Change Groundplex certificate

Groundplexes have self-signed CA certificates. This certificate works for client validation if the client is configured to accept all certificates or if the load balancer distributing requests to Groundplex nodes:

  • Has a CA certificate
  • Is configured to terminate connections

If your clients or load balancer can't be configured in this way, you need to use your own CA certificate on your Groundplexes. Use either a wildcard certificate or a unique certificate per node, update the keystore on each Snaplex node, and restart it.

To change the certificate on a node:

  1. Create a backup copy of the /etc/snaplogic/jcc-serverkeys.jks file.
  2. Concatenate your certificate's PEM-encoded files into a single file:

    $ cat <CA-SIGNED-PEM> <CA-INTERMEDIATE-PEM> <CA-ROOT-PEM> sl-ca-chain.pem


    <CA-SIGNED-PEM> is the CA-signed TLS (SSL) certificate (PEM encoded).

    <CA-INTERMEDIATE-PEM> is the CA intermediate certificate (PEM encoded).

    <CA-ROOT-PEM> is the CA root certificate (PEM encoded).

  3. Ensure that no password is associated with the private key file with the following openssl command:
    $ openssl rsa -in <PRIVATE_KEY> -out key_no_pass.pem


    <PRIVATE_KEY> is the private key used to create the CSR (PEM encoded).

    If there is a password associated with the private key, you must provide it to generate key_no_pass.pem.
  4. Use the following openssl command to generate the PFX file:
    $ openssl pkcs12 -inkey key_no_pass.pem -in sl-ca-chain.pem -export -out sl-ca-chain.p12 -name jetty -password $(cat /etc/snaplogic/jcc-serverkeys.pass)
  5. Use the keytool command to import the PFX file into jcc-serverkeys.jks:
    $ keytool -importkeystore -srckeystore <PATH-TO-SL-CA-CHAIN-P12> -srcstoretype PKCS12 -srcstorepass $(cat /etc/snaplogic/jcc-serverkeys.pass) -destkeystore /etc/snaplogic/jcc-serverkeys.jks -deststoretype JCEKS -deststorepass $(cat /etc/snaplogic/jcc-serverkeys.pass)


    <PATH-TO-SL-CA-CHAIN-P12> is the absolute path to the sl-ca-chain.p12 file created earlier.

  6. Use the SnapLogic Dashboard to restart the Groundplex node. Check to make sure that the node enters a steady state and allow time for running Pipelines to complete.

  7. (Optional) Use the openssl command to verify that the TLS (SSL) certificate served by the node matches the CA-signed TLS (SSL) certificate.

    $ openssl s_client -connect localhost:<SECURE-PORT>


    <SECURE-PORT> is 8081 (default) for a Groundplex or 8084 (default) for a FeedMaster node.

  8. Repeat Steps 1 through 7 for all applicable nodes.