

Enable HTTPS with Certificates Stored in USS Files

You can configure CA CSM to use HTTPS instead of HTTP for user access manually, using a USS file to store certificates.

Follow these steps:

  1. Generate a keystore:
    1. Start an OMVS session and enter the following command:
      keytool -genkey -alias tomcat -keyalg RSA 
      

      A prompt appears.

      Note: keytool is a Java command that resides in the Java libraries. These libraries have a name similar to /Customer-Java-Prefix/java/J6.0.1/bin/, where Customer-Java-Prefix is the Java USS directory name at your site. You can add this directory name to the PATH variable in your USS profile so that the command runs successfully.

    2. Follow the prompt, remember your keystore password, and press Enter when you are prompted if you want to keep the default password.

      A default keystore is created in your home directory with one self-signed certificate inside.

    3. (Optional) If you want a different location, enter the following command, replacing the /path/to/my/keystore portion with your site-specific information:
      keytool -genkey -alias tomcat -keyalg RSA \
        -keystore /path/to/my/keystore
      
  2. Configure Apache Tomcat:
    1. Go to tomcat/conf and open the server.xml file.
    2. Uncomment or replace the SSL connector definition so that it reads as follows:
      <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
         <Connector port="30308" maxHttpHeaderSize="8192"
                    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                    enableLookups="false" disableUploadTimeout="true"
                    SSLEnabled="true"
                    keystorePass="tomcat"
                    keystoreFile="/a/path/to/my/keystore/.keystoreFile"
                    algorithm="IbmX509"
                    acceptCount="100" scheme="https" secure="true"
                    clientAuth="false" sslProtocol="TLS"
                    sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
      
    3. Change the port and keystoreFile parameters to fit your needs.
    4. Ensure that keystorePass matches the password that you specified in the previous step.
    5. In the standard HTTP connector, set redirectPort to the port that you specified in the SSL connector, as follows:
      <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
          <Connector port="30305" maxHttpHeaderSize="8192"
                     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                     enableLookups="false" redirectPort="30308" 
                     acceptCount="100"
                     connectionTimeout="20000" disableUploadTimeout="true" />
          <!-- Note : To disable connection timeouts, set connectionTimeout 
           value to 0 -->
      
  3. Start (or restart) Apache Tomcat.
  4. Enable your browser to use TLS encryption, and restart the browser.
  5. Access the HTTPS URL.

    Note: When you access the HTTPS URL from your browser for the first time, you may be prompted to confirm that you trust the certificate.

  6. Click Yes to add this certificate to your trusted certificates.
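
The following script is an added example for checking the server.xml edits from step 2 before you restart Tomcat; it is not part of this documentation or of Apache Tomcat. It parses a constructed server.xml that carries the two connectors shown above, verifies that the HTTP connector's redirectPort points at the SSL connector, that keystorePass matches the password you chose at the keytool prompt, and that scheme, secure and keystoreFile are set. It also flags any entry in sslEnabledProtocols that belongs to the LEGACY_PROTOCOLS set, which is the example's own list (SSLv2, SSLv3, TLSv1, TLSv1.1) rather than anything the page states; with the snippet exactly as printed above, that check reports TLSv1 and TLSv1.1.

```python
"""Cross-check the Tomcat HTTP and SSL connectors edited in step 2."""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal server.xml carrying the two connectors from
# the procedure above (ports 30305 and 30308, keystorePass "tomcat").
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a non-SSL HTTP/1.1 Connector -->
    <Connector port="30305" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="30308"
               acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <!-- Define a SSL HTTP/1.1 Connector -->
    <Connector port="30308" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               SSLEnabled="true"
               keystorePass="tomcat"
               keystoreFile="/a/path/to/my/keystore/.keystoreFile"
               algorithm="IbmX509"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
  </Service>
</Server>
"""

# Example's own list of protocol versions that should not be offered any more.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _is_true(value):
    """Tomcat boolean attributes are the strings "true"/"false"."""
    return (value or "").strip().lower() == "true"


def check_connectors(server_xml, keystore_password):
    """Validate the connectors in a server.xml document.

    keystore_password is the password chosen at the keytool prompt in step 1.
    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ssl_connectors = [c for c in connectors if _is_true(c.get("SSLEnabled"))]
    plain_connectors = [c for c in connectors if not _is_true(c.get("SSLEnabled"))]

    if not ssl_connectors:
        findings.append('no connector has SSLEnabled="true"')

    ssl_ports = set()
    for conn in ssl_connectors:
        port = conn.get("port", "?")
        ssl_ports.add(port)
        # scheme/secure tell the web application it is being reached over HTTPS.
        if conn.get("scheme") != "https" or not _is_true(conn.get("secure")):
            findings.append(f'SSL connector on port {port} must set scheme="https" and secure="true"')
        if not conn.get("keystoreFile"):
            findings.append(f"SSL connector on port {port} has no keystoreFile")
        # Step 2.4: keystorePass must be the password given to keytool.
        if conn.get("keystorePass") != keystore_password:
            findings.append(f"SSL connector on port {port}: keystorePass does not match the keytool password")
        enabled = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(f"SSL connector on port {port} enables legacy protocols: {', '.join(legacy)}")

    # Step 2.5: every plain HTTP connector must redirect to an SSL connector port.
    for conn in plain_connectors:
        port = conn.get("port", "?")
        redirect = conn.get("redirectPort")
        if redirect not in ssl_ports:
            findings.append(f"HTTP connector on port {port} has redirectPort={redirect!r}, which is not an SSL connector port")

    return findings


if __name__ == "__main__":
    for line in check_connectors(SAMPLE_SERVER_XML, "tomcat") or ["all checks passed"]:
        print(line)
```

To run it against a real installation, read tomcat/conf/server.xml into a string and pass it together with the keystore password in place of the constructed sample; any finding is something to correct before restarting Tomcat in step 3.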

Note: For more information, see documentation for the Apache Tomcat 7.0 Servlet/JSP Container.