Mar 2, 2020 8:15 AM
| Last Modified: Mar 4, 2020 11:31 AM
Need help getting and using the certificates that JMP Live requires? Here you go!
Are you setting up SSL certificates for JMP Live? The process described here will help you get and use the certificates that JMP Live requires.
SSL certificates are text files containing cryptographic keys that enable a browser and the web server to have secure communication. The primary reason for using SSL certificates is to keep sensitive information sent across the web encrypted so that only the intended recipient can access it. The keys are specific to an organization and are typically provided by third-party vendors like DigiCert, Symantec, and Network Solutions. JMP Live cannot run without these certificates.
JMP Live requires three certificate files:
A file containing the certificate itself.
A file containing the certificate’s private key.
A file containing the root certificate chain, also known as the Certification Authority (CA) certificate chain.
The JMP Live installer provides this set of certificates that allows for minimal testing on a local host setup. However, it generates warnings when the site is viewed in the local browser, and the site is inaccessible from browsers outside the install machine. You can get certificates yourself using the following process.
Requesting certificates from a Certification Authority (CA)
The certificate and private key are configured for your organization. The root certificate comes from the third-party vendor.
If you need to purchase a certificate from a third-party vendor, please refer to their documentation on how to obtain the required files.
If certificates are available in your organization, the CA Web Enrollment role service provides a set of web pages that allow interaction with the CA role service. These web pages are typically located at https://<servername>/certsrv, where <servername> is the name of the server that hosts the CA Web Enrollment pages (for example, https://certificates.company.com/certsrv).
Once you find the location of the certificate enrollment service, follow these steps:
Get the certificate: Request a certificate from the CA Web Enrollment role service web page. Follow the instructions provided by your organization to submit the request for a certificate. Once the certificate has been issued, download and save it to the install machine. When prompted for an encoding, select Base64. The certificate contained in the downloaded file is an encoded piece of data that usually starts with -----BEGIN CERTIFICATE ----. The downloaded file will be file Nr. 1.
Get the certificate’s private key: The private key is generated simultaneously with the certificate request. You won’t see the private key while generating the certificate request. It is usually created in the background and saved in the server’s filesystem without any notification. There are several ways to find a certificate’s private key (see Helpful Links at the end of this blog post or use Google for options). Use one of the following methods to change the format of the private key into one that JMP Live can accept:
After exporting all certificates in the certification path and the private key, the downloaded file (PKCS #12) is usually password-protected. JMP Live cannot use the password-protected file. To remove the password, you can use OpenSSL (see Helpful Links at the end of this blog post or use Google for options). Run the following command to remove the password, where cert.pfx is the exported certificate and private key file: openssl pkcs12 -in cert.pfx -nodes -out cert.pem If the above command does not work for your version of OpenSSL, use this command instead: openssl pkcs7 -print_certs -in cert.pfx -out cert.pem After running the above command, the cert.pem file contains the unprotected private key that is needed by JMP Live as well as all certificates. Open cert.pem using the Notepad tool and copy and paste the private key into a new file. The private key contained in cert.pem is an encoded piece of data that usually starts with: -----BEGIN RSA PRIVATE KEY ---- This new file is file Nr. 2.
Some certificate utilities might allow you to export the certificate and key in Apache format. Doing so usually does not require a password, and the certificate and key are exported into two separate files. These two files can be used as File Nr. 1 and 2 without having to transform them using OpenSSL.
Get the root certificate: The role service web site usually contains a menu item "Download a CA certificate, certificate chain, or CRL." JMP Live needs the CA certificate chain. This item can be used to download file Nr. 3. When prompted for an encoding select Base64. If the downloaded file is password-protected, use the same steps to remove a password as described for the private key (step 2 above). If the file is in PKCS#7 or P7B format, it needs to be converted to Privacy Enhanced Mail or PEM format. To do that, run the following command: openssl pkcs7 -in certnew.p7b -nodes -out root.pem
Verify the certificates (optional)
You can verify your PEM files by running the following command: openssl x509 -in root.pem -text
This will display the content of the certificate and the different pieces, like Issuer, Subject, and expiration date, can be verified.
Using the certificates in JMP Live
Once you have the required certificates, you can begin using them in JMP Live: Keep the files in a central location or copy them to the SSL directories in the JMPLive and JMPPool folders, typically at: C:\Program Files\SAS\JMP Live\JMPLive\ssl C:\Program Files\SAS\JMP Live\JMPPool\ssl
Edit the .env files of JMPLive and JMPPool to reflect the appropriate paths to the three files (certificate, private key, and root certificate).
Edit the JMP Live .env file. Note that the root certificate for JMP Live is in the JMPPool/ssl directory. SSL_CERT_FILE='c:\Program Files\SAS\JMP Live\JMPLive\ssl\ cert.pem' SSL_KEY_FILE='c:\Program Files\SAS\JMP Live\JMPLive\ssl\key.pem' SSL_CA_FILE='c:\Program Files\SAS\JMP Live\JMPPool\ssl\root.pem'
Edit the JMP Pool .env file (root certificate only). SSL_CA_FILE='c:\Program Files\SAS\JMP Live\JMPPool\ssl\root.pem'
Use the Services tab of the Task Manager to start or restart the JMP Live web application (websjmpsvc.exe) and the JMP Pool Manager (jmpppolsvc.exe).
Finally, here are a few links to reference as you set up SSL certificates: