Set Up a Client Keystore on the Agent

In this procedure, you create a signed certificate and import it into the client keystore. These steps use the Controller to sign the certificate, but you can also use a third-party Certificate Authority (CA).

  1. Create a new key pair in a new keystore:
    <java-home>/bin/keytool -genkey -alias client-alias -keyalg RSA \
    -keystore clientkeystore.jks \
    -storepass changeit \
    -keypass changeit
    The keytool prompts you for your name, organization, and other information it needs to generate the key. The password changeit is a placeholder: use a real value for both the store and the key, and restrict the file's permissions to the user the agent runs as. On JDK 9 and later the default store type is PKCS12 regardless of the .jks extension; add -storetype JKS if you need a JKS file.
    Splunk AppDynamics App Agents use SunX509 as the default key manager factory algorithm. If keystores in your environment use something other than SunX509, you need to specify the algorithm to the App Agent. You can do so using the system property appdynamics.agent.ssl.keymanager.factory.algorithm. For example, to set the algorithm to PKIX, add this to the startup command of the agent-monitored JVM:
    -Dappdynamics.agent.ssl.keymanager.factory.algorithm=PKIX
  2. Generate a certificate signing request (client.csr) that can be signed by a Certificate Authority (CA).
    <java-home>/bin/keytool -certreq -v -alias client-alias -file client.csr \
    -keystore clientkeystore.jks \
    -storepass changeit \
    -keypass changeit
  3. Get the request (client.csr) signed by a trusted CA. The following command uses the Controller as the CA: run it on the Controller host against the Controller's keystore (keystore.jks), where s1as is the alias of the Controller's own key entry. It creates a new file (signedClient.cer) containing the Controller-signed certificate. Note that -gencert issues a certificate valid for 90 days unless you add -validity <days>.
    <java-home>/bin/keytool -gencert -infile ./client.csr -outfile signedClient.cer -alias s1as \
    -keystore ./keystore.jks \
    -storepass changeit \
    -keypass changeit
  4. (Optional) To view information about the signed certificate, enter:
    <java-home>/bin/keytool -printcert -v -file ./signedClient.cer
  5. (Optional) To view the contents of clientkeystore.jks, enter:
    <java-home>/bin/keytool -list -v -keystore clientkeystore.jks -storepass changeit
    The keystore should show an entry for client-alias whose certificate is still self-signed, because the CA reply has not yet been imported.
  6. Import the signed certificate into the client keystore. This command imports signedClient.cer into clientkeystore.jks; it must use the same alias as the key pair so that keytool treats the file as a certificate reply for that private key rather than as a new trusted certificate.
    <java-home>/bin/keytool -importcert -v -alias client-alias -file ./signedClient.cer \
    -keystore clientkeystore.jks \
    -storepass changeit \
    -keypass changeit
    You now have a password-protected clientkeystore.jks file on the agent containing a CA-signed certificate that the agent presents to the Controller to prove its own identity (client-certificate authentication). Verifying the Controller's identity is the job of the agent's trust store, not of this keystore.
  7. If you get the error "Failed to establish chain from reply", keytool could not link the signed certificate back to a certificate it trusts. Import the issuing Certificate Authority's root and any intermediate certificates into the client keystore first, then repeat step 6. The root CA chain establishes the validity of the CA signature on your certificate. keytool only consults the bundled JVM's trust store when you pass -trustcacerts, and a private CA (including the Controller's own certificate, when the Controller signs the request) is not in that store anyway, so import the signer's certificate explicitly:
    <java-home>/bin/keytool -import -alias [Any_alias] -file <path_to_root_or_intermediate_cert> -keystore clientkeystore.jks -storepass changeit
  8. Make sure the Controller's trust store contains the signing authority's certificate; because this procedure used the Controller as the Certificate Authority, that is already the case. Then verify on the agent that the signer is now part of the agent's certificate chain:
    <java-home>/bin/keytool -list -v -alias client-alias \
    -keystore clientkeystore.jks -storepass changeit
    The entry for client-alias should be a PrivateKeyEntry whose "Certificate chain length" is at least 2, with the signing authority's certificate as the last certificate in the chain and the Issuer of the agent's certificate matching the signer's Subject.
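The script below is an added example, not AppDynamics' own tooling, that runs the whole procedure end to end in a temporary directory so you can see what a correct result looks like before touching a real agent. It builds a constructed stand-in for the Controller's keystore.jks (a self-signed s1as key marked as a CA), then performs steps 1, 2, 3, 7, 6 and 8 in that order: the signer's certificate is imported into the client keystore before the signed reply, which is what avoids "Failed to establish chain from reply". The hostnames, the O= value, the temp paths and the password are placeholders; -validity and the -ext flags are explicit choices of this example, not settings taken from the page.

```shell
#!/bin/sh
# Added example (not AppDynamics' own tooling): the procedure above run end
# to end against a constructed stand-in for the Controller's keystore.jks.
# Hostnames, O= and the password are placeholders; use a real password.
set -e

PASS="${KEYSTORE_PASS:-changeit}"

# Runs keytool quietly, keeping its output in a log for troubleshooting.
kt() { keytool "$@" >>"$WORK/keytool.log" 2>&1; }

# Prints the "Certificate chain length" keytool reports for client-alias.
client_chain_length() {
  keytool -list -v -alias client-alias -keystore "$CLIENT" -storepass "$PASS" 2>/dev/null \
    | sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p'
}

# Builds both keystores from scratch and prints the resulting chain length.
build_client_keystore() {
  WORK=$(mktemp -d)
  CTRL="$WORK/keystore.jks"          # stand-in for the Controller keystore
  CLIENT="$WORK/clientkeystore.jks"  # the agent's client keystore
  echo "artifacts in $WORK" >&2

  # Constructed stand-in for the Controller's s1as key: a self-signed CA cert.
  kt -genkeypair -alias s1as -keyalg RSA -keysize 2048 -validity 3650 \
     -dname "CN=controller.example.internal, O=Example" \
     -ext bc:c=ca:true -ext ku:c=keyCertSign,cRLSign \
     -keystore "$CTRL" -storetype JKS -storepass "$PASS" -keypass "$PASS"

  # Step 1: agent key pair (self-signed until the CA reply is imported).
  kt -genkeypair -alias client-alias -keyalg RSA -keysize 2048 -validity 365 \
     -dname "CN=agent-host01, OU=Ops, O=Example" \
     -keystore "$CLIENT" -storetype JKS -storepass "$PASS" -keypass "$PASS"

  # Step 2: certificate signing request.
  kt -certreq -alias client-alias -file "$WORK/client.csr" \
     -keystore "$CLIENT" -storepass "$PASS" -keypass "$PASS"

  # Step 3: sign on the Controller side. -validity is explicit because
  # -gencert defaults to 90 days; EKU clientAuth marks this as a client cert.
  kt -gencert -infile "$WORK/client.csr" -outfile "$WORK/signedClient.cer" \
     -alias s1as -validity 365 \
     -ext ku:c=digitalSignature,keyEncipherment -ext eku=clientAuth \
     -keystore "$CTRL" -storepass "$PASS" -keypass "$PASS"

  # Step 7 first: trust the signer in the client keystore, otherwise the
  # reply import fails with "Failed to establish chain from reply".
  kt -exportcert -alias s1as -file "$WORK/controller-ca.cer" \
     -keystore "$CTRL" -storepass "$PASS"
  kt -importcert -noprompt -alias controller-ca -file "$WORK/controller-ca.cer" \
     -keystore "$CLIENT" -storepass "$PASS"

  # Step 6: import the signed reply against the existing private-key alias.
  kt -importcert -noprompt -alias client-alias -file "$WORK/signedClient.cer" \
     -keystore "$CLIENT" -storepass "$PASS" -keypass "$PASS"

  # Step 8: the PrivateKeyEntry now carries the signer in its chain (length 2).
  client_chain_length
}

echo "chain length for client-alias: $(build_client_keystore)"
```

Run it with a JDK on the PATH; the temp directory it reports holds both keystores, client.csr, signedClient.cer and keytool.log, so you can repeat steps 4 and 5 against them. Swapping the two -importcert calls reproduces the step 7 error, which is the quickest way to confirm that the order, not the certificate, is the problem.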