Some third-party Certificate Authorities provide a trusted SSL certificate that is exclusive to the CA Process Automation JBoss Web Server but does not allow for jar signing. This restriction on jar signing produces an error in the customer environment.
Configuring the JBoss Web Server through the following procedure allows you to:
Important! Repeat this procedure after a major upgrade, such as applying service packs or a version upgrade. This server configuration is preserved through a patch or a Hotfix installation.
Note: Skip steps 1-4, which generate a PKCS keystore, if you already have one. Ensure that your PKCS keystore contains a private key and its corresponding certificate so that they can be imported into a JKS keystore for use with CA Process Automation.
Follow these steps:
openssl genrsa -out automation.key 2048
The information that you enter through the command line is incorporated into your certificate request. Collectively, the identification fields you populate are referred to as Distinguished Name (DN) fields. Some fields contain a default value and others are left blank. To leave a field blank, enter '.'.
openssl req -new -key automation.key -out automation.csr
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: Do not enter a challenge password or an optional company name. Press Enter to keep them empty. The Common Name is the fully qualified domain name of the ITPAM server. If a load balancer is used, the Common Name is the fully qualified domain name of the load balancer.
openssl pkcs12 -export -in automation.cer -inkey automation.key -out automation.p12 -name automation
Note: The value given to the -name switch is the alias that step 5 passes to -srcalias when importing into the JKS keystore. The export password you set here is also required when creating the JKS keystore used with CA Process Automation.
keytool -importkeystore -srckeystore automation.p12 -destkeystore automation.jks -srcstoretype pkcs12 -srcalias automation -destalias automation
Note: Optionally, enter the following command to list the contents of the pkcs12 keystore and view its alias. That alias is the value required for -srcalias.
keytool -v -list -storetype pkcs12 -keystore automation.p12
To list the contents of JKS keystore:
keytool -v -list -keystore automation.jks
Important! Ensure that the source and destination keystore passwords are the same: use the same password for the new JKS keystore as you used to create the PKCS keystore in step 4.
Important! Do not make the backup copy in the same folder. Instead, copy server.xml to a temporary backup directory.
<Connector protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
port="${tomcat.secure.port}" address="${jboss.bind.address}"
maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${itpam.custom.web.keystorepath}"
keyAlias="${itpam.custom.web.keystorealias}"
keystorePass="${itpam.custom.web.keystore.password}"
sslProtocol="${SSL_PROTOCOL}" algorithm="${X509_ALGORITHM}" ciphers="${jboss.ssl.ciphers}"
useBodyEncodingForURI="true" maxPostSize="12582912"/>
PasswordEncryption.bat passwordUsedForJKSKeystore > automation-pass.txt
Note: If the utility does not return to the command prompt on its own, press Enter.
itpam.web.keystorepath=<pam_dir>/server/c2o/.config/c2okeystore
itpam.custom.web.keystorepath=<pam_dir>/server/c2o/.config/automation.jks
itpam.web.keystore.password=<leave_default>
itpam.custom.keystore.password=<encrypted_password_from_step_9>
itpam.web.keystorealias=ITPAM
itpam.custom.web.keystorealias=automation
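Before restarting JBoss it is worth confirming that the Connector and the property settings agree. The following Python script is an added example, not part of the product or of this procedure: it checks that each keystore attribute in the Connector resolves to a property that is actually defined, and that the resolved alias matches the alias given to -name and -destalias. With the names exactly as listed above it reports that keystorePass references itpam.custom.web.keystore.password while the property shown is itpam.custom.keystore.password; whichever spelling your installation uses, the two must agree, otherwise the connector cannot open the keystore with the intended password.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the Connector element and the property lines exactly as
# this procedure lists them (<pam_dir> and the step-9 placeholder are kept verbatim).
CONNECTOR_XML = """<Connector protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
port="${tomcat.secure.port}" address="${jboss.bind.address}" maxThreads="100"
strategy="ms" maxHttpHeaderSize="8192" emptySessionPath="true" scheme="https" secure="true" clientAuth="false"
keystoreFile="${itpam.custom.web.keystorepath}"
keyAlias="${itpam.custom.web.keystorealias}"
keystorePass="${itpam.custom.web.keystore.password}"
sslProtocol="${SSL_PROTOCOL}" algorithm="${X509_ALGORITHM}" ciphers="${jboss.ssl.ciphers}" useBodyEncodingForURI="true" maxPostSize="12582912"/>"""

PROPERTIES = """itpam.web.keystorepath=<pam_dir>/server/c2o/.config/c2okeystore
itpam.custom.web.keystorepath=<pam_dir>/server/c2o/.config/automation.jks
itpam.web.keystore.password=<leave_default>
itpam.custom.keystore.password=<encrypted_password_from_step_9>
itpam.web.keystorealias=ITPAM
itpam.custom.web.keystorealias=automation"""

# Only the attributes that wire the Connector to the custom keystore are checked; the port, bind address, protocol and cipher placeholders are defined elsewhere by JBoss.
KEYSTORE_ATTRS = ("keystoreFile", "keyAlias", "keystorePass")
PLACEHOLDER = re.compile(r"^\$\{([^}]+)\}$")

def parse_properties(text):
    """Parse key=value lines into a dict, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_connector(xml_text, props_text, expected_alias):
    """Return a list of problems; an empty list means the keystore wiring is consistent."""
    conn = ET.fromstring(xml_text)
    props = parse_properties(props_text)
    problems = []
    for attr in KEYSTORE_ATTRS:
        raw = conn.get(attr)
        match = PLACEHOLDER.match(raw or "")
        if raw is None:
            problems.append(f"{attr}: attribute missing from Connector")
        elif match and match.group(1) not in props:
            problems.append(f"{attr}: property {match.group(1)} is not defined")
    # keyAlias must resolve to the alias given to -name (step 4) and -destalias (step 5).
    alias = props.get("itpam.custom.web.keystorealias")
    if alias is not None and alias != expected_alias:
        problems.append(f"keyAlias resolves to {alias!r}, keystore alias is {expected_alias!r}")
    return problems
```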
Copyright © 2014 CA.
All rights reserved.