dpetrovi
Cisco Employee

Since public Certification Authorities no longer issue 1024-bit SSL certificates, and since the MP 7.x design does not allow generating 2048-bit CSRs, you cannot use the MP Web Admin GUI or the MP Application Server GUI to generate them. Instead, use the openssl tool on the MP Application Server (or any other Linux machine) to generate the CSRs and private keys for the MP Application and MP Web servers.

The renewal process requires a short downtime, as it involves restarting services on the MP Application Server (if you have SSL enabled there) and on the MP Web server(s).

 

Here are the steps to follow:

 

1. MP Application Server

  Creating a new 2048-bit CSR and the private key

a. SSH to the active MP Application server

b. Log in as ‘mpxadmin’

c. Change to ‘root’
    $ su
    Enter ‘root’ password

d. Run the following command, which generates a 2048-bit private key (privatekey.pem) and the matching CSR (server.csr):
    # openssl req -new -newkey rsa:2048 -nodes -keyout privatekey.pem -out server.csr

• Fill out the information for the CSR, using the hostname (Eth0, the shared hostname of the MP Application Server) as the CN.
• Do not enter a password/passphrase when prompted. Leave this blank.

e. Once you complete this, in /home/mpxadmin you will have two files:
    privatekey.pem
    server.csr

f. Set the appropriate permissions on these two files so you can copy them from the server:
   # chmod 777 privatekey.pem
   # chmod 777 server.csr

g. Use the WinSCP tool to connect to the MP Application server and copy the two files to your desktop:
    i. Download and run WinSCP (free SFTP client): http://winscp.net/download/winscp439.zip

    ii. Open WinSCP and click New.
    iii. Enter the hostname or IP address of the MeetingPlace Application Server as the Host name.
    iv. Use the default port 22
    v. Enter 'mpxadmin' for the username and then enter the password and connect
    vi. Once connected drag the two files over from MeetingPlace Application Server file system on the right window pane to your Desktop

 Obtaining a new SSL cert

a. Once you have the two files, keep privatekey.pem on your machine and send server.csr to the CA so they can generate the SSL cert.

b. Once you receive the certificate from the CA, most likely together with a primary and/or secondary intermediate certificate, bundle them into a single file as follows:
    i. Open the newly received SSL certificates (server cert, secondary intermediate cert, and primary intermediate cert) in Notepad
    ii. In Notepad, copy the content of the “Secondary Intermediate Certificate” and then paste it into the server certificate file immediately under the server certificate content.
    iii. Then, In Notepad, copy the content of the “Primary Intermediate Certificate” and then paste it into the server certificate file immediately under the “Secondary Intermediate Certificate” you pasted in the previous step.

Example of what the server SSL cert plus the Secondary and Primary intermediate certs would look like:
-----BEGIN CERTIFICATE-----
MIIFLzCCBBegAwIBAgIQGXyI4NRucd6RG1333
QWEQRWGEASDFGRT%ER%W#%WTFSSG333
wE5NM0JaptJNp7SpMx8xXDaQHmrY2H++93
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
werQRWGEASDFGRT%ER%W#%WTFSDSGDG
wgdfg0JaptJNp7SpMx8xXDaQHmrY2H+9oF48
MIIFLzCCBBegAwIBAgIQGXyI4NRucd6RG1FRe
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
wE5NM0JaptJNp7SpMx8xXDaQHmrY2H++242
sdfsRWGEASDFGRT%ER%W#%WTFSDRETE233
-----END CERTIFICATE-----

Note that in the above example the certs are pasted immediately one after another (no blank lines in between).
   

    iv. Once you have a file with all three certs bundled together, save it.
    v. Verify this bundled cert file against your private key to ensure they match.
        i. The easiest way to match them is the SSLSHOPPER tool (https://www.sslshopper.com/certificate-key-matcher.html) – use Internet Explorer with this tool.
        ii. Paste the content of the entire bundled cert into the top text box (Enter your Certificate) and the content of your private key into the bottom text box (Enter your Private Key; open privatekey.pem in Notepad to get the content). The tool shows whether they match (all should be green, with 3 check marks).
        iii. If they match, you are ready to apply the new bundled cert and the private key to the MP Application server.
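The same generate-bundle-verify cycle can be checked locally with openssl. The script below is an added example and is not from the original post or from the MeetingPlace product: it runs step d non-interactively, stands in for the CA with a throwaway root and one intermediate (the post's chain has two intermediates; the bundle order and the checks are the same), builds the bundle in the order described above, and then verifies that the bundle matches the private key and that the chain validates. The hostname mpapp.example.com, the CA names and all file names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduces the key/CSR generation
# from step d non-interactively, stands in for the CA with a throwaway root and
# intermediate, builds the bundle in the order the post describes, and checks the
# bundle against the private key with openssl instead of the SSLShopper web form.
# Hostname, CA names and file names are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Step d, with -subj so no prompts appear; the CN stands in for the Eth0 hostname.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout privatekey.pem -out server.csr \
    -subj "/C=US/O=Example/CN=mpapp.example.com" >/dev/null 2>&1
}

# Key size read back from the CSR (must be 2048 for a public CA to accept it).
csr_key_bits() {
  openssl req -in server.csr -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# CN of a CSR or certificate file; handles both the "/CN=" and the "CN = " layouts.
subject_cn() {  # $1 = req|x509, $2 = file
  openssl "$1" -in "$2" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Stand-in CA: a self-signed root signs an intermediate, which signs our CSR.
simulate_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out intermediate.pem >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA intermediate.pem -CAkey int.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out server.pem >/dev/null 2>&1
}

# Step b: server cert first, then the intermediate(s), with nothing in between.
make_bundle() {
  cat server.pem intermediate.pem > bundle.pem
}

bundle_cert_count() { grep -c 'BEGIN CERTIFICATE' bundle.pem; }

# Step v: certificate and key match when their RSA moduli are identical.
# openssl x509 reads only the first PEM block, so this also confirms that the
# server cert, not an intermediate, sits at the top of the bundle.
key_matches_cert() {  # $1 = key file, $2 = cert or bundle file
  c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Chain check the web tool does not do: server cert -> intermediate -> root.
chain_verifies() {
  openssl verify -CAfile root.pem -untrusted intermediate.pem server.pem >/dev/null 2>&1
}

make_key_and_csr
simulate_ca
make_bundle
echo "CSR key bits: $(csr_key_bits)  CN: $(subject_cn req server.csr)"
echo "bundle: $(bundle_cert_count) certs, first CN: $(subject_cn x509 bundle.pem)"
key_matches_cert privatekey.pem bundle.pem && echo "private key matches bundle"
chain_verifies && echo "chain verifies against root"
```

Comparing moduli locally gives the same answer as the three green check marks, with the difference that the private key never has to be pasted into a third-party browser form. With a real CA-issued bundle, run the key_matches_cert and chain_verifies checks against the downloaded files and the CA's published root instead of the demo ones.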

 Enabling SSL with the new SSL cert and the private key

a. Go to the MP Application Server Administration Center > Certificate Management > Disable SSL and click Disable SSL. This restarts the tomcat service on the MP Application server (about 2 minutes of downtime).

b. Once SSL is disabled and the services are up, go to the MP Application Server Administration Center > Certificate Management > Enable SSL.

c. In the “Certificate file” section browse to the bundled certificate file you created.

d. In the “private key file” section browse to the privatekey.pem file you generated at the beginning.

e. Leave the “Password” field empty (no password should be entered there).

f. Click Upload Certificate.

g. The system uploads the certs and restarts the services. SSL should now be enabled with the new certs applied, valid for several years (depending on how you renewed them).

 Replicate the new SSL information to the Standby MP Application Server

a. SSH to the Primary MP Application Server (active)

b. Log in as ‘mpxadmin’

c. Change to ‘root’:
    $ su
    Enter ‘root’ password.

d. Run the following:
    # failoverUtil copyConfigFiles
    Enter the Secondary MP Application server Hostname/IP Address (unique one; Eth0:0):

    User name on the remote machine:
    mpxadmin

    Password on the remote machine:
    <enter mpxadmin password>

e. SSH to the Secondary MP Application Server (standby)

f. Log in as ‘mpxadmin’

g. Change to ‘root’:
    $ su
    Enter ‘root’ password.

h. Run the following:
    # failoverUtil restoreConfigFiles

    Now both MP Application servers have the SSL information, so SSL will work on the secondary server if you ever fail over to it.

2. Renewing SSL certs on the External MP Web server

 

  Generate the CSRs and the private key for MP Web server:

 

a. SSH to the active MP Application server

b. Log in as ‘mpxadmin’

c. Change to ‘root’
    $ su
    Enter ‘root’ password

d. Run the following command, which generates a 2048-bit private key (priexternal_key.pem) and the homepage CSR (priexthomepage.csr):
    # openssl req -new -newkey rsa:2048 -nodes -keyout priexternal_key.pem -out priexthomepage.csr

• Enter the information for the MP Web server homepage (homepage.domain.com).
• Do not enter a password/passphrase when prompted. Leave this blank.

e. Once the homepage CSR and the private key exist, use the same priexternal_key.pem private key to generate the second CSR for the webconf component (priextwebconf.csr):
    # openssl req -out priextwebconf.csr -key priexternal_key.pem -new

• Enter the information for the MP Web server web conferencing component (webconf.domain.com).
• Do not enter a password/passphrase when prompted. Leave this blank.

f. Now we have 3 files that we can pull from the MP App server using WinSCP:
    priexthomepage.csr
    priextwebconf.csr
    priexternal_key.pem (private key)

g. Set the appropriate permissions on these three files so you can copy them from the server:
    # chmod 777 priexternal_key.pem
    # chmod 777 priexthomepage.csr
    # chmod 777 priextwebconf.csr

h. Use the WinSCP tool to connect to the MP Application server and copy the three files to your desktop:
    i. Open WinSCP and click New.
    ii. Enter the hostname or IP address of the MeetingPlace Application Server as the Host name.
    iii. Use the default port 22
    iv. Enter 'mpxadmin' for the username and then enter the password and connect
    v. Once connected drag the three files over from MeetingPlace Application Server file system on the right window pane to your Desktop

 Obtaining new SSL certs

 

The next step is to send the two CSR files to the Certification Authority (e.g. VeriSign) to obtain the new certificates for the homepage.domain.com and webconf.domain.com FQDNs (the certificates should be in the Apache format).

a. Once you have the three files, keep priexternal_key.pem on your machine and send priexthomepage.csr and priextwebconf.csr to the CA so they can generate the SSL certs.

b. Once you receive these certificates, verify that both of them match the private key created when generating the CSRs.
The easiest way to match them is the SSLSHOPPER tool (https://www.sslshopper.com/certificate-key-matcher.html).
    i. First paste the content of the homepage SSL cert and the private key and check that they match.
    ii. Then paste the content of the webconf SSL cert and the same private key and check that they match.
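Because both CSRs are issued from one key, both certificates the CA returns will match priexternal_key.pem only if both CSRs actually carry that key's public key. The script below is an added example, not from the original post or from the MeetingPlace product: it repeats steps d and e non-interactively and then compares the public key embedded in each CSR with the public key derived from the private key file. The hostnames homepage.example.com and webconf.example.com are constructed for this demo; the file names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post: the web-server flow issues two CSRs
# (homepage and webconf) from one private key, as in steps d and e above, and then
# checks that both CSRs carry that key's public key and the intended CNs, so the
# two certificates the CA returns will both match priexternal_key.pem.
# Hostnames are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Step d: new 2048-bit key plus the homepage CSR.
make_homepage_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout priexternal_key.pem \
    -out priexthomepage.csr -subj "/CN=homepage.example.com" >/dev/null 2>&1
}

# Step e: reuse the existing key for the webconf CSR (-key instead of -newkey).
make_webconf_csr() {
  openssl req -new -key priexternal_key.pem -out priextwebconf.csr \
    -subj "/CN=webconf.example.com" >/dev/null 2>&1
}

# SHA-256 of the public key inside a CSR, and of the public key derived from a key file.
csr_pubkey_hash() { openssl req -in "$1" -noout -pubkey | openssl sha256; }
key_pubkey_hash() { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256; }

# CN of a CSR; handles both the "/CN=" and the "CN = " subject layouts.
csr_cn() { openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# True when every CSR given shares the public key of priexternal_key.pem.
csrs_share_key() {
  k=$(key_pubkey_hash priexternal_key.pem)
  for f in "$@"; do
    [ "$(csr_pubkey_hash "$f")" = "$k" ] || return 1
  done
  return 0
}

make_homepage_csr
make_webconf_csr
echo "homepage CSR CN: $(csr_cn priexthomepage.csr)"
echo "webconf  CSR CN: $(csr_cn priextwebconf.csr)"
csrs_share_key priexthomepage.csr priextwebconf.csr && echo "both CSRs use priexternal_key.pem"
```

If csrs_share_key fails for one of the CSRs, the certificate issued from it will not match the key you install in the MPWEB database later, so fix that before sending anything to the CA.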

 Apply the new private key

a. Disable SSL on the MP Web server
   i. RDP to the MPWeb server
   ii. Open the following URL: http://localhost:8002/mpweb/admin/ which will bring us to the Administration interface
   iii. Click on the “SSL/TLS” link
   iv. Then, click on the “Toggle SSL” to switch SSL OFF
   v. Reboot the server
   vi. Once the server is up, proceed with the next step

b. Insert the new private key to the MPWeb database
   i. RDP to the server hosting a SQL Server (possibly this Primary Internal MP Web server, or a remote SQL server)
   ii. For SQL Server 2000 Launch --> Start > Programs > Microsoft SQL Server > Enterprise Manager.
   iii. Go to Tools > SQL Query Analyzer (if a Connect to SQL server popup window opens, just click ‘OK’; you might need to select ‘local’ for DB and enter ‘sa’ password)
   iv. Select the “MPWEB” from the drop down list of available DB on the top where default may be “master”.
   v. Then, go to Tools > Options > Results tab, then change Default results target to “Results to Text”, and then change the “Maximum characters per column” to “8000” to export the private key in a readable format and click ‘OK’.
   vi. In the Query section enter a query like the following (paste the content of the priexternal_key.pem file between the quotes as the sslprivatekey value):

update web set sslprivatekey = '-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAtJTvmYxEvxRggeXVTLKL2+K+goXRN7F5rCRf19R0CXHHNuHO
tlU5+98Q2ohzxZElLQqMPlu5dWwLv3EvxzipT8J3q6zx7nRne+WiGf+3p1n4I+
T7PtgXGb5uvFVcZ1ANfd9MflpVvzZ2yHXRPB+xU0TnQko/A2iEH0cuLJWDqx4WDR
FjVsv4XLT8n4AC4k7fcG0fyxFQNvovx8dTI+BFq0CyfNUaV5Z2Bws1A0rtGY7bQ7
2kGCh9Fv+qYTI4IN4jnGOEnV9NE3ThxchpoCK087Cz+TORq7P1nBv8qUj2Fkqt80
VkViW77CC+HEbVIC7UTL4Nc2A+N8rxafgPBUuwIDAQABAoIBACCimfqiAvqVcCuJ
odbOncALZmqoTHtIM7kMidWzq5TZXytn+6blZdaLFASwdziZi29oUBVv8eDJJQCH
98sSnL761ec8ou4zo5B0q44WbZdBNmixXRmCZvXx1j8RdQRfbV3NpWtLhRExYPfc
AUqs+22pE17qVoTaMMDHSqpImiK7ipykO5SmZHuKKBdblPPc5vZvISOL9WBsFcWl
9sV75r1G6ZRuVh5GTIIGt9G4+6NoNqfoMIz+YHa+CF6939coGHrg/QmPZ0Cf/XC9
-----END RSA PRIVATE KEY-----' where hostname = 'homepage.domain.com'

Note: Instead of homepage.domain.com enter the FQDN of the homepage component on your Primary External MP Web server. Do not remove the single quotes; they are part of the query.

   vii. Once you have entered the query, press F5 to execute it. You should get the following output:

(1 row(s) affected)


c. To verify that the private key was set properly, enter the following query:

select sslprivatekey from web where hostname = 'homepage.domain.com'

d. Once you have entered the query, press F5 to execute it. You should receive output looking like this:

sslprivatekey
------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAtJTvmYxEvxRggeXVTLKL2+K+goXRN7F5rCRf19R0CXHHNuHOtlU5+98Q2ohzxZElLQqMPlu5dWwLv3EvxzipT8J3q6zx7nRne+WiGf+3p1n4I+
T7PtgXGb5uvFVcZ1ANfd9MflpVvzZ2yHXRPB+xU0TnQko/A2iEH0cuLJWDqx4WDR
FjVsv4XLT8n4AC4k7fcG0fyxFQNvovx8dTI+BFq0CyfNUaV5Z2Bws1A0rtGY7bQ7
2kGCh9Fv+qYTI4IN4jnGOEnV9NE3ThxchpoCK087Cz+TORq7P1nBv8qUj2Fkqt80
VkViW77CC+HEbVIC7UTL4Nc2A+N8rxafgPBUuwIDAQABAoIBACCimfqiAvqVcCuJ
odbOncALZmqoTHtIM7kMidWzq5TZXytn+6blZdaLFASwdziZi29oUBVv8eDJJQCH
98sSnL761ec8ou4zo5B0q44WbZdBNmixXRmCZvXx1j8RdQRfbV3NpWtLhRExYPfc
AUqs+22pE17qVoTaMMDHSqpImiK7ipykO5SmZHuKKBdblPPc5vZvISOL9WBsFcWl
9sV75r1G6ZRuVh5GTIIGt9G4+6NoNqfoMIz+YHa+CF6939coGHrg/QmPZ0Cf/XC9
-----END RSA PRIVATE KEY-----

(1 row(s) affected)

e. Verify that the private key content matches what you have in the priexternal_key.pem file on your desktop. If it does, you can close Query Analyzer without saving any outputs (a pop-up will ask you to confirm).

 Now that the private key is installed in the 'MPWEB' database ('Web' table), you can proceed with installing the server and intermediate certificates.

a. RDP to the MP Web server

b. Open the following URL: http://localhost:8002/mpweb/admin/ which will bring us to the Administration interface

c. Click on the “SSL/TLS” link

d. For homepage.domain.com click Edit

e. In the Step 3 section in the GUI, delete the existing content (old certificate), open the new certificate for homepage.domain.com in Notepad, and copy and paste the content of the new certificate (ensure there are no extra spaces before or after the certificate)

f. Click on Install certificate

g. Click ‘Back’ button

h. For webconf.domain.com click Edit

i. In the Step 3 section in the GUI, delete the entire content

j. Open the webconf.domain.com certificate in Notepad, copy the new certificate for “Web Conferencing” and then paste it into the text area box located in “Step 3” on the page.

k. In Notepad, copy the new “Secondary Intermediate Certificate” and then paste it into the text area box immediately under the certificate you pasted in the previous step.

l. In Notepad, copy the new “Primary Intermediate Certificate” and then paste it into the text area box immediately under the “Secondary Intermediate Certificate” you pasted in the previous step.

Example of what a Web Conferencing SSL cert plus the Secondary and Primary intermediate certs would look like:
-----BEGIN CERTIFICATE-----
MIIFLzCCBBegAwIBAgIQGXyI4NRucd6RG1333
QWEQRWGEASDFGRT%ER%W#%WTFSSG333
wE5NM0JaptJNp7SpMx8xXDaQHmrY2H++93
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
werQRWGEASDFGRT%ER%W#%WTFSDSGDG
wgdfg0JaptJNp7SpMx8xXDaQHmrY2H+9oF48
MIIFLzCCBBegAwIBAgIQGXyI4NRucd6RG1FRe
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
wE5NM0JaptJNp7SpMx8xXDaQHmrY2H++242
sdfsRWGEASDFGRT%ER%W#%WTFSDRETE233
-----END CERTIFICATE-----

Note that in the above example the certs are pasted immediately one after another (no blank lines in between).

m. Click on Install Certificate

n. Click ‘Back’ button

NOTE: Do not enable SSL yet, but proceed to the next step to install the intermediate certificates for the homepage.domain.com.

o. Install the intermediate certificates for the priexthomepage.domain.com
    i. In Windows on the Web server click Start > Run and then in the text box type: mmc
    ii. Click the “OK” button
    iii. From the Microsoft Management Console (MMC) menu bar, select File > Add/Remove Snap-in
    iv. From the list of snap-ins, select “Certificates”
    v. Click the “Add” button   
    vi. Select “Computer account”
    vii. Click the “Next” button
    viii. Select “Local computer (the computer this console is running on)”.
    ix. Click the “Finish” button
    x. In the Add/Remove Snap-in window, click OK.
    xi. In the left pane expand Certificates (Local Computer) > Intermediate Certification Authorities > Certificates
    xii. Right-click “Certificates” and select All Tasks > Import…
    xiii. At the Certificate Import Wizard, click the “Next” button
    xiv. Using the “Browse…” button, select the Secondary Intermediate Certificate file.
    xv. Click the “Next” button
    xvi. Select “Place all certificates in the following store: Intermediate Certification Authorities”
    Note: If “Intermediate Certification Authorities” is not automatically listed, use the “Browse…” button to select it.
    xvii. Click the “Next” button
    xviii. Click the “Finish” button
    xix. Right-click “Certificates” and select All Tasks > Import…
    xx. At the Certificate Import Wizard, click the “Next” button
    xxi. Using the “Browse…” button, select the Primary Intermediate Certificate file.
    xxii. Click the “Next” button
    xxiii. Select “Place all certificates in the following store: Intermediate Certification Authorities”
    Note: If “Intermediate Certification Authorities” is not automatically listed, use the “Browse…” button to select it.
    xxiv. Click the “Next” button
    xxv. Click the “Finish” button

 Turn ON SSL

a. Open the following URL: http://localhost:8002/mpweb/admin/ which will bring us to the Administration interface

b. Click on the “SSL/TLS” link

c. Then, click on the “Toggle SSL” to switch SSL ON

d. Reboot the server


The server and services should come up. If you use IE to access homepage.domain.com, you should see a small lock icon on the right side of the address bar. Click it, then click View Certificate, and verify that the new cert is presented with no warnings. Do the same for the other address, webconf.domain.com.

Repeat the process for the other MP Web servers if existing in your deployment.
