

Configure JBoss Web Server for custom SSL certificates prohibiting jar signing

Some third-party Certificate Authorities provide a trusted SSL certificate that is exclusive to the CA Process Automation JBoss Web Server but does not allow for jar signing. This restriction on jar signing produces an error in the customer environment.

Configuring the JBoss Web Server through the following procedure allows you to:

Important! Repeat this procedure after a major upgrade, such as applying service packs or a version upgrade. This server configuration is preserved through a patch or a Hotfix installation.

Note: Steps 1-4 generate a PKCS keystore; skip them if you already have one. Ensure that your PKCS keystore contains a private key and its corresponding certificate so that both can be imported into a JKS keystore for use with CA Process Automation.

Follow these steps:

  1. Use openssl to create a private key.

    openssl genrsa -out automation.key 2048

  2. Create a CSR.

    The information that you enter through the command line is incorporated into your certificate request. Collectively, the identification fields you populate are referred to as Distinguished Name (DN) fields. Some fields contain a default value and others are left blank. To leave a field blank, enter '.'.

    openssl req -new -key automation.key -out automation.csr

    Country Name (2 letter code) [GB]:

    State or Province Name (full name) [Berkshire]:

    Locality Name (eg, city) [Newbury]:

    Organization Name (eg, company) [My Company Ltd]:

    Organizational Unit Name (eg, section) []:

    Common Name (eg, your name or your server's hostname) []:

    Email Address []:

    Please enter the following 'extra' attributes

    to be sent with your certificate request

    A challenge password []:

    An optional company name []:

    Note: Do not enter a challenge password or an optional company name. Press Enter to keep them empty. The Common Name is the fully qualified domain name of the ITPAM server. If a load balancer is used, the Common Name is the fully qualified domain name of the load balancer.

  3. Send automation.csr to your Certificate Authority and save the resulting server certificate, such as automation.cer.
  4. To create a PKCS keystore, use the server private key and the public certificate.

    openssl pkcs12 -export -in automation.cer -inkey automation.key -out automation.p12 -name automation

    Note: The value given to the -name switch is the alias that step 5 passes to the -srcalias switch when importing into the JKS keystore. The export password you set here is also required when creating the JKS keystore to be used with CA Process Automation.

  5. Use keytool from the JDK bin directory to import the PKCS keystore to the JKS keystore.

    keytool -importkeystore -srckeystore automation.p12 -destkeystore automation.jks -srcstoretype pkcs12 -srcalias automation -destalias automation

    Note: Optionally, enter the following command to list the contents of the PKCS12 keystore and view the alias of your certificate entry. That alias is the value required for -srcalias.

    keytool -v -list -storetype pkcs12 -keystore automation.p12

    To list the contents of JKS keystore:

    keytool -v -list -keystore automation.jks

    Important! Ensure that the source and destination passwords are the same. Use the same password for the new JKS keystore as was used to create the PKCS keystore in step 4.

  6. Stop the CA Process Automation Orchestrator. Stop all nodes if in a clustered environment.
  7. Back up the current server\c2o\deploy\jbossweb.sar\server.xml file to a location outside of the CA Process Automation installation directory.

    Important! Do not make a backup copy in the same folder. Instead, copy and paste server.xml in a temporary backup directory.

  8. Edit the Connector element to use non-default properties. The following example adds the word custom to the out-of-the-box property names for the keystore path, alias, and password; the placeholder names you choose here must match the properties you add in step 11.

    <Connector protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
        port="${tomcat.secure.port}" address="${jboss.bind.address}"
        maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
        emptySessionPath="true"
        scheme="https" secure="true" clientAuth="false"
        keystoreFile="${itpam.custom.web.keystorepath}"
        keyAlias="${itpam.custom.web.keystorealias}"
        keystorePass="${itpam.custom.web.keystore.password}"
        sslProtocol="${SSL_PROTOCOL}" algorithm="${X509_ALGORITHM}" ciphers="${jboss.ssl.ciphers}"
        useBodyEncodingForURI="true" maxPostSize="12582912"/>

    
  9. Encrypt the password that is used for automation.jks using the PasswordEncryption utility in the server\c2o folder. For example, on Windows create a new file containing the encrypted password by running the following command:

    PasswordEncryption.bat passwordUsedForJKSKeystore > automation-pass.txt

    Note: If necessary, return the utility to the command prompt by pressing Enter.

  10. Copy automation.jks to the <pam_dir>/server/c2o/.config/ folder.
  11. Back up the current server\c2o\.config\OasisConfig.properties file and add the following parameters. These parameter names must match the ${...} placeholders you used in server.xml in step 8.

    itpam.web.keystorepath=<pam_dir>/server/c2o/.config/c2okeystore
    itpam.custom.web.keystorepath=<pam_dir>/server/c2o/.config/automation.jks
    itpam.web.keystore.password=<leave_default>
    itpam.custom.web.keystore.password=<encrypted_password_from_step_9>
    itpam.web.keystorealias=ITPAM
    itpam.custom.web.keystorealias=automation

    
  12. Start the PAM Orchestrator.
  13. Repeat this procedure for any other nodes of the cluster.
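A silent failure in this procedure is a property name in OasisConfig.properties (step 11) that does not match the ${...} placeholder used in the Connector element (step 8), so the keystore path, alias, or password never resolves. The following check is an added example, not part of the CA Process Automation product or this page; the Connector and properties fragments are constructed samples, and the misspelled password property in the sample is deliberate to show what the check reports.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the Connector element from step 8 (not a real server.xml).
SERVER_XML = """
<Connector protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
    port="${tomcat.secure.port}" address="${jboss.bind.address}"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${itpam.custom.web.keystorepath}"
    keyAlias="${itpam.custom.web.keystorealias}"
    keystorePass="${itpam.custom.web.keystore.password}"/>
"""

# Constructed OasisConfig.properties fragment from step 11. The password
# property is deliberately misnamed (missing ".web") to trigger the check.
OASIS_PROPERTIES = """
itpam.web.keystorepath=/opt/pam/server/c2o/.config/c2okeystore
itpam.custom.web.keystorepath=/opt/pam/server/c2o/.config/automation.jks
itpam.web.keystore.password=ENCRYPTED_DEFAULT
itpam.custom.keystore.password=ENCRYPTED_FROM_STEP_9
itpam.web.keystorealias=ITPAM
itpam.custom.web.keystorealias=automation
"""

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
# The three Connector attributes that the custom keystore configuration touches.
SSL_ATTRS = ("keystoreFile", "keyAlias", "keystorePass")


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def missing_keystore_properties(server_xml, properties_text):
    """Return (attribute, placeholder) pairs whose placeholder has no
    matching key in OasisConfig.properties; an empty list means consistent."""
    connector = ET.fromstring(server_xml.strip())
    props = parse_properties(properties_text)
    missing = []
    for attr in SSL_ATTRS:
        for name in PLACEHOLDER.findall(connector.get(attr, "")):
            if name not in props:
                missing.append((attr, name))
    return missing
```

Run it against the real server.xml Connector element and OasisConfig.properties after step 11; any pair it returns must be fixed before starting the Orchestrator.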