How To
Summary
The following document describes the steps to generate a certificate from a certificate authority (CA). IBM zAware ships with a self-signed certificate. It is recommended that you replace the self-signed certificate with a certificate from a certificate authority. This document assumes that the appropriate root and intermediate certificates are installed in the browser.
Steps
Expand Administration
Select Configuration
Select the <Security> Tab
Click <Generate Certificate Signing Request>, which asks for the following fields:
- Common name
- Organization
- Organization unit
- Locality
- State or province
- Postal code
- Country Code
For example, we used the following values:
Common name = <redacted>
Organization = IBM
Organization unit = zAware
Locality = Poughkeepsie
State or province = New York
Postal code = <left blank>
Country Code = US
Click <Generate>
You will get the following screen:
4. Copy and paste the certificate request, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into a file on your PC. We use the file name zAware.cert.request as an example:
-----BEGIN CERTIFICATE REQUEST-----
MIICjDCCAXQCAQAwRzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQwwCgYDVQQK
DANJQk0xHTAbBgNVBAMMFGFxYXdhcmUxLnBvay5pYm0uY29tMIIBIjANBgkqhkiG
…
…
oj2E6YTn5pco8ivTfrinT145G84feqRVpbxiLw6QjRQ=
-----END CERTIFICATE REQUEST-----
5. Input/upload the certificate request to your CA.
6. Download the CA issued certificate.
Note: We downloaded the CA-issued certificate as a pkcs7b (Public-Key Cryptography Standards, PKCS #7) file, which requires additional processing; see step 7.
7. Extract the certificates.
openssl pkcs7 -in zAware.cert.issued.pem -print_certs -out zAware.cert.issued.out
The command above extracts the issued, intermediate and root certificates into a single file, called zAware.cert.issued.out in this example.
8. Log on to the zAware GUI with the ADMIN ID and receive the certificate.
Go to Administration -> Configuration, then select Security
Click <Receive Certificate Request Reply>
Copy and paste the contents of the zAware.cert.issued.out file as-is: there is no need to remove the existing blank lines, and do not add blanks or blank lines between certificates.
Click <Receive>
9. Log out, then log in again, and you should see the new certificate in your browser.
Note: Only one entry is supported in the common name field, so if you access the zAware GUI by IP address or by another name, you will get the certificate pop-up error.
10. If you have the OMEGAMON – zAware connection, you will need to import the new certificate on the z/OS system, along with the root and/or intermediate CA certificate.
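A check that can be run between steps 7 and 8, before the bundle is pasted into the GUI. This is an added example, not IBM-supplied code; the function name check_reply is hypothetical, and it assumes the file names used above and an openssl binary on the workstation. It confirms that the extracted file contains a certificate issued for the public key in the CSR and that the chain in the file is complete.

```shell
#!/bin/sh
# Added example, not IBM-supplied code. Run it on the workstation that holds
# the CSR saved in step 4 and the bundle extracted in step 7.

# check_reply CSR BUNDLE
# Succeeds only if BUNDLE contains a certificate issued for the public key in
# CSR, and that certificate chains to a self-signed root also in BUNDLE.
# On success it prints the certificate's subject so the common name can be
# compared with the host name used to reach the GUI.
check_reply() {
    csr=$1
    bundle=$2
    tmp=$(mktemp -d) || return 2
    # Split BUNDLE into one file per certificate. The subject=/issuer= text
    # and blank lines written by -print_certs fall outside the PEM markers.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
        keep { print > (d "/cert" n ".pem") }
        /-----END CERTIFICATE-----/   { keep = 0 }' "$bundle"
    want=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    leaf=
    for f in "$tmp"/cert*.pem; do
        [ -f "$f" ] || continue
        have=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
        if [ -n "$want" ] && [ "$have" = "$want" ]; then
            leaf=$f
            break
        fi
    done
    rc=1
    # Trusting BUNDLE itself tests only that the chain in the file is
    # complete; whether browsers trust that root is a separate question.
    if [ -n "$leaf" ] && openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then
        openssl x509 -in "$leaf" -noout -subject
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh check_reply.sh zAware.cert.request zAware.cert.issued.out
if [ "$#" -eq 2 ]; then
    check_reply "$1" "$2"
fi
```

A non-zero exit status means the file holds no certificate for this CSR's key, or an intermediate or root certificate is missing from it.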
Document Location
Worldwide
Document Information
Modified date:
22 April 2019
UID
ibm10881448