Verifying a Data Protection for VMware self-signed web server certificate

For enhanced security, you can verify the contents of a web server Secure Sockets Layer (SSL) self-signed certificate produced by Data Protection for VMware against the equivalent certificate on the installed certification server.

About this task

When you are presented with the details of a web server SSL certificate the first time a connection is established in the plug-in, you can accept or reject the certificate. At this point, you might want to verify the contents of the certificate that you have received with the equivalent certificate in the web server keystore. The following instructions are for a Liberty keystore. For other web server-based certificate services, see the system documentation.

Procedure

To access and verify certificate details in the keystore:

  1. On the workstation on which the Data Protection for VMware vSphere GUI is installed, ensure that the JAVA_HOME environment variable is correctly set. Complete the appropriate actions for your operating system:
    Windows operating systems
    1. Obtain the Java virtual machine version by going to the C:\Program Files\Common Files\Tivoli\TSM directory and noting the value of the subdirectory jvm. For example, if the directory name is "jvm80520", note the numeric value 80520.
    2. To set the environment variable, issue the following command:
      set JAVA_HOME=C:\Program Files\Common Files\Tivoli\TSM\jvm80520\jre
    Linux operating systems
    1. Run the following command:
      export JAVA_HOME=/opt/tivoli/tsm/tdpvmware/common/jre/jre
  2. Add the keytool to your path:
    Windows operating systems
    set PATH=%JAVA_HOME%\bin;%PATH%
    Linux operating systems
    export PATH=$JAVA_HOME/bin:$PATH

    If the JAVA_HOME and PATH variables are correctly set, you can now invoke the keytool.

  3. At the command prompt, enter keytool and press Enter.

    If you receive the keytool help output, the tool is correctly configured. If the Command not found message is displayed, verify that the JAVA_HOME and PATH variables were updated correctly.

  4. Go to the location of the keystore:
    Windows operating systems

    cd C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\resources\security

    Linux operating systems

    cd /opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/resources/security
  5. At the command prompt, list the directory contents. Verify that the certificate file key.jks is present in the directory listing.
  6. Issue the following command:
    keytool -list -keystore key.jks -v
  7. When prompted for the password, press Enter.

    The password is randomly generated and enables only the ability to verify the certificate details that the prompt presents.

  8. Compare the output from the keytool with that of the certificate prompt. The serial number and fingerprints of the self-signed certificate and the equivalent certificate in the keystore must match.
  9. If the certificate details do not match, contact the administrator of the web server-based certificate services.
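
The comparison in step 8 can be scripted so that differences in case, colon separators, or leading zeros do not cause a false match or mismatch. The following is an added example, not part of the product or its documentation: the function names (norm_hex, kt_field, verify_cert) are hypothetical, the sample keytool output and all values in it are constructed, and it assumes the keystore holds a single certificate entry.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -keystore key.jks -v` output (not real data).
SAMPLE=$(cat <<'EOF'
Alias name: default
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost
Issuer: CN=localhost
Serial number: 5f2a9c41
Certificate fingerprints:
     SHA1: 3A:7F:01:C2:9B:44:E0:15:6D:88:A1:0C:F3:52:7E:B9:D4:60:2B:9E
     SHA256: 9C:11:5E:A0:47:D3:82:6B:F0:2D:74:19:C8:AB:30:E6:5A:91:0F:B7:63:2C:D8:4E:15:F9:A2:70:3B:86:CD:04
Signature algorithm name: SHA256withRSA
EOF
)

# Strip colons and whitespace, then uppercase the hex digits.
norm_hex() { printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'; }

# Read keytool output on stdin; print the first value of field $1
# ("Serial number", "SHA1" or "SHA256").
kt_field() { sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1; }

# $1 = keytool output, $2 = serial number from the certificate prompt,
# $3 = fingerprint algorithm label (SHA1 or SHA256), $4 = fingerprint from the prompt.
# Returns 0 on match, 1 on mismatch, 2 if the keytool output has no such fields.
verify_cert() {
  ks_serial=$(printf '%s\n' "$1" | kt_field 'Serial number')
  ks_fp=$(printf '%s\n' "$1" | kt_field "$3")
  [ -n "$ks_serial" ] && [ -n "$ks_fp" ] || {
    echo "no serial number or $3 fingerprint found in keytool output" >&2; return 2; }
  # Leading zeros are display-only for serial numbers, so drop them on both sides.
  a=$(norm_hex "$ks_serial" | sed 's/^0*//')
  b=$(norm_hex "$2" | sed 's/^0*//')
  [ "$a" = "$b" ] || { echo "MISMATCH: serial number" >&2; return 1; }
  [ "$(norm_hex "$ks_fp")" = "$(norm_hex "$4")" ] || {
    echo "MISMATCH: $3 fingerprint" >&2; return 1; }
  echo "MATCH: serial number and $3 fingerprint"
}

# Demo on the constructed sample; in real use pass the saved output of step 6
# and the values shown in the certificate prompt.
verify_cert "$SAMPLE" "00:5F:2A:9C:41" SHA1 "3a7f01c29b44e0156d88a10cf3527eb9d4602b9e" || true
```

A return code of 1 corresponds to step 9: treat the certificate as unverified and contact the administrator of the web server-based certificate services.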