Article #: KA-03665
Published: March/28/2024
Last reviewed: Nov/21/2024

Panduit Smartzone Server Certificate replacement

Contents


  1. Introduction
  2. Purpose
  3. Requirements
  4. Procedure
  5. Troubleshooting
  6. Appendix

 

Introduction

Smartzone is built on an Apache Tomcat web server. When Smartzone is first installed it generates a self-signed certificate that is valid for 1 year. This certificate can be replaced with a new self-signed certificate or with a certificate issued by a CA.

Purpose

The procedure in this document replaces the certificates of the Smartzone application and reports servers with a self-signed certificate issued to the server’s name or FQDN. This is not recommended for a production environment, because the self-signed certificate must be trusted on every client that needs to access the Smartzone application.
This document also covers replacing the certificates with certificates from a trusted CA.

 

Requirements

Administrative access to the Smartzone application and reports servers.

Procedure

 

Smartzone application: creating a new keystore.

It is recommended that you create a new keystore for the certificate replacement so that you can continue to use the old certificate until the new certificate is ready.

  1. Open a command prompt using Run as administrator.
  2. Change directory to the “<DRIVE>\Program Files\Panduit SZ\jre\bin\” folder.
  3. Run the keytool command below to generate a keystore. The alias (SMARTZONECERT in the example) and the keystore file name (SMARTZONE.keystore in the example) can be whatever you prefer. In the “san=” extension, list the names clients will use to reach the server: the FQDN, the short server name and the server’s IP address. “3650” is the number of days the certificate is valid for; the example uses 10 years, but you can choose a period more appropriate to your environment.


keytool -genkeypair -alias SMARTZONECERT -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3650 -keystore SMARTZONE.keystore -storepass panduit2018 -ext san=dns:Labtest24.panduit.com,dns:Labtest24,IP:10.118.32.44

  4. You will be prompted for the details of the certificate (name, organizational unit, organization, city, state and country), so enter your organization’s details. For “first and last name” it is recommended that you enter the server’s FQDN (Fully Qualified Domain Name), but you could use just the server name.

Keep the key password the same as the keystore password to keep things simple; you can choose an alternative password if you prefer.


  5. Check that you now have a file called SMARTZONE.keystore in the “<DRIVE>\Program Files\Panduit SZ\jre\bin\” folder; it contains the new key pair and its self-signed certificate.

If you just want to use the self-signed certificate, go to the Change the Smartzone active keystore section. Otherwise, continue to generate a request for a CA-issued certificate.

 

Creating a certificate signing request for a CA (Certificate Authority) to issue a certificate.

  1. From the administrative command prompt used previously, enter the command below, changing the “san=” entries to match your server; if you chose a different keystore name or password, change those as well.


keytool -certreq -alias SMARTZONECERT -sigalg SHA256withRSA -keystore SMARTZONE.keystore -storepass panduit2018 -ext san=dns:Labtest24.panduit.com -file Labtest24.csr

  2. You should now have a CSR file (Labtest24.csr in the example above). This file needs to be sent to your CA (Certificate Authority).
  3. If the CA is an external CA such as Thawte or GoDaddy, request the certificate’s period of validity in days when you submit your request.


Once your CA has issued your certificate you should receive the server certificate file (sometimes named primary.crt, but it will probably match the name you used, such as Labtest24.cer in the example). You should also have the RootCA.cer and Intermediate.cer certificates available. The certificates may arrive in a zip file that you need to extract before importing. Some CAs provide a file with the “.p7b” extension; this is a PKCS#7 (Public Key Cryptography Standards) file and may contain all the certificates you need. If you receive files with the “.pem” extension, treat them in the same way as “.cer” files.
Depending on how you received your certificates, use the commands below to import them from the administrator command prompt in the “jre\bin” folder, as previously mentioned.

Note: It is important that you import the certificates in a specific order: intermediate, root and then the server certificate; otherwise you may encounter trust errors. You would expect the root to be first, but for some unknown reason the trust relationship sometimes does not work when they are imported in that order.
 
Using the “.cer” file types:

  1. keytool -import -alias intermediate -keystore SMARTZONE.keystore -trustcacerts -file Intermediate.cer
  2. keytool -import -alias root -keystore SMARTZONE.keystore -trustcacerts -file RootCA.cer
  3. keytool -import -alias SMARTZONECERT -keystore SMARTZONE.keystore -trustcacerts -file Labtest24.cer

You will be prompted to enter the keystore password.

Using the “.p7b” file type:

  1. keytool -import -alias SMARTZONECERT -file Labtest24.p7b -keystore SMARTZONE.keystore


Once the certificates have been added to the keystore, move on to the Change the Smartzone active keystore section.
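The keytool steps above (keystore creation, the CSR and the three imports) are easy to get wrong by hand: a SAN entry given the wrong prefix, or the imports run out of order. The Python script below is an added example, not Panduit’s code. It assembles the same command lines from a host description, types each SAN entry automatically (dns: or ip:) and emits the imports in the order the note above requires. It assumes Smartzone is installed on C: (the KEYTOOL path) and does not run keytool itself; the returned lists are intended for subprocess.run, which keeps the keystore password out of the shell history.

```python
"""Assemble the keytool command lines used in this article from a host description.

Added example, not Panduit's code. It builds the -ext san= value from the FQDN,
short name and IP address of the server (keytool needs dns: and ip: prefixes
matching the type of each entry) and the three -import commands in the order
the article requires: intermediate, root, then the server certificate.
Commands are returned as argument lists for subprocess.run, so the keystore
password is never passed through a shell; nothing here executes keytool.
"""
import ipaddress

# Assumed install path: the article's "<DRIVE>\Program Files\Panduit SZ\jre\bin" with <DRIVE> = C:
KEYTOOL = r"C:\Program Files\Panduit SZ\jre\bin\keytool.exe"


def san_extension(names):
    """Return 'san=dns:...,ip:...' with every entry typed by inspection.

    An IP literal added as a dns: entry would not satisfy the browser's
    host-name check, so each entry is classified before it is prefixed.
    """
    parts = []
    for name in names:
        name = name.strip()
        if not name or any(ch.isspace() for ch in name):
            raise ValueError(f"invalid SAN entry: {name!r}")
        try:
            ipaddress.ip_address(name)
            parts.append(f"ip:{name}")
        except ValueError:
            parts.append(f"dns:{name}")
    return "san=" + ",".join(parts)


def genkeypair_cmd(alias, keystore, storepass, names, validity_days=3650):
    """Step 3 of the keystore creation: RSA-2048 key pair with a self-signed certificate."""
    return [KEYTOOL, "-genkeypair", "-alias", alias, "-keyalg", "RSA",
            "-keysize", "2048", "-sigalg", "SHA256withRSA",
            "-validity", str(validity_days), "-keystore", keystore,
            "-storepass", storepass, "-ext", san_extension(names)]


def certreq_cmd(alias, keystore, storepass, names, csr_file):
    """Certificate signing request for the key pair created above."""
    return [KEYTOOL, "-certreq", "-alias", alias, "-sigalg", "SHA256withRSA",
            "-keystore", keystore, "-storepass", storepass,
            "-ext", san_extension(names), "-file", csr_file]


def import_cmds(alias, keystore, storepass, intermediate, root, server_cert):
    """The three imports in the order the article requires.

    The CA certificates go under their own aliases; the server certificate is
    imported under the key pair's alias so keytool treats it as the reply to
    the request and attaches it to the private key. The CA imports prompt for
    confirmation of trust unless -noprompt is added.
    """
    steps = [("intermediate", intermediate), ("root", root), (alias, server_cert)]
    return [[KEYTOOL, "-import", "-alias", a, "-keystore", keystore,
             "-storepass", storepass, "-trustcacerts", "-file", f]
            for a, f in steps]


if __name__ == "__main__":
    host = ["Labtest24.panduit.com", "Labtest24", "10.118.32.44"]
    commands = [
        genkeypair_cmd("SMARTZONECERT", "SMARTZONE.keystore", "panduit2018", host),
        certreq_cmd("SMARTZONECERT", "SMARTZONE.keystore", "panduit2018", host[:1], "Labtest24.csr"),
        *import_cmds("SMARTZONECERT", "SMARTZONE.keystore", "panduit2018",
                     "Intermediate.cer", "RootCA.cer", "Labtest24.cer"),
    ]
    for cmd in commands:
        print(" ".join(cmd))
```

Run each list with subprocess.run(cmd, check=True) from the jre\bin folder, or with KEYTOOL adjusted to the actual drive.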

 

 
Change the Smartzone active keystore.

Using Smartzone 9.6 and above:

 

  1. Use the Smartzone user interface to change the keystore, as from version 9.6 the keystore name and password are stored encrypted.


Using a Smartzone application version before 9.6:

  1. Stop the “PIM Application Server” and “PIM Agent” services.
  2. Copy the keystore to the “<DRIVE>\Program Files\Panduit SZ\tomcat\conf\” folder. If a keystore of the same name already exists in this folder, rename it first; I would normally append the date as YYYYMMDD.
  3. Open Notepad as administrator.
  4. In Notepad, browse to the “<DRIVE>\Program Files\Panduit SZ\tomcat\conf\” folder and open the server.xml file.
  5. Find the first line containing Connector SSLEnabled="true". There are two in this file; the second one uses webservice.keystore and must not be altered.
  6. If required, change the keystoreFile= and keystorePass= values to match the keystore created previously. For the keystore created in the earlier example this would be keystoreFile="conf/SMARTZONE.keystore" keystorePass="panduit2018".
  7. Save the file and restart the services.
  8. After waiting a couple of minutes, open the Smartzone application in your browser; the new certificate should now be presented by the Smartzone website.
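Editing server.xml by hand risks touching the second SSLEnabled connector (the webservice.keystore one). The Python script below is an added example, not Panduit’s code: it rewrites only the first SSLEnabled connector’s keystoreFile and keystorePass and returns the previous values for rollback. SAMPLE_SERVER_XML is a constructed fragment resembling the relevant part of tomcat/conf/server.xml, not the real file. Since the pre-9.6 configuration keeps the keystore password in clear text in this file, the file’s permissions should be limited to administrators and the service account.

```python
"""Point the first SSL connector in Tomcat's server.xml at a new keystore.

Added example, not Panduit's code. On Smartzone releases before 9.6 the
keystore path and password sit in clear text in server.xml, and the file has
two SSLEnabled connectors; only the first (the application) is changed and
the second (webservice.keystore) is left untouched.
"""
import xml.etree.ElementTree as ET

# Constructed fragment resembling the relevant part of tomcat/conf/server.xml.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="conf/OLD.keystore" keystorePass="oldpassword"
               sslProtocol="TLS"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="conf/webservice.keystore" keystorePass="changeit"/>
  </Service>
</Server>
"""


def ssl_connectors(root):
    """Connector elements with SSLEnabled="true", in document order."""
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


def retarget_first_ssl_connector(xml_text, keystore_file, keystore_pass):
    """Rewrite keystoreFile/keystorePass on the first SSL connector only.

    Returns (new_xml_text, previous) where previous holds the replaced values
    so the change can be rolled back. ElementTree drops comments and the XML
    declaration when it serialises, so keep the dated backup of the original
    file that the article recommends.
    """
    root = ET.fromstring(xml_text)
    connectors = ssl_connectors(root)
    if not connectors:
        raise ValueError('no Connector with SSLEnabled="true" found')
    target = connectors[0]
    previous = {"keystoreFile": target.get("keystoreFile"),
                "keystorePass": target.get("keystorePass")}
    target.set("keystoreFile", keystore_file)
    target.set("keystorePass", keystore_pass)
    return ET.tostring(root, encoding="unicode"), previous


def connector_keystores(xml_text):
    """(port, keystoreFile) for every SSL connector, for a before/after check."""
    root = ET.fromstring(xml_text)
    return [(c.get("port"), c.get("keystoreFile")) for c in ssl_connectors(root)]


if __name__ == "__main__":
    before = connector_keystores(SAMPLE_SERVER_XML)
    updated, previous = retarget_first_ssl_connector(
        SAMPLE_SERVER_XML, "conf/SMARTZONE.keystore", "panduit2018")
    print("before:  ", before)
    print("after:   ", connector_keystores(updated))
    print("replaced:", previous)
```

To apply it to the real file, read server.xml into xml_text, write the returned string back with the services stopped, and confirm with connector_keystores that port 8443 still points at conf/webservice.keystore.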



Generate a self-signed certificate for reports

For this method you will need PowerShell running as administrator.

  1. The sample command below needs to be modified to suit the server you are creating the certificate on. The store location in the command places the certificate in the computer’s Personal store. Run it from the PowerShell prompt:

-106.Panduit-Unite.com,GBM-LAB-TST-106,10.118.32.106 -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(2)

  2. Copy the thumbprint and follow the procedure in Check the certificate bound to port 443. There are PowerShell commands for this, but it is simpler to use the command-line procedure described there.

Generate a CSR

Procedure using the Certificates snap-in in MMC:

  1. From the Start menu type MMC.exe and open it.
  2. On the File menu select Add or Remove Snap-ins. Select the Certificates snap-in, click the Add button and choose Computer account.
  3. Select Local computer and then click Finish.
  4. Click OK to open the Certificates snap-in.
  5. Open the Personal store, right-click and select All Tasks > Advanced Operations > Create Custom Request.
  6. Click Next until you reach the page showing the request, then choose Details and then Properties.
  7. Enter the server name as the friendly name.
  8. On the Subject tab, in the Subject name box, select the information you want in the certificate. Common choices are:
       Common Name (CN): the server name and domain
       Country (C)
       Locality (L)
       Organization (O)
       Organizational Unit (OU)
       State (S)
     Enter the details for each type you select in turn and click Add.
     In the Alternative name box:
       Choose DNS, enter the server name and domain, and click Add.
       Choose DNS again, enter just the server name, and click Add.
       Choose IP address (v4), enter the server’s IP address, and click Add.
  9. On the Private Key tab, make sure the RSA option is selected under Cryptographic options.
 10. Expand Key options, select 2048 and tick “Make private key exportable”.
 11. Under Hash algorithm choose sha256.
 12. Click Apply and then OK.
 13. Save the request file and send it to your CA. Your CA should send you back a certificate file, which you can import into the Personal store using the same MMC.

Importing the report server certificate.

  1. In the Certificates snap-in, open the Personal store, right-click and choose All Tasks > Import…
  2. Click Next, browse to the certificate file, click Next and follow the prompts to complete the import.

Check the certificate bound to port 443

  1. Open the command prompt and type “netsh http show sslcert”.
  2. The output lists the certificate hash of the certificate bound to port 443; this should match the thumbprint of the certificate you are expecting to use.
  3. If they do not match, copy the thumbprint of the certificate you would like bound to port 443, paste it into Notepad and remove the spaces between the characters.
  4. From the administrator command prompt, delete the binding of the certificate currently bound to port 443:

netsh http delete sslcert ipport=0.0.0.0:443

     You should receive the response “SSL Certificate successfully deleted”.

  5. Type in:

netsh http add sslcert ipport=0.0.0.0:443 certhash=44623b602a720614807363abb310dbca9bc817a2 appid={58f109c3-c552-4540-882d-3f3e105ac840}

     The appid value is not important, so you can make one up, but it must follow the format of the example above. You could simply reuse the appid of the certificate previously bound to port 443.

  6. When you paste your certificate’s thumbprint into the certhash= value you may find that a “?” has been added to the front of the string; delete it before pressing Enter.
  7. Restart the QlikView Webserver service and check in the browser that the application presents the correct certificate.
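The thumbprint comparison in steps 2, 3 and 6 can be scripted. The Python below is an added example, not Panduit’s code: NETSH_OUTPUT is a constructed sample of netsh http show sslcert using the hash and appid from step 5, and DIALOG_THUMBPRINT is what the Windows certificate dialog typically puts on the clipboard, spaced hex pairs preceded by an invisible left-to-right mark (U+200E), which is the “?” of step 6. The script strips that mark and the spaces, compares the expected thumbprint with the bound certificate hash, and builds the add sslcert command with a validated appid.

```python
"""Compare the certificate bound to 0.0.0.0:443 with the thumbprint you expect.

Added example, not Panduit's code. NETSH_OUTPUT is a constructed sample of
`netsh http show sslcert` using the hash and appid from this article.
DIALOG_THUMBPRINT is what the Windows certificate dialog typically copies:
spaced hex pairs preceded by an invisible U+200E left-to-right mark, which
shows up as the "?" the article says to delete from certhash=.
"""
import re

NETSH_OUTPUT = """\
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 44623b602a720614807363abb310dbca9bc817a2
    Application ID               : {58f109c3-c552-4540-882d-3f3e105ac840}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
"""

DIALOG_THUMBPRINT = "\u200e44 62 3b 60 2a 72 06 14 80 73 63 ab b3 10 db ca 9b c8 17 a2"

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def normalize_thumbprint(raw):
    """Drop spaces and any non-hex character (U+200E included), lower-case the rest."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not SHA1_HEX.match(cleaned):
        raise ValueError(f"not a 40-hex-digit SHA-1 thumbprint after cleanup: {cleaned!r}")
    return cleaned


def parse_sslcert_bindings(text):
    """{ipport: {"certhash": ..., "appid": ...}} from netsh http show sslcert output."""
    bindings = {}
    current = None
    for line in text.splitlines():
        # Field lines look like "    Certificate Hash    : <value>"; the label
        # itself may contain a colon (IP:port), so split on the padded colon.
        m = re.match(r"^\s*(\S.*?)\s*:\s(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "ip:port":
            current = bindings.setdefault(value, {})
        elif current is not None and key == "certificate hash":
            current["certhash"] = value.lower()
        elif current is not None and key == "application id":
            current["appid"] = value.lower()
    return bindings


def binding_matches(netsh_text, expected_thumbprint, ipport="0.0.0.0:443"):
    """True when the certificate bound to ipport has the expected thumbprint."""
    binding = parse_sslcert_bindings(netsh_text).get(ipport)
    return (binding is not None
            and binding.get("certhash") == normalize_thumbprint(expected_thumbprint))


def add_sslcert_command(thumbprint, appid, ipport="0.0.0.0:443"):
    """The netsh add command from step 5 with a cleaned hash and a validated appid."""
    if not GUID.match(appid):
        raise ValueError(f"appid must be a GUID in braces: {appid!r}")
    return (f"netsh http add sslcert ipport={ipport} "
            f"certhash={normalize_thumbprint(thumbprint)} appid={appid}")


if __name__ == "__main__":
    if binding_matches(NETSH_OUTPUT, DIALOG_THUMBPRINT):
        print("port 443 already serves the expected certificate")
    else:
        print("rebind with:", add_sslcert_command(
            DIALOG_THUMBPRINT, "{58f109c3-c552-4540-882d-3f3e105ac840}"))
```

On a real server, feed the output of netsh http show sslcert to parse_sslcert_bindings and the thumbprint copied from the certificate dialog to binding_matches; the normalisation step is what makes the pasted value safe to use in certhash=.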

 

Troubleshooting

Issues I have encountered with certificates provided for installation.
A customer provided a certificate issued from an earlier certificate request. I might have missed something, but I encountered errors trying to import the new certificate. I did attempt to remove the old certificate, but this also deletes the private key, so when you import the certificate there is no key to encrypt communications with clients.

You can check the certificates in the keystore using the command below:

keytool -list -v -keystore <keystore name>

Enter the password when prompted. If you are unsure of the password, check the server.xml file if using Smartzone before version 9.6; otherwise you will need to create a new keystore and start the process from the beginning.

You should see all the certificates contained in the keystore. Ensure that the server certificate’s Entry type is shown as PrivateKeyEntry. If it is not, this keystore does not hold the private key matching the certificate provided.
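To automate that check, the Python below, an added example and not Panduit’s code, parses keytool -list -v output and reports whether the server alias is a PrivateKeyEntry with a CA chain behind it and the expected subject. GOOD_LISTING and BAD_LISTING are constructed samples modelled on keytool output for the article’s example keystore; BAD_LISTING reproduces the symptom described above.

```python
"""Check a keytool -list -v listing for a usable server entry.

Added example, not Panduit's code. GOOD_LISTING and BAD_LISTING are constructed
to resemble keytool output for the keystore built in this article. BAD_LISTING
shows the failure described in Troubleshooting: the server alias exists, but
only as a trustedCertEntry, so the keystore holds no private key for it.
"""
import re

GOOD_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: intermediate
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA

*******************************************
*******************************************

Alias name: smartzonecert
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Labtest24.panduit.com, O=Panduit
Issuer: CN=Example Intermediate CA, O=Example CA
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
"""

# The CA's certificate was imported after the original key pair had been
# deleted, so it is a plain trusted certificate with no private key behind it.
BAD_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: smartzonecert
Entry type: trustedCertEntry

Owner: CN=Labtest24.panduit.com, O=Panduit
Issuer: CN=Example Intermediate CA, O=Example CA
"""


def parse_listing(text):
    """{alias: entry} from keytool -list -v output.

    keytool stores aliases in lower case, so lookups are lower-cased too. For
    a PrivateKeyEntry the first Owner/Issuer lines are the server certificate
    (Certificate[1]); the remaining chain members are not needed here.
    """
    entries = {}
    for part in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        lines = part.splitlines()
        entry = {"alias": lines[0].strip(), "type": None, "chain_length": 1,
                 "owner": None, "issuer": None}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            value = value.strip()
            if key == "Entry type":
                entry["type"] = value
            elif key == "Certificate chain length":
                entry["chain_length"] = int(value)
            elif key == "Owner" and entry["owner"] is None:
                entry["owner"] = value
            elif key == "Issuer" and entry["issuer"] is None:
                entry["issuer"] = value
        entries[entry["alias"].lower()] = entry
    return entries


def subject_cn(dn):
    """The CN attribute of a distinguished name as printed by keytool, lower-cased."""
    m = re.search(r"CN=([^,]+)", dn or "")
    return m.group(1).strip().lower() if m else None


def check_server_entry(text, alias, expected_cn):
    """(ok, problems) for the server alias: private key present, chain built, right subject."""
    entry = parse_listing(text).get(alias.lower())
    if entry is None:
        return False, [f"alias {alias} not found in keystore"]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append(f"{alias} is {entry['type']}, not PrivateKeyEntry: "
                        "this keystore holds no private key for the certificate")
    elif entry["chain_length"] < 2:
        problems.append("no CA certificates in the chain: import the intermediate "
                        "and root certificates before the server certificate")
    if subject_cn(entry["owner"]) != expected_cn.lower():
        problems.append(f"subject {entry['owner']!r} is not CN={expected_cn}")
    return not problems, problems


if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        ok, problems = check_server_entry(listing, "SMARTZONECERT", "Labtest24.panduit.com")
        print(name, "OK" if ok else problems)
```

Pipe the real listing in with keytool -list -v -keystore SMARTZONE.keystore and pass the alias and FQDN used when the keystore was created; a trustedCertEntry result means the keystore must be recreated from the beginning, as the section above says.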

 

Appendix

 

Configure the server to use Java commands from any directory (optional)

This allows you to use keytool from the command prompt without having to be in the Java folder where the keytool application is located, which makes it easier to run keytool in the folder where you need to create the keystore. The server will require a reboot to apply this change.
To generate a new keystore you use a Java tool called keytool, which is found in “<DRIVE>\Program Files\Panduit SZ\jre\bin”. It is recommended that you add this path to the server’s Path environment variable.

If you choose not to add this path to the server’s environment variables, you can work in the keytool application folder “<DRIVE>\Program Files\Panduit SZ\jre\bin” and copy the newly created keystore to the Smartzone Apache Tomcat working folder “<DRIVE>\Program Files\Panduit SZ\tomcat\conf\” afterwards.

Adding the Java application path.
Add “;<DRIVE>\Program Files\Panduit SZ\jre\bin” to the end of the Path variable, replacing <DRIVE> with the drive Smartzone is installed on, and then click OK.

CA-provided certificate formats.

If the CA provides .p7b, .pfx or .pem files instead of .cer files, it may not be clear what they have sent you, as a .p7b, .pfx or .pem file might contain all the certificates or just the root and intermediate certificates. The easiest way to check is to import them into the Certificates snap-in, as used for the report server certificate import in this document.

If you have issues importing .p7b, .pfx or .pem files into the Java keystore, you can import them into the Windows certificate store first and then export the .cer files from there to import into the Java keystore.


Panduit.com    SystemsSupport@panduit.com    1-866-721-5302    Article: KA-03665