CloudEC V600R019C00 Security Maintenance (Enterprise On-premises, Only Conference)

Replacing the USM-EUA Security Certificate

The security certificate supports encrypted data transmission for websites to ensure data confidentiality, integrity, and non-repudiation. The USM-EUA ships with an embedded security certificate. To strengthen security, it is recommended that enterprises replace the embedded certificate with a commercial security certificate issued by a CA. Additionally, enterprises should ensure that their security certificates and private key files are accessible only to authorized personnel.

Prerequisites

JDK 1.6 or a later version has been installed. (The IBM JDK is not supported.)

To check the JDK version on the Windows operating system, choose Start > Run, enter cmd, and press Enter. In the CLI window that is displayed, run the java -version command.

Context

  • The USM-EUA can use the Java keytool to generate a security certificate.
  • Before replacing the original security certificate, back up the certificate and the configuration files. If the replacement fails, they can be used to restore the system.
  • After replacing the original security certificate, restart the USM-EUA. During the restart, USM-EUA services are unavailable. Therefore, perform the replacement task during off-peak hours.

Creating a Security Certificate

  1. Log in to the Linux operating system as the root user. The OpenSSL tool has been installed on the system.
  2. Go to the root directory.

    cd /

  3. Run the following command to generate the private key file serverkey.pem. The default encryption password for the private key is Huawei@123. Replace the password based on the site requirements.

    openssl genrsa -aes256 -out serverkey.pem 2048

    Set the following information as prompted:

    Enter pass phrase for serverkey.pem:
    #Enter the private key encryption password Huawei@123.
    Verifying - Enter pass phrase for serverkey.pem:
    #Enter the private key encryption password Huawei@123 again.

  4. Run the following command to generate the certificate request file server.csr.

    When prompted, enter the same private key encryption password (Huawei@123) that you set in step 3.

    openssl req -new -key serverkey.pem -out server.csr -sha256

    Set the following information as prompted:

    Enter pass phrase for serverkey.pem:
    #Enter the private key encryption password Huawei@123.
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    # Here, CN is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to UK.
    State or Province Name (full name) [Some-State]:zhejiang
    # Here, zhejiang is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to beijing.
    Locality Name (eg, city) []:hz
    # Here, hz is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to London.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:huawei
    # Here, huawei is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to bank.
    Organizational Unit Name (eg, section) []:huawei
    # Here, huawei is used as an example. Set this parameter based on the site requirements. For example, you can set this parameter to bank.
    Common Name (eg, YOUR name) []:Joy
    # Here, Joy is used as an example. The parameter is user-defined.
    Email Address []:111111.com
    # Enter an email address. Here, 111111.com is used as an example.
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    # Enter the certificate password and the name of the company that issues the certificate. Here Huawei@123 and huawei are used as examples.
    A challenge password []:Huawei@123
    An optional company name []:huawei

  5. Send the certificate request file server.csr to a certificate authority (CA) to apply for a public key certificate. Name the obtained public key certificate file servercert.pem.
  6. Rename the serverkey.pem and servercert.pem files as eua_key.pem and eua.pem respectively.

Generating the .keystore File

OpenSSL is bundled with the Linux operating system, so you are advised to perform this step on Linux.

  1. Log in to the Linux operating system as the root user.
  2. Upload the eua.pem and eua_key.pem files to the /opt directory on the destination server. For details, see Using the PuTTY to Upload Software Installation Packages.
  3. Go to the /opt directory.

    cd /opt

  4. Generate the .p12 file using OpenSSL.

    openssl pkcs12 -export -in eua.pem -inkey eua_key.pem -out euatest.p12

    Enter the private key password and then the export password for the .p12 file (this section uses Huawei@123 as an example for both) as prompted:

    Enter pass phrase for eua_key.pem:
    Enter Export Password:
    Verifying - Enter Export Password:

    ll

    Verify that a .p12 file (euatest.p12) similar to the following is listed.

    drwxr-xr-x 4 root root 20480 Mar 27  2014 certs
    drwxr-xr-x 3 root root  4096 Oct  9 09:30 demoCA
    -rw-r----- 1 root root  2146 Oct  9 17:55 eua.pem
    -rw-r----- 1 root root  1669 Oct  9 17:56 euatest.p12
    -rw-r----- 1 root root  2146 Oct  9 14:02 lpf.pem
    -rwxr-xr-x 1 root root  9374 Oct  9 10:55 openssl.cnf
    -rw-r----- 1 root root  1038 Oct  9 10:55 root.crt
    -rw-r----- 1 root root   963 Oct  9 10:55 root.key
    -rw-r----- 1 root root  2976 Oct  9 11:36 server.cer
    -rw-r----- 1 root root  2976 Oct  9 10:55 server.crt
    -rw-r----- 1 root root   619 Oct  9 10:55 server.csr
    -rw-r----- 1 root root   963 Oct  9 10:55 server.key
    -rw-r----- 1 root root  1669 Oct  9 13:50 server.pfx
    drwxr-xr-x 2 root root  4096 Mar 27  2014 servercerts

  5. Download the euatest.p12 file to any folder in the Windows operating system. For details, see Using the PuTTY to Download Files.
  6. Use Keytool to generate the .keystore file.

    In the Windows operating system, the Keytool is installed after you install the JDK. You are advised to perform this step in the Windows operating system.

    keytool -importkeystore -srckeystore euatest.p12 -destkeystore eua_server.keystore -srcstoretype pkcs12

    NOTE:

    Run the javac command in the CLI. If javac runs successfully, the JDK bin directory is in the PATH and you can run the preceding command in any directory. If javac fails, go to the directory where keytool is located (the bin directory of the JDK) and run the preceding command there.

    Enter the password for the new .keystore file (twice) and then the .p12 export password as prompted.

    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:
    Entry for alias 1 successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

    The certificate files are generated on the Windows operating system, as shown in Figure 7-13.

    Figure 7-13 Certificate files
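The key, CSR and .p12 steps above, as an added shell example that is not part of the Huawei document: the private key password is read from a mode-600 file via -passin/-passout instead of being typed at a prompt or placed on the command line, and the key and certificate are checked to belong together before the .p12 is exported. It assumes openssl is installed, reuses the page's example DN and the placeholder password Huawei@123, and substitutes a self-signed certificate for the CA-issued eua.pem so that it runs offline.

```shell
#!/bin/sh
# Steps 3, 4 and 6 of "Creating a Security Certificate" and step 4 of "Generating the
# .keystore File", run non-interactively. Passwords come from owner-only files; the
# values below are the page's placeholders and must be changed for a real deployment.
set -eu

make_eua_bundle() {  # make_eua_bundle DIR -> eua_key.pem, server.csr, eua.pem
    dir=$1
    umask 077                                      # every file created below is owner-only
    mkdir -p "$dir"
    printf '%s\n' 'Huawei@123' > "$dir/key.pass"   # CHANGE: private key password
    printf '%s\n' 'Huawei@123' > "$dir/p12.pass"   # CHANGE: .p12 export password
    # Step 3: 2048-bit RSA key encrypted with AES-256 (serverkey.pem).
    openssl genrsa -aes256 -passout "file:$dir/key.pass" -out "$dir/serverkey.pem" 2048 2>/dev/null
    # Step 4: SHA-256 CSR; -subj supplies the DN in place of the interactive prompts.
    openssl req -new -sha256 -key "$dir/serverkey.pem" -passin "file:$dir/key.pass" \
        -subj "/C=CN/ST=zhejiang/L=hz/O=huawei/OU=huawei/CN=Joy" -out "$dir/server.csr"
    openssl req -noout -verify -in "$dir/server.csr" 2>/dev/null   # CSR self-signature check
    # Step 5 stand-in (assumption for offline use): a self-signed certificate replaces the
    # certificate the CA returns. In production, eua.pem is the CA-issued certificate.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" -signkey "$dir/serverkey.pem" \
        -passin "file:$dir/key.pass" -out "$dir/eua.pem" 2>/dev/null
    mv "$dir/serverkey.pem" "$dir/eua_key.pem"     # step 6 file name
}

export_p12() {  # export_p12 DIR -> euatest.p12; fails if key and certificate do not match
    dir=$1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/eua.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/eua_key.pem" -passin "file:$dir/key.pass")
    if [ "$cert_mod" != "$key_mod" ]; then
        echo "eua.pem was not issued for eua_key.pem; refusing to export" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$dir/eua.pem" -inkey "$dir/eua_key.pem" \
        -passin "file:$dir/key.pass" -passout "file:$dir/p12.pass" -out "$dir/euatest.p12"
    # Confirm the bundle opens with the export password before handing it to keytool.
    openssl pkcs12 -in "$dir/euatest.p12" -passin "file:$dir/p12.pass" -nokeys -noout
}
```

The resulting euatest.p12 is then converted with the keytool -importkeystore command from step 6 exactly as the page describes.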

Replacing the Certificate on the Windows Operating System

  1. Go to the USM-EUA installation path D:\EUA\EUA_OpenAS\tools\tools\encryption.
  2. Enter cmd in the address box and press Enter to bring up the CLI window.
  3. Use the encryption tool to encrypt the cipher key and generate the key value encryptedKey and the encrypted keystore password encryptedPassword.

    openas_encrypt 0 CBC BMEIMPL@YYYYMMDD Huawei@123

    NOTE:

    Huawei@123 is the certificate private key password, which must be changed to the actual password.

    The key value and keystore password similar to the following are displayed:

    encryptedKey: 7ba17e9bbf8c5762dc11374200a9813841b7588ad7b97082453712ac19e1c7be79be01daaf292e7a2351b23021620e14
    encryptedPassword: 1e90ae522f97903a5f866bf1d534e4c49a26224b230d6c6ac039695eab703203

  4. Go to the USM-EUA certificate path D:\EUA\EUA_OpenAS\kernel\OpenAS_Tomcat7\conf.
  5. Use the new eua_server.keystore file to replace the original one.
  6. Replace the value of keystorePass in the server.xml file.
    1. Go to D:\EUA\EUA_OpenAS\kernel\OpenAS_Tomcat7\conf\ and open the server.xml file.
    2. Find the following information in the configuration file and replace the value of keystorePass with the value of encryptedPassword generated in 3, and save and exit the file.

      <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" allowTrace="false" ciphers="SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" clientAuth="false" connectionTimeout="20000" keystoreFile="conf/eua_server.keystore" keystorePass="d4bc5387e641b19e6633930e146cfd2a857e0161905b4d47f5f9fdfd87cae477" maxHttpHeaderSize="8192" maxKeepAliveRequests="100" maxPostSize="10240" maxThreads="150" port="8542" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" server="WebServer" sslEnabledProtocols="TLSv1.2,TLSv1.1" sslProtocol="TLS" xpoweredBy="false"/>

  7. Replace the value of ebus.ssl.keystore.pwd in the ebus.properties file.
    1. Go to D:\EUA\EUA_OpenAS\kernel\OpenAS_Tomcat7\webapps\EUA\WEB-INF\classes and open the ebus.properties file.
    2. Replace the value of ebus.ssl.keystore.pwd with the value of encryptedPassword generated in 3, and save and exit the file.
  8. Replace the value of common.key in the secretkey.properties file.
    1. Go to D:\EUA\EUA_OpenAS\kernel\OpenAS_Tomcat7\conf and open the secretkey.properties file.
    2. Replace the value of common.key with the value of encryptedKey generated in 3, and save and exit the file.
  9. Replace the value of bme.encryption.key in the bme.secretkey.properties file.
    1. Go to D:\EUA\EUA_OpenAS\kernel\OpenAS_Tomcat7\webapps\EUA\WEB-INF\conf and open the bme.secretkey.properties file.
    2. Replace the value of bme.encryption.key with the value of encryptedKey generated in 3, and save and exit the file.
  10. Use the encryption tool to encrypt the password of the USM-EUA database and generate the key value encryptedKey and the encrypted database password encryptedPassword.

    openas_encrypt 0 CBC BMEIMPL@YYYYMMDD Change_Me

    NOTE:

    Change_Me is the default password of the USM-EUA database. Change it based on the site requirements.

    The key value and the encrypted database password similar to the following are displayed:

    encryptedKey: 950099101db927d46d3fd0a648699ebb44b0e07604967626f96193e29c44358ac55058d1dd985acb258cb617a5fe8b0a
    encryptedPassword: 4d75d79fc08ef8038652d0c4eb4a066ee597692e8c5725e807686e9c447afddb

  11. Replace the value of bme.password in the jdbc.properties file.
    1. Go to D:\EUA\EUA_OpenAS\kernel\OpenAS_Tomcat7\webapps\EUA\WEB-INF\classes and open the jdbc.properties file.
    2. Replace the value of bme.password with the value of encryptedPassword generated in 10, and save and exit the file.
  12. Replace the value of password in the proxool.xml file.
    1. Go to D:\EUA\EUA_OpenAS\kernel\OpenAS_Tomcat7\webapps\EUA\WEB-INF\classes and open the proxool.xml file.
    2. Replace the value of password with the value of encryptedPassword generated in 10, and save and exit the file.
  13. Restart the USM-EUA for the new certificate to take effect.

    net stop "EUA SERVICE"

    net start "EUA SERVICE"

Replacing the Certificate on the Linux Operating System

  1. Log in to the USM-EUA server as the OMUSER user.

    NOTE:

    The OMUSER user is the maintenance user that is manually created by the operation personnel. Its password is user-defined.

  2. Switch to the euauser user.

    su - root

    su - euauser

  3. Use the encryption tool to encrypt the cipher key and generate the key value encryptedKey and the encrypted keystore password encryptedPassword.

    cd /home/euauser/EUA_OpenAS/tools/tools/encryption

    chmod +x openas_encrypt.sh

    ./openas_encrypt.sh 0 CBC BMEIMPL@YYYYMMDD Huawei@123

    NOTE:

    Huawei@123 is the certificate private key password, which must be changed to the actual password.

    The key value and keystore password similar to the following are displayed:

    encryptedKey: 7ba17e9bbf8c5762dc11374200a9813841b7588ad7b97082453712ac19e1c7be79be01daaf292e7a2351b23021620e14
    encryptedPassword: 1e90ae522f97903a5f866bf1d534e4c49a26224b230d6c6ac039695eab703203

  4. Upload the new eua_server.keystore file to the /home/euauser/EUA_OpenAS/kernel/OpenAS_Tomcat7/conf/ directory, and replace the original eua_server.keystore file.
  5. Replace the value of keystorePass in the server.xml file.

    cd /home/euauser/EUA_OpenAS/kernel/OpenAS_Tomcat7/conf/

    vim server.xml

    Find the following information in the configuration file and replace the value of keystorePass with the value of encryptedPassword generated in 3, and save and exit the file.

    <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" allowTrace="false" ciphers="SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" clientAuth="false" connectionTimeout="20000" keystoreFile="conf/eua_server.keystore" keystorePass="d4bc5387e641b19e6633930e146cfd2a857e0161905b4d47f5f9fdfd87cae477" maxHttpHeaderSize="8192" maxKeepAliveRequests="100" maxPostSize="10240" maxThreads="150" port="8542" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" server="WebServer" sslEnabledProtocols="TLSv1.2,TLSv1.1" sslProtocol="TLS" xpoweredBy="false"/>

    <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" allowTrace="false" ciphers="SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" clientAuth="false" connectionTimeout="20000" keystoreFile="conf/eua_server.keystore" keystorePass="d4bc5387e641b19e6633930e146cfd2a857e0161905b4d47f5f9fdfd87cae477" maxHttpHeaderSize="8192" maxKeepAliveRequests="100" maxPostSize="10240" maxThreads="150" port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" server="WebServer" sslEnabledProtocols="TLSv1.2,TLSv1.1" sslProtocol="TLS" xpoweredBy="false"/>

  6. Replace the value of ebus.ssl.keystore.pwd in the ebus.properties file with the value of encryptedPassword generated in 3, and save and exit the file.

    cd /home/euauser/EUA_OpenAS/kernel/OpenAS_Tomcat7/webapps/EUA/WEB-INF/classes

    vim ebus.properties

  7. Replace the value of common.key in the secretkey.properties file with the value of encryptedKey generated in 3, and save and exit the file.

    cd /home/euauser/EUA_OpenAS/kernel/OpenAS_Tomcat7/conf

    vim secretkey.properties

  8. Replace the value of bme.encryption.key in the bme.secretkey.properties file with the value of encryptedKey generated in 3, and save and exit the file.

    cd /home/euauser/EUA_OpenAS/kernel/OpenAS_Tomcat7/webapps/EUA/WEB-INF/conf

    vim bme.secretkey.properties

  9. Use the encryption tool to encrypt the password of the USM-EUA database and generate the key value encryptedKey and the encrypted database password encryptedPassword.

    cd /home/euauser/EUA_OpenAS/tools/tools/encryption

    ./openas_encrypt.sh 0 CBC BMEIMPL@YYYYMMDD Change_Me

    NOTE:

    Change_Me is the default password of the USM-EUA database. Change it based on the site requirements.

    The key value and the encrypted database password similar to the following are displayed:

    encryptedKey: 5c9402aa0c85a0da3bbfe80bd40cb50dea3aaa58543526b39e3edb070bd94c33a93317358846a4ba5c8d1e4c4ce2cafb
    encryptedPassword: 34e205f8178dbad531101cdaafc5415001f22d520ed66e2b2097449cceb791fc

  10. Replace the value of bme.password in the jdbc.properties file with the value of encryptedPassword generated in 9, and save and exit the file.

    cd /home/euauser/EUA_OpenAS/kernel/OpenAS_Tomcat7/webapps/EUA/WEB-INF/classes

    vim jdbc.properties

  11. Replace the value of password in the proxool.xml file with the value of encryptedPassword generated in 9, and save and exit the file.

    cd /home/euauser/EUA_OpenAS/kernel/OpenAS_Tomcat7/webapps/EUA/WEB-INF/classes

    vim proxool.xml

  12. Restart the USM-EUA for the new certificate to take effect.

    su - root

    service EUAService restart

Updated: 2019-08-07

Document ID: EDOC1100059091