How To: iMC Webserver Certificate

This post will describe the process of installing your own iMC webserver certificate for the iMC webserver. We will create a certificate template for Windows Server 2008R2 and use this template for the certificate. This certificate is than exported and used as the iMC webserver certificate. Most of the information comes from the HP documentation on this site:

HP iMC – How to install User Certificates on the iMC Server

I use the latest iMC version for this post, which is iMC 7.1. The certificate in iMC is stored in a Java keystore. The file is located at “[iMC installation dir]iMCclientsecurity” and the file name is “newks”. We need to create a new keystore file with the new certificate information. The good news is, that iMC has all the needed tools included. Before we start with iMC, we need to create the certificate. I will use windows server 2008R2 as a certificate server.

Create a certificate with Windows Server 2008R2

I assume that windows server is installed with the certificate authority role.I will use a modified version of the web server template as the iMC webserver certificate. Simply open the “Certificate Authority” management console, right-click on “Certificate Templates” and select “Manage”:

CA-Manage-Templates
CA-Manage-Templates

You will see a list with all available certificate templates. Look for the “Web Server” template and duplicate this certificate by using a right-click on the certificate and click “Duplicate Template”. Select Windows Server 2003 Enterprise and click “OK”. The properties window will appear. Click on “Request Handling” and check the check box for exporting the private key:

CA-private-key-export
CA-private-key-export

Go to the “Security” tab and add the iMC server to the list of objects who can get access to the certificate:

CA-Template-Security
CA-Template-Security

Don’t forget to assign a name to the template and click “OK”. This will save the template. Close the “Certificate Template Console” and  do a right-click on “Certificate Templates” and navigate to “New–>Certificate Template to Issue”:

CA-Add-Certificate-Template
CA-Add-Certificate-Template

Select the created certificate template and click on “OK”. The created certificate will now be in the list of available certificate templates.

The next step is to request this certificate from the CA with the iMC server. Head over to the iMC server and open the certificate MMC by open the “Microsoft Management Console”. Click on “File–>Add/Remove Snap-in” to add the “Certificates” Snap-in:

MMC
MMC

When asked, select “Computer account” and click “Next” and select the “Local Computer”. Click “OK” to add the console. Navigate to the “Personal” certificates and right-click on “Certificates” to select “All Tasks–>Request New Certificate”:

MMC-Request-New-Certificate
MMC-Request-New-Certificate

Click “Next” and select the “Active Directory Enrollment Policy” and click again “Next”. On this page check the check box for the template, we created earlier. Click on the yellow warning triangle to insert additional information for the certificate:

MMC-Certificate-Properties
MMC-Certificate-Properties

I only use “Alternate Name” for DNS and IP. Click “OK” to save the settings. Click “Enroll” and you will find the certificate in your certificate store. You can now export the certificate using the certificate snap-in. Just right-click on the enrolled certificate and navigate to “All Tasks–>Export”:

MMC-Export-Certificate
MMC-Export-Certificate

The wizard will guide you through the process of export. Just make sure, you select to export the private key:

MMC-Export-with-Private-Key
MMC-Export-with-Private-Key

On the next page select to include the whole certificate chain:

MMC-Export-Certificate-Chain
MMC-Export-Certificate-Chain

The rest of the wizard is obvious and self explaining. After you have finished the export of the certificate you can start to import this certificate into iMC and use it as the new iMC webserver certificate.

Import the iMC Webserver Certificate

To start the import of the iMC webserver certificate you need to use the tools provided by iMC. Open a command line and navigate to “[iMC installation directory]\deploy\jdk\bin”. The first step is to convert the certificate to a java keystore:

 

C:\Program FilesiMC\deploy\jdk\bin:keytool.exe -importkeystore -srckeystore c:\Users\Administrator\Desktop\imc.pfx -destkeystore c:\Users\Administrator\Desktop\newks_imc -srcstoretype pkcs12 -deststoretype JKS -storepass iMCV500R001 -v
Geben Sie das Passwort f³r den Quell-Keystore ein:
Eintrag f³r Alias le-newwebserver-72c54659-887d-47e5-b845-b7f56dd3b9ea erfolgrei
ch importiert.
Importbefehl abgeschlossen:  1 Eintrõge erfolgreich importiert, Fehler oder Abbr
uch bei 0 Eintrõgen
[c:\Users\Administrator\Desktop\newks_imc wird gesichert.]

 

********UPDATE August 21st 2017********

Since version 7.3 E0506 you do not need to use the password from above. You can use your own password.

*****************************************

The password is needed, as the iMC server is expecting a password for the keystore. Use the iMC default password for the keystore, which is “iMCV500R001”, since version 5.1. After you have converted the certificate to a keystore you need the alias, which was generated. In my case it is:

le-newwebserver-72c54659-887d-47e5-b845-b7f56dd3b9ea

We need this alias for the next steps.

