Exchanging and configuring certificates

Last Updated: Oct 18, 2023

About this task

Use this procedure to exchange and configure certificates for Avaya Orchestration Designer on a single or multiple application servers.

Important:

For multiple application servers, repeat all steps for each application server.

Before you begin

Configure the POM database.

Procedure

  1. Using the browser window, log in to the EPM as an administrator.
    Note:

    For multiple POM servers, log in to the primary EPM.

  2. In the navigation pane, click Security > Certificates.
  3. On the Root Certificates tab, click Export, and then save the certificate on the local system.
  4. In the navigation pane, click Proactive Outreach > Manager.
  5. Click Configurations > Servers.
  6. Click Export on the listed certificate tab and save it on your local system.
    Note:

    For multiple POM servers, you must export and save all the POM certificates.

  7. You can install the Avaya Orchestration Designer application server on the same server on which you install POM. In that case the IP address of the application server and the IP address of the primary EPM server are the same, and the default port is 7443. If you are using an external application server and you installed the POM Avaya Orchestration Designer application package while installing POM, you must:
    1. Copy the *.war files from $POM_HOME/DDapps to $APPSERVER_HOME/webapps of the external application server.
    2. If the file log4j-1.2.15.jar is present in $CATALINA_HOME/lib, then delete it from your external application server.
      Note:

      The primary server folder $POM_HOME/DDapps/lib and the external application server folder $CATALINA_HOME/lib must contain the same files. If the external application server folder $CATALINA_HOME/lib contains files other than those in the primary server folder $POM_HOME/DDapps/lib, keep only the JAR versions of the files that are available in $POM_HOME/DDapps/lib.

    3. Copy files from $POM_HOME/DDapps/lib/* to $APPSERVER_HOME/lib of your external application server. After copying the files, edit $APPSERVER_HOME/conf/server.xml and add the following:
      <Connector protocol="HTTP/1.1"
      port="7443" minSpareThreads="5" maxSpareThreads="75"
      enableLookups="true" disableUploadTimeout="true"
      acceptCount="100" maxThreads="200"
      scheme="https" secure="true" SSLEnabled="true"
      keystoreFile="/opt/AppServer/Tomcat/tomcat/conf/myTrustStore" keystoreType="JKS" keystorePass="changeit"
      clientAuth="false" sslEnabledProtocols="TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"/>

    4. In the Command Line Interface (CLI), navigate to $APPSERVER_HOME/conf.
    5. Run the command keytool -keystore myTrustStore -genkey -alias dummy -keyalg RSA
    6. Type the password as changeit and type other appropriate details.
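Before restarting the external application server, it is worth checking the Connector you just added against what the rest of this procedure expects: TLSv1.2 only, the keystore path that you will later type into the Orchestration Designer Keystore Path field, and a keystore password that is no longer the default. The following audit script is an added example, not Avaya's code; the server.xml fragment it contains is constructed from the Connector above, and the finding texts and function names are this example's own.

```python
"""Audit the HTTPS Connector that this procedure adds to $APPSERVER_HOME/conf/server.xml.

Added example (not Avaya's code). It parses a server.xml fragment and reports the
settings a reviewer would want fixed before the application server goes live.
"""
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASS = "changeit"            # the default password typed into keytool above
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}    # anything older is a finding

# Constructed sample: the procedure's Connector wrapped in a minimal Server element,
# with the cipher list shortened and one suite deliberately listed twice.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector protocol="HTTP/1.1" port="7443" scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="/opt/AppServer/Tomcat/tomcat/conf/myTrustStore" keystoreType="JKS"
  keystorePass="changeit" clientAuth="false" sslEnabledProtocols="TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"/>
</Service></Server>"""


def audit_connector(server_xml: str, designer_keystore_path: str, port: str = "7443") -> list:
    """Return findings for the Connector on `port`; an empty list means it passed every check."""
    findings = []
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return [f"no Connector on port {port}"]
    c = connectors[0]
    if c.get("SSLEnabled") != "true" or c.get("scheme") != "https":
        findings.append("connector is not an HTTPS connector (SSLEnabled/scheme)")
    protocols = {p for p in (c.get("sslEnabledProtocols") or "").split(",") if p}
    if not protocols or not protocols <= ALLOWED_PROTOCOLS:
        findings.append(f"sslEnabledProtocols must be TLSv1.2 or later, got {sorted(protocols)}")
    if c.get("keystorePass") == DEFAULT_KEYSTORE_PASS:
        findings.append("keystorePass is the default 'changeit'; change it and update the "
                        "Orchestration Designer keystore password to match")
    # The Keystore Path entered in Orchestration Designer must point at this same file.
    if c.get("keystoreFile") != designer_keystore_path:
        findings.append(f"keystoreFile {c.get('keystoreFile')!r} does not match the Keystore Path "
                        f"configured in Orchestration Designer {designer_keystore_path!r}")
    ciphers = [s for s in (c.get("ciphers") or "").split(",") if s]
    dupes = sorted({s for s in ciphers if ciphers.count(s) > 1})
    if dupes:
        findings.append(f"duplicate cipher suites: {dupes}")
    weak = [s for s in ciphers if "ECDHE" not in s and not s.endswith("SCSV")]
    if weak:
        findings.append(f"cipher suites without forward secrecy: {weak}")
    return findings


if __name__ == "__main__":
    for finding in audit_connector(SAMPLE_SERVER_XML, "/opt/AppServer/Tomcat/tomcat/conf/myTrustStore"):
        print("FINDING:", finding)
```

Run it against the real server.xml by reading the file into `audit_connector` and passing the path you intend to enter in the Keystore Path field; the sample reports the default password and the duplicated cipher suite.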
  8. Using the browser window, log in to the Avaya Orchestration Designer application server at the URL https://<application server IP address>:<port number>/runtimeconfig, using the default user name and password ddadmin.

    The system prompts you to set the runtimeconfig password at the first login to the local application server.

  9. On the Avaya Orchestration Designer web interface, do the following:
    1. In the navigation pane, click Certificates.
    2. On the Certificates page, select the default certificate and click Delete.
    3. Click Change.

      The system displays Change Keystore page.

    4. In the Keystore Path field, type <Absolute-path-appserver-home>/conf/myTrustStore.

      If you have installed the application server on the same server where you install POM, then the <Absolute-path-appserver-home> is set in the {$APPSERVER_HOME} environmental variable.

    5. In the Password field, type changeit.
      Note:

      To use a different trust store and password, change the <Absolute-path-appserver-home>/conf/server.xml file accordingly, and ensure that the server.xml keystore path is valid and matches the Avaya Orchestration Designer application certificate path <Absolute-path-appserver-home>/conf/myTrustStore.

    6. In the Confirm field, type changeit.
    7. Click Save.
    8. On the Certificates page, click Generate.
    9. Enter the appropriate values in all fields. Input for all fields is mandatory. You can enter any custom defined values.
      Note:

      For the SAN field, enter the values in the IP:<IP address> or DNS:<hostname> format.

      The self-signed certificate is valid only for 1186 days.

      The Common Name (CN) field must contain the hostname or FQDN.

      If the Enable Server Identity Validation parameter is set to Yes under the security settings on the Certificate tab of Experience Portal, then the SAN field must contain the hostname or FQDN.

      If you have configured Orchestration Designer applications with a URI that contains the IP address, under the Applications tab of the system configuration in Experience Portal, then the SAN field must contain the IP address.

    10. Click Continue.

      The system displays the Certificates page.

    11. Click Save.
    12. Click Add.

      The system displays the Add Certificate page.

    13. Type a name for the EPM certificate and browse to find the path where you saved the primary EPM root certificate exported in step 3.
    14. Click Continue.

      The system displays the Certificates page.

    15. Click Save.
    16. Select the self-signed application server certificate that you generated and export it to your local system.
    17. Click Fetch to fetch the primary EPM certificate.

      The system displays the Add Certificate page.

      Note:

      In a multiple POM server environment, you must fetch the primary EPM certificate from all auxiliary EPM servers.

      If EPM certificate signing is disabled using the Disable Signing button under Security > Certificate > EP signing certificate, and custom CA-signed certificates are used, you must import all the CA certificates into the POM trust store using the POM trusted certificates page under Configurations.

      If EPM signing is enabled, you must import the EP root certificate, that is, the EP signing certificate, into the POM trust store using the POM trusted certificates page.

    18. In the Name field, type the name of the certificate. For example, axis_prim or axis_aux.
    19. In the Enter Certificate Path field, type the client URL as https://<EPM IP address>/axis2.

      The Avaya Orchestration Designer application fetches the axis2 certificate and adds it to the list of certificates.

    20. Click Continue.

      The system displays the Certificates page.

    21. Click Save.
    22. Click Add.

      The system displays the Add Certificate page.

    23. In the Name field, type a name for the POM certificate.
    24. In the Enter Certificate Path field, click Browse and browse to the path where you saved the certificate exported in step 6.
    25. Click Continue.

      The system displays the Certificates page.

    26. Click Save.
    27. Restart the application server.
  10. Using the browser window, log in to the primary EPM as administrator.
  11. Click Security > Certificates.
  12. Click the Trusted Certificates tab and do the following:
    1. Click Upload.
    2. On the Upload Trusted Certificate page, type the name and browse to the path where you saved the certificate exported in step 9p.
    3. Click Continue.

      The system displays the Certificates page.

    4. Click Save.
    5. Click Import.

      The system displays the Import Trusted Certificate page.

    6. On the Import Trusted Certificate page, type the name and type the axis2 certificate path as https://<EPM Server IP address>/axis2.

      For a multiple POM server environment, you must fetch the primary EPM certificate from all auxiliary EPM servers.

    7. Click Continue.

      The system displays the Certificates page.

    8. Click Save.
  13. Using the browser window, log in to the EPM as an administrator.
    Note:

    For multiple POM servers, log in to the primary EPM.

  14. In the navigation pane, click Proactive Outreach > Manager.
  15. Click Configurations > Trusted Certificates.
  16. Import the certificate exported in step 9h.
  17. In the Name field, type the name of the certificate. For example, appserver.
  18. Click Continue.
  19. Click Save.
  20. Restart the application server, all MPPs, and all auxiliary servers.