4 Generating and Deploying DISA Certificate

This chapter includes the following topics:

Setting Up DISA Environments and Generating DISA Certificates

Perform the following configurations to manage DISA certificate-related issues, if any:

  1. Enabling DISA for Siebel HTTPS Environment

  2. CA Signed DISA Certificate Generation and Deployment Process

    Enabling DISA for Siebel HTTPS Environment

    This configuration is applicable only to a Siebel HTTPS environment in which the Transport Layer Security (TLS) protocol is enabled using a self-signed certificate. If you are using certificates from a recognized CA, this configuration is not required because those CA certificates are already present in the JVM truststore.

    To enable DISA for a Siebel HTTPS environment

    1. Identify the JVM DISA used.

      DISA uses its bundled JVM in <DISA_INSTALL_DIR>\jre by default. To identify the JVM, refer to Identifying the JVM DISA used on Windows.

    2. Export the X.509 public key certificate file that the Siebel HTTPS environment uses.

      Note: The Administrator responsible for enabling SSL for Siebel can provide the certificate. You can also export the certificate from browsers such as Chrome and Firefox when visiting the Siebel HTTPS environment. For more information, refer to Exporting the certificate from Google Chrome.

      Before you import the certificate, validate its content by confirming that the Java keytool can parse it and display its details, for example: keytool -v -printcert -file C:\certname.cer

    3. Import the certificate into the JVM truststore as follows:

      1. Run the following command in cmd.exe with Administrator privileges (on one line):

        "C:\DISA\jre\bin\keytool.exe" -import -noprompt -trustcacerts -alias testalias -file "C:\certname.cer" -keystore "C:\DISA\jre\lib\security\cacerts" -storepass changeit

      2. Replace the following values in the command:

        C:\DISA\jre: the path of the JVM identified in step 1
        testalias: the alias under which the certificate is stored
        C:\certname.cer: the path of the certificate exported in step 2
        changeit: the truststore password; by default the password is the string "changeit"
        
    4. Restart DISA to make the updates to truststore take effect.

    5. Refresh or log in to Siebel.

      Tip: After you enable DISA in the Siebel HTTPS environment, you can use the updated cacerts file (C:\DISA\jre\lib\security\cacerts in the example) across different client machines in which DISA is installed and skip the configuration steps.
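The five steps above, automated as an added PowerShell example that is not part of the Oracle documentation: it checks that keytool can parse the exported certificate, refuses to overwrite an existing alias, imports into the DISA JVM's cacerts and verifies the result. The JRE path, certificate path, alias and password are assumed defaults taken from the example command above and should be adjusted.

```powershell
# Added example, not from the Oracle documentation. Validates the exported
# Siebel certificate with keytool, imports it into the DISA JVM truststore,
# and verifies the import. Run from an elevated PowerShell prompt.
param(
    [string]$JreHome   = 'C:\DISA\jre',      # JVM found via "Identifying the JVM DISA used"
    [string]$CertFile  = 'C:\certname.cer',  # X.509 certificate exported in step 2
    [string]$Alias     = 'siebel-https',     # assumed alias; any unused alias works
    [string]$StorePass = 'changeit'          # default cacerts password
)
$keytool = Join-Path $JreHome 'bin\keytool.exe'
$cacerts = Join-Path $JreHome 'lib\security\cacerts'
foreach ($p in $keytool, $cacerts, $CertFile) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}

# Step 2 check: keytool must be able to parse the certificate before import.
$printed = & $keytool -v -printcert -file $CertFile 2>$null
if ($LASTEXITCODE -ne 0) { throw "keytool cannot parse $CertFile" }
$printed | Select-String -Pattern '^\s*(Owner|Issuer|Valid from|SHA256):'

# Do not silently replace an existing entry; choose a different alias instead.
& $keytool -list -keystore $cacerts -storepass $StorePass -alias $Alias *> $null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $cacerts" }

# Keep a copy of the truststore so the change can be rolled back.
Copy-Item -LiteralPath $cacerts "$cacerts.bak" -Force

# Step 3: the import command from the procedure, with the placeholders filled in.
& $keytool -import -noprompt -trustcacerts -alias $Alias -file $CertFile `
    -keystore $cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw 'Import failed' }

# Verify the new entry and record its fingerprint for the change log.
& $keytool -list -v -keystore $cacerts -storepass $StorePass -alias $Alias |
    Select-String -Pattern '^\s*(Alias name|Owner|SHA256):'
Write-Host 'Step 4: restart DISA so the updated truststore takes effect.'
```

The resulting cacerts file is the one the Tip above describes: once verified, it can be copied to other client machines running the same DISA build.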

      Identifying the JVM DISA used on Windows

      To identify the JVM DISA used on Windows

      1. Open Windows Task Manager.

      2. From the View menu, select Select Columns.

      3. In the Select Process Page Columns window, select the Image Path Name check box and click OK.

      4. Run DISA.

        Locate the process javaw.exe or javaw.exe *32 in the Processes tab in the Windows Task Manager and note down the Image Path Name.

        Exporting the certificate from Google Chrome

        To export the certificate from Google Chrome

        1. Open the Siebel application using the format: http://<server>.us.oracle.com:<port>/siebel/app/<appname>/<lang>. For example http://slc06wyt.us.oracle.com:16660/siebel/app/callcenter/enu.

          Disregard the security error that may appear and proceed until the Siebel login page displays with an HTTPS URL.

        2. Open Google Chrome Developer Tools.

        3. Select the Security tab.

        4. Click View Certificates. The certificate viewer opens up.

        5. Export the certificate file with the following steps:

          1. Click the Details tab in the Certificate window.

          2. Click the Copy to File… button.

          3. The Certificate Export Wizard opens. Follow the instructions in the wizard.

            1. Select the export file format and click Next.

            2. Click Browse to export the file.

            3. Enter the certificate file name in the Save As screen and click Save. The certificate name and path are displayed in the File to Export screen. Note them down for later use.

            4. Click Finish.

          CA Signed DISA Certificate Generation and Deployment Process

          The DISA installer gathers the necessary information and generates the key store file (disa.jks) required for secure DISA communication. The key store is the repository in which the DISA private key and public key certificates are stored.

          By default, DISA generates a self-signed certificate for the secure connection with the browser. For security reasons, the default DISA certificate carries a basic constraint: it is restricted to server and client authentication and cannot be used as a Certificate Authority (CA) certificate. However, DISA can also use an X.509 certificate signed by an enterprise certificate authority.

          The default self-signed certificate can be replaced with a valid CA signed certificate to match enterprise security policy.

          To generate and deploy a CA signed DISA certificate, perform the following tasks:

          1. Generating Certificate Signing Request File

          2. Sending the DISA Certificate Signing Request (CSR) to CA

          3. Determining the Certificate Chain

          4. Exporting Certificate from Certificate Path View

          5. Importing Certificates to DISA Key Store

          6. Deploying DISA Using the New Key Store File

            Generating Certificate Signing Request File

            You can generate a Certificate Signing Request file from an existing key store file.

            To generate a Certificate Signing Request file

            1. Run DISA installer to install a copy of the DISA application.

              1. Select the option Generate Keystore and Certificate in the DISA Certificate install step.

              2. Provide correct details about the organization and address in accordance with CA policy.

              3. Clear the option Import Certificate into Trusted Root.

              4. Retain other configurations in the other install steps. Click Next to reach the Install Complete step. Click Finish.

              5. Create a backup of the disa.jks file in the DISA installation directory so that a safe copy exists in case the following steps fail.

            2. Start a command prompt window; navigate to <DISA_HOME>\DesktopIntSiebelAgent folder using the cd command.

            3. Make sure no DISA instance is running. In the command window, run command:

              disa.exe keymgr -certreq -file <path_to_output_csr_file>
              

              Replace the placeholder <path_to_output_csr_file> with the path where the .csr file should be generated.

              For example:

              disa.exe keymgr -certreq -file disa_to_be_signed.csr
              

              This command will generate a Certificate Signing Request file named disa_to_be_signed.csr in the current folder.

              Sending the DISA Certificate Signing Request (CSR) to CA

              Send the Certificate Signing Request to the CA. The CA issues a new X.509 certificate based on the CSR, for example disa_signed.cer.

              Note: Make sure that the root CA certificate is trusted on the machine on which DISA is deployed and that the new DISA certificate is valid.

                Determining the Certificate Chain

                A valid certificate may be trusted through a Certificate Chain.

                To determine a Certificate Chain

                1. Open a certificate.

                2. Navigate to the Certificate Path tab. The certificate chain for the current certificate is displayed.

                  The certificate path may include:

                  • Root Certificate

                  • Intermediate Certificate

                  • End Entity Certificate

                  Note: For DISA certificates, if there is a root certificate and intermediate certificate in the Certificate Path, they need to be imported to the DISA key store together with the DISA certificate.

                  Exporting Certificate from Certificate Path View

                  To export a certificate from Certificate Path View

                  1. Select the certificate and click View Certificate in the Certificate window.

                  2. Navigate to the Details tab and then click Copy to File.

                  3. Follow the Certificate Export Wizard instructions using the default options.

                  4. Export the root certificate and any intermediate certificate.

                    Importing Certificates to DISA Key Store

                    To import certificates to DISA key store

                    1. Import the root and the intermediate certificate to DISA key store so DISA can use them for the secure connection. The import command is:

                      disa.exe keymgr -importcert -file <path_to_certificate> [-alias <alias name>]
                      
                    2. Replace the place holder <path_to_certificate> with the actual certificate file name and path.

                      To import the DISA certificate, the parameter -alias is optional. However, for root and intermediate certificates, the -alias parameter is required to indicate the alias for the certificate.

                      • Use the following command to import Root Certificate:

                        disa.exe keymgr -importcert -file rootca.cer -alias root
                        
                      • Use the following command to import Intermediate Certificate, if any:

                        disa.exe keymgr -importcert -file intermediate1.cer -alias intermediate1
                        disa.exe keymgr -importcert -file intermediate2.cer -alias intermediate2
                        
                      • Use one of the following commands to import the new DISA Certificate:

                        disa.exe keymgr -importcert -file disa_signed.cer
                        disa.exe keymgr -importcert -file disa_signed.cer -alias disa
                        
                      Note: The DISA certificate must either be imported with -alias disa or without the -alias parameter at all. Any other alias for the DISA certificate is rejected.
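The chain determination, export and import steps above, automated as an added PowerShell example that is not part of the Oracle documentation. The DISA folder, the certificate paths and the output folder are assumptions; the keymgr commands and the root, intermediateN and disa aliases are the ones shown above.

```powershell
# Added example, not from the Oracle documentation. Builds the chain of the
# CA-signed DISA certificate with .NET, exports each CA certificate as a DER .cer
# file and imports root, intermediates and the DISA certificate into disa.jks.
param(
    [string]$DisaHome   = 'C:\DISA\DesktopIntSiebelAgent',  # assumed folder with disa.exe and disa.jks
    [string]$SignedCert = 'C:\certs\disa_signed.cer',       # certificate returned by the CA
    [string]$OutDir     = 'C:\certs\chain'                  # where exported CA certificates go
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Copy-Item -LiteralPath (Join-Path $DisaHome 'disa.jks') "$OutDir\disa.jks.bak" -Force  # safe copy

$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SignedCert
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the path is needed here, not revocation
if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Chain does not end at a root trusted on this machine; see the Note above.'
}

# ChainElements[0] is the DISA (end entity) certificate; the last element is the root.
$certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
$n = $certs.Count
if ($n -lt 2) { throw 'Certificate is self-signed; there is no CA chain to import.' }

# Import order: root first, then intermediates from the root downward, DISA certificate last.
$plan = @([pscustomobject]@{ Cert = $certs[$n - 1]; Alias = 'root' })
$k = 1
for ($i = $n - 2; $i -ge 1; $i--) {
    $plan += [pscustomobject]@{ Cert = $certs[$i]; Alias = "intermediate$k" }
    $k++
}

$disaExe = Join-Path $DisaHome 'disa.exe'
Push-Location $DisaHome   # the procedure runs keymgr from the DesktopIntSiebelAgent folder
try {
    foreach ($p in $plan) {
        $file = Join-Path $OutDir "$($p.Alias).cer"
        [IO.File]::WriteAllBytes($file, $p.Cert.Export('Cert'))   # DER encoded X.509
        Write-Host ("{0,-14} {1}" -f $p.Alias, $p.Cert.Subject)
        & $disaExe keymgr -importcert -file $file -alias $p.Alias
        if ($LASTEXITCODE -ne 0) { throw "Import of $($p.Alias) failed" }
    }
    # The DISA certificate itself must use alias 'disa' (or no -alias at all).
    & $disaExe keymgr -importcert -file $SignedCert -alias disa
    if ($LASTEXITCODE -ne 0) { throw 'Import of the DISA certificate failed' }
} finally { Pop-Location }
```

Stop any running DISA instance before running the script, as the CSR step above requires, and keep the disa.jks.bak copy until the deployment in the next section has been verified.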

                      Deploying DISA Using the New Key Store File

                      The new disa.jks file now contains the new certificate.

                      To deploy DISA using the disa.jks file

                      1. Deploy DISA on other machines using the disa.jks file.

                      2. Select the installer option Generate Certificate Using Existing Keystore.

                      3. Clear the option Import Certificate into Trusted Root.