Contact support for information about Gateway versions older than 1.16.
Note: An imported SSL certificate signed by a trusted certificate authority or a CA certificate imported to the keystore will not persist through an EcoStruxure IT Gateway update.
You must import the certificate again after you update your Gateway software.
These command examples are formatted for use in the Windows command prompt.
Using PowerShell requires using single quotes instead of the double quotes displayed below.
EcoStruxure IT Gateway stores the user interface SSL certificates in two Java keystore files in the C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore\ directory:
dcos.keystore (PrivateKeyEntry)
dcos.truststore (trustedCertEntry)
Verify the contents of the Java keystores
Open C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\application-installer.yaml
In the server: > ssl: section, find the line key-store-password and remember the password for the keystores.
Open a command prompt window and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore
Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -list -v -keystore dcos.keystore
Enter the password you remembered in step 2.
Verify the keystore contents are displayed without error.
Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -list -v -keystore dcos.truststore
Enter the password you remembered in step 2 when prompted.
Verify the keystore contents are displayed without error.
Create a new keystore for the trusted SSL certificate
Stop the EcoStruxureITGateway-x.x.x.x service.
Delete the existing keystore file, C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore\dcos.keystore.
Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore
Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048
The other values might need to match the values present on the CA. Some values are required by the CA, and others might be optional. This depends on the CA configuration.
Use the .csr file to create a new certificate signed by the Trusted CA. This could be a CA run by your company, or it might need to be sent to a third-party Certificate Authority.
Use the same password you remembered in step 2 of the "Verify the contents of the Java keystores" section.
Verify that the file dcos.keystore now exists in the keystore folder.
Start the EcoStruxureITGateway-x.x.x.x service.
Create a certificate signing request and a new SSL certificate signed by a trusted CA
Type the command:
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -certreq -alias dcos -keystore dcos.keystore -file newSxOnGW.csr
Enter the required values when prompted. The first value must match the hostname or FQDN (Fully Qualified Domain Name) of the server where EcoStruxure IT Gateway is installed.
Import the Root CA and Web Server SSL certificates to the EcoStruxure IT Gateway keystore
Copy rootca.crt and newSxOnGW.crt to the machine where EcoStruxure IT Gateway is installed.
Stop the EcoStruxureITGateway-x.x.x.x service.
Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore
Import the root CA certificate. Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias root -file rootca.crt -keystore root.truststore
Import the Web Server SSL certificate. Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias dcos -file newSxOnGW.crt -keystore dcos.keystore
Make sure the root CA certificate is imported to the internet browser on all the computers that will be used to access the Gateway user interface.
Start the EcoStruxureITGateway-x.x.x.x service.
EcoStruxure IT Gateway will now use the new signed certificate, and no SSL Certificate security warning will be displayed by the browser when the Gateway user interface is launched.
C:\Program Files\EcoStruxureITGateway\<version>\gateway\conf\keystore\dcos.keystore (PrivateKeyEntry)
C:\Program Files\EcoStruxureITGateway\<version>\gateway\conf\keystore\dcos.truststore (trustedCertEntry)
EcoStruxure IT Gateway stores the user interface SSL certificates in two Java keystore files in the /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore directory:
dcos.keystore (PrivateKeyEntry)
dcos.truststore (trustedCertEntry)
Verify the contents of the Java keystores
Open /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/application-installer.yaml
In the server: > ssl: section, find the line key-store-password and remember the password for the keystores.
Open a command prompt window and change the directory to /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore
Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -list -v -keystore dcos.keystore
Enter the password you remembered in step 2.
Verify the keystore contents are displayed without error.
Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -list -v -keystore dcos.truststore
Enter the password you remembered in step 2 when prompted.
Verify the keystore contents are displayed without error.
Create a new keystore for the trusted SSL certificate
Stop the EcoStruxureITGateway-x.x.x.x service.
Delete the existing keystore file, /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore/dcos.keystore.
Open a command prompt and change the directory to /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore
Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048
The other values might need to match the values present on the CA. Some values are required by the CA, and others might be optional. This depends on the CA configuration.
Use the .csr file to create a new certificate signed by the Trusted CA. This could be a CA run by your company, or it might need to be sent to a third-party Certificate Authority.
Use the same password you remembered in step 2 of the "Verify the contents of the Java keystores" section.
Verify that the file dcos.keystore now exists in the keystore folder.
Start the EcoStruxureITGateway-x.x.x.x service.
Create a certificate signing request and a new SSL certificate signed by a trusted CA
Type the command:
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -certreq -alias dcos -keystore dcos.keystore -file newSxOnGW.csr
Enter the required values when prompted. The first value must match the hostname or FQDN (Fully Qualified Domain Name) of the server where EcoStruxure IT Gateway is installed.
Import the Root CA and Web Server SSL certificates to the EcoStruxure IT Gateway keystore
Copy rootca.crt and newSxOnGW.crt to the machine where EcoStruxure IT Gateway is installed.
Stop the EcoStruxureITGateway-x.x.x.x service.
Open a command prompt and change the directory to /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore
Import the root CA certificate. Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -importCert -trustcacerts -alias root -file rootca.crt -keystore root.truststore
Import the Web Server SSL certificate. Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -importCert -trustcacerts -alias dcos -file newSxOnGW.crt -keystore dcos.keystore
Make sure the root CA certificate is imported to the internet browser on all the computers that will be used to access the Gateway user interface.
Start the EcoStruxureITGateway-x.x.x.x service.
EcoStruxure IT Gateway will now use the new signed certificate, and no SSL Certificate security warning will be displayed by the browser when the Gateway user interface is launched.
/opt/EcoStruxureITGateway/<version>/gateway/conf/keystore/dcos.keystore (PrivateKeyEntry)
/opt/EcoStruxureITGateway/<version>/gateway/conf/keystore/dcos.truststore (trustedCertEntry)
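What to look for in the listing once the signed certificate has been imported, as an added example that is not part of the original article or vendor code: a POSIX shell function that reads keytool -list -v output and checks that the dcos alias is a PrivateKeyEntry, that the certificate CN matches the Gateway hostname, and that Owner and Issuer differ (keytool -genkey leaves a self-signed certificate in the keystore until the CA-signed one is imported). The function name check_listing, the sample listings and the hostname gateway.example.internal are assumptions constructed for illustration.

```shell
# Added example (not vendor code): audit "keytool -list -v" output for alias dcos.
# Reads the listing on stdin; exit status is 0 only when every check passes.
check_listing() {
    awk -v host="$1" -v want="dcos" '
        { sub(/\r$/, "") }                     # tolerate Windows line endings
        /^Alias name: /  { cur = substr($0, 13); idx = 0 }
        cur != want      { next }              # skip other keystore entries
        /^Entry type: /  { type = substr($0, 13) }
        /^Certificate\[/ { idx = $0; gsub(/[^0-9]/, "", idx) }
        idx != 1         { next }              # inspect the leaf certificate only
        /^Owner: /       { owner = substr($0, 8) }
        /^Issuer: /      { issuer = substr($0, 9) }
        / until: /       { till = $0; sub(/^.* until: /, "", till) }
        END {
            cn = owner; sub(/^CN=/, "", cn); sub(/,.*$/, "", cn)
            if (type != "PrivateKeyEntry") {
                print "FAIL " want " is not a PrivateKeyEntry"; bad = 1 }
            if (cn == "" || tolower(cn) != tolower(host)) {
                print "FAIL CN \"" cn "\" does not match " host; bad = 1 }
            if (owner != "" && owner == issuer) {
                print "FAIL self-signed: Owner equals Issuer"; bad = 1 }
            if (till != "") print "INFO valid until " till
            exit bad + 0
        }'
}

# Constructed samples: the dcos entry after -genkey, then after the signed import.
sample_selfsigned() { cat <<'EOF'
Alias name: dcos
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=gateway.example.internal, OU=IT, O=Example, C=US
Issuer: CN=gateway.example.internal, OU=IT, O=Example, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Mar 31 00:00:00 UTC 2024
EOF
}
sample_signed() { cat <<'EOF'
Alias name: dcos
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=gateway.example.internal, OU=IT, O=Example, C=US
Issuer: CN=Example Internal Root CA, O=Example, C=US
Valid from: Mon Jan 08 00:00:00 UTC 2024 until: Tue Jan 07 00:00:00 UTC 2025
Certificate[2]:
Owner: CN=Example Internal Root CA, O=Example, C=US
Issuer: CN=Example Internal Root CA, O=Example, C=US
EOF
}
sample_selfsigned | check_listing gateway.example.internal || true
```

On a real Gateway host, pipe the output of the keytool -list -v -keystore dcos.keystore command shown above into check_listing with the server's FQDN as the argument.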
Hello,
I would recommend under the Create a new keystore for the trusted SSL certificate for Step 4 to add argument '-validity 365' or any number, to set the number of days the certificate will be valid for, otherwise the default will be 3 months' time.
ex:
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048 -validity 365