prompts for values required for the certificate generation as shown in the
appropriate values for the fields when prompted and follow the steps displayed on the console to install the regenerated certificates on RMS.
exceptions are seen on the console about aliases, remove the respective aliases from the cacerts using the following commands:
keytool -delete -alias <server-ca> -keystore /rms/app/CSCObac/jre/lib/security/cacerts -storepass changeit
[root@blrrms-serving-MR post_install]# ./dpe_certificate_regenarate.sh
Enter RMS App Password
Connection closed by foreign host.
What is your first and last name(Common Name)? ( ex: rms-serving-blr13.cisco.com )
What is the name of your organizational unit? (Min 2 characters)
What is the name of your organization? (Min 2 characters)
What is the name of your City or Locality? (Min 2 characters)
What is the name of your State or Province? (Min 2 characters)
What is the two-letter country code for this unit?
Is CN=rms-serving-blr13.cisco.com OU=CC, O=CISCO, L=BLR, ST=KA, C=IN Correct (yes/no) ?
Which signing algorithm would you like to choose for your certificates? [sha1/sha256]
Is CN=femtoacs81.movistar.cl OU=CC, O=CISCO, L=BLR, ST=KA, C=IN , default_md=sha256 Correct (yes/no) ?
Deleting server-ca , root-ca alias from cacerts
*NOTE: Ignore the error if certs are installed with different naming convention and delete them manually
keytool error: java.lang.Exception: Alias <server-ca> does not exist
keytool error: java.lang.Exception: Alias <root-ca> does not exist
create dpe keystore, private key and certificate request
Enter keystore password: Re-enter new password: Enter key password for <dpe-key>
(RETURN if same as keystore password): Re-enter new password: Enter destination keystore password:
Re-enter new password: Enter source keystore password: MAC verified OK
Connection closed by foreign host.
fix permissions on secure files
Dpe certificate regenerated Successfully
DPE CSR and keystore are regenerated and placed in '/rms/app/CSCObac/dpe/conf/self_signed' directory.
Follow the below steps to make TLS communication using the regenerated files
1.Sign the dpe.csr using signing authority and place the '<intermediate-ca>.cer, <root-ca>.cer and <client-ca>.cer' certificate files in '/rms/app/CSCObac/dpe/conf/self_signed' directory
2.Import '<intermediate-ca>.cer and <root-ca>.cer' certificates into the dpe cacerts using below commands:
NOTE: Provide the 'cacerts' password when prompted
/rms/app/CSCObac/jre/bin/keytool -import -alias server-ca -file <intermediate-ca.cer> -keystore /rms/app/CSCObac/jre/lib/security/cacerts
/rms/app/CSCObac/jre/bin/keytool -import -alias root-ca -file <root-ca.cer> -keystore /rms/app/CSCObac/jre/lib/security/cacerts
3.Import '<client-ca>.cer' certificate into dpe.keystore. using the below command:
NOTE: Provide the 'RMS_App_Password' password when prompted
/rms/app/CSCObac/jre/bin/keytool -import -trustcacerts -file <client-ca.cer> -keystore /rms/app/CSCObac/dpe/conf/self_signed/dpe.keystore -alias dpe-key
4.Copy dpe.keystore to conf/ folder using the below command:
cp /rms/app/CSCObac/dpe/conf/self_signed/dpe.keystore /rms/app/CSCObac/dpe/conf/
5.Change the permission of the keystore file and restart the dpe using below command:
chmod 640 /rms/app/CSCObac/dpe/conf/dpe.keystore
/etc/init.d/bprAgent restart dpe
Verify the TLS communication between the AP and DPE
DPE CSR and keystore are regenerated and placed in the /rms/app/CSCObac/dpe/conf/self_signed directory on execution of the script.
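The script output above tells you where the regenerated files land but gives no way to confirm that steps 2 and 3 actually took effect before you restart the DPE and test TLS against an AP. The following added check (not part of the Cisco RMS scripts) parses `keytool -list -v` output and confirms that the server-ca and root-ca aliases are present in cacerts and that dpe-key in dpe.keystore holds a private key whose certificate chain was replaced by the CA-signed reply; the paths, alias names and cacerts password are taken from the procedure, while the sample listings at the bottom are constructed and trimmed to the lines the checks read.

```shell
#!/bin/sh
# Added sanity check for regenerated DPE material (not a Cisco RMS script).
# Parses `keytool -list -v` output: CA aliases present in cacerts, and dpe-key
# carrying a full chain after the CA-reply import in step 3.
# Paths/aliases come from the procedure; sample listings below are constructed.
KEYTOOL=/rms/app/CSCObac/jre/bin/keytool
CACERTS=/rms/app/CSCObac/jre/lib/security/cacerts
DPE_KEYSTORE=/rms/app/CSCObac/dpe/conf/dpe.keystore

# has_alias LISTING ALIAS -> prints 1 if LISTING has an entry named ALIAS, else 0
has_alias() {
    printf '%s\n' "$1" | grep -c "^Alias name: $2\$" || :
}

# chain_length LISTING ALIAS -> prints the certificate chain length of key entry ALIAS
# (0 when the alias is missing or is a trustedCertEntry, which has no chain line)
chain_length() {
    printf '%s\n' "$1" | awk -v a="$2" '
        $0 == ("Alias name: " a)              { found = 1; next }
        found && /^Alias name: /              { exit }
        found && /^Certificate chain length:/ { print $4; seen = 1; exit }
        END { if (!seen) print 0 }'
}

# check_material CACERTS_LISTING DPE_LISTING -> 0 when everything is in place, else 1
check_material() {
    rc=0
    for a in server-ca root-ca; do
        [ "$(has_alias "$1" "$a")" -eq 1 ] || { echo "cacerts: alias $a not found"; rc=1; }
    done
    n=$(chain_length "$2" dpe-key)
    # A successful CA-reply import leaves the signed cert plus its issuer(s) on dpe-key;
    # length 1 means the entry still holds only the self-signed cert from the script.
    [ "$n" -ge 2 ] || { echo "dpe.keystore: dpe-key chain length is $n, expected 2 or more"; rc=1; }
    return $rc
}

# Constructed listings (only the lines the checks consume) for offline use.
SAMPLE_CACERTS='Alias name: root-ca
Alias name: server-ca'
SAMPLE_DPE='Alias name: dpe-key
Entry type: PrivateKeyEntry
Certificate chain length: 3'

check_material "$SAMPLE_CACERTS" "$SAMPLE_DPE" && echo "sample listings: OK"
# On the RMS host, feed the real stores (dpe.keystore prompts for RMS_App_Password):
#   check_material "$($KEYTOOL -list -v -keystore $CACERTS -storepass changeit)" \
#                  "$($KEYTOOL -list -v -keystore $DPE_KEYSTORE)"
```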