Legacy ID:KA312143
To resolve any of the above issues or generate a new self-signed certificate should it be expiring soon, follow the steps below.
- Stop all Application Server(s), Process Spawner (if used) and PXE (if used) services
- Generate a new certificate and bladelogic.keystore (make sure that <install_dir>\br\bladelogic.keystore does not already exist).
Skip this step if you only need to synchronize the keystores between servers.
- For 7.x:
- In an NSH shell, navigate to the 'java' directory in the Application Server installation
- Run: keytool -genkey -alias blade -keyalg RSA -keysize 1024 -dname "CN=hostname" -keypass <keystore_password> -storepass <keystore_password> -keystore "<install_dir>\br\bladelogic.keystore" -validity 1000
- For 8.x run this command in an NSH Shell:
- blmkcert CN=hostname "C:\Temp\bladelogic.keystore" <keystore_password> (Windows)
- blmkcert CN=hostname /tmp/bladelogic.keystore <keystore_password> (Unix)
- This command generates a 2048-bit RSA key and a self-signed certificate for an Application Server. The certificate is valid for three years and is stored under the "blade" alias.
- Copy the keystore to the correct location on the appserver
- For 7.6 through 8.3.x
- Copy the bladelogic.keystore generated in step 2 to each deployment directory in <install_dir>/br/deployments/ such as the following:
- <install_dir>/br/deployments/_launcher/
- <install_dir>/br/deployments/_spawner/
- <install_dir>/br/deployments/_template/
- <install_dir>/br/deployments/_pxe/ (if pxe is installed)
- <install_dir>/br/deployments/default/ (if it still exists)
- <install_dir>/br/deployments/<custom_instances>/ (if any additional instances were created by the user)
- Run the following blasadmin commands in an NSH Shell to update the Application Server, Process Spawner, PXE (if used) and Launcher deployments with the new keystore password
- blasadmin -a set appserver certpasswd <keystore_password>
- blasadmin -s _launcher set appserverlauncher keystorepassword <keystore_password>
- blasadmin -s _spawner set appserver certpasswd <keystore_password>
- (if pxe is installed) blasadmin -s _pxe set appserver certpasswd <keystore_password>
- In 7.x also run these:
- blasadmin -a set proc KeyStorePassword <keystore_password>
- blasadmin -s _spawner set proc KeyStorePassword <keystore_password>
- For 8.5 and higher
- Copy the bladelogic.keystore generated in step 2 to the <install_dir>/br/deployments directory on each application server.
- blasadmin -a set appserver certpasswd <keystore_password>
In 8.5 and higher there is a common bladelogic.keystore and CertPassword setting used across all instances of the appserver on the single system.
- Start the Application Server, Process Spawner (if used) and PXE Server (if used) services.
- Repeat steps 1, 3 and 4 (skip step 2) for all other physical (VM) servers that have Application Server(s) or PXE services for this environment, using the same bladelogic.keystore generated in step 2 (there is no need to create a new keystore on each physical server).
- Remove the temporary copy of the bladelogic.keystore in C:\Temp or /tmp.
The attached script attempts to automate steps 2-4 for 8.3 and below. It is not guaranteed to work. Use the -h option to display usage. It must be run via an NSH shell and in <install_dir> of the Application Server.
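An added example, not BMC's attached script or any BMC code: a POSIX shell function that compares the bladelogic.keystore in every deployment directory against the copy generated in step 2 and reports missing or differing files. It assumes the 7.6 through 8.3.x layout listed above; the function name check_keystores and the OK/MISSING/MISMATCH labels are illustrative.

```sh
#!/bin/sh
# Added example (assumption: <install_dir>/br/deployments/<instance>/ layout,
# as listed for 7.6 through 8.3.x). Not part of the vendor procedure.
#
# Usage: check_keystores /tmp/bladelogic.keystore <install_dir>/br/deployments
# Run it while the temporary copy from step 2 still exists.
#
# Prints one line per deployment directory and returns:
#   0  every deployment directory holds a byte-identical keystore
#   1  at least one keystore is missing or differs from the reference
#   2  the reference keystore itself was not found
check_keystores() {
    ks_ref=$1
    ks_deployments=$2
    ks_rc=0

    if [ ! -f "$ks_ref" ]; then
        echo "reference keystore not found: $ks_ref" >&2
        return 2
    fi

    # The trailing slash restricts the glob to directories
    # (_launcher, _spawner, _template, _pxe, default, custom instances).
    for ks_dir in "$ks_deployments"/*/; do
        [ -d "$ks_dir" ] || continue
        ks_file="${ks_dir}bladelogic.keystore"
        if [ ! -f "$ks_file" ]; then
            echo "MISSING  $ks_file"
            ks_rc=1
        elif ! cmp -s "$ks_ref" "$ks_file"; then
            # A stale keystore here means this instance would still present
            # the old certificate or fail to open the store with the new password.
            echo "MISMATCH $ks_file"
            ks_rc=1
        else
            echo "OK       $ks_file"
        fi
    done
    return "$ks_rc"
}
```

A non-zero return before the services are started points to a deployment directory that was skipped during the copy.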
To verify everything went correctly:
- Open the BSA RCP Console and in the ‘options’ menu select the certificates tab. Delete any certificates for your Application Server(s).
- Attempt to log in to the Application Server(s) where the new bladelogic.keystore was used.
- The console should prompt to accept a new certificate. Accept it.
- After connecting, go to ‘File | Reconnect’ in the console and look at the 'options' > Certificates tab again. Inspect the certificate from this appserver and confirm the new expiration date.
Related Products:
- BMC BladeLogic Server Automation Suite