Creating the HCL Compass REST API SSL Certificate

HCL Compass uses SSL to secure access to its user interface and REST APIs. A self-signed certificate is provided out of the box, but some proxies and gateways will not accept self-signed certificates.

About this task

By default, the HCL Compass REST API Server ships with a self-signed SSL certificate. To maintain security, you must obtain and install your own SSL certificate for the machine that the REST API Server is running on. You must have the following:
  • SSL certificate in .p12 (PKCS12) format. For example, c:\cert\mycertstore.p12 must be on your local disk.
  • SSL certificate alias. For example, apiserver.
  • SSL certificate password. For example, mypass.

To create and install an SSL certificate, you will use OpenSSL.

Procedure

  1. Create a folder and open a command prompt or terminal.
  2. If you do not already have a root certificate from a root certificate authority, create one. Create a root certificate authority key and then self-sign it.
    openssl genrsa -out compassRootCA.key 2048
    openssl req -x509 -new -nodes -key compassRootCA.key -sha256 -days 1024 -out compassRootCA.crt
  3. Import the root certificate (compassRootCA.crt) into your browser or your operating system trust store. If you plan to use a proxy or a gateway, the computer that runs the proxy or gateway also requires your root certificate to be installed.
    Your HCL Compass server needs its own key and certificate. Use the server's fully qualified domain name in the file names and in the certificate.
    openssl genrsa -out YOUR.FULLY.QUALIFIED.DOMAIN.NAME.key 2048
  4. Create a certificate signing request. When prompted for the Common Name, supply the fully qualified domain name.
    openssl req -new -key YOUR.FULLY.QUALIFIED.DOMAIN.NAME.key -out YOUR.FULLY.QUALIFIED.DOMAIN.NAME.csr
  5. Generate the certificate using the certificate signing request and key, along with the certificate authority root certificate and key that you created in step 2.
    openssl x509 -req -in YOUR.FULLY.QUALIFIED.DOMAIN.NAME.csr -CA compassRootCA.crt -CAkey compassRootCA.key -CAcreateserial -out YOUR.FULLY.QUALIFIED.DOMAIN.NAME.crt -days 500 -sha256 -extfile openssl.ext
    You must supply the extension configuration file named by -extfile (openssl.ext in the command above). The file should include the following:
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = YOUR.FULLY.QUALIFIED.DOMAIN.NAME
  6. Convert your .crt and .key files to a .p12 keystore for Java. Remember the export password that you choose; you will need it when you configure HCL Compass.
    openssl pkcs12 -export -out keystore.p12 -inkey YOUR.FULLY.QUALIFIED.DOMAIN.NAME.key -in YOUR.FULLY.QUALIFIED.DOMAIN.NAME.crt -certfile compassRootCA.crt
  7. To run HCL Compass with a custom SSL certificate, import the compassRootCA.crt file (the root certificate, never the private key) into the browser.
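The following script is an added example, not part of the HCL Compass documentation or product: it runs steps 2 through 6 above end to end without interactive prompts, writes the openssl.ext file from step 5, and then checks the result before the keystore is handed to the REST API Server. The host name compass.example.com is a constructed placeholder; the alias apiserver and password mypass are the example values from the page. The alias is passed with -name, which the page's own pkcs12 command omits, so that the keystore entry matches the alias you configure in HCL Compass.

```shell
#!/bin/sh
# Added example (not HCL's script): non-interactive run of the page's OpenSSL
# procedure plus the checks a reviewer makes before trusting the keystore.
set -eu

# Build the root CA, server key/CSR, signed server certificate and PKCS12
# keystore in OUTDIR. Arguments: FQDN OUTDIR ALIAS P12_PASSWORD.
make_compass_cert() {
  fqdn="$1"; outdir="$2"; alias="$3"; p12pass="$4"
  mkdir -p "$outdir"
  (
    cd "$outdir"
    umask 077   # every file is created owner-readable only; certificates are opened up below

    # Step 2: root CA key and self-signed root certificate
    openssl genrsa -out compassRootCA.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key compassRootCA.key -sha256 -days 1024 \
      -subj "/CN=Compass Root CA (example)" -out compassRootCA.crt

    # Steps 3 and 4: server key and CSR; the Common Name is the server's FQDN
    openssl genrsa -out "$fqdn.key" 2048 2>/dev/null
    openssl req -new -key "$fqdn.key" -subj "/CN=$fqdn" -out "$fqdn.csr"

    # Step 5: the extension file from the page, then sign the CSR with the root CA
    cat > openssl.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $fqdn
EOF
    openssl x509 -req -in "$fqdn.csr" -CA compassRootCA.crt -CAkey compassRootCA.key \
      -CAcreateserial -out "$fqdn.crt" -days 500 -sha256 -extfile openssl.ext

    # Certificates are public and get distributed (step 3/7); only the .key files stay private
    chmod 644 compassRootCA.crt "$fqdn.crt"

    # Step 6: PKCS12 keystore; -name sets the alias HCL Compass is configured with
    openssl pkcs12 -export -out keystore.p12 -inkey "$fqdn.key" -in "$fqdn.crt" \
      -certfile compassRootCA.crt -name "$alias" -passout "pass:$p12pass"
  )
}

# Return 0 only if the server certificate chains to the root CA, its SAN carries
# the FQDN (modern clients ignore the CN), and the keystore opens with the given
# password and contains the expected alias.
verify_compass_cert() {
  fqdn="$1"; outdir="$2"; alias="$3"; p12pass="$4"
  (
    cd "$outdir" \
    && openssl verify -CAfile compassRootCA.crt "$fqdn.crt" >/dev/null \
    && openssl x509 -in "$fqdn.crt" -noout -text | grep -q "DNS:$fqdn" \
    && openssl pkcs12 -in keystore.p12 -passin "pass:$p12pass" -nokeys 2>/dev/null \
         | grep -q "friendlyName: $alias"
  )
}

# Demo run with the constructed values; replace them with the real host name,
# the alias you will configure, and a strong keystore password.
DEMO_DIR=$(mktemp -d)
make_compass_cert compass.example.com "$DEMO_DIR" apiserver mypass
verify_compass_cert compass.example.com "$DEMO_DIR" apiserver mypass \
  && echo "keystore ready: $DEMO_DIR/keystore.p12 (distribute compassRootCA.crt, never compassRootCA.key)"
```

The verification function is the part worth keeping around: if `openssl verify` fails, the proxy or gateway will reject the server the same way, and if the SAN check fails, browsers will show a name mismatch even though the CN is correct. Keep compassRootCA.key offline after signing; it is only needed again when the server certificate expires after the 500 days set in step 5.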