1. Security Guide
  2. ISR Security Overview
  3. ISR Certificates

ISR Certificates

Many ISR services are configured for more secure requests via HTTPS, including:

  • ISR Dashboard
  • ISR FACE
  • Recorder REST Webservice
  • Converter REST Webservice
  • RSS Java API

To access these services, the clients you use must have either public keys or certificates, which are generated at installation time, or negotiated through a public key exchange. Public keys and certificates can be found in the locations described below.

The following table lists and describes the RSS public key locations.
Public Key Location Description Key Technology
/opt/isr/security/keys/rss_cert.pem Certificate for ISR components to connect to RSS REST services OpenSSL SHA256 RSA Key/ X509 Self-signed certificate
/opt/isr/security/keys/isr.key Private key for ISR component communications N/A
/opt/isr/security/keys/israpi-public.key Public certificate for ISR API Java keytool created RSA Key/Certificate
/opt/isr/security/keys/tomcat.keystore Keystore for ISR Java applications on the RSS N/A
The following table lists and describes the Dashboard public key locations.
Public Key Location Description Key Technology
/opt/isr/security/keys/puma.crt Certificate file OpenSSL DES3 RSA Key/ X509 Self-signed certificate
/opt/isr/security/keys/isr.key Private key for ISR component communications N/A
The following table lists and describes the FACE public key locations.
Public Key Location Description Key Technology
/opt/isr/security/keys/face-public.key Public key for FACE HTTPS clients Java keytool created RSA Key/Certificate
/opt/isr/security/keys/tomcat.keystore Keystore for ISR Java applications on FACE N/A
/opt/isr/security/keys/isr.key Private key for ISR component communications N/A

Imported Certificates for Secure Communications

Some ISRISRapplications (for example, the Dashboard) may send client requests to other ISR applications. For these requests and responses to be secure and authenticated, the application hosts must initially import the public keys of the services receiving the requests. The following table describes the keys imported to ISR component hosts for secure ISR application communication.
Component Public Key Location Description
Dashboard /opt/isr/security/keys/israpi-public.key.<RSS host IP>

/opt/isr/security/keys/rss_cert.pem. <RSS host IP>

Imported RSS API public key for Dashboard RSS API requests

Imported RSS Converter and Recorder process public keys

FACE opt/isr/security/keys/israpi-public.key.<RSS host IP>

/opt/isr/security/keys/rss_cert.pem.<RSS host IP>

Imported RSS API public key for FACE RSS API requests

Imported RSS Converter and Recorder process public keys

Signing Keys

Many ISR services utilize self-signed keys which are generated during installation. For better security, Oracle recommends that keys are signed by a Certificate Authority (CA). You must generate a certificate signing request (CSR) and use it to request a signed certificate from a CA. The certificates described in "Imported Certificates for Secure Communications" are self-signed when you install them. You must replace these with certificates signed by a certified Certificate Signing Authority (CSA).To obtain these properly signed certificates, you must generate a Certificate Signing Request (CSR).

To generate a CSR for your host:
  1. Run /opt/isr/configIsr.sh from the Linux command line.
  2. Choose the 'k' Manage ISR Keys option.
  3. Choose the 'c' Create Certificate Signing Request(s) option.
  4. Follow the instructions for creating a CSR.

CSRs are created in the /opt/isr/security/keys/ directory.

Once you have generated a CSR, you must send it to a CSA for signing and install and replace the temporary self-signed certificate created during installation.

To import a signed certificate to your host:
  1. Run /opt/isr/configIsr.sh from the Linux command line.
  2. Choose the 'k' Manage ISR Keys option.
  3. Choose the 'i' Import a signed certificate option.
  4. Follow the instructions for importing your CA signed certificate.

Note:

If a CA-signed ISR API Face certificate has not been received, in bundled form, by the CA authority, then each signed certificate issued by the CA (for example, root certificates, intermediate certificates, and issued API Face signed certificates) must be manually imported using the below commands.
The following command imports received root certificates to the tomcat keystore: 
keytool -import -file root.cert -alias root -keystore /opt/isr/security/keys/tomcat.keystore
The following command imports received intermediate certificates to the tomcat keystore: 
keytool -import -file intermediate1.cert -alias intermed1 -keystore /opt/isr/security/keys/tomcat.keystore
The following command imports received ISRAPI/Face certificates to the tomcat keystore: 
keytool -import -file CASigned_ISRAPI.cert -alias israpi-key -keystore /opt/isr/security/keys/tomcat.keystore
Or: 
keytool -import -file CASigned_Face.cert -alias face-key -keystore /opt/isr/security/keys/tomcat.keystore

Additional CSR Details

You may need to attach additional information to your CSR. The following shows the general format for using keytool to create a CSR: 
keytool -certreq -alias <alias> -keyalg RSA -file <alias>.csr -keystore /opt/isr/security/keys/tomcat.keystore
The following shows the general format for using openssl to create a CSR: 
openssl req -out <alias>.csr -key /opt/isr/security/keys/<keyfile> -new

Examples of Generating ISR Component CSRs

This section provides examples of generating ISR component CSRs.

RSS Certificate Signing
  • RSS Services Certificate 
    openssl req -out rss.csr -key /opt/isr/security/keys/rss_key.pem -new
  • ISR API Certificate 
    keytool -certreq -alias israpi-key -keyalg RSA -file israpi.csr -keystore /opt/isr/security/keys/tomcat.keystore
Dashboard Certificate Signing
  • Dashboard Certificate 
    openssl req -out dash.csr -key /opt/isr/security/keys/server.key -new
FACE Certificate Signing
  • FACE API Certificate 
    keytool -certreq -alias face-key -keyalg RSA -file face.csr -keystore /opt/isr/security/keys/tomcat.keystore