CloudCenter 4.8 has reached End of Life (EOL) as of November 14, 2018. See End of Support Notices for additional context.

Certificate Authentication and Management


CloudCenter uses two kinds of certificates:

  • Client Certificate: To authenticate requests to the CCM UI for client communication through a browser or for REST communication with the CCM server.

  • Component Certificate: To authenticate communication between CloudCenter components (CCO to CCM and GUA to CCM) for component deployments.  

Be aware that you may need to update either certificate.

Client Certificate

Client certificates refer to the certificates used for the browser-based HTTPS connection. A trusted authentication indicates that you have set up a trusted relationship between the browser and the CCM application.

All CloudCenter installer and appliance packages contain a default self-signed certificate that is built to work out of the box. The default certificate consists of the following files:

  • public.crt

  • public.key

If you use the out-of-box certificates, follow the process provided by your favorite browser to add the CCM as a trusted application.

While the default certificates are acceptable for use in dev, test, and staging environments, you must generate unique certificates for your production environment(s). Contact the CloudCenter Support team for additional details.

Using Your Own Client Certificates

If using your own certs, replace the certs in the CCM Nginx certs folder in /etc/ssl/certs/ with your certificates after the upgrade to 4.8.2. See the CloudCenter 4.8.2 Release Notes for additional context.

If you use your own certificates, you additionally need the cacertificate.crt file along with the certificate.crt and certificate.key files.

To use your own Client certificates, follow this procedure:

  1. Procure the following files:

    1. certificate.crt  (for example,

    2. certificate.key (for example,

    3. cacertificate.crt (typically, you can get this certificate from your IT department)

  2. Perform the following steps as a root user.

    1. Save the certificate file to the /etc/ssl/certs folder.

    2. Override the existing public.crt and the public.key with the new certificates.
      For example:
      mv public.crt

    3. Restart the Nginx service:
      - systemctl restart nginx
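
Before overwriting public.crt and public.key in step 2, it helps to confirm that the procured key belongs to the certificate, that the certificate chains to cacertificate.crt, and that it is not about to expire, because Nginx fails to start on a mismatched pair. The following is an added example, not part of the CloudCenter documentation or tooling; the helper names (check_bundle, make_demo_bundle, demo) are hypothetical, and the files it checks are a throwaway CA and certificate constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: pre-flight checks before replacing public.crt / public.key.
# check_bundle, make_demo_bundle and demo are hypothetical helper names.

check_bundle() {  # usage: check_bundle CERT KEY CACERT [MIN_SECONDS_VALID]
    cert=$1; key=$2; ca=$3; min=${4:-2592000}   # default window: 30 days
    # 1. The private key must belong to the certificate (same public key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match certificate"; return 1
    fi
    # 2. The certificate must chain to the CA certificate you were given.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "certificate not issued by this CA"; return 2; }
    # 3. The certificate must stay valid for at least MIN_SECONDS_VALID.
    openssl x509 -in "$cert" -noout -checkend "$min" >/dev/null 2>&1 ||
        { echo "certificate expires too soon"; return 3; }
    echo "ok"
}

make_demo_bundle() {  # usage: make_demo_bundle DIR  (constructed throwaway CA + cert)
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/cacertificate.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ccm.example.test" \
        -keyout "$d/certificate.key" -out "$d/certificate.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/certificate.csr" -days 90 -CAcreateserial \
        -CA "$d/cacertificate.crt" -CAkey "$d/ca.key" \
        -out "$d/certificate.crt" 2>/dev/null
}

demo() {  # run the checks on constructed files, then discard them
    tmp=$(mktemp -d) || return 1
    make_demo_bundle "$tmp" &&
        check_bundle "$tmp/certificate.crt" "$tmp/certificate.key" "$tmp/cacertificate.crt"
    rc=$?; rm -rf "$tmp"; return "$rc"
}
demo
```

Against real files, run check_bundle with the paths of the three procured files and proceed to the Nginx restart only when it prints ok.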

Custom Component Certificates

CloudCenter components, by default, contain the certificates required to deploy applications and to ensure secure communication between components. In some cases, you may want to use your own custom certificates for each component. This section provides details on the requirements and process to use custom certificates.

The installation package includes the .jar files required to generate these custom certificates. The wizards for each component provide the required triggers to generate or update the certificates when required. By default, the certificate (ZIP) file is generated in the /tmp folder. This ZIP file must be extracted for each component by running the wizard. The wizard extracts each component's .crt file to the /usr/local/osmosix/ssl folder.

These certificates include the following files out of the box:

CloudCenter Component Certificate Files (one set per component):

  • ca_root.crt, ca_truststore.jks, ccm.crt, ccm.key, ccm_keystore.jks

  • ca_root.crt, ca_truststore.jks, cco.crt, cco.key, cco_keystore.jks

  • ca_root.crt, ca_truststore.jks, gua.crt, gua.key, gua_keystore.jks

  • ca_root.crt, ca_truststore.jks, esb.crt, esb.key, esb_keystore.jks

  • ca_root.crt, ca_truststore.jks, arcus.crt, arcus.key, arcus_keystore.jks


To update certificates, you must meet the following requirements:

  • Use the CloudCenter platform to generate new certificates for each component.

  • Provide a unique deployment identifier, CloudCenter ID (CCID), when you generate the certificate files. You can use the same ID for all components.

    You can continue to use existing CCIDs and still generate new certificate files each time.

    Alternately, you can provide an ID of your choice containing alpha or numeric characters and that is descriptive for your environment.

    If you enter the same unique identifier and CCID each time, be aware that new certificates are generated each time that you enter this information.

  • Copy the generated file from the CCM server to the /tmp folder on the component servers identified above.

  • Launch and run the wizard for each component and update the certificates.

  • High Availability: Custom certificates, if used, must only be generated from the PRIMARY_CCM and copied to ALL other components (for example, other CCMs, all CCOs, AMQPs, and so forth).

Generate and Update the File on the CCM

To generate and update the certificate on the CCM server, follow this process:

  1. Invoke the CCM wizard as specified in Configure CCM Wizard Properties.

  2. Access the Custom Certs Menu group to configure certificates.

  3. Select Generate_Certs.

  4. Assign the CloudCenter ID and Company name to generate the CCM certificate. Once the CloudCenter platform generates the certificates, they are saved to the /tmp folder.

  5. Return to the Custom Certs Menu and select Update_Certs to update the certificate.

  6. In the Certs Zip Path field, enter the path where the generated file resides. The default path is /tmp/. The certificates are automatically updated for the CCM server.

  7. Exit the wizard.

  8. Restart the CCM server for the changes to be effective.

  9. Verify that the certificate is updated by issuing the following command:

    cat ca_root.crt

    The updated certificate is displayed in response to this command.

  10. Copy the file from the CCM server to your local machine and then execute the following command to copy the file from the /tmp folder of the CCM to the other component servers.

    scp -r -i <yourPemFile>.pem <localMachinePath>/ /tmp
    # For example:
    scp -r -i cliqrdev.pem /home/CCMCert/ /tmp

Update the File on the CCO, GUA, and ESB

Follow this process to update certificates for these components:

  1. Invoke the wizard (links provided in the Requirements section above) for each component to extract the file that you copied (from the CCM server). The component wizard automatically extracts the corresponding .crt file to the /usr/local/osmosix/ssl folder for that component.

  2. Exit the wizard.

  3. cd /etc/rabbitmq/certs
    jar xf <cert-zip-filename> esb_rabbit
    mv ./esb_rabbit/* .
    rm -rf esb_rabbit
    chown -R rabbitmq:rabbitmq /etc/rabbitmq/certs
    chmod 700 /etc/rabbitmq/certs
    chmod 600 /etc/rabbitmq/certs/*
  4. Restart the server for the changes to be effective.

Update the File on the Arcus Server

Effective CloudCenter 4.9.0, you can also update the file for an Arcus Server. Follow this process to update certificates for the Arcus server:

  1. Copy the file from the CCM server to the Arcus server's /tmp folder.

    scp -r -i <yourPemFile>.pem <localMachinePath>/ /tmp
    # For example:
    scp -r -i cliqrdev.pem /home/CCMCert/ /tmp
  2. Unzip the file.

  3. Copy the arcus.crt and arcus.key files and place them in the location that you specified for the following environment variables:




  4. Restart the server for the changes to be effective.

  5. Start the Docker Service.

    systemctl start docker

Dedicated Components

The following procedure is applicable to both co-located and dedicated environments.

To use custom certificates for dedicated Docker installations, follow this process to update certificates:

  1. If your deployment scenario contains an External Script Executor that is in a separate server (and not in the same server as the CCO), invoke the CCO - Configure Wizard and navigate to the Docker CACert URL property.

  2. Enter the Docker External IP address in the Docker CACert URL field.

For any component or scenario not mentioned in this section, contact the CloudCenter Support team.

Verification Process

To verify that your custom certificates were applied successfully, deploy a sample application. If the certificates were applied correctly, the application deploys without errors.
