Posted on 09-25-2015 11:59 AM
Client with multiple JDSes around the world.
Their JSS is configured with a new Tomcat keystore, and a certificate issued by their Active Directory Certificate Authority. This is being used for client-to-JSS and web console connections.
However, the JSS-to-JDS traffic uses the Built-in CA from when the JSS was installed. And now the client wants to use WebSeal network appliances to shape and/or control the JDS replication traffic.
To inspect this traffic, the WebSeal needs the JSS Built-in CA, which we can download from the Management Settings->Global Management->PKI.
To actually shape this traffic, the WebSeal also needs the private key for this certificate. However, I have apparently stumped JAMF Support in figuring out where this private key may be stored (perhaps in the MySQL database somewhere? It's not in the Tomcat keystore, which was deleted/replaced with a new one when the AD CA was installed)?
Alternatively, is it possible to have JSS-to-JDS replication use the AD cert and private key? We have the certificate and know everything about the Tomcat keystore and could use Portecle to dump out the private key...
Posted on 09-25-2015 12:03 PM
Posted on 09-25-2015 12:09 PM
Nope - the JSS to JDS traffic is using the JSS Built-In CA, which was set up automagically when the JSS was installed. But where is the private key stored? Not in the Tomcat keystore, since that was nuked when the AD CA-issued cert was added. Don't think it's in the Java keystore. Wondering if it's somewhere in the Tomcat directory or the MySQL database.
Or, if we could get JSS to JDS traffic to use the AD CA-issued certificate and private key in the Tomcat keystore, we'd be good.
Posted on 09-25-2015 03:43 PM
I'm not sure if we're referring to the same certificate, but you can create a backup of the CA in the JSS at the PKI panel. This backup is a p12 file which includes the private key. Best