Now, we need to change the alias to the one, iMC is expecting. Run this command on the created keystore:

 

C:\Program Files\iMC\deploy\jdk\bin:keytool.exe -keyclone -keystore c:\Users\Administrator\Desktop\newks_imc -alias le-newwebserver-72c54659-887d-47e5-b845-b7f56dd3b9ea -dest imc
Geben Sie das Keystore-Passwort ein:
Geben Sie das Passwort f³r  ein.
Geben Sie das Passwort f³r  ein.
        (EINGABETASTE, wenn selber Name wie f³r )

For the guys with no german skills :), after issuing the command, you will be asked to provide the keystore password, which is “iMCV500R001”. Afterwards you need to provide the password, which was used to export the certificate from the certificate store. Last but not lest, you will be asked which password should be used for the cloned entry. Use the keystore password for that one, which is “iMCV500R001”.

********UPDATE August 21st 2017********

Since version 7.3 E0506 you do not need to use the password from above. You can use your own password but it should be the same, which was used for the keystore file itself.

*****************************************

Now, we need to remove the original alias from the keystore:

 

C:\Program Files\iMC\deploy\jdk\bin:keytool.exe -delete -keystore c:\Users\Administrator\Desktop\newks_imc -alias le-newwebserver-72c54659-887d-47e5-b845-b7f56dd3b9ea
Geben Sie das Keystore-Passwort ein:

You need to provide the password for the keystore. Afterwards, only the “imc” alias is in the keystore. You can check this by using this command:

 

C:\Program Files\iMC\deploy\jdk\bin:keytool.exe -list -v -keystore "c:\Users\Administrator\Desktop\newks_imc"

 

********UPDATE August 21st 2017********

Since version 7.3 E0506 you do not need to copy the key store file manually into a folder in the iMC directory. You can use the iMC GUI to import the file. Log into iMC and go to  “System–>System Configuration–>HTTPS Access Settings”:

iMC Webserver Certificate - Import the Java Key Store File
iMC Webserver Certificate – Import the Java Key Store File

On this page, you can select the key store file from above and you need to enter the password for the file itself and for the key itself. Afterwards, you have to restart iMC and the new key file with the new certificate is used.

*****************************************

The last step is to copy the new keystore into the imc directory to use the new iMC webserver certificate. Before you do that, stop imc with the imc agent.

As mentioned above, the iMC webserver certificate is stored in the “[iMC installation dir]\iMC\client\security” directory in the “newks” file. I recommend to backup the original iMC weberver certificate by rename the “newks” file to “newks.backup”. Now, copy the new iMC webserver certificate by copying the create keystore file into the directory.

Afterwards, restart iMC and check with a browser of choice if the new iMC webserver certificate is used.

For this post I also used the information from those two blogs:

Importing a Digital Certificate to HP’s Intelligent Management Center (iMC)

Installing HP iMC – Intelligent Management Center

*** Update 25.11.2014***
It looks like iMC will override the “newks” file when doing an update. At least, the upgrade from 7.1 E0302 to 7.1 E0303 changed my certificate back to the default one. Simply copying the created “newks” file into the “security” directory solved the issue. Looks like this has to be one step in my upgrade path.
*** End of Update***

For any questions or feedback, please us the comment function.

22 thoughts on “How To: iMC Webserver Certificate”

  1. Hello Florian
    i use your method with imc 7.3 but i think the password is wrong iMCV500R001, because i have the following message :
    failed to decrypt safe contents

    thank for help
    Alain

    • Hi defrance, with iMC 7.3 you can change the certificate in the web GUI of iMC. I will write an update to this post in the next weeks. There is no need anymore to use the old way.

        • Currently, I was not able to test this procedure by myself so I do not know which certificate format you need. But will figure this out in the coming weeks.

          • Hi Alain,
            I have updated the post above with the latest information. You cannot upload a certificate. You have to upload a java key store file. I have altered the post to reflect this new option.

  2. Hello,
    I tested this procedure with the latest iMC version (7.3 E0504P04) and it works.
    I had to take my time. You should explain that we should use a temporary folder until the last step, copy the “newks” file in the “%iMC installation folder%\client\security”.

    Thanks a lot !

    Seb

    • Hi Seb,
      thanks for the feedback, You are correct, you should use the temp folder until the last step to not override the existing file.
      With the latest version (E0504P04) you can change the web server cert using the web gui. Just go to “System–>System Configuration–>HTTPS Access Settings”. I will write a post to this as well. As an update the one above.
      Many thanks,
      Florian

  3. Hello Florian!

    Are there any changes in process for IMC7.2 and 7.3? Seems like this method doesn’t work with them.

    Ilya

  4. Hi lavanya,

    The purpose of the iMC webserver certificate is to encrypt the connection between the operator, using iMC, and the iMC server. With the help of this certificate you can connect to iMC sing HTTPS instead of plain HTTP. If you would like to use your own certificate instead of the standard certificate which comes with the iMC installation, the post above will help guide you through.

    BR
    Florian

  5. I received the info from HP Support, that updates after E0303P08 no longer overwrite the certificate eg. newks. So the first update without this fault would be E0303P09. The newest update E0303P06 for IMC Platform also overwrites the newks.

    Absolute incomprehensibly for me, that this fault isn't solved after first responses from customers, but so it is…

  6. Hi Daniel,

    I did the update from iMC PLAT 7.1 (E0303P06) to iMC PLAT 7.1 (E0303P10) and the certificates was overwritten. I will test again with the next update.
    If you have a support case open for this issue, please use this one to escalate the issue further.

    Many thanks,
    Florian

  7. E0303P10 definitely (still) overwrites the newks store (so keep the backup if you do not want to spend time redoing it)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: