A new Flexera Community experience is coming on November 25th. Click here for more information.
1. Create a folder and share.
Perform the steps below on the Admin Server.
a. Create a folder called E:\FLEXnet\certs.
b.Create a file share named Certs in the E:\FLEXnet\certs folder. Ensure you have write-access to the folder.
2. Generate a Reporting Server encryption key and self-signed certificate.
Open a PowerShell command prompt as an administrator on the Reporting Server and perform the following steps.
a. Open the FNMEA install directory.
cd E:\FLEXnet\manager\reporting
b. Delete the existing keystore.
rm ".\release\platform\bin\keystore"
c. Run the following command to generate a self-signed key pair in a new keystore, where {Admin Server FQDN} is the name of the shared path you created in step 1.
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -storepass "flexnet" -genkeypair -alias "tomcat" -keyalg RSA -validity 7300 -keypass "flexnet" -dname "CN={Reporting Server FQDN},OU=IT,O=test,L=test,S=Stest,C=com" -keysize 2048
3. Generate an Admin Server encryption key and self-signed certificate.
Open a PowerShell command prompt as an administrator on the Admin Server and perform the following steps.
a. Open the FNMEA install directory.
cd E:\FLEXnet\manager\admin
b. Delete the existing keystore.
rm ".\release\platform\bin\keystore"
c. Run the following command to generate a self-signed key pair in a new keystore, where {Admin Server FQDN} is the name of your Admin Server and {Admin Server DNS Alias} is the IP address of the Admin Server.
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -storepass "flexnet" -genkeypair -alias "tomcat" -keyalg RSA -validity 7300 -keypass "flexnet" -dname "CN={Admin Server FQDN},OU=IT,O=test,L=test,S=test,C=test" -ext "SAN=dns:{Admin Server DNS Alias}" -keysize 2048
4. Generate the Admin Server certificate authority signing request.
Open a PowerShell command prompt as administrator on the Admin Server and perform the following steps.
a. Open the FNMEA install directory.
cd E:\FLEXnet\manager\admin
b. Run the following command to generate a certficate signing request.
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -certreq -keyalg RSA -alias tomcat -file "\\{Admin Server FQDN}\certs\admin.csr"
5. Generate the Reporting Server certificate authority signing request.
Open a PowerShell command prompt as administrator on the Reporting Server and perform the following steps.
a. Change to the FNMEA install directory
cd E:\FLEXnet\manager\reporting
b. Run the following command to generate a certficate signing request.
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -certreq -keyalg RSA -alias tomcat -file "\\{Reporting Server FQDN}\certs\admin.csr"
6. Get the Admin Server and Reporting Server certificates signed by a Certification Authority (CA).
7. Import the CA-signed Admin Server certificate into the Admin Server keystore.
Perform the following tasks on the Admin Server to complete the Admin Server certificate CA signing process.
a. Extract and import the root CA certificate.
i. Double-click on \\{Admin Server FQDN}\certs\admin_signed.cer
The certificate properties dialog for the Admin Server certificate will open.
ii. In the Certification Path tab select the root certificate.
iii. Click on View Certificate to open the root certificate.
iv. In the Details tab of the root certificate choose Copy to File.
v. Follow the Certificate Export Wizard prompts to save the root certificate as follows:
- Base-64 encoded X.509 (.CER)
- File Path: \\{Admin Server FQDN}\certs\admin_root.cer
b. Extract the intermediate CA certificate.
i. Double-click on \\{Admin Server FQDN}\certs\admin_signed.cer
The certificate properties dialog for the Admin Server certificate will open.
ii. In the Certification Path tab select the intermediate certificate.
iii. Click on the View Certificate button to open the intermediate certificate.
iv. In the Details tab of the intermediate certificate choose Copy to File.
v. Follow the Certificate Export Wizard prompts to save the intermediate certificate as follows:
- Base-64 encoded X.509 (.CER)
- File Path: \\{Admin Server FQDN}\certs\admin_intermediate.cer
c. Open a PowerShell command prompt as an administrator and run each of the following commands in the order below to import the certificates into the Admin Server keystore:
cd E:\FLEXnet\manager\admin
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -import -trustcacerts -alias "root" -file \\{Admin Server FQDN}\certs\admin_root.cer
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -import -trustcacerts -alias "intermediate" -file \\{Admin Server FQDN}\certs\admin_intermediate.cer
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -import -trustcacerts -alias "tomcat" -file \\{Admin Server FQDN}\certs\admin_signed.cer
8. Export the Admin Server certificate.
Open a PowerShell command prompt as an administrator on the Admin Server and perform the following steps.
a. Open the FNMEA install directory.
cd E:\FLEXnet\manager\admin
b. Run the following command to export the Admin Server certificate.
