Configuring SSL for CA SiteMinder® SPS

Administration Guide › Configuring CA SiteMinder® SPS › Configuring SSL for CA SiteMinder® SPS

Configuring SSL for CA SiteMinder® SPS

CA SiteMinder® SPS supports SSL to provide a secure communication between client and server. CA SiteMinder® SPS uses the OpenSSL cryptography toolkit that implements the SSL v2/v3 and Transport Layer Security (TLS v1) network protocols and related cryptography standards that are required by the protocols. The OpenSSL toolkit includes the openssl command line tool for generating keys and certificates. The openssl executable image and supporting libraries are located in the installation_home\SSL\bin folder or the corresponding UNIX directory.

The following flowchart describes how to configure SSL for CA SiteMinder® SPS:

Configure SSL for CA SiteMinder SPS

Follow these steps:

Review the considerations.
Generate a private key using one of the following steps:
- Generate a private encrypted RSA server key.
- Generate a private unencrypted RSA server key.
Generate and submit a certification signing request using one of the following steps:
- Generate and submit a certification signing request to a Certification Authority.
- Generate and self-sign a certification signing request.
Download and install the certificates from the Certification Authority.
Enable SSL using one of the following steps:
SSL is configured.

Review the Considerations

Before you configure SSL, review the following information about private keys and server certificates:

As the server certificate and private key work together, use the server certificate with the corresponding private key.
The server certificate must be digitally signed by a Certificate Authority (CA). If you want to enable SSL for an internal demo, the server certificate may be self-signed with your own private key.
The SSLCertificateFile and SSLCertificateKeyFile directives in the SSL.conf file must point to the corresponding certificate and key files.
If you are using Apache virtual host feature, each virtual host you want to secure must have its own private key and server certificate.

Generate a Private Key

SSL uses keys to encrypt and decrypt messages. Keys come in pairs: one public key, and one private key.

Keys use various cryptographic algorithms and key exchange methods. For generating private keys for use with certificates, the RSA key exchange method with the Date Encryption Standard (DES) cryptographic algorithm is commonly used. The key output file is in an encrypted ASCII PEM format.

Generate a Private Encrypted RSA Server Key

If you want to protect your server key, generate a private encrypted RSA server key.

Follow these steps:

Open a command-line window.
Navigate to the following directory
```
installation_home\SSL\bin
```
installation_home

Defines the directory where CA SiteMinder® SPS is installed.

Default: (Windows) [32-bit] C:\Program Files\CA\secure-proxy

Default: (Windows) [64-bit] C:\CA\secure-proxy

Default: (UNIX/Linux) /opt/CA/secure-proxy
Execute the following command:
```
.\openssl genrsa -des3 -out ..\keys\server.key [numbits]
```
server

Specifies the fully qualified domain name of the server.

(Optional) numbits

Specifies the size in bits of the private key that must be generated.

Default: 1024

Range: 1024 - 2048

The private encrypted server keys are created and written to the specified key output file. The key output file is in the encrypted ASCII PEM format. As the file is encrypted, you will be prompted for a pass-phrase to protect it and decrypt it later if you want.

Generate a Private Unencrypted RSA Server Key

If you do not want to protect your server key, generate a private unencrypted RSA server key.

Follow these steps:

Open a command-line window.
Navigate to the following directory
```
installation_home\SSL\bin
```
installation_home

Defines the directory where CA SiteMinder® SPS is installed.

Default: (Windows) [32-bit] C:\Program Files\CA\secure-proxy

Default: (Windows) [64-bit] C:\CA\secure-proxy

Default: (UNIX/Linux) /opt/CA/secure-proxy
Execute the following command:
```
.\openssl genrsa -out ..\keys\server.key [numbits]
```
server

Specifies the fully qualified domain name of the server.

(Optional) numbits

Specifies the size in bits of the private key that must be generated.

Default: 1024

Range: 1024 - 2048

The private unencrypted server key is generated.

Generate and Submit a Certificate Signing Request

Generate a certificate request or Certificate Signing Request using the private key. You can send the Certificate Signing Request to a Certificate Authority for signing into a certificate, or you can create a self-signed certificate for an internal demo.

Generate and Submit a Certificate Signing Request to a Certificate Authority

Generate a Certificate Signing Request and submit it to a Certificate Authority that your organization uses.

Follow these steps:

Open a command-line window.

