How to update the certificate for Dell Encryption services using an existing certificate in the Microsoft keystore

1. Enter Start | Run | MMC.

Figure 56: (English Only) Run MMC

2. Click File | Add/Remove Snap-in.

Figure 57: (English Only) Click Add/Remove Snap-in

3. In the Add or Remove Snap-ins window, select Certificates, and click Add.

Figure 58: (English Only) Add Certificates

4. Select the Computer account radio button when prompted and click Next.

Figure 59: (English Only) Computer account

5. Select Local computer (selected by default) and click Finish.

Figure 60: (English Only) Local computer: (the computer this console is running on)

6. In the Add or Remove Snap-ins window, click OK.

Figure 61: (English Only) Click Ok

7. In the MMC main console, click the plus (+) symbol to expand the Certificate snap-in.

Figure 62: (English Only) Import

8. Go to the Personal | Certificates pane.
9. Right-click within the Certificates panel and click All Tasks | Import to start the Certificate Import Wizard.

Figure 63: (English Only) Certificate Import Wizard

10. Follow the wizard to import the signed certificate along with the private key. The certificate file must be in a container format having both the end-user certificate and its private key.

Figure 64: (English Only) Click Next and follow the wizard to import the signed certificate

11. Click Browse.

Figure 65: (English Only) Click Browse

12. In the Open dialog box:
    1. Change the file to Personal Information Exchange (*.pfx, *.p12).
    2. Browse to and select the cert you want to import (ddpe.pfx is the cert that is used in the example).
    3. Click OK.

Figure 66: (English Only) Personal Information Exchange (*.pfx, *.p12)

13. On the Private key protection screen:
    1. Optionally, input a password
    2. Put a check-in, Mark this key as exportable. This allows you to back up or transport our keys later.
    3. Put a check-in, Include all extended properties.
    4. Click Next.

Figure 67: (English Only) Private key protection

14. Check Place all certificates in the following store: Personal and click Next.

Figure 68: (English Only) Certificate Store

15. Click Finish.

Figure 69: (English Only) Click Finish

Export the certificate with the private key and certification path from the MMC.

1. Open the start menu and select Run.

Figure 70: (English Only) Open Run 

2. Type MMC and press OK.

Figure 71: (English Only) Type MMC

3. Click File in the top menu of the MMC and select Add/Remove Snap-in.

Figure 72: (English Only) Select Add/Remove Snap in

4. From the Available snap-ins pane of the Add or Remove Snap-ins window, select Certificates then click the Add > button which opens the Certificates snap-in window.

Figure 73: (English Only) Open Certificate snap-in

5. Select the Computer Account radio button then click the Next > button.

Figure 74: (English Only) Computer account

6. Click the Finish button to close the Certificates snap-in window.

Figure 75: (English Only) Local computer (the computer this console is running on)

7. Click OK on the Add or Remove Snap-ins window to finish adding the snap in.

Figure 76: (English Only) Click Ok

8. In the MMC window, expand Certificates (Local Computer) and the Personal folder. Then select the Certificates folder.

Figure 77: (English Only) Select Certificates

9. Determine the certificate that you want to export. Right click on the certificate and select All Tasks and choose Export.

Figure 78: (English Only) Export

10. On the Certificate Export Wizard, click the Next > button.

Figure 79: (English Only) Certificate Export Wizard

11. On the Export Private Key screen select the Yes, export the private key radio button, and click the Next > button.

Figure 80: (English Only) Export Private Key

12. On the Export File Format screen, select the Personal Information Exchange - PKCS #12 (.PFX) radio button, select the Include all certificates in the certification path if possible, and the Export all extended properties checkbox then click the Next.

