ISR Certificates

Many ISR services are configured for more secure requests via HTTPS, including:

  • ISR Dashboard
  • ISR FACE
  • Recorder REST Webservice
  • Converter REST Webservice
  • RSS Java API

To access these services, the clients you use must have either public keys or certificates, which are generated at installation time, or negotiated through a public key exchange. Public keys and certificates can be found in the locations described below.

The following table lists and describes the RSS public key locations.

| Public Key Location | Description | Key Technology |
|---|---|---|
| /opt/isr/security/keys/rss_cert.pem | Certificate for ISR components to connect to RSS REST services | OpenSSL SHA256 RSA Key/X509 Self-signed certificate |
| /opt/isr/security/keys/isr.key | Private key for ISR component communications | N/A |
| /opt/isr/security/keys/israpi-public.key | Public certificate for ISR API | Java keytool created RSA Key/Certificate |
| /opt/isr/security/keys/tomcat.keystore | Keystore for ISR Java applications on the RSS | N/A |

The following table lists and describes the Dashboard public key locations.

| Public Key Location | Description | Key Technology |
|---|---|---|
| /opt/isr/security/keys/puma.crt | Certificate file | OpenSSL DES3 RSA Key/X509 Self-signed certificate |
| /opt/isr/security/keys/isr.key | Private key for ISR component communications | N/A |

The following table lists and describes the FACE public key locations.

| Public Key Location | Description | Key Technology |
|---|---|---|
| /opt/isr/security/keys/face-public.key | Public key for FACE HTTPS clients | Java keytool created RSA Key/Certificate |
| /opt/isr/security/keys/tomcat.keystore | Keystore for ISR Java applications on FACE | N/A |
| /opt/isr/security/keys/isr.key | Private key for ISR component communications | N/A |

Imported Certificates for Secure Communications

Some ISR applications (for example, the Dashboard) may send client requests to other ISR applications. For these requests and responses to be secure and authenticated, the application hosts must initially import the public keys of the services receiving the requests. The following table describes the keys imported to ISR component hosts for secure ISR application communication.

| Component | Public Key Location | Description |
|---|---|---|
| Dashboard | /opt/isr/security/keys/israpi-public.key.<RSS host IP> | Imported RSS API public key for Dashboard RSS API requests |
| Dashboard | /opt/isr/security/keys/rss_cert.pem.<RSS host IP> | Imported RSS Converter and Recorder process public keys |
| FACE | /opt/isr/security/keys/israpi-public.key.<RSS host IP> | Imported RSS API public key for FACE RSS API requests |
| FACE | /opt/isr/security/keys/rss_cert.pem.<RSS host IP> | Imported RSS Converter and Recorder process public keys |

Signing Keys

Many ISR services use self-signed keys that are generated during installation. For better security, Oracle recommends that keys are signed by a Certificate Authority (CA). The certificates described in "Imported Certificates for Secure Communications" are self-signed when you install them. You must replace these with certificates signed by a certified Certificate Signing Authority (CSA). To obtain these properly signed certificates, you must generate a Certificate Signing Request (CSR) and use it to request a signed certificate from a CA.

To generate a CSR for your host:
  1. Run /opt/isr/configIsr.sh from the Linux command line.
  2. Choose the 'k' Manage ISR Keys option.
  3. Choose the 'c' Create Certificate Signing Request(s) option.
  4. Follow the instructions for creating a CSR.

CSRs are created in the /opt/isr/security/keys/ directory.

Once you have generated a CSR, you must send it to a CSA for signing, then install the signed certificate in place of the temporary self-signed certificate created during installation.

To import a signed certificate to your host:
  1. Run /opt/isr/configIsr.sh from the Linux command line.
  2. Choose the 'k' Manage ISR Keys option.
  3. Choose the 'i' Import a signed certificate option.
  4. Follow the instructions for importing your CA signed certificate.

Note:

If the CA has not provided the CA-signed ISR API/FACE certificate in bundled form, then each certificate issued by the CA (for example, root certificates, intermediate certificates, and the issued ISR API/FACE signed certificates) must be imported manually using the commands below.

The following command imports received root certificates to the tomcat keystore:
    keytool -import -file root.cert -alias root -keystore /opt/isr/security/keys/tomcat.keystore

The following command imports received intermediate certificates to the tomcat keystore:
    keytool -import -file intermediate1.cert -alias intermed1 -keystore /opt/isr/security/keys/tomcat.keystore

The following command imports received ISRAPI/Face certificates to the tomcat keystore:
    keytool -import -file CASigned_ISRAPI.cert -alias israpi-key -keystore /opt/isr/security/keys/tomcat.keystore
Or:
    keytool -import -file CASigned_Face.cert -alias face-key -keystore /opt/isr/security/keys/tomcat.keystore
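
A check worth running between receiving a signed certificate and importing it, shown here as an added example (it is not part of the Oracle documentation or the ISR tooling): it confirms that the returned certificate carries the same public key as the host's private key, is no longer self-signed, and verifies against the CA's root and intermediate certificates. The function names, file names and the throwaway demo CA are constructed for illustration; only the openssl commands themselves are real.

```shell
#!/bin/sh
# Added example: pre-import checks for a CA-signed certificate. Function names,
# file names and the demo CA are constructed for illustration.

# pubkey_digest <key|csr|cert> <file>: SHA-256 of the embedded public key.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 1 ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_signed_cert <private key> <returned certificate> <CA bundle>
# The bundle holds the root plus any intermediates, concatenated in PEM form.
check_signed_cert() {
    k=$(pubkey_digest key "$1")  || { echo "cannot read key"; return 2; }
    c=$(pubkey_digest cert "$2") || { echo "cannot read certificate"; return 2; }
    [ "$k" = "$c" ] || { echo "certificate does not match private key"; return 1; }
    subj=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" != "$iss" ] || { echo "certificate is still self-signed"; return 1; }
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 \
        || { echo "chain does not verify against CA bundle"; return 1; }
    echo "ok"
}

# make_demo_pki <dir>: constructed throwaway CA, host key, CSR and two certificates.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj "/CN=Constructed Demo CA" -days 1 2>/dev/null
    openssl genrsa -out "$1/host.key" 2048 2>/dev/null
    # Same form as the page's: openssl req -out <alias>.csr -key <keyfile> -new
    openssl req -out "$1/host.csr" -key "$1/host.key" -new -subj "/CN=isr-host.example.test"
    openssl x509 -req -in "$1/host.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/host_signed.pem" -days 1 2>/dev/null
    openssl x509 -req -in "$1/host.csr" -signkey "$1/host.key" \
        -out "$1/host_self.pem" -days 1 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
check_signed_cert "$demo/host.key" "$demo/host_signed.pem" "$demo/ca.pem" || true
check_signed_cert "$demo/host.key" "$demo/host_self.pem"   "$demo/ca.pem" || true
rm -rf "$demo"
```

The same `pubkey_digest` comparison between `key` and `csr` confirms, before a CSR leaves the host, that it was generated from the intended private key.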

Additional CSR Details

You may need to attach additional information to your CSR. The following shows the general format for using keytool to create a CSR:
    keytool -certreq -alias <alias> -keyalg RSA -file <alias>.csr -keystore /opt/isr/security/keys/tomcat.keystore

The following shows the general format for using openssl to create a CSR:
    openssl req -out <alias>.csr -key /opt/isr/security/keys/<keyfile> -new

Examples of Generating ISR Component CSRs

This section provides examples of generating ISR component CSRs.

RSS Certificate Signing
  • RSS Services Certificate
    openssl req -out rss.csr -key /opt/isr/security/keys/rss_key.pem -new
  • ISR API Certificate
    keytool -certreq -alias israpi-key -keyalg RSA -file israpi.csr -keystore /opt/isr/security/keys/tomcat.keystore

Dashboard Certificate Signing
  • Dashboard Certificate
    openssl req -out dash.csr -key /opt/isr/security/keys/server.key -new

FACE Certificate Signing
  • FACE API Certificate
    keytool -certreq -alias face-key -keyalg RSA -file face.csr -keystore /opt/isr/security/keys/tomcat.keystore