You can use the Java™ keytool utility to create a truststore file from the Copy Services Manager server and certificate authority (CA) certificates.
Obtaining the certificate chain
You can obtain the Copy Services Manager server and CA certificates by using one of the following
options.
- If the DS8000®
self-signed certificate is exchanged with a CA signed certificate, you can use the CA signed
certificate to create the truststore file.
- Use a web browser to view and export the Copy Services Manager certificates when the browser is
connected to the DS8000
Storage Management GUI or Copy Services
Manager GUI.
- If OpenSSL is installed on your system, use the OpenSSL s_client command to
retrieve the Copy Services Manager certificates from the DS8000 HMC.
- Using the OpenSSL s_client command to obtain certificates
- Use the OpenSSL s_client command to display the Copy Service Manager
certificates. You can copy the certificate text into files that you import into the truststore file.
- Use the -showcerts parameter with the OpenSSL s_client
command to display the Copy Service Manager certificates. Specify the IP address of the HMC with the
-connect
parameter.
openssl s_client -connect <HMC_IP>:443 -showcerts
- The s_client command displays the text for each certificate within the
strings -BEGIN CERTIFICATE- and -END
CERTIFICATE-. Copy the text for each certificate, including the enclosing
-BEGIN CERTIFICATE- and -END CERTIFICATE-
strings, into a separate text file.
Note: Ensure that the server certificate is copied into a file.
This certificate displays the text Server certificate before the
-BEGIN CERTIFICATE- string.
- Using Firefox to obtain certificates
- Use Firefox to connect to the Copy Services Manager GUI and obtain the Copy Services Manager certificates.
- Click to open the Page Info window.
- Select the Security tab.
- Click View Certificate to open the Certificate
page.
- In the Miscellaneous section, click PEM (chain)
and save the certificate chain file.
- Using Google Chrome to obtain certificates
- Use Google Chrome to connect to the Copy Services Manager GUI and obtain the Copy Services
Manager certificates.
- In the URL address bar, click the View site information icon (for a
secure connection, the icon is in the shape of a padlock) to open Connection
menu.
- Click Certificate to open the Certificate
window.
- Select the Details tab.
- Click Copy to File to open the Certificate Export wizard.
- On the Export Format page, select Base-64 encoded X.509
(.CER).
- Complete the wizard.
- Using Microsoft Edge to obtain certificates
- Use Microsoft Edge to connect to the Copy Services
Manager GUI and obtain the Copy Services Manager certificates.
- In the URL address bar, click the View site information icon (for a
secure connection, the icon is in the shape of a padlock) to open Website
Identification menu.
- Click View Certificate to open the Certificate
Information window.
- Click Export to File to export the certificate.
Using the Java keytool utility
Use the Java keytool utility to import Copy Services Manager server and CA certificates into a truststore file. You can create the truststore file as part of the import process.
The Java keytool utility is available with the Java JRE, which is not available on the HMC. You must use the keytool utility from a computer where Java JRE is installed.
You can use any name and password for the truststore file. You must run the command separately
for each certificate that you import.
Use the following syntax for the Java keytool utility to import a certificate file into a truststore file.
keytool -import -trustcacerts -keystore <truststore_file> -storepass <keystore_password> -noprompt -file <certificate_file> -alias <unique_alias_name>
You must provide values for the following parameters.
- -keystore
- The name of the truststore file.
- -storepass
- The password for the truststore file.
- -file
- The name of the certificate file to import.
- -alias
- The alias for the certificate.