How-To change/install an SSL Certificate on Skyformation Server - Step by step guide
This guide will help you to change the default https server certificate with one provided by the customer.
In all the steps, make sure you have root access.
Steps:
- Locate the sk4_conf directory under /opt/exabeam/data/sk4/conf.
If you can't find it under the above directory, run the following command to locate it:docker volume inspect sk4_conf
If the directory doesn't exist, please contact our support team at support@skyformation.com. - (IMPORTANT) backup sk4cacerts, sk4keystore.jks files.
- Copy your certificate to the sk4_conf volume located in step 1.
- Run this command to enter the tomcat container:
docker exec -ti $(docker container ls | grep sk4 | grep tomcat | cut -f1 -d" ") bash - Navigate to the sk4conf directory inside the container:
cd /usr/local/tomcat/sk4conf/ - Based on your certificate file format, run the corresponding command:
pem format:
Rename your certificate file to SF_cert.pem
p7b format:openssl pkcs7 -inform der -print_certs -in <your-certificate-file>.p7b -out SF_cert.pem
crt format:openssl x509 -inform der -print_certs -in <your-certificate-file>.crt -out SF_cert.pem - Merge your PEM certificate with the private key (app.key) into p12:
openssl pkcs12 -export -name skyformation -in SF_cert.pem -inkey app.key -out merged.p12
Note: the alias "skyformation" is important! - Remove the existing skyformation certificate:
keytool -delete -alias skyformation -keystore sk4keystore.jks - Import p12 into keystore:
keytool -importkeystore -srcstoretype pkcs12 -srckeystore merged.p12 -destkeystore sk4keystore.jk -
If the certificate password is not 'changeit' and the keystore password was left unchanged, then change the password in this case:
keytool -keypasswd -alias skyformation -keypass <old-password> -new changeit -keystore sk4keystore.jks -storepass changeit
The password for the keystore by default is changeit and must be equal to the SkyFormation alias password. -
(OPTIONAL) if you would like to set a password other than the default password, then follow these steps:
-
Run the following command to add your new password to the keystore:
keytool -storepasswd -new <new-password> -keystore sk4keystore.jks -storepass changeit - Open /usr/local/tomcat/conf/server.xml for the update, change password from "changeit" to your new password:
-
- Exit the container:
exit - Restart the app to take effect:
sudo systemctl restart sk4compose - DONE!
Comments
7 comments
Hi,
the sk4 directory is located at /opt/ and not in /opt/exabeam/data/
Can i follow the procedure anyway?
Hi,
If you know the volume location you can proceed, anyway, you will get help how to detect sk4 directory location during the procedure
Actually i'm getting some permission errors
Make sure you are running on root, and not on exabeam:
sudo su -
I updated the cert using your procedure, no errors with commands but actually i can't see the login page anymore...it goes in time out.
I also updated the password of the keystore from the xml file because i can't use "changeit" for the new customer certificate.
is the Skyformation alias mandatory?
Yes it is mandatory. Please redo the procedure exactly as described, with the alias
Please sign in to leave a comment.