Micro Focus OO has a feature called Studio Remote Debugging that allows an OO user to troubleshoot and debug flow runs in a remote Central.

The main use for this feature is to allow customers to use Studio when investigating issues in their Central environments without having to manually deploy fixes and modify the Central Flow Library.

Recently, I decided to use it while designing a workflow, but I got an error.

The first thing to do when you get an error is to check the right log file, so I checked the OO Studio log files located in C:\Users\<username>.oo\logs\ and found the following issue: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException:

This error means that my self-signed certificate has expired. I checked the certificate and it was expired.

So I decided to renew the OO certificate and share the related steps in this article.

1- Locate the openssl command and change directory to its location. In our example, the “openssl” command is on the following path: “C:\Program Files\Hewlett-Packard\HP Operations Orchestration\java\bin”

 

2- Generate a private key for your certificate. The file will be named “central.key” and the key size will be 2048 bits.

openssl genrsa -out central.key 2048

 


 

3- Create a public key certificate request (not yet signed by any entity)

We need to include some certificate details with our certificate request. To do this, create a file named “openssl.cfg” with the details below.

CN is the common name that users will use to access your service; in this case, the URL of the Central server. For the other parameters, please check this link: https://github.com/openssl/openssl/blob/master/apps/openssl.cnf

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[req]
distinguished_name = req_distinguished_name
# Reference the extension section below so the request carries the SAN entries
req_extensions = v3_req
prompt = no

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[req_distinguished_name]
C = AE
ST = DU
L = SomeCity
O = MyCompany
OU = MyDivision
CN = vm01.itomlab14.microfocus.net

[alt_names]
DNS.1 = vm01
DNS.2 = vm01.itomlab14.microfocus.net
DNS.3 = localhost
# IP addresses go in IP.n entries, not DNS.n
IP.1 = 16.57.147.0

Execute the following command, referencing your newly created “openssl.cfg” file and your private key “central.key”. This command will create your certificate request file as “central.csr”.

openssl req  -config openssl.cfg -new -key central.key -out central.csr

 


4- The next step is to sign the certificate request and generate a signed public key certificate.

In our example, as it is self-signed, it is signed with the private key central.key we have just generated.

openssl x509 -req -days 365 -in central.csr -signkey  central.key -out central.crt

 


5- Now we have the public key and the private key for our self-signed certificate, but in two separate files. The OO web service uses a certificate store to keep multiple public and private keys in one file. There are many formats for these stores, but the one used by OO is PKCS 12.

The best way to import the newly generated certificate into the OO certificate store is to convert the recently made key and certificate to PKCS 12 format and then import the result into the OO certificate store.

The following command will convert the existing certificate and key to PKCS 12. We will name the certificate tomcat, as this is the name originally used by the OO Central service. The output file will be named “central.p12”.

openssl pkcs12 -export -in central.crt -inkey central.key -out central.p12 -name tomcat -clcerts

 


You can list the content of the newly created store by running the below command.

keytool -list -keystore central.p12 -v -storetype PKCS12

 


6- Remove the old certificate from the OO Central key store.

By default, the OO Central key store is a file named key.store, located in <installation dir>/central/var/security.

keytool -delete -alias tomcat -keystore "C:\Program Files\Hewlett-Packard\HP Operations Orchestration\central\var\security\key.store" -storepass changeit

 

7- Now, it’s time to import the certificate into the OO Central key store.
The “keytool” command can do this with the importkeystore parameter.

keytool -importkeystore -srckeystore central.p12 -destkeystore "C:\Program Files\Hewlett-Packard\HP Operations Orchestration\central\var\security\key.store" -srcstoretype pkcs12 -deststoretype JKS -alias tomcat -destalias tomcat

 

8- The last step is to restart the OO Central service.
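
The certificate created above is valid for 365 days, so the same CertificateExpiredException will return unless expiry is monitored. The following is an added example, not part of the original article or of OO: it parses the text printed by the keytool -list -v command from step 5 and reports aliases that are expired or close to expiry. The sample listing is constructed, and the parser assumes keytool's English-locale "Valid from: ... until: ..." line format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v` output (English locale), not from the page.
SAMPLE = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Owner: CN=vm01.itomlab14.microfocus.net, OU=MyDivision, O=MyCompany
Valid from: Mon Jan 04 09:00:00 GST 2021 until: Tue Jan 04 09:00:00 GST 2022

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Tue Jan 01 00:00:00 UTC 2030
"""

ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$")
UNTIL_RE = re.compile(
    r"^Valid from:.*\buntil:\s*\w{3} (\w{3}) (\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4})\s*$")

def parse_expiries(listing):
    """Return {alias: earliest notAfter in its chain} as naive datetimes.
    The time-zone token is dropped, so results are accurate to about a day."""
    expiries, alias = {}, None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = UNTIL_RE.match(line)
        if m and alias is not None:
            mon, day, clock, year = m.groups()
            not_after = datetime.strptime(f"{day} {mon} {year} {clock}",
                                          "%d %b %Y %H:%M:%S")
            # A chain lists several certificates; the earliest expiry is what breaks TLS.
            expiries[alias] = min(not_after, expiries.get(alias, not_after))
    return expiries

def expiring(listing, now, warn_days=30):
    """Return sorted (alias, days_left) for entries expired or inside the window."""
    limit = now + timedelta(days=warn_days)
    return sorted((a, (t - now).days)
                  for a, t in parse_expiries(listing).items() if t <= limit)

if __name__ == "__main__":
    for alias, days in expiring(SAMPLE, datetime.now()):
        state = "EXPIRED" if days < 0 else "expires soon"
        print(f"{alias}: {state} ({days} days)")
```

To use it against a real store, capture the keytool -list -v output for key.store as text and pass it to expiring() in place of SAMPLE.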

 

References that you may check:

Micro Focus Operations Orchestration Hardening Guide.

https://docs.microfocus.com/OO/10.80/Content/Adminster/Security_Hardening_OO/ServerCertificate.htm
