Setting up third-party certificates on InterScan Messaging Security Virtual Appliance (IMSVA)

    • Updated: 29 Jan 2016
    • Product/Version: InterScan Messaging Security Virtual Appliance 8.2, 8.5, 9.0
    • Platform: N/A
Summary

Set up third-party signed certificates for the central controller of the IMSVA management console.

Details

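Use one of the following two procedures to configure third-party signed certificates in IMSVA: generate the key and certificate request with keytool on the IMSVA server, or issue the certificate from a Windows CA.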

  1. Create a keystore using the following commands:

    [root@imsva_server ~]# cd /opt/trend/imss/UI/javaJRE/bin
    [root@imsva_server bin]# ./keytool -genkey -alias apache -keyalg RSA -keystore keystore_imsva

    Sample output after entering the commands:

    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
    [Unknown]: imsva_server.mydomain.com (This should reflect the FQDN of the IMSVA server.)
    What is the name of your organizational unit?
    [Unknown]: MY
    What is the name of your organization?
    [Unknown]: Test Systems
    What is the name of your City or Locality?
    [Unknown]: Anytown
    What is the name of your State or Province?
    [Unknown]: CA
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN= imsva_server.mydomain.com, OU=MY, O=Test Systems, L=Anytown, ST=CA, C=US correct? [no]: yes
    Enter key password for <apache>
    (Press ENTER if the key password is the same as keystore password.)

  2. Create the certificate request (CSR) using the following commands:

    [root@imsva_server ~]# cd /opt/trend/imss/UI/javaJRE/bin
    [root@imsva_server bin]# ./keytool -certreq -keyalg RSA -keysize 2048 -alias apache -file imsvacert.req -keystore keystore_imsva

    Use a certificate authority (CA) to sign the request or send this to a third-party CA for signing.

  3. Export the private key from the keystore and copy it to /opt/trend/imss/UI/apache/conf/ssl.key/server.key.
    1. Export the private key from Tomcat keystore using the following commands:

      [root@imsva_server ~]# cd /opt/trend/imss/UI/javaJRE/bin
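      [root@imsva_server ~ ]# ./keytool -importkeystore -srckeystore <source_keystore> -destkeystore <destination_keystore> -srcstoretype JKS -deststoretype PKCS12 -srcstorepass <source_keystore_password> -deststorepass <destination_keystore_password> -srcalias apache -destalias apache -srckeypass <source_key_password> -destkeypass <destination_key_password>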

    2. Convert the private key from PKCS12 to PEM, a format supported by Apache. Use the following:

      [root@imsva_server ~ ]# openssl pkcs12 -in out.keystore.p12 -out server.key.pem -passin pass:<pkcs12_password> -passout pass:<pem_password>

    3. Remove the passphrase from the private key so that Apache does not prompt for it at startup. Use the following:

      [root@imsva_server ~]# openssl rsa -in server.key.pem -out server.key

    4. Copy the server.key private key to /opt/trend/imss/UI/apache/conf/ssl.key/server.key using the following commands:

      [root@imsva_server ~ ]# cd /opt/trend/imss/UI/apache/conf/ssl.key/
      [root@imsva_server ssl.key ]# cp server.key server.key.old
      [root@imsva_server bin ]# cp /opt/trend/imss/UI/javaJRE/bin/server.key /opt/trend/imss/UI/apache/conf/ssl.key/server.key

  4. Copy the imsvacert.cer public key to the ssl.crt folder. The path is /opt/trend/imss/UI/apache/conf/ssl.crt.
  5. Copy the chain file and certificate files to a temp folder on the IMSVA server, and then import the files to the keystore. Use the following commands:

    [root@imsva_server ~]# cd /opt/trend/imss/UI/javaJRE/bin
    [root@imsva_server ~]# ./keytool -importcert -keystore keystore_imsva -alias rootCA -file ROOTCA.cer
    [root@imsva_server ~]# ./keytool -importcert -keystore keystore_imsva -trustcacerts -alias intermediateCA -file CAIssued.cer
    [root@imsva_server ~]# ./keytool -importcert -keystore keystore_imsva -keyalg "RSA" -trustcacerts -alias apache -file imsvacert.cer

  6. Open the /opt/trend/imss/UI/adminUI/conf/server.xml file and add the "keystoreFile" line as shown below:

    scheme="https" secure="true"
    clientAuth="false"
    keystoreFile="/opt/trend/imss/UI/javaJRE/bin/keystore_imsva" keystorePass="your_password"
    sslProtocol="TLS" />

  7. Restart the IMSVA administration console using the following:

    [root@imsva_server ~]# /opt/trend/imss/script/S99ADMINUI restart

  1. Create a new certificate from a Windows CA.
    1. Go to http://<localhost>/certsrv/.
    2. Click Request a certificate.
    3. Select Advanced certificate request and then click Create a request to this CA and submit.
    4. Select Subordinate CA and enter the necessary information.

      It is recommended to provide the host name of the IMSVA in the Name field.

    5. Click Submit.
    6. Click Install this certificate.
    7. When the installation is complete, navigate to Internet Explorer > Tools > Internet Options > Content > Certificates.
    8. Export the certificate you just installed and the private key.
    9. Enter "trend" for the password.
    10. Select Export and then click Finish.
  2. Export the certificate to IMSVA.
    1. Copy server.pfx to /opt/trend/imss/UI/tomcat/sslkey/.
    2. Open /opt/trend/imss/UI/euqUI/conf/server.xml.
    3. Search for "8446" and change the following:

      <Connector port="8446" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" keystoreFile="sslkey/.keystore" clientAuth="false" sslProtocol="TLS"/>

      to:

      <Connector port="8446" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" keystoreFile="sslkey/server.pfx" keystorePass="your_password" keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS" />

    4. Run the following command:

      openssl pkcs12 -in /opt/trend/imss/UI/tomcat/sslkey/server.pfx -out server.pem -nodes

    5. Open server.pem and copy the content between "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----", and then save to server.key file.
    6. Open server.pem and copy the content between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", and then save to server.crt file.
    7. Replace /opt/trend/imss/UI/apache/conf/ssl.crt/server.crt with the new server.crt.
    8. Replace /opt/trend/imss/UI/apache/conf/ssl.key/server.key with the new server.key.
    9. Execute the following commands:

      /opt/trend/imss/script/S99ADMINUI restart
      /opt/trend/imss/script/S99EUQ restart

    10. Distribute the certificates to the EUQ clients.
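
Both procedures end with an unencrypted server.key in ssl.key and a certificate in ssl.crt. The following added example (not part of the Trend Micro article) checks, before the restart step, that the key has no passphrase, matches the certificate, is at least 2048 bits long, and is not readable by group or other. The demo files, the host name imsva.example.test and all function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: sanity checks on the Apache key/certificate pair before restart.
# Constructed demo files are used here; on IMSVA pass ssl.key/server.key and the
# signed certificate copied into ssl.crt instead.

# Public key of an unencrypted private key; fails (no prompt) if a passphrase is set.
key_pub() { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }

# 0 if the certificate was issued for this private key, 1 otherwise.
key_matches_cert() {   # $1 = key (PEM), $2 = certificate (PEM)
  local k c
  k=$(key_pub "$1") || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Key size in bits, taken from the "(N bit" header of the key dump.
key_bits() {
  openssl pkey -in "$1" -passin pass: -noout -text 2>/dev/null |
    sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# 0 if group and other have no access to the key file (e.g. mode 600 or 400).
key_is_private() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }

# Run all checks; print one line per finding and return the number of failures.
check_pair() {   # $1 = key, $2 = certificate
  local fail=0
  key_pub "$1" >/dev/null || { echo "FAIL key unreadable or passphrase-protected"; fail=$((fail+1)); }
  key_matches_cert "$1" "$2" || { echo "FAIL certificate does not match key"; fail=$((fail+1)); }
  [ "$(key_bits "$1")" -ge 2048 ] 2>/dev/null || { echo "FAIL key shorter than 2048 bits"; fail=$((fail+1)); }
  key_is_private "$1" || { echo "FAIL key readable by group/other"; fail=$((fail+1)); }
  return "$fail"
}

# Constructed demo data: a throwaway self-signed pair plus an unrelated 1024-bit key.
make_demo() {   # $1 = empty directory
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=imsva.example.test" \
    -days 1 -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
  openssl genrsa -out "$1/other.key" 1024 2>/dev/null
  chmod 600 "$1/server.key"; chmod 644 "$1/other.key"
}

demo=$(mktemp -d) && make_demo "$demo"
check_pair "$demo/server.key" "$demo/server.crt" && echo "pair OK"
check_pair "$demo/other.key" "$demo/server.crt" || echo "$? problem(s) with other.key"
```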
Category: Configure
Solution Id: 1061019