

Configure for SSL Communication

As a system administrator, you ensure that CA GovernanceMinder Portal users communicate securely with the CA GovernanceMinder server. Secure Sockets Layer (SSL) is a protocol that uses a digital certificate and the private key that corresponds to that certificate to provide confidential and authenticated communication between client and server.

Use this scenario to guide you through the process.

Note: When you install the CA GovernanceMinder server and Client Tools application on separate servers, install the root and server certificates where you install the Client Tools application.

Figure: GM_12.6.02--How to Configure SSL Communication

  1. Verify Prerequisites.
  2. Add Your Digital Certificate to the Keystore.
  3. Activate SSL Communication in JBoss.
  4. Set Secure Server Properties.
  5. (Optional) Activate SSL on Cluster Nodes.

Verify Prerequisites

Verify that your system meets the following prerequisites:

Add Your Digital Certificate to the Keystore

To enable CA GovernanceMinder to use SSL communication, export the digital certificate from the CA GovernanceMinder server and import this certificate into the keystore.

For information about how to create a self-signed certificate, see Create a Self-Signed Certificate in the CA GovernanceMinder Installation Guide.

Important: In a production environment, use a certificate that was issued by a trusted Certificate Authority, and not a self-signed certificate.

Follow these steps:

  1. Stop JBoss if it is running.
  2. Open a Command Prompt window on a system where the Portal is installed and navigate to the following directory:
    C:\Program Files\Java\jdk1.6_23\bin
    
  3. Export the digital certificate from the server to JBoss with the following command:
    "%JAVA_HOME%\bin\keytool" -v -export -alias serverkeys -keystore "C:\Program Files\CA\RCM\Server\eurekify-jboss\server\eurekify\conf\server.keystore" -storepass password -file example.cer
    

    You have exported the digital certificate.

  4. Import the digital certificate to the keystore with the following command:
    "%JAVA_HOME%\bin\keytool" -v -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass password -file example.cer
    

    You have imported the digital certificate to the keystore.

  5. Copy the example.cer file to the following JDK security folder:
    C:\Program Files\Java\jdk1.6_23\jre\lib\security
    
  6. Add the certificate to the local certificate store.
    1. Locate and double-click the example.cer file.

      A Certificate window opens.

    2. On the General tab, click Install Certificate.

      The Certificate Import Wizard opens.

    3. Complete the prompts as required, click Finish, and click OK when the confirmation dialog opens.

You have added the digital certificate to the keystore.

Activate SSL Communication in JBoss

To activate SSL communication in JBoss, first block the default port and then edit the server.xml file to include the certificate path and password.

Follow these steps:

  1. Stop JBoss if it is running.
  2. Locate the server.xml file in the following .sar folder and open it for editing:
    gm_install\Server\eurekify-jboss\server\eurekify\deploy\jboss-web.sar
    

    Note: gm_install is the directory where the product is installed, for example, C:\Program Files\CA\RCM.

  3. Block default port 8080. Locate and comment out the following code section:
    <Connector protocol="HTTP/1.1" URIEncoding="UTF-8" port="8080" address="${jboss.bind.address}"
    connectionTimeout="20000" redirectPort="8443" />
    

    You have blocked default port 8080.

  4. Edit the JBoss server.xml file to enable SSL and to include the certificate path and password.
    1. Locate the following section:
      <Connector protocol="AJP/1.3" port="8009" address="${jboss.bind.address}" redirectPort="8443" />
      
    2. Add a line directly below and paste the following code:
      <Connector protocol="HTTP/1.1" port="8443" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
      keystorePass="password"
      />
      
    3. Replace password with the keystore password.
  5. Save and close the server.xml file.
  6. Start JBoss.

    You have activated SSL communication in JBoss.
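
The following Python script is an added example, not part of the CA documentation or product. It checks the text of a server.xml file against the procedure above: the port 8080 connector must be commented out, an SSL-enabled connector must exist, and its keystorePass must no longer be the placeholder. The function name, the sample XML wrapper elements, and the sample password are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

PLACEHOLDER = "password"  # literal placeholder in the page's Connector snippet

def audit_connectors(xml_text):
    """Return findings for the HTTP Connector elements in server.xml text."""
    findings, ssl_seen = [], False
    # ElementTree drops XML comments, so a commented-out Connector is not seen.
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if not conn.get("protocol", "").upper().startswith("HTTP"):
            continue  # AJP connector is outside the scope of this check
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"port {port}: plain HTTP connector is still active")
            continue
        ssl_seen = True
        if not conn.get("keystoreFile"):
            findings.append(f"port {port}: SSL connector has no keystoreFile")
        if conn.get("keystorePass", "") in ("", PLACEHOLDER):
            findings.append(f"port {port}: keystorePass is empty or the placeholder")
    if not ssl_seen:
        findings.append("no SSL-enabled HTTP connector found")
    return findings

# Constructed samples built from the page's snippets; the <Server>/<Service>
# wrapper and the non-placeholder password are assumptions for illustration.
AJP = ('<Connector protocol="AJP/1.3" port="8009" '
       'address="${jboss.bind.address}" redirectPort="8443" />')
HTTP = ('<Connector protocol="HTTP/1.1" URIEncoding="UTF-8" port="8080" '
        'address="${jboss.bind.address}" connectionTimeout="20000" '
        'redirectPort="8443" />')
SSL = ('<Connector protocol="HTTP/1.1" port="8443" SSLEnabled="true" '
       'maxThreads="150" scheme="https" secure="true" clientAuth="false" '
       'sslProtocol="TLS" keystorePass="%s" '
       'keystoreFile="${jboss.server.home.dir}/conf/server.keystore" />')

def sample(*connectors):
    return "<Server><Service>%s</Service></Server>" % "".join(connectors)

UNTOUCHED = sample(HTTP, AJP)                                   # before step 3
HALF_DONE = sample("<!-- " + HTTP + " -->", AJP, SSL % "password")
DONE = sample("<!-- " + HTTP + " -->", AJP, SSL % "constructed-Pass-1")

if __name__ == "__main__":
    for name, text in (("untouched", UNTOUCHED), ("half done", HALF_DONE),
                       ("done", DONE)):
        print(name, "->", audit_connectors(text) or "OK")
```

To check a real installation, pass the contents of the server.xml file to audit_connectors; an empty list means none of the three conditions was flagged.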