Administration Guide › SSL and the Secure Proxy Server › Configure SSL for CA SiteMinder SPS

Configure SSL for CA SiteMinder SPS

Configure CA SiteMinder SPS to support SSL.

Follow these steps:

1. Generate a server key with a minimum key size of 1024 KB and a FIPS-compliant algorithm.

   Example:

   openssl genrsa -des3 -out server.key 1024
   

2. Generate a Certificate Signing Request (CSR).

   Example:

   openssl req -config openssl.cnf -new -key server.key -out server.csr
   

3. Sign the certificate by a Certificate Authority (CA).
4. Install the signed certificate.
5. Open the httpd-ssl conf file.

   Default Path: sps_home\httpd\conf\extra\httpd-ssl.conf

6. Verify that the directives of the server key and certs are correct.
7. Verify that the value of the SSLPassPhraseDialog variable is custom. If not, set the value to custom.
8. Verify that the value of the SSLCustomPropertiesFile variable is <sps_home>\httpd\conf\spsapachessl.properties. If not, set the value.
9. Perform one of the following steps:
   • If you are configuring SSL on Windows, perform the following steps:
     1. Execute the following command from the command prompt:

            sps_home\httpd\bin\configssl.bat -enable passphrase  
        

     Note: The passphrase value must match the passphrase value of the server key.

     The passphrase is encrypted and is stored in the spsapachessl.properties file.

     1. Restart the Secure Proxy Service.
   • If you are configuring SSL on UNIX, perform the following steps:
     1. Execute the following command:

            sps_home/secure-proxy/proxy-engine/configssl.sh passphrase 
        

     Note: The passphrase value must match the passphrase value of the server key.

     The passphrase is encrypted and is stored in the spsapachessl.properties file.

     1. Execute the following command:

           sps_home/secure-proxy/proxy-engine/sps-ctl startssl
        

   SSL is enabled and configured.

Note: If you want to run SPS without SSL, execute the sps_home\httpd\bin\configssl.bat -disable command to disable SSL on Windows or execute the sps_home/secure-proxy/proxy-engine/sps-ctl start command to disable SSL on UNIX.