

How to Replace BFC and Controller Server SSL Certificate

Both the controller and the BFC are accessed over https, which relies on SSL/TLS. SSL was a protocol originally designed by Netscape to secure communications: the server is identified by an X.509 certificate, and asymmetric (public-key) cryptography is used to establish the encrypted session. Both the BFC and the controller use a self-signed certificate and private key for this purpose. When the BFC or the controller is installed, these certificate and key files are generated automatically, so no action is required on the part of the user.

However, in some circumstances it may be necessary to replace the self-signed SSL certificate used for logging in to the BFC or to the controller. For instance, some customers may want to replace the generated 2048-bit RSA certificate with a 4096-bit one, or move away from a SHA-1 signature, on security grounds.

This document does not cover how to generate the certificate or the key; an overview, as well as a utility for doing so, may be found on this site. We assume that the new certificate and its private key have already been created by whatever means. What follows describes how to switch the BFC and controller https interfaces to the new SSL certificate.

Procedure

The controller web interface is based on an Apache web server. Its certificate and key files are kept in the /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key directories. Within these directories, the actual certificate and key files are symbolic links to files in /var/applogic/conf:

In /etc/httpd/conf/ssl.crt:
lrwxrwxrwx  1 root root   31 Mar 27 14:11 server.crt -> /var/applogic/conf/applogic.crt
In /etc/httpd/conf/ssl.key
lrwxrwxrwx  1 root root   31 Mar 27 14:11 server.key -> /var/applogic/conf/applogic.key

Follow these steps:

  1. Copy your new certificate and its private key to the controller
  2. Bring down the httpd service on the controller (after making sure nobody is editing or logged in to the GUI):
    service httpd stop
    
  3. Replace the applogic.crt file and the applogic.key file in /var/applogic/conf with your new server certificate and its private key respectively (the file names may differ depending on how you generated them). Keep a copy of the old files in case you need to revert. The private key must not be passphrase-protected, since httpd would otherwise prompt for the passphrase at startup and could not be started unattended.
  4. Start the httpd service again:
    service httpd start
    
  5. Test that the GUI works over https and that the browser presents the new certificate

The BFC web interface is based on MochiWeb, a lightweight http server written in Erlang. As such, the procedure for replacing its server SSL certificate is less obvious. If this needs to be done, follow these steps:

  1. Copy your new certificate and its private key to the BFC machine
  2. Stop the BFC:
    service bfc stop
    
  3. Change to the /opt/bfc/lib/client_interface-0.1/priv directory:
    cd /opt/bfc/lib/client_interface-0.1/priv
    
  4. Save aside the original "server.crt" and "server.key" files
  5. Copy your new cert and private key to "server.crt" and "server.key" respectively. You must retain those file names.
  6. Make sure the modes and ownership of the new files are correct (both should be mode 0600 and owned by bfcadmin:bfc)
  7. Start the BFC:
    service bfc start
    
  8. Test correct GUI functionality
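Both procedures above (controller and BFC) are the same operation with different paths, service names and file ownership, so here they are as one added script. This is an example written for this page, not code from the AppLogic or BFC product. The paths, service names and the BFC ownership and mode are those given in the steps above; the controller ownership and mode (root:root, 0600), the https port (443), the script name replace_cert.sh and the presence of the openssl command on the machine are assumptions. It adds the checks a practitioner wants before touching a live service: that the key is not passphrase-protected, that the certificate and key actually belong together, and, after the restart, that the server really presents the new certificate.

```shell
#!/bin/sh
# Added example (not part of the AppLogic or BFC product): replace the server
# certificate of the controller (Apache) or the BFC (MochiWeb) with pre-flight
# checks, timestamped backups, and a check of what the server serves afterwards.
# Paths, service names and the BFC ownership/mode come from the procedure above;
# the controller ownership/mode (root:root, 0600), the https port (443) and the
# script name are assumptions.
set -eu

# True if the PEM private key is not passphrase-protected. Both services start
# unattended, so a protected key would leave them down after the restart.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# True if the certificate's RSA modulus equals the key's modulus, i.e. the two
# files belong together (RSA-specific, matching the generated certificates).
cert_matches_key() {
    m_crt=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    m_key=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$m_crt" ] && [ "$m_crt" = "$m_key" ]
}

# Everything that can fail is checked here, before any service is stopped.
check_pair() {
    [ -f "$1" ] || { echo "certificate $1 not found" >&2; return 1; }
    [ -f "$2" ] || { echo "private key $2 not found" >&2; return 1; }
    key_is_unencrypted "$2" || { echo "$2 has a passphrase; remove it first" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "$1 does not belong to $2" >&2; return 1; }
}

# Copy crt/key over dest_crt/dest_key, keeping a timestamped backup of each old
# file, then apply owner ("user:group", or "" to leave as-is) and mode to both.
install_pair() {
    crt=$1; key=$2; dest_crt=$3; dest_key=$4; owner=$5; mode=$6
    suffix=".bak.$(date +%Y%m%d%H%M%S)"
    for f in "$dest_crt" "$dest_key"; do
        if [ -e "$f" ]; then cp -p "$f" "$f$suffix"; fi
    done
    cp "$crt" "$dest_crt"
    cp "$key" "$dest_key"
    if [ -n "$owner" ]; then chown "$owner" "$dest_crt" "$dest_key"; fi
    chmod "$mode" "$dest_crt" "$dest_key"
}

# "Test correct GUI functionality", made precise: the SHA-256 fingerprint the
# running server presents must equal that of the certificate just installed.
served_cert_matches() {
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$2")
    got=$(openssl s_client -connect "$1" </dev/null 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Controller: the symlinks in /etc/httpd/conf/ssl.crt and ssl.key point at
# /var/applogic/conf/applogic.{crt,key}, so only those two files change.
replace_controller_cert() {
    check_pair "$1" "$2" || return 1
    service httpd stop
    install_pair "$1" "$2" /var/applogic/conf/applogic.crt \
        /var/applogic/conf/applogic.key root:root 0600
    service httpd start
    served_cert_matches localhost:443 "$1"
}

# BFC: MochiWeb loads the fixed names server.crt and server.key from its priv
# directory; they must be mode 0600 and owned by bfcadmin:bfc.
replace_bfc_cert() {
    check_pair "$1" "$2" || return 1
    service bfc stop
    install_pair "$1" "$2" /opt/bfc/lib/client_interface-0.1/priv/server.crt \
        /opt/bfc/lib/client_interface-0.1/priv/server.key bfcadmin:bfc 0600
    service bfc start
    served_cert_matches localhost:443 "$1"
}

# Usage (as root): sh replace_cert.sh controller|bfc new.crt new.key
case "${1:-}" in
    controller) replace_controller_cert "$2" "$3" ;;
    bfc)        replace_bfc_cert "$2" "$3" ;;
esac
```

The ordering is deliberate: check_pair runs before the service is stopped, so a mismatched or passphrase-protected pair is rejected while the GUI is still up, and the old files are only backed up and overwritten once the pair has passed. The modulus comparison is the standard way to confirm a certificate and key belong together; a mismatch is the most common reason Apache refuses to start after a certificate swap. The final fingerprint comparison catches the case where the service restarted but is still serving a cached or different certificate.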