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -storepass "flexnet" -alias "tomcat" -exportcert -file "\\{Admin Server FQDN}\certs\admin.cer"
9. Import the CA-signed Reporting Server certificate into the Reporting Server keystore.
Perform the following tasks on the Reporting Server to complete the Reporting Server certificate CA signing process.
a. Extract and import the root CA certificate.
i. Double-click on \\{Reporting Server FQDN}\certs\admin_signed.cer
The certificate properties dialog for the Reporting Server certificate will open.
ii. In the Certification Path tab select the root certificate.
iii. Click on View Certificate to open the root certificate.
iv. In the Details tab of the root certificate choose Copy to File.
v. Follow the Certificate Export Wizard prompts to save the root certificate as follows:
- Base-64 encoded X.509
- File Path: \\{Reporting Server FQDN}\certs\admin_root.cer
10. Export the Reporting Server certificate.
Open a PowerShell command prompt as an administrator on the Reporting Server and perform the following steps.
a. Open the FNMEA install directory.
cd E:\FLEXnet\manager\admin
b. Run the following command to export the Reporting Server certificate.
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -storepass "flexnet" -alias "tomcat" -exportcert -file "\\{Admin Server FQDN}\certs\reproting.cer"
11. Import certificates into the Admin Server truststores.
Perform the steps below on the Admin Server.
a. Open a PowerShell command prompt as an administrator.
b. Open the FNMEA install directory.
cd E:\FLEXnet\manager\admin
c. Run the following commands:
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -storepass "flexnet" -import -alias reporting -file "\\{Admin Server FQDN}\certs\reporting.cer" -trustcacerts -noprompt
.\jvm\bin\keytool.exe -keystore ".\jvm\lib\security\cacerts" -storepass "changeit" -import -alias reporting_root -file "\\{Admin Server FQDN}\certs\ reporting_root.cer" -trustcacerts -noprompt
.\jvm\bin\keytool.exe -keystore ".\jvm\lib\security\cacerts" -storepass "changeit" -import -alias reporting_intermediate -file "\\{Admin Server FQDN}\certs\ reporting_intermediate.cer" -trustcacerts -noprompt
12. Import certificates into the Reporting Server truststores.
Perform the steps below on the Reporting Server.
a. Open a PowerShell command prompt as an administrator.
b. Open the FNMEA install directory.
cd E:\FLEXnet\manager\reporting
c. Run the following commands:
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -storepass "flexnet" -import -alias admin_root -file "\\{Reporting Server FQDN}\certs\admin_root.cer" -trustcacerts -noprompt
.\jvm\bin\keytool.exe -keystore ".\release\platform\bin\keystore" -storepass "flexnet" -import -alias admin_intermediate -file "\\{Reporting Server FQDN}\certs\admin_intermediate.cer" -trustcacerts -noprompt
.\jvm\bin\keytool.exe -keystore ".\jvm\lib\security\cacerts" -storepass "changeit" -import -alias admin -file "\\{Reporting Server FQDN}\certs\admin.cer" -trustcacerts -noprompt
13. Run the following command:
.\jvm\bin\keytool.exe -keystore ".\jvm\lib\security\cacerts" -storepass "changeit" -import -alias cognos_root -file "\\{Admin Server FQDN}\certs\cognos_root.cer" -trustcacerts -noprompt
Note: The third-party root CA certificate should already exist in all truststores globally. If it already exists in the the truststore, the command will fail. |
Aug 04, 2022 02:19 PM - edited Sep 27, 2022 12:41 PM
I think there is an error in steps 2d, 8b and 10b as you cannot specify both commands together: -genkeypair and -exportcert.
I suspect you just need to remove -genkeypair as this step is intended to simply export the cert.
Thank you, @MurrayPeters, for pointing it out. I updated it.
@Akshitha - Is there any specific/dedicated document for Cognos to generate CSR file and import SSL certificate?