
VM: How to use a pre-generated SSL certificate that includes the private key with Tomcat in the PVCS Version Manager Web Application Server



ID:    S143483
Published:    09 July 2021
Updated:    12 July 2021

Operating System(s)

  • All Unix
  • All Windows

Product(s)

  • PVCS Version Manager
 

Description

The typical process to obtain an SSL certificate consists of generating a private key on the server, sending a signing request to a Certificate Authority, and having the Certificate Authority apply its signature to the certificate (see KB S143068).
 
However, if you are provided with a keystore containing a pre-generated SSL certificate that includes the private key, use the instructions below to import that into PVCS Version Manager's Tomcat instance.

Resolution

The keystore to be imported should be in PKCS12 format (.p12), which includes Microsoft PFX (.pfx).
 
If the keystore you received is in a different format, use a 3rd party utility to convert it to PKCS12. Example using openssl:
 
openssl pkcs12 -export -name TomcatVM -in PublicCertificateFile.crt -inkey PrivateKeyFile.key -out TomcatVM.p12
 
To import the PKCS12 keystore:
 
  • Windows:

    1. Stop the PVCS Version Manager Web Application Server service. (In older VM releases this used to be called the Serena VM Web Application Server service.)
       
    2. Open a Command Prompt (CMD.EXE) using right-click | Run as administrator.
       
    3. Execute the following commands:
       
      • move "%PVCS_HOME%\common\tomcat\conf\serena.keystore" "%PVCS_HOME%\common\tomcat\conf\serena.keystore.old"
         
      • "%PVCS_HOME%\common\jre\win64\bin\keytool" -importkeystore -srckeystore "FULLY_QUALIFIED_PATH_OF_PKCS12_KEYSTORE" -srcstorepass "PASSWORD_ON_PKCS12_KEYSTORE" -srcstoretype pkcs12 -destkeystore "%PVCS_HOME%\common\tomcat\conf\serena.keystore" -deststorepass serena
         
      If you are running a Version Manager release prior to PVCS VM 8.6.0, replace win64 with win32.
       
    4. Start the PVCS Version Manager Web Application Server service.
       
  • Linux/UNIX:

    1. Open a shell on the server as the user who installed PVCS VM, typically the user "pvcs", and go to its installation directory.
       
    2. Stop the PVCS Version Manager Web Application Server by running the command:
       
      vm/common/bin/pvcsstop.sh
       
    3. Execute the following commands, replacing OperatingSystem with one of aix, hpux, linux, or solaris, depending on the operating system being used:
       
      • mv vm/common/tomcat/conf/serena.keystore vm/common/tomcat/conf/serena.keystore.old
         
      • vm/common/java/OperatingSystem/jre/bin/keytool -importkeystore -srckeystore 'FULLY_QUALIFIED_PATH_OF_PKCS12_KEYSTORE' -srcstorepass 'PASSWORD_ON_PKCS12_KEYSTORE' -srcstoretype pkcs12 -destkeystore vm/common/tomcat/conf/serena.keystore -deststorepass serena
         
    4. Start the PVCS Version Manager Web Application Server by running the command:
       
      vm/common/bin/pvcsstart.sh
 
IMPORTANT:
 
  • Before changing the File Server URL in VM from http://server:8080 to https://server:8443 (using Admin | File Server), see Configuring VM File Server access from Version Manager Desktop Client installations on other machines.
     
  • If you get one of the following errors in stderr.log / catalina.out / catalina.YYYY-MM-DD.log:
     
    java.security.UnrecoverableKeyException: Cannot recover key
    or
    java.io.IOException: Cannot recover key
     
    make sure that any password on the private key matches the password on the destination JKS keystore. You can use the following command to change the password of the private key:

    Windows:
    "%PVCS_HOME%\common\jre\win64\bin\keytool" -keypasswd -keypass "EXISTING_PRIVATE_KEY_PASSWORD" -new serena -keystore "%PVCS_HOME%\common\tomcat\conf\serena.keystore" -storepass serena -alias "CertificateAlias"

    Linux/UNIX:
    vm/common/java/OperatingSystem/jre/bin/keytool -keypasswd -keypass 'EXISTING_PRIVATE_KEY_PASSWORD' -new serena -keystore vm/common/tomcat/conf/serena.keystore -storepass serena -alias 'CertificateAlias'
     
    This sets the new private key password (-new password) to match the keystore password (-storepass password), so just using the keystore password can unlock the private key going forward.

    The value of CertificateAlias can be obtained by running the List command and looking for the certificate alias tagged with PrivateKeyEntry:

    Windows:
    "%PVCS_HOME%\common\jre\win64\bin\keytool" -list -keystore "%PVCS_HOME%\common\tomcat\conf\serena.keystore" -storepass serena

    Linux/UNIX:
    vm/common/java/OperatingSystem/jre/bin/keytool -list -keystore vm/common/tomcat/conf/serena.keystore -storepass serena

    Example:

    C:\pvcs\vm8630\vm>"%PVCS_HOME%\common\jre\win64\bin\keytool" -list -keystore "%PVCS_HOME%\common\tomcat\conf\serena.keystore" -storepass serena
    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    or-rgering-w216.serena.com, Nov 13, 2018, PrivateKeyEntry,
    Certificate fingerprint (SHA1): B3:C7:D3:51:59:96:F4:7A:07:FA:B2:38:52:6D:95:50:4E:3B:01:32

    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore C:\pvcs\vm8630\vm\common\tomcat\conf\serena.keystore -destkeystore C:\pvcs\vm8630\vm\common\tomcat\conf\serena.keystore -deststoretype pkcs12".

    C:\pvcs\vm8630\vm>


    In this example, the CertificateAlias value would be or-rgering-w216.serena.com.
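
    The alias lookup described above can be scripted. The following is an added example, not part of the original article or the product: the function names aliases_of_type and single_key_alias and both sample listings are constructed for illustration. It reads keytool -list output, extracts the alias tagged PrivateKeyEntry, and fails when the keystore holds no private key entry, which is what an import from a certificate-only PKCS12 file produces.

```shell
#!/bin/sh
# Added example, not from the KB article. Assumes the English-locale
# `keytool -list` layout shown above: <alias>, <Mon D, YYYY>, <EntryType>,

# Print the alias of every entry of the given type (default PrivateKeyEntry).
# Reads the listing on stdin. An alias may contain ", " so the date and
# type are matched from the right-hand end of the line.
aliases_of_type() {
  entry_type="${1:-PrivateKeyEntry}"
  sed -nE "s/^(.*), [A-Z][a-z]{2} [0-9]{1,2}, [0-9]{4}, ${entry_type},? *\$/\1/p"
}

# Print the alias and succeed only if there is exactly one private key entry.
# Zero entries means the import carried certificates but no private key.
single_key_alias() {
  found="$(aliases_of_type PrivateKeyEntry)"
  count="$(printf '%s' "$found" | grep -c . || true)"
  if [ "$count" -ne 1 ]; then
    echo "expected 1 PrivateKeyEntry, found $count" >&2
    return 1
  fi
  printf '%s\n' "$found"
}

# Constructed sample listings (host names and fingerprints are made up).
SAMPLE_OK='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

vmserver.example.test, Jul 9, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
issuing-ca, Jul 9, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

SAMPLE_NO_KEY='Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

issuing-ca, Jul 9, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# Against a real keystore, pipe the article's -list command into single_key_alias.
printf '%s\n' "$SAMPLE_OK" | single_key_alias
```

    Run it after the import and before restarting the service; a non-zero exit means the keystore has no usable private key entry for Tomcat.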

     

 

 

