SSL Support

If you want to use SSL to protect data submitted to CA Identity Manager, the Identity Manager Server must be configured to accept HTTPS requests. The following procedure is a sample configuration for JBoss on a Windows platform as the application server for the Identity Manager Server. The sample uses the Java utility “keytool.exe” to create and manage the server's key stores. Refer to the CA Identity Manager documentation for information on setting up SSL when CA Identity Manager runs on another application server.

From the $JBOSS_HOME/server/default/conf directory:

  1. Create a keystore by issuing the following command to create a self-signed certificate for the Server. When prompted for the first name and last name, use the domain name of the host machine.
    keytool -genkey -alias server -keyalg RSA -keystore server.keystore -validity 3650
    
  2. From the Tomcat SAR subdirectory of your server configuration's deployment directory ($JBOSS_HOME/server/default/deploy/jboss-web.deployer), edit the server.xml file and uncomment the <Connector> element for SSL that listens on port 8443. Make sure the “keystoreFile” and “keystorePass” values match the keystore you created.
    <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
    <Connector port="8443" address="${jboss.bind.address}"
               maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
               emptySessionPath="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="password" sslProtocol="TLS" />
    
  3. Restart the server.
  4. Test the SSL connection by starting a browser on your local machine and going to https://localhost:8443/jmx-console/index.jsp. Your browser should report an error about an untrusted certificate signer. To avoid this, either import the server certificate into your browser or obtain a certificate from a well-known certificate authority.
  5. Specify the server URL as an HTTPS URL. For example: https://test1:8443/iam/im/TEWS6/feedtst
  6. From the machine where you are running the Bulk Load Client, use the Java keytool utility to create a keystore and import the server certificate as a trusted certificate. Enter your keystore password when prompted. Answer yes when asked whether to trust the certificate being imported.
    keytool -import -alias imserver -file <your_server_cert_file> -keystore "%HOMEDRIVE%%HOMEPATH%\.imbulkloaderkeystore"
    
  7. Edit the impbulkloader.bat or the impbulkloader.sh file to set TRUSTSTORE_PASSWORD to the value you entered in the previous step.
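A quick way to confirm that step 2 actually took before you restart and test in a browser. This is an added example, not part of the CA documentation or the Bulk Load Client: it parses server.xml, checks that the port 8443 HTTPS <Connector> is no longer inside an XML comment, and verifies its attributes against what the procedure asks for. The two server.xml texts and the jboss.server.home.dir value are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

PROP_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed samples (not a real server.xml): the Connector inside a comment, then uncommented.
CONNECTOR = ('<Connector port="8443" address="${jboss.bind.address}" scheme="https"\n'
             ' secure="true" clientAuth="false"'
             ' keystoreFile="${jboss.server.home.dir}/conf/server.keystore"\n'
             ' keystorePass="password" sslProtocol="TLS" />')
SERVER_XML_COMMENTED = ('<Server><Service name="jboss.web">\n<!-- SSL/TLS Connector\n'
                        + CONNECTOR + '\n-->\n</Service></Server>')
SERVER_XML_ACTIVE = ('<Server><Service name="jboss.web">\n<!-- SSL/TLS Connector -->\n'
                     + CONNECTOR + '\n</Service></Server>')


def expand_props(value, props):
    """Expand ${name} placeholders from props; unknown names are left untouched."""
    return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def check_ssl_connector(server_xml, props, port="8443"):
    """Return (attrs, findings) for the active HTTPS Connector on `port`; attrs is
    None when it is still commented out, since ElementTree discards comments."""
    root = ET.fromstring(server_xml)
    https = [c for c in root.iter("Connector")
             if c.get("port") == port and c.get("scheme") == "https"]
    if not https:
        return None, ["no active HTTPS Connector on port %s (still commented out?)" % port]
    attrs, findings = dict(https[0].attrib), []
    if attrs.get("secure") != "true":
        findings.append('secure must be "true"')
    if attrs.get("sslProtocol", "").strip() != "TLS":
        findings.append('sslProtocol should be "TLS"')
    if not attrs.get("keystoreFile"):
        findings.append("keystoreFile is not set")
    else:  # resolve ${jboss.server.home.dir} so the path can be compared with step 1
        attrs["keystoreFile"] = expand_props(attrs["keystoreFile"], props)
    if not attrs.get("keystorePass"):
        findings.append("keystorePass is empty; it must match the -genkey password")
    return attrs, findings


if __name__ == "__main__":
    props = {"jboss.server.home.dir": "C:/jboss/server/default"}
    for label, text in (("commented", SERVER_XML_COMMENTED), ("active", SERVER_XML_ACTIVE)):
        attrs, findings = check_ssl_connector(text, props)
        print(label, attrs and attrs["keystoreFile"], findings or "OK")
```

To run it against a real installation, read $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml into `server_xml` and pass the actual server home directory in `props`.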