During the configuration process, EPM System Configurator must establish secure communication with the components for which SSL is to be supported. To establish secure communication, you must import the root certificate of the CA that signed the certificate that was used to SSL-enable these components:
Database server used for Shared Services Registry and Shared Services database
Database server used by EPM System components
SMTP mail server
Application server
Web server
Generally, the root certificates of well-known third-party CAs are available in the keystore that EPM System Configurator uses, so you do not need to reimport them.
If you did not use signed certificates from a well-known third-party CA (if you used self-signed certificates, for example), you must import the root CA certificate into the keystore that is used by EPM System Configurator. The default EPM System Configurator keystore is MIDDLEWARE_HOME/jdk160_11/jre/lib/security/cacerts.
You use a tool such as keytool to import certificates into a keystore.
Note: Perform this procedure for each EPM System Configurator that you use to deploy EPM System components.
To import certificates using keytool:
From a console, change directory to MIDDLEWARE_HOME/jdk160_11/jre/bin.
Execute a command such as the following:
keytool -import -alias CERT_ALIAS -file CERT_FILE -keystore KEYSTORE -storepass KEYSTORE_PASSWORD -trustcacerts
For example, you can use the following command to add root CA certificate C:/certificates/CA.crt into MIDDLEWARE_HOME/jdk160_11/jre/lib/security/cacerts with DB_CA_ROOT as the certificate alias in the keystore. Default storepass (changeit) is assumed.
keytool -import -alias DB_CA_ROOT -file C:/certificates/CA.crt -keystore ../lib/security/cacerts -storepass changeit -trustcacerts
Note: The preceding command and example use some of the syntax for importing certificates using keytool. See keytool documentation for a complete list of import syntax.
Repeat the procedure for each root CA certificate that you want to import.
Note: If you obtained all signed certificates from one CA, you need to import the root CA certificate only once.
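Every certificate placed in cacerts becomes a trust anchor for the JVM, so it is worth confirming that the file is the CA's real root before running the import above. The following is an added example, not part of the original documentation: a POSIX shell wrapper around the same keytool import that first compares the certificate's fingerprint with the value the CA published out of band. The function names are hypothetical, and the label defaults to SHA1 as an assumption; pass SHA256 where your keytool prints it.

```shell
# Added example; function names are hypothetical, not Oracle tooling.

# Strip separators and upper-case a fingerprint so two copies compare equal.
fp_normalize() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read `keytool -printcert` output on stdin; print the normalized
# fingerprint listed under the given label (for example SHA1 or SHA256).
fp_extract() {
    fp_line=$(sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1)
    fp_normalize "$fp_line"
}

# import_root_ca ALIAS CERT_FILE KEYSTORE STOREPASS EXPECTED_FP [LABEL]
# EXPECTED_FP is the fingerprint the CA published through a separate channel.
import_root_ca() {
    ca_alias=$1; cert=$2; ks=$3; pass=$4; expected=$5; label=${6:-SHA1}
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }

    # Refuse to trust a certificate whose fingerprint does not match.
    actual=$(keytool -printcert -file "$cert" 2>/dev/null | fp_extract "$label")
    if [ -z "$actual" ] || [ "$actual" != "$(fp_normalize "$expected")" ]; then
        echo "fingerprint mismatch for $cert; nothing imported" >&2; return 3
    fi

    # Stop early if the alias is already in use in this keystore.
    if keytool -list -alias "$ca_alias" -keystore "$ks" -storepass "$pass" >/dev/null 2>&1; then
        echo "alias $ca_alias already present in $ks" >&2; return 4
    fi

    cp -p "$ks" "$ks.bak" || return 5     # keep a rollback copy of cacerts
    keytool -import -noprompt -trustcacerts -alias "$ca_alias" \
        -file "$cert" -keystore "$ks" -storepass "$pass" || return 6

    # Confirm the entry now exists under the intended alias.
    keytool -list -alias "$ca_alias" -keystore "$ks" -storepass "$pass"
}

# Usage (values are placeholders):
#   import_root_ca DB_CA_ROOT C:/certificates/CA.crt ../lib/security/cacerts \
#       changeit "<fingerprint published by the CA>"
```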