About Controller SSL and Certificates
For production use, we recommend that you replace the self-signed certificate with a certificate signed by a third-party Certificate Authority (CA) or your own internal CA. If you are deploying .NET Agents, you must replace the self-signed certificate with one signed by a CA, since the .NET agents do not work with self-signed certificates.
Controller SSL Certificates
You can manage your Controller SSL certificate using the command line or the Enterprise Console UI under Configurations. On the UI, the Appserver Configurations, Reports Service Configurations, and Fleet Management Configurations pages each contain a section that displays the SSL certificate information and provides an Edit Certificate option.
See Import an Existing Keypair into the Keystore Using the Command Line and Import an Existing Keypair into the Keystore Using the Enterprise Console UI.
Controller Keystore and Artifacts
This page describes how to replace the existing key in the default keystore. Replacing the entire keystore is not recommended unless you first export the existing artifacts from the default keystore and import them into your own keystore.
The default Controller keystore includes the following artifacts:
- s1as: A self-signed private key provided with the Glassfish application server used by the Controller for secure communication on port 8181.
- reporting-instance: A private key used by the reporting service, the service that enables scheduled reports.
Update Keystore Passwords
You can modify the password for the keystore.jks and cacert.jks files that are used to generate the keystore artifacts. The password for both files must be the same.
However, you cannot modify the password for the reporting-service.pfx file that is generated by the keystore artifact reporting-instance and used by the Reporting Service.
How to View the Keystore
You can view the contents of the keystore yourself using the keytool utility in your jre/<version>bin directory. Enter the default keystore password changeit when prompted.
keytool -list -v -keystore controller_home/appserver/jetty/etc/keystore.jks
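An added example, not part of the original documentation: a shell filter over the keytool -list -v output that reports which private-key entries still carry a self-signed certificate, so you can confirm whether s1as has been replaced. The sample listing, the ca-signed-example and example-root aliases, and the function names are constructed for illustration; English-locale keytool output is assumed.

```shell
#!/bin/sh
# Added example. Reads English-locale `keytool -list -v` output on stdin and
# prints the alias of each private-key entry whose leaf certificate
# (Certificate[1]) has Owner equal to Issuer, i.e. is self-signed.
# Trusted-certificate entries have no Certificate[1] line and are skipped,
# because a self-signed root CA in a keystore is expected.
self_signed_aliases() {
  awk '
    /^Alias name: /           { alias = substr($0, 13); leaf = 0; owner = "" }
    /^Certificate\[1\]:/      { leaf = 1; next }   # leaf of a key entry
    /^Certificate\[[0-9]+\]:/ { leaf = 0 }         # CA certs further up the chain
    leaf && /^Owner: /        { owner = substr($0, 8) }
    leaf && /^Issuer: /       { if (substr($0, 9) == owner) print alias; leaf = 0 }
  '
}

# Constructed sample listing (not real Controller output), trimmed to the
# fields the filter reads.
sample_listing() {
  cat <<'EOF'
Alias name: s1as
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Example
Issuer: CN=localhost, OU=Example

Alias name: ca-signed-example
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=controller.example.com
Issuer: CN=Example Internal CA
Certificate[2]:
Owner: CN=Example Internal CA
Issuer: CN=Example Internal CA

Alias name: example-root
Entry type: trustedCertEntry

Owner: CN=Example Internal CA
Issuer: CN=Example Internal CA
EOF
}

# Against a real keystore (prompts for the keystore password):
#   keytool -list -v -keystore controller_home/appserver/jetty/etc/keystore.jks | self_signed_aliases
sample_listing | self_signed_aliases
```

An empty result means no private-key entry in the listing presents a self-signed leaf certificate.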
The exact steps to implement security typically vary depending on the security policies for the organization. For example, if your organization already has a certificate to use, such as a wildcard certificate used for your organization's domain, you can import the existing certificate into the Controller keystore. Otherwise, you'll need to generate a new one along with a certificate signing request. The following sections take you through these scenarios.