Execute the following command:

.\openssl req -config .\openssl.cnf -new -key ..\keys\server.key -out ..\keys\server.csr

Enter the values as prompted.
The system generates a certificate request with the certificate file name and a request number.
(Optional) Record the file name and Certificate Signing Request for the future reference.
Submit the Certificate Signing Request to the Certificate Authority.

Generate a Self-signed Certificate

If you want to enable SSL for an internal demo, generate a self-signed certificate.

Follow these steps:

Open a command-line window.

Execute the following command:

.\openssl req -config .\openssl.cnf -new -x509 -key ..\keys\server.key -out ..\certs\cert_name.crt

Place the output in the following location:
```
sps_home\SSL\certs
```
A self-signed certificate is generated.

Download and Install the Certificates from the Certificate Authority

Download the signed certificates from the Certificate Authority.

Follow these steps:

Log in to the CA SiteMinder® SPS host from which you issued the certificate requests.
Open the httpd-ssl conf file.
Default Path: installation_home\httpd\conf\extra\httpd-ssl.conf
Verify that the directives of the server key and certs are correct.
Set the value of the SSLPassPhraseDialog variable to custom.
Set the value of the SSLCustomPropertiesFile variable to installation_home>\httpd\conf\spsapachessl.properties.
Verify that the reference to RootCA is set.
Perform the following steps to add RootCA or the self-signed certificate into ca-bundle.cert:
1. Open the certificate in a notepad and copy the lines from BEGIN to END.
2. Open ca-bundle.cert in a notepad and paste the lines of the certificate at the end.
3. Save the changes.

Enable SSL

You can enable SSL for an encrypted or unencrypted private key.

Enable SSL for an Unencrypted Private Key on Windows

To enable SSL for an unencrypted private key on Windows, generate the spsapachessl.properties file.

Follow these steps:

Open a command-line window with administrative privileges.
Navigate to the following directory:
```
installation_home\httpd\bin
```
Run the following script file:
```
configssl.bat -enable
```
Note: If an overwrite warning appears, confirm that you want to overwrite the existing spsapachessl.properties file.

SSL is configured.

Enable SSL for an Unencrypted Private Key on UNIX

To enable SSL for an unencrypted private key on UNIX, edit the spsapachessl.properties located in the following location:

installation_home/httpd/conf/spsapachessl.properties

Follow these steps:

Open the spsapachessl.properties file in a text editor.
Add or edit the following line:
Perform one of the following tasks:
- If apache.ssl.enabled= exists in the file, set the line to the following value:
```
apache.ssl.enabled=Y
```
- If apache.ssl.enabled= does not exist in the file, add the line in the following format:
```
apache.ssl.enabled=Y
```
Save the changes.
SSL is configured.

Enable SSL for an Encrypted Private Key

To enable SSL for an encrypted private key, generate the spsapachessl.properties file.

Follow these steps:

Open a command-line window with administrative privileges.

Navigate to the following directory:

Windows

installation_home\httpd\bin

UNIX

installation_home/httpd/bin

Run the following script:
Windows
```
configssl.bat -enable passphrase 
```
UNIX
```
configssl.sh passphrase 
```
Note: The passphrase value must match the passphrase value of the server key. If an overwrite warning appears, confirm that you want to overwrite the existing spsapachessl.properties file.
The passphrase is encrypted and is stored in the spsapachessl.properties file.
Restart the Secure Proxy Service.
SSL is configured.

Enable SSL for Virtual Hosts

The Apache server supports virtual hosts, which are multiple Web hosts that are run from a single Apache binary. Apache virtual hosts can be name-based or IP-based. Name-based virtual hosts can share a single IP address, while IP-based virtual hosts require a different IP address for each virtual host.

Apache virtual hosts using the SSL protocol:

Must be IP-based due to limitations in the protocol.
Must have virtual host containers in the Apache configuration file for both secure (HTTPS) and not secure (HTTP) requests.

The following is an example of a secure (HTTPS) virtual host:

<VirtualHost 10.0.0.1:443>
DocumentRoot ".../htdocs/site1"
ServerName www.site1.net
ServerAdmin webmaster@site1.net
ErrorLog logs/covalent_error_log_site1
TransferLog logs/...
SSLEngine on
SSLCertificateFile /www.site1.net.cert
SSLCertificateKeyFile /www.site1.net.key
CustomLog logs/cipher_log_site1 \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>