Creating a keystore and importing the certificate for the Admin Console

These steps can be performed on a single clock and then the keystore copied to all the other clocks once the configuration has been verified.

The steps outline how to create a self-signed certificate on the clock and how to import the certificate into the machine that will be used for Admin Console access.

  1. Open a PuTTY session to the clock.
  2. Log in as the root user.
  3. Make sure the keytool file is in this path:
    
    cd /usr/lib/jvm/openjre-8/bin
    ls -l

    The keytool file should be listed.

  4. Create a folder called cert in /opt/infor/clock:
    
    cd /opt/infor/clock
    mkdir cert
    cd cert
  5. Provide the appropriate parameters and execute this command:
    /usr/lib/jvm/openjre-8/bin/keytool -genkey -alias <alias> -keyalg RSA -keysize 2048 -dname "CN=<IP Address of Clock>, O=Default, C=CA" -keystore <clocks keystore>

    For example:

    /usr/lib/jvm/openjre-8/bin/keytool -genkey -alias myalias -keyalg RSA -keysize 2048 -dname "CN=192.168.0.16, O=Default, C=CA" -keystore clockkeystore
  6. Respond to these prompts:
    
    Enter keystore password: <password>
    Re-enter new password: <password>
    Enter key password for myalias (RETURN if same as keystore password): <return>

    This will create a file named clockkeystore containing a public/private key and certificate. Make sure the passwords provided are documented.

  7. List the contents of the directory to confirm the file exists:
    
    # ls -l
    -rw-r--r-- 1 root 2136 Apr 27 11:48 clockkeystore
  8. Export the certificate from the clock by executing this command:
    /usr/lib/jvm/openjre-8/bin/keytool -export -keystore <clocks keystore> -alias <alias> -file <exported.crt>

    For example:

    /usr/lib/jvm/openjre-8/bin/keytool -export -keystore clockkeystore -alias myalias -file mycertificate.crt
  9. Respond to these prompts:
    Enter keystore password: <password>

    The certificate will be stored in the current directory.

  10. Using WinSCP, copy the mycertificate.crt certificate file from the clock and place it in a temporary folder (C:\temp) on the machine where the Admin Console is running.
  11. On the machine running the Admin Console open a command prompt as an Administrator.
    Note: Make sure the keytool.exe file is in the path and can be executed. The file is in the default Java installation, for example: <JRE Location>\bin.
  12. Type this command and press Enter:
    cd /
  13. Execute this command in the command prompt and ensure that the JRE location corresponds to the JRE specified while installing the Admin Console (to verify what JRE was used while installing the Admin Console check the file called AdminConsole.lax in the Admin Console installation path):
    
    keytool -import -trustcacerts -alias <alias> -file <certificate> -keystore "<JRE Location>\lib\security\cacerts"

    For example:

    
    keytool -import -trustcacerts -alias myalias -file C:\temp\mycertificate.crt -keystore "C:\Java\jdk1.8.0_172\jre\lib\security\cacerts"
  14. Enter the password for the Java keystore (default password is changeit).
  15. Respond to this prompt with Y:
    
    Trust this certificate? [no]: Y

    This message will be displayed if successful:

    
    Certificate was added to keystore
    Note: These steps can be repeated on every machine that has the Admin Console installed.
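
The listing in step 7 shows the keystore as -rw-r--r--, readable by every account on the clock even though it holds the private key, and step 15 trusts whatever file arrived in C:\temp. The script below is an added example, not part of the original procedure: it restricts the keystore to its owner and prints the SHA256 fingerprint of the exported certificate so it can be compared with the fingerprint keytool displays before the "Trust this certificate?" prompt. The function names and the script name check.sh are assumptions; the keytool path is the one from step 3.

```shell
#!/bin/sh
# Added example (not from the original procedure): checks to run on the clock
# after steps 5-9. Function names here are hypothetical.
KEYTOOL=/usr/lib/jvm/openjre-8/bin/keytool   # path from step 3

# Print the permission string of a file, e.g. -rw-r--r--
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# The keystore holds the private key: restrict it to its owner and
# confirm that no group/other permission bits remain.
restrict_keystore() {
    chmod 600 "$1" || return 1
    case "$(file_mode "$1")" in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `keytool -printcert` output on stdin and print the SHA256
# fingerprint as lowercase hex without colons.
extract_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 |
        tr -d ': \r' | tr 'A-F' 'a-f'
}

# SHA256 fingerprint of an exported certificate file.
cert_sha256() {
    "$KEYTOOL" -printcert -file "$1" | extract_sha256
}

# Compare two fingerprints regardless of colons, spaces and letter case.
# An empty fingerprint never matches.
same_fingerprint() {
    a=$(printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage on the clock: sh check.sh clockkeystore mycertificate.crt
if [ "$#" -eq 2 ]; then
    restrict_keystore "$1" && echo "keystore mode: $(file_mode "$1")"
    echo "SHA256: $(cert_sha256 "$2")"
fi
```

On the Admin Console machine, keytool -printcert -file C:\temp\mycertificate.crt prints the same fingerprint block; answer Y in step 15 only when the SHA256 value matches the one recorded on the clock.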