Figure 81: (English Only) Personal Information Exchange - PKCS#12(.PFX)

13. Assign a password to the file and click the Next > button.

Figure 82: (English Only) Create password

14. Choose the location, and name of the export file then click the Next.

Figure 83: (English Only) Choose the location and name of the export file

15. Click the Finish button.

Figure 84: (English Only) Click Finish

• Create a folder on the root of C called Cert and move the exported PFX from the "Export the certificate with the private key and certification path from the MMC" step into this folder.
• Take a copy of the cacerts file from the C:\Program Files\Dell\Enterprise Edition\Security Server\Conf directory and copy it into the C:\Cert folder.
• Get the alias name from the exported certificate.
  • Open an administrative command prompt.
  • From the command prompt, add the Java bin directory to the path. The following example command uses the default installation folder for the Java bin folder and may have to be updated.
  • Set path=%path%;C:\Program Files\Dell\Java Runtime\jre1.7\bin

Figure 85: (English Only) Type set path=%path%;C:\Program Files\Dell\Java Runtime\jre1.7\bin

• From the command prompt, go to the directory C:\Cert Folder.
• Run the key tool utility to list the information in the exported certificate. The following command must be updated with the values used when exporting the certificate (PFX). After the command is run, the password to the exported certificate must be provided to access the information.
  • Command:
    • keytool -list -v -keystore <PFX filename> -storetype PKCS12
  • Parameters:
    • <PFX filename> - The name of the exported certificate file

Figure 86: (English Only) Type keytool -list -v -keystore <PFX filename> -storetype PKCS12

• Record the value after Alias name, from the output of the previous command.
• Import the certificate into the cacerts file.
  • From the command prompt opened in the first step, run the key tool utility to import the exported PFX file to a cacerts file. The following command must be updated with information that is gathered throughout the process so far. After the command is run, the password to the exported certificate must be provided to access the information to import.
  • Close the command prompt.
    • Command:
      • keytool -importkeystore -v -srckeystore <PFX filename> -srcstoretype  PKCS12 -srcalias<PFX alias> -destkeystore<cacerts file> -deststorepass <java keystore password> -destalias <cacerts alias> -destkeypass <cacertsalias password>
    • Parameters:
      • <PFX filename> - The name of the exported certificate file
      • <PFX alias> - The alias name recorded in previously
      • <cacerts file> - The filename of the cacerts file that is updated.
      • <java keystore password> - The password that protects all information that is stored in the cacerts file. This must match the value for cacerts alias password.
      • <cacerts alias> - The alias that the certificate information is stored under in the cacerts file. It is recommended, but not necessary, to make this ddpe.
      • <cacerts alias password>- The password that protects the information that is stored in the specified alias in the cacerts file. This must match the value for <java keystore password>.

Figure 87: (English Only) Type keytool -importkeystore -v -srckeystore <PFX filename> -srcstoretype  PKCS12 -srcalias<PFX alias> -destkeystore<cacerts file> -deststorepass <java keystore password> -destalias <cacerts alias> -destkeypass <cacertsalias password>

• Back up the existing cacerts file for the Java services:
  • Stop each service from the list below. Depending on the architecture of the environment and the server version that is installed, all the services in the list may not be present.
  • Rename the existing cacerts file to cacerts. DDMMYY where DDMMYY is the date in two-digit day, month, and year format. The cacerts file is in the conf folder within the service install folder.
    • Compliance Reporter - The default location for the Compliance Reporter service is C:\Program Files\Dell\Enterprise Edition\Compliance Reporter.
    • Device Server - The default location for the Device Server service is C:\Program Files\Dell\Enterprise Edition\Device Server.
    • Identity Server - The default location for the Identity Server service is C:\Program Files\Dell\Enterprise Edition\Identity Server.
    • Security Server - The default location for the Security Server service is C:\Program Files\Dell\Enterprise Edition\Security Server.
    • Console Web Services - The default location for the Console Web Services is C:\Program Files\Dell\Enterprise Edition\Console.
    Note: Console Web Services was deprecated in Dell Security Management Server (formerly Dell Data Protection | Enterprise Edition) v9.2.
• Copy the generated cacerts file into the conf folder for each service that has been backed up.

• Update the application.properties and eserver.properties files with the new cacerts values.

