Tech Tip : CA Single Sign-On :: SecureProxyServer::Enable SSL on ProxyUI

Document created by Ujwol Shrestha (Employee) on Jan 5, 2016. Last modified by kristen.palazzolo on Dec 17, 2016.

TITLE:  How to set up SSL for access to the Secure Proxy Server Administrative User Interface (proxyui)


The first step for proxy-engine/tomcat to listen on an SSL port is to obtain a certificate and private key pair.

In fact, if the host name used to access the proxyui is identical to the one used to access the SPS server itself (eg:, and, which is usually the case), then proxyui can use the certificate and private key already generated for the Apache front end (self-signed or otherwise). Otherwise a new certificate and private key pair is required, as described in steps 1-3 on this page.


  1. Convert the certificate and private key into a .p12 object

    The first step is to convert the certificate (we will say: server.crt, which appears as server_x509.cer in the command below) and private key (server.key) into a .p12 object. In the following example, ca.cer is the issuing certificate; you may not need that option at all (if the certificate is self-signed), or you may need a .pem file containing every certificate in the trust chain as that parameter, since -chain requires the complete chain to be resolvable from -CAfile:

    ..\bin\openssl pkcs12 -export -in server_x509.cer -inkey server.key -out mycert.p12 -name tomcat -CAfile ca.cer -caname root -chain

    You will be asked for the password to server.key, if there is one, and for a password for the new mycert.p12 file.
  2. Create the tomcat Java keystore from the .p12 object.

    "c:\Program Files (x86)\Java\jdk1.6.0_31\bin\keytool" -importkeystore -srckeystore mycert.p12 -srcstoretype PKCS12 -destkeystore tomcat.keystore

    You will be prompted for the password to access mycert.p12, and for a new password for the created tomcat.keystore.

    Note: The tomcat.keystore file needs to be installed in the secure-proxy/SSL/keys directory.
  3. Update the server.conf file
    Edit the following parameters in server.conf (the three parameters that follow this comment in the file):
    #To enable SSL for localapp uncomment next three parameters
  4. Storing the tomcat.keystore decrypt password
    To open tomcat.keystore, proxy-engine needs the keystore password. We do not want to store it in the clear, so the following method writes the (encrypted) password to the SSL configuration properties file; code in proxy-engine decrypts it at startup and uses it to access the keystore:
    Change to the bin directory and run the GenerateSSLConfig.bat command with the keystorepass option:
    cd \CA\proxy-engine\secure-proxy\bin
    GenerateSSLConfig.bat -keystorepass password
    That generates output as follows:
    INFO: Successfully written SSL configuration properties file in: C:\CA\secure-proxy\Tomcat\properties\

  5. Restart the proxy-engine.
    Restart the proxy-engine via the system services.
    Check that SSL comes up (the leading colon keeps find from also matching ports such as 1543):
    netstat -an | find ":543"
    This should show a process listening on port 543.
    Otherwise you will need to look into server.log and the nohup log for clues as to what has occurred.
  6. Access the proxyui on the SSL port :

    You should be prompted to log in.
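Two post-install checks for this procedure, as an added example (not CA's or the article author's code): whether a host name is covered by the Apache certificate's subject alternative names (the reuse rule described at the top of the page) and a stricter version of the port check from step 5 that does not mistake port 1543 for 543. The netstat output and host names below are constructed samples.

```python
"""Post-install checks for the proxyui SSL setup (added example, not CA tooling).
Assumes the default proxyui SSL port 543; netstat sample is constructed."""
import re

# Constructed sample of Windows `netstat -an` output; the 1543 line is a decoy
# that a plain `find "543"` would wrongly report as the proxyui listener.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1543           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:543            0.0.0.0:0              LISTENING
  TCP    [::]:543               [::]:0                 LISTENING
"""

# One line per TCP socket: local address, port, foreign address, state.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)


def listening_on(netstat_output, port):
    """Return local addresses that are LISTENING on exactly `port`."""
    return [f"{addr}:{p}" for addr, p in NETSTAT_LINE.findall(netstat_output)
            if int(p) == port]


def cert_covers_host(san_dns_names, host):
    """True if `host` matches one of the certificate's DNS SAN entries.

    Implements the article's reuse rule: the Apache front-end cert can serve
    proxyui only if the name users type for proxyui is on the cert. A wildcard
    entry (*.example.com) matches exactly one extra label, per RFC 6125."""
    host = host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


if __name__ == "__main__":
    # Hypothetical names: the Apache cert carries sps.example.com only.
    print("reuse cert for proxyui:",
          cert_covers_host(["sps.example.com"], "proxyui.example.com"))
    print("listeners on 543:", listening_on(SAMPLE_NETSTAT, 543))
```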


     Credit: The full credit for this article goes to its original author, our SPS guru Mark.ODonohue
