Appendix A - Integrate CA Service Catalog with Amazon Web Services

This section describes the procedure to integrate CA Service Catalog with Amazon Web Services.

Set up Keystore File in CA Service Catalog

To ensure interoperability between CA Service Catalog and the Amazon Web Services SDK, a keystore file containing all of the current public end-point certificates is included in the deployment package. This keystore file must be placed in a location that is recognized by CA Service Catalog.

Follow these steps:

  1. Log in to the CA Service Catalog server.
  2. Open Windows Explorer.
  3. Copy the keystore file (.keystore) from C:\Program Files (x86)\CA\Service Catalog\filestore\contentpacks\CA ASC Amazon Web Services\prescripts to the Service Catalog home directory, C:\Program Files (x86)\CA\Service Catalog.
  4. Restart the CA Service Catalog service.

    CA Service Catalog will use the new keystore file to trust AWS certificates and allow HTTPS calls.

Create Trusted End Points

You can skip this step when installing this product. The instructions in this section apply when Amazon Web Services deploys new end points and you want to make them available to your end users. In that case, the administrator must create trusted end point certificates and add them to the .keystore file.

Note: If your end point uses the HTTP protocol, proceed to step 2.

Follow these steps:

  1. If you use HTTPS, create a keystore that trusts the end point public certificate (required for Java JDK version 1.6.0.24 or lower).
    1. Open a command prompt on the CA Service Catalog server.
    2. Type the following command to retrieve the end point certificate using OpenSSL:
      C:\OpenSSL-Win32\bin\openssl.exe s_client -connect cloudformation.us-east-1.amazonaws.com:443 > amazon.txt
      
    3. Press Enter to execute the command.

      Note: If the command hangs or throws errors, press Ctrl+C to end the process.

  2. Navigate to the user folder for the profile that you are logged in as (in this case, C:\Users\Administrator) and locate the amazon.txt file.
  3. Open the text file and remove all the text before the -----BEGIN CERTIFICATE----- line.
  4. Remove all of the text after the -----END CERTIFICATE----- line.

    The file must contain only the certificate block, from the BEGIN CERTIFICATE line through the END CERTIFICATE line:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

  5. Save the file as amazon_temp.cer.
  6. Double-click the amazon_temp.cer file to open its properties.
  7. Click the Details tab.
  8. Click "Copy to file…" to open the export certificate wizard.
  9. Click Next.
  10. Select "Base-64 Encoded X.509 (.CER)" under the format options.
  11. Click Next.
  12. Type amazon in the File Name text box.
  13. Click Next.

    Note down the location where the file is saved, in this case "C:\Users\amazon.cer".

  14. Click Finish.
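
The manual trimming in steps 2 to 4 can be scripted, and the certificate's fingerprint can be checked before the file is added to a trust store. The following Python sketch is an added example, not part of the CA documentation; the function names are hypothetical, and the sample s_client output and its certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def extract_leaf_pem(s_client_output):
    """Return (pem_text, der_bytes) for the first certificate block found."""
    m = PEM_RE.search(s_client_output)
    if m is None:
        raise ValueError("no certificate block found; did s_client connect?")
    body = "".join(m.group(1).split())
    # validate=True rejects stray non-Base-64 text left inside the block
    der = base64.b64decode(body, validate=True)
    if not der:
        raise ValueError("empty certificate block")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"]) + "\n"
    return pem, der

def sha256_fingerprint(der):
    """Colon-separated, upper-case SHA-256 of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_pin(der, expected):
    """Compare against a fingerprint obtained through a separate channel."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(sha256_fingerprint(der)), norm(expected))

# Constructed sample: these bytes are NOT a real X.509 certificate.
SAMPLE_DER = bytes(range(200))
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:/CN=endpoint.example.invalid\n---\nServer certificate\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\nsubject=/CN=endpoint.example.invalid\n---\n"
)

if __name__ == "__main__":
    pem, der = extract_leaf_pem(SAMPLE_OUTPUT)
    print(pem, end="")
    print("SHA-256 fingerprint:", sha256_fingerprint(der))
    # Import the file only if this matches the value you verified separately.
```

The fingerprint is the digest of the DER encoding, the same value that `openssl x509 -noout -fingerprint -sha256 -in amazon.cer` reports for a real certificate file.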

Import Certificate into Keystore File

Import the certificate into a keystore file so that CA Service Catalog can use the new keystore file to trust the AWS certificates and allow HTTPS calls.

Note: If you use multiple endpoint certificates, you must import all the certificates into the same keystore file, each with a different alias.

Follow these steps:

  1. Open the command prompt.
  2. Type the following command:
    keytool -importcert -trustcacerts -alias amazon -file amazon.cer -storepass changeit -keystore .keystore -storetype JKS
    
  3. Copy the keystore file (.keystore) to the Service Catalog home directory (for example, C:\Program Files (x86)\CA\Service Catalog\.keystore).
  4. Restart the CA Service Catalog service.

    CA Service Catalog uses the new keystore file to trust the AWS certificates and allow HTTPS calls.