  
  Figure 88: (English Only) Update application.preperties and eserver.properties

  • Open the application.properties/eserver.properties file and update the following values. All values may not be present in one or more configuration files for each service. If a value is not present skip it, and update the remaining values present in the files.
  • eserver.keystore.password - This must be updated with the java keystore file, cacerts, assigned password. The value must be formatted like the example below.
    • eserver.keystore.password=password
  • keystore.password - This must be updated with the java keystore password, cacerts, alias password. The value must be formatted like the example below.
    • keystore.password = CLR(password)
  • Once the service is started the value is encrypted, and the setting looks like.
    • keystore.password = ENC(encrypted password)
  • keystore.alias.ssl - This value is case sensitive and must be updated to exactly match cacerts alias.
  • keystore.alias.signing - This value is case sensitive and must be updated to exactly match cacerts alias.
  • Sample file locations and configuration settings
  • Security Server:
    • application.properties file location
    • application.properties settings
    • keystore.password=CLR(changeit)
    • keystore.alias.ssl=ddpe
    • keystore.alias.signing=ddpe
  • Compliance Reporter:

    
    Figure 89: (English Only) eserver.properties

    • eserver.properties file location
    • eserver.properties settings
    • eserver.keystore.password=changeit
  • Device Server:
    • application.properties file location

      
      Figure 90: (English Only) application.properties

      • application.properties settings
      • keystore.password=CLR(changeit)
      • keystore.alias.ssl=ddpe
• Restart services stopped in the previous step.
• Validate the thumbprint by browsing to https://server:8443/xapi/, https://server:8084/reporter, and https://server:8081/xapi and performing the following steps for each URL
  • Click the lock icon.

    
    Figure 91: (English Only) Go to server URL

  • Click View Certificates.

    
    Figure 92: (English Only) View Certificate

  • Click the Details tab.

    
    Figure 93: (English Only) Click the Details tab

  • Scroll down and click Thumbprint to view the Thumbprint to validate each service is using the proper certificate.

    
    Figure 94: (English Only) Click Thumbprint

Note: Import DM Certificate may be unavailable when using Windows Authentication to SQL. Run the Action of "Test Database Configuration" to enable the option.

• Update the .net service certificates using the Server Configuration Tool.
  • Stop the Core Server and Compatibility Server services.
  • Start the Server Configuration Tool and select Configure Certificates from the Actions menu item which opens the Certificate Wizard.

    
    Figure 95: (English Only) Configure Certificate

  • Click the Next button then select the Advanced radio button on the Certificate Wizard Mode screen, then click Next.

    
    Figure 96: (English Only) Advanced

  • On the Core Server SSL Certificate screen: Select the Select Certificate radio button, then click Next.

    
    Figure 97: (English Only) Select Certificate

  • On the Select Core Server SSL Certificate screen, click the Browse… button.
  • Then on the Browse For Certificate screen select the certificate to use and click OK.
  • Once back on the Select Core Server SSL Certificate screen click Next.

    
    Figure 98: (English Only) Select Certificate and click next

  • Repeat the steps for the Message Security Certificate.
  • Click Finish.
• Update the Dell Manager certificate.
  • Select Import DM Certificate from the Actions menu item.

    
    Figure 99: (English Only) Import DM Certificate

  • Locate the exported PFX file and click the Open button.

    
    Figure 100: (English Only) Open exported PFX file

  • Input the password to the exported PFX file and click the OK button.

    
    Figure 101: (English Only) Enter password

  • Close the Server Configuration Tool and start the Core Server and Compatibility Server services.

During a new install or upgrade of Dell Data Protection | Encryption 8.x the Master Installer may cause the certificate that is generated for the Security Server to have missing information. The information that may be missing could include but is not limited to: the alias for the signing server does not provide the default Fully Qualified Domain Name (FQDN), or the Security Server may not have a server certificate at all. This article shows you how to work around this issue.

Error Message

Security Server Service will not start and review of the Security Server "Wrapper.log" displays the following error message "Error: Invocation of init method failed; nested exception is java.lang.Exception: SSL cert with alias not found in keystore"

Workaround

To work around this issue, using the keytool alone does not properly generate a replacement certificate. Do the following steps to generate the replacement certificate.

1. Replace the current Security Server cacerts file with a cacerts file copied from the Device Server.
2. Stop the Security Server Service if it is running.
3. Rename the cacerts file that is found in the \Program Files\…\Security Server\conf folder as a backup.
4. Copy the cacerts file from the DS\conf folder to the Security Server\conf folder.
5. Run the keytool from a command prompt and locate the alias for the cacerts file.

6. Enter the keystore password