2.8.4.6 Generating Certificate for PGX Server

This section describes how to generate certificates for the PGX server.

We recommend using a certificate issued by a certificate authority (CA) that your organization trusts for the Linux server where the PGX server will be installed. If a CA-issued certificate is not available, generate a self-signed certificate.

Generating a Self-Signed Server Keystore

To generate a self-signed server keystore:
  1. Execute the following command.
    keytool -genkey -alias pgx -keyalg RSA -keystore server_keystore.jks
  2. Provide the requested details.

    For example:

    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]: my.hostname.domain.com
    What is the name of your organizational unit?
      [Unknown]: OU
    What is the name of your organization?
      [Unknown]: MyOrganization
    What is the name of your City or Locality?
      [Unknown]: MyTown
    What is the name of your State or Province?
      [Unknown]: MyState
    What is the two-letter country code for this unit?
      [Unknown]: US
    Is CN=my.hostname.domain.com, OU=OU, O=MyOrganization, L=MyTown, ST=MyState, C=US correct?
      [no]: yes

Configuring PGX Server

To configure the PGX server, update the config.sh file. For more information, see the Configure the PGX Service section.

Trust Compliance Studio’s SSL Certificate

To trust Compliance Studio’s SSL certificate:
  1. Navigate to the <COMPLIANCE_STUDIO_INSTALLATION_PATH>/deployed/mmg-home/mmgstudio/conf directory.
  2. Obtain the Compliance Studio’s SSL certificate, “studio_server.p12”.
  3. Import the generated certificate to the Java CA certs by executing the following command.
    keytool -importcert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias studio_server -file <ca_cert_dir>/studio_server.cer

    Note:

    Replace <keystore path> with the absolute path of “studio_server.p12” and replace <ca_cert_dir> with the directory where studio_server.cer should be generated.

Configuring Compliance Studio Server

To configure the Compliance Studio server, trust the PGX Server’s certificate.

Trust PGX Server’s Certificate

To trust PGX Server’s certificate:
  1. Copy “ca_certificate.pem” from the PGX server to the Compliance Studio server.
  2. Import the copied certificate to the Java CA certs by executing the following command.
    keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias pgx -file /path/of/ca_certificate.pem -noprompt

    Note:

    Replace /path/of/ca_certificate.pem with the path where the certificate is copied.
  3. If the PGX server keystore is generated, copy “server_keystore.jks” from the PGX server to the Compliance Studio server.
  4. Import the copied keystore to the Java CA certs by executing the following command.
    keytool -importkeystore -srckeystore /path/of/server_keystore.jks -destkeystore $JAVA_HOME/lib/security/cacerts -deststorepass changeit -srcstorepass <keystore password> -noprompt

    Note:

    Replace <keystore password> with the password generated while creating the PGX server keystore.
  5. Update the PGX URL to set it as “https” using the following steps:
    1. Navigate to <COMPLIANCE_STUDIO_INSTALLATION_PATH>/bin directory.
    2. Open the config.sh file and update the “PGX_SERVER_URL” as https://<FQDN of PGX Server>:7007
    3. Reinstall Compliance Studio with updated configuration.

      (OR)

      Alternatively, update the PGX URL as follows:

    1. Navigate to the <COMPLIANCE_STUDIO_INSTALLATION_PATH>/deployed/mmg-home/mmgload-to-graph/graph-service/conf directory.
    2. Open the application.yml file and update the PGX_SERVER_URL.
    3. Navigate to the <COMPLIANCE_STUDIO_INSTALLATION_PATH>/deployed/mmg-home/mmgstudio/server/builtin/interpreters directory.
    4. Open the pgx.json and update the PGX URL in the PGX interpreter’s JSON file.
    5. Restart Compliance Studio.
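
The keystore generation and certificate import described above can be rehearsed in a scratch directory before touching $JAVA_HOME/lib/security/cacerts. The following script is an added example, not part of the original guide: it runs the keytool steps without prompts, exports only the public certificate, and reports which entry type each store holds. The passwords, the pgx_cert.pem and client_truststore.jks file names, and the helper function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rehearse the PGX certificate exchange in a scratch directory.
# Host name, passwords and the pgx_cert.pem / client_truststore.jks names are
# constructed sample values; nothing here touches the real cacerts file.
set -eu

KT_LANG=-J-Duser.language=en   # keep keytool output in English for parsing

# Create the self-signed PGX keystore without prompts (-genkeypair = -genkey).
make_server_keystore() {  # args: dir host storepass
  keytool $KT_LANG -genkeypair -alias pgx -keyalg RSA -keysize 2048 \
    -validity 365 -ext "SAN=dns:$2" \
    -dname "CN=$2, OU=OU, O=MyOrganization, L=MyTown, ST=MyState, C=US" \
    -keystore "$1/server_keystore.jks" -storepass "$3" -keypass "$3" \
    >/dev/null 2>&1
}

# Export only the public certificate, PEM-encoded, from the server keystore.
export_public_cert() {  # args: dir storepass
  keytool $KT_LANG -exportcert -rfc -alias pgx -file "$1/pgx_cert.pem" \
    -keystore "$1/server_keystore.jks" -storepass "$2" >/dev/null 2>&1
}

# Import that certificate into a scratch truststore standing in for cacerts.
import_into_truststore() {  # args: dir truststore_pass
  keytool $KT_LANG -importcert -noprompt -alias pgx -file "$1/pgx_cert.pem" \
    -keystore "$1/client_truststore.jks" -storepass "$2" >/dev/null 2>&1
}

# Print the entry type keytool lists for an alias:
# PrivateKeyEntry (key pair) or trustedCertEntry (certificate only).
entry_type() {  # args: keystore storepass alias
  keytool $KT_LANG -list -alias "$3" -keystore "$1" -storepass "$2" 2>/dev/null |
    grep -Eo 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

rehearse() {  # args: dir
  make_server_keystore "$1" my.hostname.domain.com 'Sample-Pass-1'
  export_public_cert "$1" 'Sample-Pass-1'
  import_into_truststore "$1" 'Sample-Trust-1'
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  rehearse "$d"
  echo "server: $(entry_type "$d/server_keystore.jks" 'Sample-Pass-1' pgx)"
  echo "client: $(entry_type "$d/client_truststore.jks" 'Sample-Trust-1' pgx)"
  rm -rf "$d"
fi
```

Run with `--demo` to print both entry types. A trustedCertEntry in the scratch truststore shows that it holds only the certificate, while the PrivateKeyEntry remains in server_keystore.jks.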