Pierretim
Contributor III

SSL certificates for Attunity Replicate on Linux

I tried to replace the self-signed certificate by certificates delivered by the security department. But it is not working; the only particular thing is that the certificate I received is signed by a sub-CA (intermediate CA) and not directly by the root CA. So what I did is:

- copied the private key in agent-private-key.pem
- copied the received certificate in agent-certificate.pem
- copied the bundle (root-ca certificate + sub-ca certificate) in agent-ca.pem
- created the file agent-private-key-passphrase.dat with the passphrase of the private key

The agent-certificate is signed by a sub-CA. In agent-ca.pem I have two certificates: the root CA certificate and the sub-CA.

But when I access the web console it shows that the connection is not secure and it does not prompt me to accept the exception.

My question is: is it supported to have a certificate that is signed by a sub-CA (intermediate CA) as opposed to a certificate signed directly by the root CA?

Thanks, Pierre

Steve_Nguyen
Support

From the user guide:

You can replace the default self-signed certificates with your own, as follows:
1. Stop the Attunity Replicate Server service.
2. Create the required certificates using names that are identical to the certificates listed above.
3. Copy the certificates to the ssl/data directory (<product-dir>/<datadirectory>/ssl/data by default).
4. Edit the agent-private-key-passphrase.dat file as follows:
/clear:PRIVATE_KEY_PASSWORD
Example:
/clear:12345
When Attunity Replicate Server starts it will scramble the private key passphrase as shown in Examples of the Scrambled Private Key Password.

===

I have not tried the sub-CA, but from what you did:

- copied the bundle (root-ca certificate + sub-ca certificate) in agent-ca.pem ... this sounds correct.

===

- When you stop and start the Replicate service and access the UI, what certificate is it using? Did you check the certificate information?

- Does your certificate match your URL common name?

- Did you get a PFX file from your security department?


Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!
Pierretim
Contributor III
Author

Hi

Thank you for your reply

I made a new CSR and I submitted it to the security department, so I will receive a new certificate and also ca certificate. I will then follow the instructions from the user guide and let you know exactly the result.

In my previous attempt I could not see the site certificate from the browser, I just had the security exception. Also the private key passphrase was still in cleartext, i.e. Attunity did not scramble it, as it normally would.

I'll update this thread when I get the new certificate

Pierre

Pierretim
Contributor III
Author

Hi Steve,

It worked (at least with IE and Chrome, with Firefox the root CA is apparently not known but I'll check with security).

So the process is:

- copy the private key to agent-private-key.pem
- create a file agent-private-key-passphrase.dat with the content "/clear:12345" (replace 12345 by the passphrase)
- copy the site certificate to agent-certificate.pem
- copy a file with the list of certificates (sub-CA and root CA) into agent-ca.pem
- chown the files to the attunity owner (it will need to write to agent-private-key-passphrase.dat)

Some useful commands:

* to verify that the passphrase is correct (in case you forgot it)

openssl rsa -in agent-private-key.pem -inform PEM -text -noout -outform PEM

* to see the certificate

openssl x509 -in agent-certificate.pem -text -noout

NB: if you do it on the bundle, agent-ca.pem, you will see only the first certificate.

Thanks a lot. I think the first time I overlooked something; maybe there was something wrong in my CSR.

Pierre
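
As an added example (not code from this thread, nor from Attunity/Qlik), a POSIX shell script that checks the four files from the procedure above before they go into ssl/data and writes the passphrase file in the /clear: format; it also refuses the empty passphrase asked about later in the thread, since Replicate rejects it. It assumes openssl is installed, the file names used in the thread, and that the passphrase arrives in a hypothetical REPLICATE_KEY_PASSPHRASE environment variable.

```shell
#!/bin/sh
# Added example, not from the thread or the Replicate documentation: sanity-check
# the files before dropping them into <product-dir>/<datadirectory>/ssl/data.
# Assumes openssl is installed and the file names used in the thread.

# Write agent-private-key-passphrase.dat in the "/clear:PASSWORD" form from the
# user guide. Replicate refuses an empty passphrase, so refuse it here as well.
write_passphrase_file() {  # usage: write_passphrase_file FILE PASSPHRASE
    [ -n "$2" ] || { echo "empty passphrase is not allowed" >&2; return 1; }
    ( umask 077 && printf '/clear:%s\n' "$2" > "$1" )  # created with mode 0600
}

# "openssl x509 -text" on a bundle shows only the first certificate, so count
# the BEGIN markers instead; agent-ca.pem should contain sub-CA plus root CA.
count_pem_certs() {  # usage: count_pem_certs FILE
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# The private key must belong to the certificate: compare their public keys.
# The passphrase goes in over stdin so it does not show up in "ps" output.
key_matches_cert() {  # usage: key_matches_cert KEY CERT PASSPHRASE
    k=$(printf '%s\n' "$3" | openssl pkey -in "$1" -passin stdin -pubout) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

# Browsers compare the URL host name against the certificate's SAN/CN.
# "x509 -checkhost" only prints the verdict, so its output is grepped.
cert_matches_host() {  # usage: cert_matches_host CERT HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Run every check; the passphrase is taken from REPLICATE_KEY_PASSPHRASE (assumed).
check_all() {  # usage: check_all SSL_DATA_DIR CONSOLE_HOSTNAME
    dir=$1; host=$2; pass=${REPLICATE_KEY_PASSPHRASE:?set REPLICATE_KEY_PASSPHRASE}
    [ "$(count_pem_certs "$dir/agent-ca.pem")" -ge 2 ] ||
        echo "warning: agent-ca.pem should hold the sub-CA and the root CA" >&2
    key_matches_cert "$dir/agent-private-key.pem" "$dir/agent-certificate.pem" "$pass" ||
        { echo "private key does not match agent-certificate.pem" >&2; return 1; }
    # verifies the chain certificate -> sub-CA -> root CA using the bundle
    openssl verify -CAfile "$dir/agent-ca.pem" "$dir/agent-certificate.pem" || return 1
    cert_matches_host "$dir/agent-certificate.pem" "$host" ||
        { echo "certificate does not match host name $host" >&2; return 1; }
    write_passphrase_file "$dir/agent-private-key-passphrase.dat" "$pass"
}

if [ "$#" -eq 2 ]; then check_all "$1" "$2"; fi
```

After the script passes, chown the four files to the account Replicate runs as, since the server rewrites agent-private-key-passphrase.dat with the scrambled passphrase on start.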

Steve_Nguyen
Support

Great that you got it working and shared the finding.

Thanks.

cannot_touch
Contributor II

I hope it is OK to hijack this comment. Is there a way to use private key files without a passphrase? I tried to just insert "/clear:" in agent-private-key-passphrase.dat, but in the log files it says that an empty string is not allowed.

Best regards,

Artur

Steve_Nguyen
Support

Short answer to "Is there a way to use private key files without a passphrase?": no.

cannot_touch
Contributor II

Hi, thanks for the fast response, that helps.