The Commvault JRE keystore holds public key certificates issued by certificate authorities (CAs), and is used by Commvault applications to open secure connections to other servers. For example, if the Commvault Web Server is secured using a CA-signed certificate, then the Command Center will not be able to connect to it unless the JRE keystore that is located on the machine where the Command Center is installed contains the CA's public key certificate.
By default, the keystore contains public key certificates for many well-known CAs, but it will not contain certificates for internal CAs and some lesser-known CAs. You can use the Commvault importcert script to manually or automatically import such certificates into the Commvault JRE keystore file as needed.
Note
The Commvault installer automatically executes the importcert script whenever it installs a new version of the JRE. This automates the process of importing CA certificates each time an old JRE (and its keystore) is overwritten by a Commvault update.
Procedure
- Copy one or more CA certificate (*.cer) files containing CA public keys into the software_installation_path\certificates folder. For example:
  - For Windows systems, copy to C:\Program Files\Commvault\ContentStore\certificates.
  - For Linux systems, copy to /opt/commvault/certificates.

  Note
  The Commvault software installation path varies according to the folder or drive selected during installation.
- From the command prompt, run the importcert file:
  - For Windows systems, run C:\Program Files\Commvault\ContentStore\certificates\importcert.cmd.
  - For Linux systems, run /opt/commvault/certificates/importcert.sh.

  Note
  The file path to the importcert file varies according to the folder or drive selected during installation.
Results
- A log file is generated for every CA certificate import process, whether it is initiated manually or by the Commvault installer.
- You can access the log file for importing CA certificates at software_installation_path\certificates\cvcertutil_{timestamp}.log to check if all certificates were imported successfully. In addition, the log file includes the full keytool command used to import certificates.
- The script imports every *.cer file in the certificates folder using an alias equal to the file name, but without the .cer extension. For example, a myCaCert.cer file is imported with the myCaCert alias. Since aliases in a keystore must be unique, a given *.cer file can be imported only one time into the JRE keystore file. So, unless a new version of the Commvault JRE is installed, running the script a second time will not re-import the myCaCert.cer file. If you need to import a new certificate with the same name as an already-imported certificate, you must rename the file before running the script.
- The script imports certificates from CA certificate files that are not password protected.
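
The alias rule described under Results can be checked before importcert is run. The following shell function is an added example, not part of the Commvault script: it predicts, for each *.cer file in a folder, whether its alias is free or already taken. The aliases file (one existing keystore alias per line, for example extracted from `keytool -list` output) and the case-insensitive comparison are assumptions.

```shell
#!/bin/sh
# Added example (not Commvault code): applies the alias rule from the Results
# section (alias = file name without .cer) to every *.cer file in a folder.
# Assumptions: ALIASES_FILE lists the aliases already in the keystore, one per
# line; aliases are compared case-insensitively, as the JDK's JKS keystore
# type does.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Usage: importcert_plan CERT_DIR ALIASES_FILE
importcert_plan() {
    cert_dir=$1
    aliases_file=$2
    seen=""                                # newline-separated aliases planned so far
    for f in "$cert_dir"/*.cer; do
        [ -f "$f" ] || continue            # glob matched nothing
        alias_name=$(basename "$f" .cer)   # myCaCert.cer -> myCaCert
        key=$(lower "$alias_name")
        if tr '[:upper:]' '[:lower:]' < "$aliases_file" | grep -Fxq -e "$key"; then
            # Alias is taken: this file would not be imported again.
            echo "SKIP   $alias_name  alias already in keystore; rename the file to import it"
        elif printf '%s\n' "$seen" | grep -Fxq -e "$key"; then
            # Two files in the folder map to one alias (differ only by case).
            echo "CLASH  $alias_name  same alias as another file in this folder"
        else
            echo "IMPORT $alias_name"
            seen="$seen
$key"
        fi
    done
}

# Run directly: ./plan.sh /opt/commvault/certificates aliases.txt
if [ "$#" -eq 2 ]; then
    importcert_plan "$1" "$2"
fi
```

Compare the output with the cvcertutil_{timestamp}.log file after the import: any certificate listed as SKIP that you expected to be new needs its file renamed first.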