

Configure CA CSM to Use HTTPS

Use this procedure to manually configure CA CSM to use HTTPS instead of HTTP for user access.

Follow these steps:

  1. Perform the following steps to generate a keystore:
    1. Start an OMVS session and enter the following command:
      keytool -genkey -alias tomcat -keyalg RSA 
      

      A prompt appears.

      Note: keytool is a Java command that resides in the Java libraries. These libraries have a name similar to /Customer-Java-Prefix/java/J6.0.1/bin/, where Customer-Java-Prefix is the Java USS directory name at your site. You can add this directory to the PATH variable in your USS profile so that the command runs without a full path.

    2. Follow the prompts, remember your keystore password, and press Enter when you are asked whether to keep the default key password (the same as the keystore password).

      A default keystore is created in your home directory with one self-signed certificate inside.

    3. (Optional) If you want the keystore in a different location, enter the following command, replacing the /path/to/my/keystore portion with your site-specific path:
      keytool -genkey -alias tomcat -keyalg RSA \
              -keystore /path/to/my/keystore

  2. Perform the following steps to configure Apache Tomcat:
    1. Go to tomcat/conf and open the server.xml file.
    2. Uncomment or replace the SSL connector definition, as follows:
      <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
      <Connector port="30308" maxHttpHeaderSize="8192"
                 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="false" disableUploadTimeout="true"
                 SSLEnabled="true"
                 keystorePass="tomcat"
                 keystoreFile="/a/path/to/my/keystore/.keystoreFile"
                 algorithm="IbmX509"
                 acceptCount="100" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS"
                 sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />

    3. Change the port and keystoreFile parameters to fit your needs.
    4. Ensure that keystorePass matches the keystore password that you specified when you generated the keystore in step 1.
    5. In the standard HTTP connector, provide the redirectPort to match the one you specified in the SSL connector, as follows:
      <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
      <Connector port="30305" maxHttpHeaderSize="8192"
                 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="false" redirectPort="30308"
                 acceptCount="100"
                 connectionTimeout="20000" disableUploadTimeout="true" />
      <!-- Note : To disable connection timeouts, set connectionTimeout
           value to 0 -->

  3. Start (or restart) Apache Tomcat.
  4. Enable your browser to use TLS encryption.
  5. Restart your browser.
  6. Access the HTTPS URL.

    Note: When you access the HTTPS URL from your browser for the first time, you may be prompted to confirm that you trust the certificate.

  7. Click Yes to add this certificate to your trusted certificates.

Note: For more information, see documentation for the Apache Tomcat 7.0 Servlet/JSP Container.
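The wiring above has three points that commonly go wrong: the HTTP connector's redirectPort must name the port of a connector that actually has SSLEnabled="true", keystoreFile must point at the keystore that keytool wrote, and sslEnabledProtocols decides which protocol versions the server will negotiate. The following check is an added example, not code from the CA CSM product or the Apache Tomcat project; it parses a constructed server.xml modelled on the two connectors in this procedure (sample data, not a real site's file) and reports any of those mismatches before Tomcat is restarted. It also flags TLSv1 and TLSv1.1 as legacy versions, which the connector in step 2 still lists; whether to drop them is a site decision. The keystore existence test is injectable so the function can run against a file that is not present on the machine doing the checking.

```python
"""Sanity-check the HTTPS connector wiring in a Tomcat server.xml.

Added example for the CA CSM HTTPS procedure; not part of the product or of Tomcat.
"""
import os
import xml.etree.ElementTree as ET
from typing import Callable, List

# Constructed sample modelled on the procedure's two connectors (not a real site's file).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="30305" maxHttpHeaderSize="8192" redirectPort="30308"
               acceptCount="100" connectionTimeout="20000" />
    <Connector port="30308" maxHttpHeaderSize="8192" SSLEnabled="true"
               keystorePass="tomcat"
               keystoreFile="/a/path/to/my/keystore/.keystoreFile"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
  </Service>
</Server>
"""

# Protocol versions that are deprecated and should not be offered on a new deployment.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def check_https_connectors(server_xml: str,
                           keystore_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return a list of findings; an empty list means the connector wiring looks right."""
    findings = []
    root = ET.fromstring(server_xml)
    connectors = root.findall(".//Connector")
    ssl = [c for c in connectors if c.get("SSLEnabled", "false").lower() == "true"]
    plain = [c for c in connectors if c not in ssl]

    if not ssl:
        findings.append('no connector has SSLEnabled="true"')
        return findings

    ssl_ports = {c.get("port") for c in ssl}
    for c in ssl:
        port = c.get("port")
        # Tomcat needs scheme/secure set so redirects and request.isSecure() behave correctly.
        if c.get("scheme") != "https" or c.get("secure", "false").lower() != "true":
            findings.append(f"SSL connector {port}: scheme/secure should be https/true")
        ks = c.get("keystoreFile")
        if not ks:
            findings.append(f"SSL connector {port}: keystoreFile missing")
        elif not keystore_exists(ks):
            findings.append(f"SSL connector {port}: keystoreFile {ks} not found")
        if not c.get("keystorePass"):
            findings.append(f"SSL connector {port}: keystorePass missing (must match the keytool password)")
        enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()}
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(f"SSL connector {port}: legacy protocols enabled: {', '.join(legacy)}")

    for c in plain:
        port = c.get("port")
        rp = c.get("redirectPort")
        if rp is None:
            findings.append(f"HTTP connector {port}: redirectPort missing")
        elif rp not in ssl_ports:
            findings.append(f"HTTP connector {port}: redirectPort {rp} does not match any "
                            f"SSL connector port ({', '.join(sorted(ssl_ports))})")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample, pretending the keystore file is present.
    for line in check_https_connectors(SAMPLE_SERVER_XML, keystore_exists=lambda p: True):
        print(line)
```

On the sample, the only finding is the legacy-protocol note; pointing the check at a real server.xml (`check_https_connectors(open("tomcat/conf/server.xml").read())`) uses the default on-disk keystore test and reports a missing or mistyped keystoreFile path, which otherwise surfaces only as a startup error after the restart in step 3.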