You can import your existing CA-signed certificate in ABS. To import the CA-signed certificate, stop ABS if it is already running. Complete the following steps to import the CA-signed certificate:
- Export your CA-signed certificate to PKCS12 store by entering the following
command:
For example:# openssl pkcs12 -export -in <your_CA_cerficate.crt> -inkey <your_certificate_key.key> -out abs.p12 -name <alias_name>
# openssl pkcs12 -export -in ping.crt -inkey ping.key -out abs.p12 -name exampleCAcertificate Enter Export Password: Verifying - Enter Export Password:
Note: If you have intermediate certificate from CA, then append the content to the <your_CA_certificate>.crt file. - Import the certificate and key from the PKCS12 store to Java Keystore by entering the
following command. The command requires the destination keystore password. The
destination keystore password entered in the command should be same that is configured
in the abs.properties file.
The following is a snippet of the abs.properties file where the destination keystore password is stored. The password is obfuscated.
# Java Keystore password jks_password=OBF:AES:Q3vcrnj7VZILTPdJnxkOsyimHRvGDQ==:daYWJ5QgzxZJAnTkuRlFpreM1rsz3FFCulhAUKj7ww4=
Enter the following command:
# keytool -importkeystore -destkeystore abs.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias <alias_name> -storetype jks
For example:
# keytool -importkeystore -destkeystore abs.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias exampleCAcertificate -storetype jks Importing keystore abs.p12 to abs.jks... Enter destination keystore password: Re-enter new password: Enter source keystore password:
- Copy the
abs.jks
file created instep 2
to/opt/pingidentity/abs/config/ssl
directory. - Start ABS by entering the following
command:
# /opt/pingidentity/abs/bin/start.sh Starting API Behavioral Security 4.0... please see /opt/pingidentity/abs/logs/abs/abs.log for more details
ABS supports only TLS 1.1 and TLS 1.2 and requires Open JDK 11.0.2. By default SSL is enabled between ABS and ASE. If you need to disable SSL contact Ping Idenity support team.
ABS ships with a default self-signed certificate with Java Keystore at abs/config/ssl/abs.jks and the default password set to abs123 in the abs.properties file. The default password is obfuscated in the abs.properties file. It is recommended to change the default passwords and obfuscate the new passwords. See Obfuscate passwords for steps to obfuscate passwords.