Tech Tip : CA Single Sign-On :: SecureProxyServer::Enable SSL on ProxyUI

Document created by Ujwol Shrestha Employee on Jan 5, 2016Last modified by kristen.palazzolo on Dec 17, 2016

TITLE:  How to set up SSL for access to the Secure Proxy Server Administrative User Interface (proxyui)

INSTRUCTIONS :

The first step in getting proxy-engine/tomcat to listen on an SSL port is to obtain a certificate and private key pair.

If the host name used to access the proxyui is identical to the one used to access the SPS server itself (e.g. http://sps.example.com/ and http://sps.example.com:8080/proxyui), which is usually the case, then proxyui can reuse the certificate and private key generated for the Apache front end (self-signed or otherwise). Otherwise a new certificate and private key are required, as described in steps 1-3 below.

 

  1. Convert the certificate & private key into a .p12 object

    The first step is to convert the certificate (server_x509.cer in the example below) and private key (server.key) into a .p12 object. In the following example, ca.cer is the issuing CA certificate; you may not need that option (if the certificate is self-signed), or you may need to pass a .pem file containing all the certificates in the trust chain as that parameter:

    ..\bin\openssl pkcs12 -export -in server_x509.cer -inkey server.key -out mycert.p12 -name tomcat -CAfile ca.cer -caname root -chain

    You will be asked for the password to server.key, if it has one, and for a password for the new mycert.p12 file.
  2. Create the tomcat Java keystore from the .p12 object

    "c:\Program Files (x86)\Java\jdk1.6.0_31"\bin\keytool -importkeystore -srckeystore mycert.p12 -srcstoretype PKCS12 -destkeystore tomcat.keystore

    You will be prompted for the password of mycert.p12 and for a new password for the created tomcat.keystore.

    Note: The tomcat.keystore file needs to be installed in the secure-proxy/SSL/keys directory.
  3. Update the server.conf file
    Edit the following parameters in server.conf :
     
    #To enable SSL for localapp uncomment next three parameters
    local.https.port=543
    local.https.keyStoreFileName="tomcat.keystore"
  4. Storing the tomcat.keystore decrypt password
    To open the tomcat.keystore, proxy-engine needs its password. We do not want to store that password in the clear, so the following method writes it in encrypted form to the sslconfig.properties file, and code in proxy-engine decrypts it at runtime to access the keystore.
    Change to the bin directory and run the GenerateSSLConfig.bat command with the keystorepass option:
    cd \CA\proxy-engine\secure-proxy\bin
    GenerateSSLConfig.Bat -keystorepass password
     
    That generates output as follows:
    INFO: Successfully written SSL configuration properties file in: C:\CA\secure-proxy\Tomcat\properties\sslconfig.properties

  5. Restart the proxy-engine
    Restart the proxy-engine via the system services.
    Check that the SSL listener comes up:
    netstat -an | find "543"
     
    This should show a process listening on port 543.
    Otherwise, look in server.log and the nohup log for clues as to what has occurred.
     
  6. Access the proxyui on the SSL port:
    https://www.example.com:543/proxyui/

    You should be prompted to log in.
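    As an added post-install check (example code, not part of the original tech tip), the script below reads local.https.port from a server.conf fragment and confirms that a TCP socket is LISTENING on exactly that port in netstat -an output; both inputs are constructed samples. Unlike find "543", it does not match ports such as 1543 or 49543 that merely contain those digits.

```python
"""Verify that the proxyui SSL listener configured in server.conf is actually up.
Added example, not part of the original tech tip; the server.conf fragment and
the netstat output below are constructed samples."""

# Constructed server.conf fragment mirroring the parameters from step 3.
SERVER_CONF = """\
#To enable SSL for localapp uncomment next three parameters
local.https.port=543
local.https.keyStoreFileName="tomcat.keystore"
#local.https.port=8443
"""

# Constructed `netstat -an` output in Windows format. Note that a plain
# `find "543"` would also report the 1543 and 49543 lines.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1543           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49543         10.0.0.9:443           ESTABLISHED
  TCP    [::]:543               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

def read_conf(text):
    """Return the active (uncommented) key=value pairs from server.conf text."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')  # drop quotes around file names
    return conf

def listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state (IPv4 and [IPv6])."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rsplit on the last ':' so bracketed IPv6 addresses like [::]:543 parse too
        ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def ssl_listener_up(conf_text, netstat_text):
    """True only if the configured local.https.port has a TCP listener."""
    port = int(read_conf(conf_text).get("local.https.port", 0))
    return port in listening_ports(netstat_text)
```

On a live host, replace the constructed NETSTAT_OUTPUT with the captured output of netstat -an and SERVER_CONF with the contents of the real server.conf.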

 

     Credit: The full credit for this article goes to its original author, our SPS guru Mark.ODonohue
