cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to configure Flexnet Operations On-Premises with SSL

How to configure Flexnet Operations On-Premises with SSL

Summary

This article will explain how to create a keystore that can be used with Flexnet Operations to enable SSL.

Synopsis

In order to create a keystore it is assumed that you have created the PFX file. The steps below will explain how to import the PFX file into the keystore for FlexNet Operations On-Premises.

 

Discussion

Steps to create the keystore for Flexnet Operations

1. First step is to import the given PFX file (PKCS format) into the keystore that will be used by the FNO application.

Note: Keytool.exe manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates and is part of the Java installation. Please refer to the article below for more information on this....

https://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

keytool.exe -importkeystore -srckeystore ServerCertificate.pfx -srcstoretype pkcs12 -srcstorepass <password> -destkeystore FlexeraKeyStore.jks -deststoretype JKS

The following output should be displayed:
  • Enter destination keystore password:
  • Re-enter new password:
  • Entry for alias le-0a9b7c02-2830-41bb-b46e-43ee80646aac successfully imported.
  • Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
2. The next step is to isolate the certificate chain used to validate the certificate and put this into the truststore. You could use a separate truststore or add the certificate to the JDK's keystore. The second approach is more preferable, so this is what is used below.
  • Convert the PFX file to PEM format and make sure we transport the certificates into the PEM file
Note: OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Please refer to the article below for more information and how to download....

https://www.openssl.org/source/
  • openssl pkcs12 -in ServerCertificate.pfx -out Keystore.pem -nodes
  • Enter Import Password:
  • MAC verified OK
3. The next step is to convert this PEM file to X509 format.
  • openssl x509 -outform der -in Keystore.pem -out flexera.der
4. The final step is to import this X509 certificate into the JDK's keystore.
  • keytool.exe -import -alias flexera-alias -keystore "C:\cacert\FlexeraKeystore.jks" -file flexera.der
  • Enter keystore password:
  • Trust this certificate? [no]: yes
  • Certificate was added to keystore
Steps to configure Flexnet Operations to use the created keystore
  • Go to flexnet-setup: e.g. http://localhost:4321/flexnetsetup
  • Stop FNO server
  • Undeploy FNO and all applications
  • Go to FNO_HOME\components\wildfly\standalone\logs and clean up the logs (This step will be beneficial later)
  • Go to the 'Advanced' tab
  • Change the keystore to the location of the keystore, e.g. "C:\certs\FlexeraKeyStore.jks"
  • Add the password assigned to the keystore.
  • Save the configuration
  • Deploy FNO.
  • Start server
Once the server is up, look at the server.log to find out if there are any key specific errors.
Was this article helpful? Yes No
No ratings
Comments
In Step 4, the -keystore parameter is specified as "C:/cacert" with no filename...was this intended to be FlexeraKeystore.jks?

Dear @jhurder,

You are correct, this should state "C:\cacert\FlexeraKeystore.jks". 

Thanks for pointing this out. 

Kind regards,
Joe

 

 

Thanks Joe - I did this and it seems to work correctly. The only other edit I think might be in order is that when you import the .der file into the .jks, keytool will warn you that the certificate already exists in the store and to confirm that you want to overwrite it. I did overwrite the cert and seems to work correctly. Thanks for your post, it was extremely helpful for this native .NET/Windows admin to enable HTTPS on my FNO instance.
Version history
Last update:
‎Jun 18, 2024 12:07 PM
Updated by:
Contributors