CA's root certificate. Upon CA signing, you will receive the signed SSL certificate and the CA's certificate as .cer files. Save both files in the <PAM360_Home>/jre/bin folder.

2. SSL Certificate for PAM360 Web Server Communication

2.1 Utilizing the SSL Certificate Created via PAM360

To install a web server certificate, you will need the relevant certificate keystore. To apply the certificate keystore, you must first create it. Follow these steps:

  1. Navigate to Certificates >> Certificates in the PAM360 interface and click on the signed certificate link under the Common Name column.
  2. On the Certificate Details page, click the Export icon located in the top-right corner. The certificate file will be downloaded to your local machine.
  3. Now, go to Certificates >> Create CSR, locate the CSR for the signed certificate and click the Import Certificate icon.
  4. Browse your local machine to select the downloaded certificate file and click Import. The system will bind the certificate with the private key, forming a keystore.
  5. Return to Certificates >> Certificates and click the certificate link under the Common Name column.
  6. On the Certificate Details page, scroll down and click the Export link. This will download the certificate keystore to your local machine.
  7. Now, navigate to Admin >> Server Settings >> PAM360 Server and follow these steps to update the PAM360 web server certificate:
    1. Select the Keystore Type (JKS, PKCS12, or PKCS11) that matches the type used when generating the CSR.
    2. Browse and upload the downloaded keystore file.
    3. Enter the Keystore Password you provided during the CSR generation process.
    4. If necessary, update the Server Port and click Save.
    5. Restart the PAM360 service to apply the certificate changes.

By completing these steps, the certificate keystore will be successfully applied to the PAM360 web server.

2.2 Utilizing the SSL Certificate Created via OpenSSL

To install a web server certificate, you will need the relevant certificate keystore. To apply the certificate keystore, you must first create it. Open the command prompt as an administrator from the directory where the certificates are to be created and proceed with the following steps:

  1. Execute the following command to create the certificate keystore:
    openssl pkcs12 -export -in <cert_file>.cer -inkey <privatekey_filename>.key -out <keystore_filename>.p12 -name PAM360 -CAfile <root_cert_file>.cer -caname PAM360 -chain
    where,
    • cert_file.cer is the signed SSL certificate with the .cer extension.
    • privatekey_filename.key is the private key file with a .key extension.
    • keystore_filename.p12 name is the keystore that will be generated with a .p12 extension.
    • root_cert_file.cer is the CA's root certificate with a .cer extension.

    Caution

    When prompted for the export password, enter the same password you used while creating the private key. This requirement is due to an inherent limitation in Tomcat, which requires the two passwords to match. A keystore file named <keystore_filename>.p12 will be generated in the same folder.

  2. Copy the <keystore_filename>.p12 generated in step 1 to the <PAM360_Install_Folder>\conf folder.
  3. From the command prompt, navigate to the <PAM360-Installation-Directory>\conf folder and open the server.xml file.
  4. Locate the entry keystoreFile, which will have the default value set to conf/server.keystore. Change the value to conf/<keystore_filename>.p12.

    Caution

    The keystore password is encrypted and cannot be updated directly in the server.xml file. In order to manually update the keystore password in the .xml file, disable the encryption first, by changing the value keystorePassEncrypted=true to keystorePassEncrypted=false.

  5. Now, set the value of 'keystorePass' to "passtrix" or the password you specified in step 1 while creating the keystore.
  6. Add a new entry keystoreType="PKCS12" (or keystoreType="PKCS11", matching the type of keystore you created) next to the keystorePass entry and save the server.xml file.
  7. Restart the PAM360 server and connect through the web browser. If you are able to view the PAM360 login console without any warning from the browser, you have successfully installed your SSL certificate in PAM360.
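The following script is an added example and not part of the PAM360 documentation. It runs the OpenSSL procedure of sections 1.2 and 2.2 end to end in a scratch directory, using a throwaway root CA built in the script as a stand-in for the commercial CA you would submit the CSR to, and then checks the resulting keystore before it is referenced from server.xml. The hostname pam360.example.com, the file names and the Example Root CA are constructed; the passphrase passtrix is the page's own.

```shell
#!/bin/sh
# Added example, not taken from the PAM360 documentation: it runs the OpenSSL
# steps of sections 1.2 and 2.2 end to end inside an existing scratch directory.
# A throwaway root CA built here stands in for the commercial CA the page sends
# the CSR to. Assumed values: host pam360.example.com and the page's own
# passphrase passtrix; every file name below is constructed.

# Best practice from the page: key and keystore password alphanumeric only.
is_tomcat_safe_pass() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]+$'
}

# $1 = directory, $2 = PAM360 hostname (FQDN), $3 = passphrase shared by the
# private key and the keystore, as Tomcat requires. Returns non-zero on failure.
build_pam360_keystore() {
  is_tomcat_safe_pass "$3" || return 1
  ( cd "$1" &&
    # 1.2 step 1: encrypted RSA key; OpenSSL wants the passphrase as pass:<value>.
    openssl genrsa -passout "pass:$3" -des3 -out webserver-ssl.key 4096 2>/dev/null &&
    # 1.2 step 2: CSR; -subj avoids the prompts and -addext carries the SAN.
    openssl req -passin "pass:$3" -new -key webserver-ssl.key -out webserver-ssl.csr \
      -subj "/CN=$2/O=Example Org" -addext "subjectAltName=DNS:$2" 2>/dev/null &&
    # Stand-in CA (constructed): self-signed root, then it signs the CSR with the SAN.
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -new -key ca.key -subj "/CN=Example Root CA" -out ca.csr 2>/dev/null &&
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext &&
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext -out ca.cer 2>/dev/null &&
    printf 'subjectAltName=DNS:%s\n' "$2" > san.ext &&
    openssl x509 -req -in webserver-ssl.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
      -out webserver-ssl.cer -days 365 -extfile san.ext 2>/dev/null &&
    # 2.2 step 1: PKCS#12 keystore holding the leaf plus its chain, one passphrase.
    openssl pkcs12 -export -in webserver-ssl.cer -inkey webserver-ssl.key \
      -passin "pass:$3" -passout "pass:$3" -out pam360.p12 -name PAM360 \
      -CAfile ca.cer -caname PAM360 -chain 2>/dev/null
  )
}

# Checks worth running before editing server.xml: the leaf verifies against the
# root, the .p12 opens with the passphrase and holds both certificates, and the
# SAN survived signing. Same arguments as above; returns 0 only if all three hold.
verify_pam360_keystore() {
  ( cd "$1" &&
    openssl verify -CAfile ca.cer webserver-ssl.cer >/dev/null 2>&1 &&
    n=$(openssl pkcs12 -in pam360.p12 -passin "pass:$3" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE') &&
    [ "$n" -eq 2 ] &&
    openssl x509 -in webserver-ssl.cer -noout -text | grep -q "DNS:$2"
  )
}
```

With a real CA, replace the stand-in signing lines with the certificate and root you receive back; the verify function then still applies to the returned .cer files and the .p12 you export from them.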

2.3 Utilizing the SSL Certificate Created via Keytool

To install a web server certificate, you will need the relevant certificate keystore. To apply the certificate keystore, you must first create it. Open the command prompt as an administrator and proceed with the following steps:

  1. Navigate to the <PAM360-Installation-Directory>/jre/bin folder.
  2. If you have a single file as the certificate bundle (.p7b), execute the following command:
    keytool -import -alias PAM360 -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <your_ssl_bundle.p7b>
    where,
    • <your_ssl_bundle.p7b> is the certificate bundle obtained from the CA, a .p7b file saved in the previous step. The <privatekey_password>, <keystore_password> and <keystore_filename> are the ones used in the previous steps.
    • If instead you have three files, the root, the intermediate and the actual certificates in .cer format, import each one of them, in that order, using the below commands:
      keytool -import -alias root -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <root.cer>
      keytool -import -alias inter -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <inter.cer>
      keytool -import -alias PAM360 -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <your_ssl_cert.cer>
  3. Copy the <keystore_filename> to the <PAM360-Installation-Directory>/conf folder.
  4. Now, from <PAM360-Installation-Directory>/conf folder, open the server.xml file.
  5. Locate the entry keystoreFile, which will have the default value set to conf/server.keystore. Change the value to conf/<keystore_filename>.

    Caution

    The keystore password is encrypted and cannot be updated directly in the server.xml file. In order to manually update the keystore password in the .xml file, disable the encryption first, by changing the value keystorePassEncrypted=true to keystorePassEncrypted=false.

  6. Set the value of 'keystorePass' to "passtrix" or the password you specified while creating the keystore in section 1.3.
  7. Restart the PAM360 server and connect through the web browser. If you are able to view the PAM360 login console without any warning from the browser, you have successfully installed your SSL certificate in PAM360.

    Caution

    Tomcat, by default, accepts only the JKS (Java Key Store) and PKCS #12 format keystores. In case the keystore is of PKCS #12 format, include the option keystoreType="PKCS12" in the server.xml file along with the keystore name. This notifies Tomcat that the format is PKCS12. Restart the server after this change.
