Talk:Data Synchronizer Mobility Connector SSL Issues

From MicroFocusInternationalWiki

AlphaSSL (Subsidiary of GlobalSign)

AlphaSSL works perfectly with Data Synchronizer. http://www.alphassl.com

Howto create / replace the SSL certificates

Hi.

I had to replace the DataSynchronizer's SSL certificate for organisational reasons. Anyway, every certificate will expire some day... ;-) so I noted down the steps, hoping to save others some time doing the same.

After some struggling, this worked for me:

  • Create a new private key, without password protection:

You might want to create a folder like "/root/my-new-certs/" as a working directory for all actions below.

openssl genrsa -out privkey-datasync-company-com.pem 2048

  • Create a CSR for this private key:

openssl req -new -key privkey-datasync-company-com.pem -out my-csr-for-datasync-company-com.csr

The resulting CSR file will look like this:

-----BEGIN CERTIFICATE REQUEST-----
<encoded certificate request>
-----END CERTIFICATE REQUEST-----


  • Order an officially signed certificate

Visit the web page of one of the many SSL vendors out there to order your officially signed SSL certificate, using this CSR file (GoDaddy, Geotrust, Comodo, Thawte, psw, ...)

Depending on who your vendor is, the certification process will differ. Finally you will receive the certificates; we got two of them:

1.) "our" certificate:

-----BEGIN CERTIFICATE-----
<certificate, encoded>
-----END CERTIFICATE-----

2.) A "<vendor name> certificate chain" certificate:

-----BEGIN CERTIFICATE-----
<certificate, encoded>
-----END CERTIFICATE-----

According to the web pages I found, you might also need one or more additional "intermediate certificates" in the certificate chain.

  • Create your SSL certificate file: "mobility.pem"

Copy your private key and the certificates into one file, to create your personal, officially signed PEM format SSL certificate.
The order is important:
Topmost place your private key, followed by "your" SSL certificate that you've received from your vendor -- optional: followed by one or more intermediate certificates -- finally: the last one in the "certificate chain".
The resulting file should look like this:

-----BEGIN RSA PRIVATE KEY-----
<private key encoded>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<certificate, encoded>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<chain certificate, encoded (optional: One or more, additional intermediate certificates first)>
-----END CERTIFICATE-----

  • Save this file as "mobility.pem":

Copy this one to some folder on your DS-Server, e.g. "/root/my-new-certs/" mentioned on top.

  • Note upon mobility.cer:

I found that file "/var/lib/datasync/device/mobility.cer", IIRC this one is for certain mobile devices that expect the certificate encoded in DER key format, not really sure about this!!

  • Create the file "mobility.cer":

openssl x509 -outform der -in mobility.pem -out mobility.cer

  • Copy the files to this folder:

If you are replacing your certificate, you might want to back up the old file(s) first.

/var/lib/datasync/device/mobility.pem
/var/lib/datasync/device/mobility.cer

  • Restart DataSynchronizer:

rcdatasync restart

  • Check the SSL certificate:

Open the URL of your Data Synchronizer in Firefox, IE, ..., e.g.:

 https://datasync.yourcompany.com/

You should see a blank page, no errors should show up.
Use the browser to check the SSL certificate. If it is fine, you should be done.

You can also check the certificate locally at your DS-server:

openssl s_client -connect 127.0.0.1:443

... or from a different SLES box ...

openssl s_client -connect ds-ip-address:443


Regards, Rudi.
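
A pre-flight check for the combined mobility.pem before it is copied to /var/lib/datasync/device/, as an added example that is not part of the original post. The function names are hypothetical, and an RSA key created with openssl genrsa as in the steps above is assumed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the combined mobility.pem.
# All function names are hypothetical; an RSA key (openssl genrsa) is assumed.

# Print the PEM block types in file order, one per line.
pem_block_order() {
    sed -n 's/^ *-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Succeed only if the file holds one private key first, then >= 1 certificate.
check_pem_layout() {
    pem_block_order "$1" | awk '
        NR == 1 && $0 !~ /PRIVATE KEY$/ { bad = 1 }
        NR > 1  && $0 != "CERTIFICATE"  { bad = 1 }
        END { if (bad || NR < 2) exit 1 }'
}

# Succeed only if the key and the first certificate carry the same public key.
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed if "others" can read the file, which holds an unencrypted key.
key_file_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

verify_mobility_pem() {
    check_pem_layout "$1" ||
        { echo "FAIL: expected private key first, then certificate(s)"; return 1; }
    key_matches_cert "$1" ||
        { echo "FAIL: private key does not match the first certificate"; return 1; }
    key_file_world_readable "$1" &&
        echo "WARN: $1 contains an unencrypted key and is world-readable"
    echo "OK: $1"
}

# Run directly as: sh check-mobility-pem.sh /root/my-new-certs/mobility.pem
if [ "$#" -gt 0 ]; then
    verify_mobility_pem "$1"
fi
```

A layout failure usually means the blocks were pasted in the wrong order; a key mismatch means the certificate was issued for a different CSR than the one made from this private key.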