HCL Compass uses SSL to secure access to its user interface and REST APIs. A self-signed certificate is provided out of the box, but some proxies and gateways will not accept self-signed certificates.
About this task
By default, the HCL Compass REST API Server ships with a self-signed SSL certificate. To maintain security, you must obtain and install your own SSL certificate for the machine that the REST API Server is running on. You must have the following:
- SSL certificate in .p12 (PKCS12) format. For example, c:\cert\mycertstore.p12 must be on your local disk.
- SSL certificate alias. For example, apiserver.
- SSL certificate password. For example, mypass.
To create and install an SSL certificate, you will use OpenSSL.
Procedure
-
Create a folder and open a command prompt or terminal.
-
If you do not already have a root certificate from a root certificate authority, create
one. Create a root certificate authority and then self-sign it.
openssl genrsa -out compassRootCA.key 2048
openssl req -x509 -new -nodes -key compassRootCA.key -sha256 -days 1024 -out compassRootCA.crt
-
Import the root certificate into your browser or your operating system trust store. If you
plan to use a proxy or a gateway, the computer that runs the proxy or gateway requires your
root certificate to be installed.
-
Your HCL Compass server needs its own certificate. Use the server's fully qualified domain name.
openssl genrsa -out YOUR.FULLY.QUALIFIED.DOMAIN.NAME.key 2048
-
Create a certificate signing request. When prompted for the Common
Name, supply the fully qualified domain name.
openssl req -new -key YOUR.FULLY.QUALIFIED.DOMAIN.NAME.key -out YOUR.FULLY.QUALIFIED.DOMAIN.NAME.csr
-
Generate the certificate using the certificate signing request and key, along with the
certificate authority root key that you created in step 2.
openssl x509 -req -in YOUR.FULLY.QUALIFIED.DOMAIN.NAME.csr -CA compassRootCA.crt -CAkey compassRootCA.key -CAcreateserial -out YOUR.FULLY.QUALIFIED.DOMAIN.NAME.crt -days 500 -sha256 -extfile openssl.ext
You must supply a configuration file (openssl.ext in the command above). The file should include the following:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = YOUR.FULLY.QUALIFIED.DOMAIN.NAME
-
Convert your crt/key to .p12 for Java. Remember the export password that you choose; you
will need it when you configure HCL Compass.
openssl pkcs12 -export -out keystore.p12 -inkey YOUR.FULLY.QUALIFIED.DOMAIN.NAME.key -in YOUR.FULLY.QUALIFIED.DOMAIN.NAME.crt -certfile compassRootCA.crt
-
To run HCL Compass with a custom SSL certificate, import the compassRootCA.key file into the browser.
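
A way to check the result of this procedure, as an added example that is not part of HCL's documentation: the script replays the commands above non-interactively in a scratch directory, then confirms that the server certificate chains to the root CA, that the FQDN is present as a subjectAltName entry (current browsers match the host name against subjectAltName rather than the Common Name), and that keystore.p12 opens with the export password and holds the same certificate. The host name compass.example.test, the password changeit, the function names, and the -subj, -name, -passin and -passout options are assumptions of this example.

```shell
#!/bin/sh
# Constructed values: compass.example.test, password "changeit", function names.
build_chain() {  # build_chain DIR FQDN P12_PASSWORD [with_san|no_san]
  ( cd "$1" || exit 1
    openssl genrsa -out compassRootCA.key 2048 2>/dev/null || exit 1
    openssl req -x509 -new -nodes -key compassRootCA.key -sha256 -days 1024 \
      -subj "/CN=Compass Test Root CA" -out compassRootCA.crt || exit 1
    openssl genrsa -out "$2.key" 2048 2>/dev/null || exit 1
    openssl req -new -key "$2.key" -subj "/CN=$2" -out "$2.csr" || exit 1
    { echo "authorityKeyIdentifier=keyid,issuer"
      echo "basicConstraints=CA:FALSE"
      echo "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
      if [ "${4:-with_san}" = with_san ]; then
        printf 'subjectAltName = @alt_names\n[alt_names]\nDNS.1 = %s\n' "$2"
      fi
    } > openssl.ext
    openssl x509 -req -in "$2.csr" -CA compassRootCA.crt -CAkey compassRootCA.key \
      -CAcreateserial -out "$2.crt" -days 500 -sha256 -extfile openssl.ext \
      2>/dev/null || exit 1
    # -name sets the keystore alias; the page's own export command does not.
    openssl pkcs12 -export -out keystore.p12 -inkey "$2.key" -in "$2.crt" \
      -certfile compassRootCA.crt -name apiserver -passout "pass:$3" || exit 1
  )
}

check_chain() {  # check_chain DIR FQDN P12_PASSWORD; returns 0 only if all pass
  ( cd "$1" || exit 1
    # 1. The server certificate chains to the root CA that clients will trust.
    openssl verify -CAfile compassRootCA.crt "$2.crt" >/dev/null 2>&1 || exit 1
    # 2. The FQDN appears as a subjectAltName DNS entry, not only as the CN.
    openssl x509 -in "$2.crt" -noout -text | tr ',' '\n' \
      | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2" || exit 1
    # 3. keystore.p12 opens with the password and holds this same certificate.
    want=$(openssl x509 -in "$2.crt" -noout -fingerprint -sha256) || exit 1
    got=$(openssl pkcs12 -in keystore.p12 -passin "pass:$3" -nokeys -clcerts \
      2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$got" ]
  )
}

# Demo run in a scratch directory that is removed afterwards.
demo=$(mktemp -d)
build_chain "$demo" compass.example.test changeit \
  && check_chain "$demo" compass.example.test changeit \
  && echo "chain, SAN and keystore checks passed"
rm -rf "$demo"
```

To check files you have already generated, call check_chain with the folder from step 1, your FQDN and your export password.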