Internet Connections to CA XCOM Gateway

CA XCOM Gateway users can request secure communication with CA XCOM Gateway by using a modified internet address to access the CA XCOM Gateway web site. This address must commence with https, in place of http, and specify the appropriate https port number, as outlined in the chapter "Using CA XCOM Gateway through the Internet." In addition, components within the CA XCOM Gateway server that use web services to communicate with each other can also be configured to use secure https communication.

To enable the use of the https protocol for communication with the CA XCOM Gateway server

  1. Configure JBoss to support SSL.

    Internally, JBoss uses Apache Tomcat Server, which handles SSL communication through the https protocol. Enabling support for SSL by the Tomcat server requires the following:

    Detailed information can be found on the http://tomcat.apache.org website and by searching the internet using the keywords “tomcat SSL configuration.”

  2. Configure the CA XCOM Gateway Server to use SSL.

    After installing CA XCOM Gateway, configure the https protocol by updating the Global Parameters offline: change the GATEWAYURL attribute within the WEBSERVICES XML element so that it specifies the https protocol with the appropriate port number.

  3. Next, the certificate created and stored in the JBoss SSL keystore needs to be imported into the CA XCOM Gateway keystore. To find and import the necessary certificate, execute the following commands against the JBoss keystore (keystore passwords will be needed):

    Note: Replace the “<…>” in these examples with the actual values.

    1. To list the certificates in the JBoss keystore, execute the following command:
      "%JAVA_HOME%\bin\keytool.exe" -list -keystore <jboss keystore file>
      

      Example output:

      Your keystore contains 1 entries

      authoritycertificate, May 19, 2010, trustedCertEntry,
      Certificate fingerprint (MD5): 5B:68:BE:49:4B:56:F5:74:84:EB:C2:C4:BD:D7:05:61
      
    2. To export the trustedCertEntry from the JBoss keystore, execute the following command:
      "%JAVA_HOME%\bin\keytool.exe" -export -alias authoritycertificate -file cert.cer -keystore <jboss keystore file>
      
    3. To import the cert into the Gateway keystore, execute the following command (and reply yes to trusting certificates):
      "%JAVA_HOME%\bin\keytool.exe" -import -alias authoritycertificate -file cert.cer -keystore <gateway keystore file>
      
  4. To configure the FTP server to use SSL, do the following:
    1. Add the last four lines of this example to the xcom-gateway.properties file in the FTP common\classes folder:
      gatewayurl=http://localhost:8080/xcomgateway/services/XcomGatewayService
      # Following are only used for https
      keystorekey=
      keystorepassword=
      keystorepath=
      

      Notes:

      • The three keystore values should be set to the same values as the CA XCOM Gateway xcom-globals.xml keystore parameters. Change every backslash (\) to a forward slash (/).
      • To update the encrypted password, use the xcomconfiguration.jar utility to change it in the xcom-globals.xml file, and then copy it to this properties file.
    2. Change the protocol to https and specify the JBoss SSL port number.
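
The note about replacing backslashes matters because Java treats the backslash as an escape character when it loads a .properties file, so a Windows keystore path copied unchanged is silently altered. The following check of xcom-gateway.properties is an added example, not part of CA XCOM Gateway or its documentation; it uses a simplified model of the Java escape rules, and the port number and PLACEHOLDER values in the sample are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: step 4 applied, but keystorepath still has backslashes.
# Port 8443 and the PLACEHOLDER values are assumptions, not product defaults.
SAMPLE = r"""gatewayurl=https://localhost:8443/xcomgateway/services/XcomGatewayService
# Following are only used for https
keystorekey=PLACEHOLDER-KEY
keystorepassword=PLACEHOLDER-ENCRYPTED-PASSWORD
keystorepath=C:\xcom\config\gateway.keystore
"""

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def java_unescape(raw):
    """Simplified model of how java.util.Properties decodes backslashes."""
    def repl(m):
        if m.group(1):                       # \uXXXX becomes that character
            return chr(int(m.group(1), 16))
        return _ESCAPES.get(m.group(2), m.group(2))  # otherwise "\" is dropped
    return re.sub(r"\\(?:u([0-9a-fA-F]{4})|(.))", repl, raw)

def load_properties(text):
    """Return {key: (raw, loaded)}; ignores line continuations and ':' separators."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, raw = line.partition("=")
            props[key.strip()] = (raw.strip(), java_unescape(raw.strip()))
    return props

def check_https_config(text):
    """List deviations from step 4 of the procedure and its notes."""
    props, findings = load_properties(text), []
    url = urlsplit(props.get("gatewayurl", ("", ""))[1])
    if url.scheme != "https":
        findings.append("gatewayurl does not use https")
    elif url.port is None:
        findings.append("gatewayurl has no explicit https port")
    for key in ("keystorekey", "keystorepassword", "keystorepath"):
        raw, loaded = props.get(key, ("", ""))
        if not raw:
            findings.append(f"{key} is empty")
        elif "\\" in raw:
            findings.append(f"{key} has backslashes; Java loads it as {loaded!r}")
    return findings

if __name__ == "__main__":
    for finding in check_https_config(SAMPLE):
        print(finding)
```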