for SuccessFactors
...
docuflow for Integrations (d4i...
docuflow Middleware Installati...

SSL Certificates Modifications

6min

docuflow requires SSL certificates to secure communications amongst applications within the platform. docuflow does provide the ability to create its own self-signed certificates. Certificates are generated through the Certificate Manager application.

The following are execution guidelines for managing the certificates for docuflow .



Regenerate and Configure Certificates

After completing file modifications, such as those noted below, the following steps are required to regenerate and configure the new certificates for use with the docuflow platform.

  1. Stop all docuflow applications
  2. Rename (or delete) the <docuflow INSTALL LOCATION>\x509 directory e.g. x509.old
  3. Start the Certificate Manager application
    1. <docuflow INSTALL LOCATION>\start-cert-mgr.ps1
    2. Upon successful completion, exit/stop the Certificate Manager application
  4. Start docuflow
  5. Close and open a new browser instance
  6. Import the newly generated certificates; follow the existing steps here.
    1. Note: it not required, but recommended, to remove the previously configured certificates:
      1. Personal > VersaFile Configuration Manager Client
      2. Trusted Root Certification Authorities > VersaFile TRex Root CA


Modify the Expiry Length

  • The expiry length for certificates is located within the <docuflow INSTALL LOCATION>\config\trex-certmgr-application.json file
    • within the defaults.validity object
    • default value 3650 (units in days; 10 years)
  • To modify the expiry length of all certificates, edit the trex-certmgr-application.json file
    1. Modify the defaults.validity value e.g. for 1 year expiry length "validity": 365
    2. Save the file edit
    3. Execute the Regenerate and Configure Certificates steps, noted above.


Modify a Password

  • Each application with the docuflow platform is created with its own trustore and keystore, to permit or restrict communication amongst applications.
  • Passwords exist for each application's truststore and keystore. These passwords exist in:
    • <docuflow INSTALL LOCATION>\config\trex-certmgr-application.json
    • One of the following:
      • <docuflow INSTALL LOCATION>\config\application-cfgmgr.yaml
      • <docuflow INSTALL LOCATION>\config\application-dao.yaml
      • <docuflow INSTALL LOCATION>\config\application-ngin.yaml
      • <docuflow INSTALL LOCATION>\config\application-cnn.yaml
        • each connector has its own respective yaml config file; however, the application-cnn.yaml is inherited in each case as well
  • A password configuration also exists for the client certificate, which exists in <docuflow INSTALL LOCATION>\config\trex-certmgr-application.json. Specifically:
    • exports.privatekeys.storepass object
  • To modify a password, edit the trex-certmgr-application.json file and edit the respetive yaml file, as required.
    • For example, to modify the password for both Configuration Manager certificates and the client certificate:
      1. trex-certmgr-application.json edits:
        1. Navigate to keystores.keystore : "trex.cfgmgr.keystore.p12"
        2. Edit the storepass object, e.g. { "keystore": "trex.cfgmgr.keystore.p12", "storepass": "newPassword1", "aliases": ["trex.cfgmgr.server"] },
        3. Navigate to truststores.truststore : "trex.cfgmgr.truststore.p12" Edit the storepass object, e.g. { "keystore": "trex.cfgmgr.truststore.p12", "storepass": "newPassword2", "aliases": [ "trex.cfgmgr.client", ... "trex.cnn-trex-websvc.server" ] },
        4. Navigate to exports.privatekeys Edit the storepass object, e.g. "privatekeys": [{ "alias": "trex.cfgmgr.client", "file": "exports/trex.cfgmgr.client.p12", "storepass": "newPassword3" }]
      2. application-cfgmgr.yaml edits
        1. Navigate to and edit the server.ssl object
        2. Edit the key-store-password and trust-store-password values, e.g. server: port: 8443 ssl: key-store: ./x509/trex.cfgmgr.keystore.p12 key-store-password: newPassword1 key-alias: trex.cfgmgr.server trust-store: ./x509/trex.cfgmgr.truststore.p12 trust-store-password: newPassword2
      3. Execute the Regenerate and Configure Certificates steps, noted above.
    • Password creation guidlines:
      • It is recommended not to use, but if using the \ or " characters, these must be escaped with the \ character within the json and yaml files, e.g.
        • not escaped: this"is\aPwd
        • escaped: this\"is\\aPwd
      • Although not used by default, it is recommended to surround the passwords in the yaml file with double quotes. e.g. server: port: 8443 ssl: key-store: ./x509/trex.cfgmgr.keystore.p12 key-store-password: "newPassword1" key-alias: trex.cfgmgr.server trust-store: ./x509/trex.cfgmgr.truststore.p12 trust-store-password: "newPassword2"


Modify Access to Configuration Manager

  • By default, Configuration Manager is configured as accessible locally through a browser through http://localhost:8443
  • An IP or DNS configuration can be added and included in the certificate creation.
    1. Edit the trex-certmgr-application.json file
    2. Navigate to the master.certificates object
    3. Edit the "alias": "trex.cfgmgr.server" object
      1. For a new DNS entry, add in a new entry in the "dns" array. For example, to add a DNS config with a name of trex.cfgmgrtest.com with an IP of 188.77.166.88 { "alias": "trex.cfgmgr.server", "dn": { "commonName": "VersaFile Configuration Manager Application" }, "san": { "dns": ["localhost", "trex.cfgmgrtest.com"], "ip": ["127.0.0.1", "188.77.166.88"] } }, Note: an IP can be added on its own, without a DNS entry
    4. Execute the Regenerate and Configure Certificates steps, noted above.





PREVIOUS
Connecting to docuflow Configuration
NEXT
docuflow Base Configuration
Docs powered by Archbee