Configuring NetIM 2.x with a certificate authority signed certificate
By default, NetIM is installed with a self-signed certificate.
To install a CA-signed certificate
1. Log in to NetIM core as netimadmin. The default password is netimadmin.
2. Stop all NetIM core services by entering the following command within the netimsh shell:
stop ALL
3. Exit to the bash shell, navigate to the NetIM install directory, and run the https_setup script with the arguments shown below:
bash
cd <NetIM-core-install-dir> (for example: cd /data1/riverbed/NetIM/2.0.1_295)
./https_setup.sh /secure true
You are prompted for several inputs.
4. Enter the fully qualified host name (for example, myhost.myco.com) or IP address.
Enter the hostname exactly as you will enter it in the URL to connect to the web server using a web browser.
5. Specify whether to use the existing certificate or generate a new one. Your answer depends on whether you have previously obtained and imported a CA-signed certificate into NetIM, or this is the first time you are configuring NetIM with a CA-signed certificate.
Generating a new certificate removes the existing server certificate from the keystore. If a CA-signed certificate is already present in the NetIM keystore, do not generate a new certificate.
– If you have a CA-signed certificate in the NetIM keystore, enter R to reuse the existing certificate and go to Step 9.
– If this is the first time this NetIM is being configured with a CA-signed certificate, proceed to step 5.
6. Enter G to generate a new certificate.
– The default key size is 2048 bits. Enter either Y to use the default key size or enter N and then specify the key size that is appropriate for your organization.
– When prompted to set domain attribute, enter Y.
– Provide each of the following values as you are prompted. Enter valid information as these values will be used when generating the server certificate.
Name of your organization unit
Name of your organization
Name of your city or locality
Name of your state or province
Two letter country code of your unit (for example, US)
After you have entered country code, the script echoes a summary of the domain information that you have entered. Review each value to make sure it is correct.
– Enter N to reenter the information. Enter Y when the values are correct. A Certificate Signing Request (CSR) file is created in NetIM's security directory (for example, /opt/riverbed/security or /data1/riverbed/security). The file is named <host>.csr, where <host> is the fully qualified host name that you entered in Step 4.
7. Obtain a signed certificate.
The certificate signing process is external to the NetIM application. Follow your organization's procedures for obtaining a signed certificate from a CA. The CSR file is typically exchanged with the CA by e-mail. The validity period of the server certificate is agreed between the user and the CA.
– Locate the CSR file in the security directory (for example, /data1/riverbed/security) and provide it to a Certificate Authority (CA) for signing.
– Proceed to the next step when you receive the signed certificate reply from your CA.
If the CA's root certificate is already in the Java trust store (for example, VeriSign, DigiCert, or Thawte), you only need the signed server certificate from the CA. If you use a private CA, you also need the CA root certificate and any intermediate CA certificates.
8. Import the signed server certificate and CA certificates (when needed). In this step you import the signed certificate into the keystore. Import the CA root certificate and all intermediate CA certificates as appropriate.
– Exit to the bash shell and navigate to the NetIM installation directory (for example /data1/riverbed/NetIM/<version_number>).
– Enter the following command, where <signed_cert> is the full path to the signed server certificate and <ca_root_cert> is the full path to a CA root certificate:
./https_setup.sh /server_cert <signed_cert> [/ca_cert <ca_root_cert>]
X.509 certificates encoded in the DER, PEM, and PKCS#7 formats are supported.
The CA root certificate (specified by the /ca_cert option) is required only for a private CA root certificate.
You are prompted to enter the path to all intermediate CA certificates or N if you do not have any intermediate CA certificates.
– Your responses depend on whether you have intermediate CA certificates in the signed server certificate chain.
Enter N if you do not have intermediate CA certificates.
If you have intermediate CA certificates, enter the full path to the intermediate CA certificate. If you have more than one intermediate CA certificate, enter them one at a time in the order they appear in the certificate chain.
The certificate chain can be seen by opening the signed certificate reply file in a supported browser and viewing the Certification Path tab. Supported browsers include:
Google Chrome 115 (64-bit Edition) and later. (Chrome does not cache content from self-signed servers. For best web interface performance, replace NetIM’s self-signed certificate with a signed certificate from a trusted CA.)
Mozilla Firefox 116 (64-bit Edition) and later
Microsoft Edge 115 and later
Safari 16.6 and later
The CA root certificate is at the top of the chain and the server certificate is at the bottom. Specify the full path to each intermediate CA certificate file in the order the intermediates appear going down the chain from the CA root certificate to the server certificate. The details of each certificate can be seen by clicking View Certificate.
When you have finished specifying all intermediate CA certificates files, enter N at the prompt.
The script imports the server certificate and CA certificates for use by NetIM.
9. Enter the netimsh shell and start all services by entering the following commands:
netimsh
start ALL
10. Verify communication with the NetIM Web Server via HTTPS by opening a web browser and entering the URL for the NetIM web console. For example, if the NetIM host is myhost.myco.com and the HTTPS port is 8543, enter the following:
https://myhost.myco.com:8543
If the web console does not open, verify that you have specified the hostname exactly as it appears in the server certificate and that you have imported all CA certificates in the order in which they appear in the certificate chain.
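As an added illustration of the two failure points named above (steps 8 and 10), not part of the NetIM documentation or the https_setup.sh script: this Go program builds a constructed test chain (a root, two intermediates, and a server certificate for myhost.myco.com) with the standard library, has the X.509 verifier validate it against the hostname, and prints the intermediate CNs in the top-down order in which step 8 expects the files. The CA names and the issue helper are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate for cn (a CA if ca), signed by parent/pkey, or self-signed when parent is nil.
func issue(cn string, ca bool, dns []string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// OrderChain validates server for host against root plus the pool of intermediates and returns the
// intermediate CNs top-down (root-adjacent first), the order step 8 asks for when entering the files.
func OrderChain(host string, server, root *x509.Certificate, pool []*x509.Certificate) ([]string, error) {
	roots, ints := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range pool { // pool order is irrelevant; the verifier works out the path
		ints.AddCert(c)
	}
	chains, err := server.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: ints})
	if err != nil {
		return nil, err // hostname mismatch, missing intermediate, expired or untrusted certificate
	}
	var order []string
	for i := len(chains[0]) - 2; i >= 1; i-- { // chains[0] runs server -> ... -> root; skip both ends and walk down
		order = append(order, chains[0][i].Subject.CommonName)
	}
	return order, nil
}

func main() {
	root, rkey := issue("Example Root CA", true, nil, nil, nil)
	int1, k1 := issue("Example Intermediate CA 1", true, nil, root, rkey)
	int2, k2 := issue("Example Intermediate CA 2", true, nil, int1, k1)
	server, _ := issue("myhost.myco.com", false, []string{"myhost.myco.com"}, int2, k2)
	fmt.Println(OrderChain("myhost.myco.com", server, root, []*x509.Certificate{int2, int1})) // [Example Intermediate CA 1 Example Intermediate CA 2] <nil>
}
```

Feeding a wrong hostname or leaving an intermediate out of the pool makes Verify fail, which is the same condition the troubleshooting note above describes for a web console that does not open.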