Using SSL With Pulse

Create your own keystore and SSL certificate
 

  1. Open a Command Line Window using Run As Administrator
  2. Use the cd command to change the directory to the conf directory where Pulse is installed:

    cd C:\Program Files\Pulse for TM1\conf
     
  3. Create your own keystore and generate a key pair (the Certificate Signing Request itself is generated in step 8):

    ..\jre\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore pulse.keystore -keysize 2048
     
  4. Enter a password and write it down so you can use it later:

    Enter keystore password: 
     
  5. Enter the details for the certificate: 
     
    • First and last name (Common Name (CN)): Enter the domain you are going to use for Pulse (e.g. pulse.mycompany.org) in the "first and last name" field. It looks like "www.company.com" or "company.com". NOTE: The Common Name must match the URL people are going to use to access Pulse.
    • Organizational Unit (OU): This field is optional, but can be used to help identify certificates registered to an organization, e.g. the name of the department making the request.
    • Organization (O): The name of your company or department; exclude any special characters such as & or @ from the name.
    • Locality or City (L): The locality field is the city or town name, for example: New York. 
    • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: Florida
    • Country Name (C): Use the two-letter code for the country, for example: US, AU, UK, etc.
       
  6. Confirm the details are correct, type y and press Enter:

    Is CN=demo.pulsefortm1.com, OU=Unknown, O=Cubewise, L=St Leonards, ST=New South Wales, C=AU correct? 
    [no]: y
     
  7. Press return and use the same password as entered in Step 4

    Enter key password for <tomcat>
    (RETURN if same as keystore password): [Enter]
     
  8. Generate a Certificate Signing Request (CSR) to be used by a Certificate Authority (Symantec, Thawte, DigiCert, GeoTrust, Go Daddy, etc.):

    ..\jre\bin\keytool -certreq -alias tomcat -file pulse.csr -keystore pulse.keystore
     
  9. Enter the password you created in step 4:

    Enter keystore password: 
     
  10. Follow the steps of your Certificate Authority to purchase a new certificate using the pulse.csr file that was created in the previous step.

    NOTE: The pulse.csr file will be in the conf directory where Pulse is installed
     
  11. At this point you should make a copy of the pulse.keystore file so you have a backup if you encounter problems when importing certificates



Import Your X.509 Certificate into the Key Store

  1. Open a Command Line Window using Run As Administrator
  2. Use the cd command to change the directory to the conf directory where Pulse is installed

    cd C:\Program Files\Pulse for TM1\conf

  3. First import any root/intermediate certificate(s) as instructed by your Certificate Authority. These need to be imported BEFORE your certificate is imported:

    1. Save any root/intermediate certificates to the conf directory, e.g. root.cer
    2. Execute, replacing -alias and -file options for each certificate:

      ..\jre\bin\keytool -import -trustcacerts -alias root -keystore pulse.keystore -file root.cer

    3. Enter the password from above and press enter

  4. Import your actual certificate into the key store:

    1. Save the certificate to the conf directory, i.e. pulse.cer.
    2. Execute the following. The alias needs to be tomcat, the same alias that was used when the key was generated in the keystore:

      ..\jre\bin\keytool -import -trustcacerts -alias tomcat -keystore pulse.keystore -file pulse.cer

    3. Enter the password from above and press enter

  5. If you get "Certificate reply was installed in keystore", the certificate has been successfully installed in the keystore.

    If you receive the error "keytool error: java.lang.Exception: Failed to establish chain from reply", you need to install the appropriate intermediate certificates.
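
To confirm the import before changing the connector, the check below (an added example, not part of the Pulse documentation) reads the text printed by `..\jre\bin\keytool -list -v -keystore pulse.keystore` and reports whether the tomcat entry still holds the private key, carries the expected Common Name, and chains to the CA. It assumes English keytool output; the sample listing and the CA name in it are constructed.

```python
import re

# Constructed sample of English `keytool -list -v` output after a successful import.
SAMPLE = """Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=pulse.mycompany.org, O=My Company, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""

def parse_entries(listing):
    """Split the listing into one dict per alias (entry type, owner and issuer DNs)."""
    entries = []
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        lines = [line.strip() for line in block.splitlines()]
        def field(name):
            return [l.split(": ", 1)[1] for l in lines if l.startswith(name + ": ")]
        entries.append({"alias": lines[0], "type": (field("Entry type") or ["?"])[0],
                        "owners": field("Owner"), "issuers": field("Issuer")})
    return entries

def check_server_entry(listing, alias, hostname):
    """Return the problems found with the entry the connector will serve; [] means OK."""
    entry = next((e for e in parse_entries(listing) if e["alias"] == alias), None)
    if entry is None:
        return [f"alias {alias!r} not found in keystore"]
    if entry["type"] != "PrivateKeyEntry":
        return [f"{alias!r} is a {entry['type']}: no private key is stored under this alias"]
    owners, issuers = entry["owners"], entry["issuers"]
    if not owners or len(owners) != len(issuers):
        return [f"could not read the certificate chain for {alias!r}"]
    problems = []
    cn = re.search(r"CN=([^,]+)", owners[0])
    found = cn.group(1) if cn else None
    if found is None or found.lower() != hostname.lower():
        problems.append(f"CN {found!r} does not match {hostname!r}")
    if owners[0] == issuers[0]:
        problems.append("still self-signed: the CA reply has not been imported")
    for i in range(len(owners) - 1):
        if issuers[i] != owners[i + 1]:
            problems.append(f"chain broken after certificate {i + 1}")
    return problems

if __name__ == "__main__":
    print(check_server_entry(SAMPLE, "tomcat", "pulse.mycompany.org") or "OK")
```

Save the keytool listing to a file and pass its contents as `listing`; an empty list means the entry is ready for the connector.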



Update the Connector Settings for the New Key Store

  1. Open conf/server.xml (in the Pulse install directory)
  2. Find the SSL Connector (search for port 8093)
  3. Change the keystoreFile to the name of the keystore from above, i.e. conf/pulse.keystore
  4. Update the keystorePass to the password you used above if it is different from the default one.
  5. Change the port number if you would like to use a port other than 8093. 443 is the default for SSL and means you do not have to enter the port number in the URL.
  6. Save the file. You may have to save it to your Desktop first and then copy it to the directory to get around the Windows UAC security settings.
  7. Restart the "Pulse for TM1 Application Server" Windows service.