

Implement Your Third-Party Trusted SSL Certificate

CA Process Automation supports third-party security certificates for HTTPS web access and signing of jars. You can obtain such certificates from a third-party Certificate Authority.

Follow these steps:

  1. Decide on a certificate password and obtain a security certificate from a Certification Authority.
  2. Using the instructions provided by the Certification Authority, import the certificate into a keystore.

    Generally you use a command similar to keytool -import -alias myalias -file certfile -keystore "path_and_file_specification_for_keystore". Import the CA reply into the same keystore, and under the same alias, that holds the private key pair you generated for the certificate request. Imported under any other alias, keytool stores it as a trusted certificate with no private key, and the HTTPS connector cannot use it.

  3. When prompted for the keystore password, enter the certificate password (the one you chose in step 1, or the one the Certificate Authority supplied with the certificate).
  4. Obtain an encrypted version of the keystore password.
    1. Navigate to install_dir/server/c2o.
    2. Locate the PasswordEncryption script (PasswordEncryption.bat for Windows, PasswordEncryption.sh for UNIX or Linux).
    3. Run the script with the password as its argument, for example PasswordEncryption.sh passwordtoencrypt. The plaintext password is passed on the command line, so clear it from your shell history afterwards.
    4. Save the long encrypted value returned for entry in the properties file.
  5. Stop the Orchestrator.
  6. Back up and edit the Oasis Configuration properties file to add or update the following:
    1. itpam.web.keystorepath to the location of the keystore using the fully qualified path and file name for the keystore file.
    2. itpam.web.keystore.password with the encrypted keystore password (do not surround encrypted password value with quotes)
    3. itpam.web.keystorealias to the alias used to reference the certificate in the keystore (myalias in the examples).
  7. Sign the jars by running SignC2OJars (SignC2OJars.bat for Windows, SignC2OJars.sh for UNIX or Linux) included with CA Process Automation in install_dir/server/c2o. Run SignC2OJars without parameters to sign the jars. If the keystore password you entered does not match the certificate password, you are prompted for the certificate password as each jar is signed; enter it each time.

    Note: On AIX, there is a known problem when re-signing a jar file using SignC2OJars. To work around this problem, manually "unsign" the jars by removing the *.SF and *.RSA files in the META-INF folder for each Java Archive before running SignC2OJars.

  8. If the keystore contains more than one alias, add the keyAlias attribute to the HTTPS connector entry in server.xml. The server.xml is located in <install_dir>\server\c2o\deploy\jbossweb-tomcat55.sar\server.xml. Without keyAlias, Tomcat uses the first key entry it finds in the keystore, which may not be the new certificate. The added line is keyAlias="${itpam.web.keystorealias}":
    <Connector port="${tomcat.secure.port}" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${itpam.web.keystorepath}"
    keyAlias="${itpam.web.keystorealias}"
    keystorePass="${itpam.web.keystore.password}" sslProtocol="${SSL_PROTOCOL}" algorithm="${X509_ALGORITHM}" useBodyEncodingForURI="true"/>
    
  9. Start the Orchestrator.
  10. Repeat this procedure for each Orchestrator that is to use the new certificate.
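The checks a practitioner would want after steps 2, 6 and 8, as an added Python example that is not part of CA Process Automation or of this page: it parses keytool -list -v output to confirm that the configured alias is a PrivateKeyEntry (not a certificate imported without its key) and flags a keystore with more than one alias, rewrites the three itpam.web.* properties without quoting the encrypted value, and confirms that the HTTPS connector carries keyAlias. The keytool output, properties lines, server.xml fragment, file paths and the keytool_list helper are constructed for illustration; PasswordEncryption and SignC2OJars are still the tools that produce the encrypted value and sign the jars.

```python
import re
import subprocess

# Constructed sample of `keytool -list -v` output; not taken from any real system.
SAMPLE_KEYTOOL_LIST = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: myalias
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=pam.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example

Alias name: rootca
Creation date: Jan 1, 2024
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

# Constructed HTTPS connector as it looks before step 8 (no keyAlias attribute).
SAMPLE_SERVER_XML = """<Connector port="${tomcat.secure.port}" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${itpam.web.keystorepath}"
    keystorePass="${itpam.web.keystore.password}" sslProtocol="${SSL_PROTOCOL}"
    algorithm="${X509_ALGORITHM}" useBodyEncodingForURI="true"/>"""


def keytool_list(keystore_path, storepass):
    """Hypothetical helper: run keytool and return its -list -v output.
    The password is fed on stdin so it does not appear in the process list."""
    result = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", keystore_path],
        input=storepass + "\n", capture_output=True, text=True, check=True)
    return result.stdout


def parse_keytool_list(text):
    """Map each alias in `keytool -list -v` output to its entry type."""
    entries, alias = {}, None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(\S+)", line)
        if m:
            alias = m.group(1)
            continue
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m and alias:
            entries[alias] = m.group(1)
            alias = None
    return entries


def check_alias(entries, alias):
    """Return the problems that would make the connector fail or serve the wrong key."""
    problems = []
    if alias not in entries:
        problems.append("alias %r not found in keystore" % alias)
    elif entries[alias] != "PrivateKeyEntry":
        problems.append("alias %r is a %s, not a PrivateKeyEntry: the CA reply was "
                        "imported under a different alias than the key pair used for "
                        "the request" % (alias, entries[alias]))
    if len(entries) > 1:
        problems.append("keystore holds more than one alias; add "
                        'keyAlias="${itpam.web.keystorealias}" to the HTTPS Connector '
                        "in server.xml")
    return problems


def update_properties(text, keystore_path, encrypted_password, alias):
    """Set the three itpam.web.* keys, replacing existing lines and appending missing ones.
    The encrypted value is written bare: surrounding quotes would become part of the value."""
    if encrypted_password[:1] in "\"'":
        raise ValueError("encrypted password must not be quoted")
    wanted = {
        "itpam.web.keystorepath": keystore_path,
        "itpam.web.keystore.password": encrypted_password,
        "itpam.web.keystorealias": alias,
    }
    out, seen = [], set()
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s]+)\s*[=:]", line)   # key of a key=value line
        key = m.group(1) if m else None
        if key in wanted:
            out.append("%s=%s" % (key, wanted[key]))
            seen.add(key)
        else:
            out.append(line)
    for key in wanted:
        if key not in seen:
            out.append("%s=%s" % (key, wanted[key]))
    return "\n".join(out) + "\n"


def https_connector_has_key_alias(server_xml):
    """True if the Connector element with scheme="https" carries a keyAlias attribute."""
    for m in re.finditer(r"<Connector\b[^>]*>", server_xml):
        element = m.group(0)
        if re.search(r'\bscheme\s*=\s*"https"', element):
            return re.search(r"\bkeyAlias\s*=", element) is not None
    return False


if __name__ == "__main__":
    entries = parse_keytool_list(SAMPLE_KEYTOOL_LIST)
    for problem in check_alias(entries, "myalias"):
        print("WARNING:", problem)
    print(update_properties("itpam.web.keystorepath=/old/pam.jks\n",
                            "/opt/pam/server/c2o/pam.jks",   # hypothetical path
                            "ENCRYPTED_VALUE_FROM_PasswordEncryption", "myalias"))
    print("connector has keyAlias:", https_connector_has_key_alias(SAMPLE_SERVER_XML))
```

Run the checks after step 6 and again after step 8: a trustedCertEntry under the configured alias means step 2 imported the CA reply into the wrong alias, and a missing keyAlias on a multi-alias keystore means step 8 is still outstanding on that Orchestrator.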

More information:

Oasis Configuration Properties File