Using CA Access Gateway ProxyUI to enable and Configure SSL for Tomcat and Apache

Document created by dcollings on Apr 11, 2018

This document attempts to clarify and correct the existing documentation found at SSL Settings Configuration - CA Single Sign-On - 12.7 - CA Technologies Documentation for those starting configuration without an existing signed key-certificate pair.

Configuring SSL on Tomcat Application Server Using the CA Access Gateway ProxyUI

Manage Certificates

Import the certificates and CA that are required to configure SSL.

Perform the following steps in the Embedded app server SSL configuration section if you do not have a valid signed certificate pair:

  1. Navigate to Proxy Configuration, SSL Config.
  2. Click Request.
    1. Enter the following organizational details of the certificate requester:
      Requester Name: The fully qualified domain name of the server hosting the ProxyUI
      Organization Unit: The name of your organizational unit (department or group)
      Organization: The name of your organization.
      City or Locality: The locality of your organization
      State or Province: The two-letter state code for your organization
      Country: Select your country in the drop-down box
    2. Select the Key Algorithm and Signature Algorithm for the SSL communication.
    3. Select the Key Size.
  3. Click Generate.
    1. A keystore named tomcat.keystore is generated and placed in installation_home/SSL/keys.
    2. The system also generates a certificate request file in PKCS#10 format, using the keystore file just generated, and prompts you to save the generated certificate request on your machine.
    3. Save the generated certificate request on your machine.
      1. The SSL Configuration Status shows: Server cert requested, not signed.
    4. Sign the generated certificate request using a CMS.
      1. If the Root Certificate that will be part of the certificate chain has not yet been imported, ask the CMS signer to send you the Root Certificate file, and an intermediate Certificate file if one is part of the certificate chain.
      2. Save the received signed certificate file and the file(s) for the associated root certificate to your machine; you will browse to them later, after the root certificate file of the CA that signed the certificate request has been imported.
  4. Perform the following steps to import the root file of the CA that signed the certificate request file:
    1. Click the Import CA button in the Embedded app server SSL configuration section.
    2. Click Browse and select the Root certificate.
    3. Click Next.
    4. Confirm the details and click Finish.
      The imported signing CA is appended to the list of certificates that is displayed in the CA Certificate drop-down list.
    5. Repeat the above steps if you also have a certificate file for the intermediate certificate.
  5. Click Browse of the Signed Certificate Response option to locate and select the signed certificate that you saved previously to your machine.
  6. Select the imported signing CA from the CA Certificate drop-down list.
  7. Click Apply.
    1. The contents of the signed certificate are imported and appended to the tomcat.keystore file.
  8. The certificate is displayed in Signed Certificate Response and shows as activated.

Configuring SSL on Apache Web Server Using the CA Access Gateway ProxyUI

Manage Certificates

Import the certificates and CA that are required to configure SSL.

Perform the following steps in the Embedded web server SSL configuration section to request a signed certificate for the FQDN of the virtual host that will be listening on https://:

  1. Navigate to Proxy Configuration, SSL Config.
  2. Click Request.
    1. Enter the following organizational details of the certificate requester:
      Requester Name: The fully qualified domain name of the server hosting the ProxyUI
      Organization Unit: The name of your organizational unit (department or group)
      Organization: The name of your organization.
      City or Locality: The locality of your organization
      State or Province: The two-letter state code for your organization
      Country: Select your country in the drop-down box
    2. Select the Key Algorithm and Signature Algorithm for the SSL communication.
    3. Select the Key Size.
  3. Click Generate.
    1. The unencrypted private server key named server.key is generated and placed in installation_home/SSL/keys.
    2. The system also generates a certificate request file using the private key file just created, server.key. The certificate request file, apachesslcertrequest.pem, is also placed in the installation_home/SSL/keys folder on the server.
    3. You are also prompted to save the generated certificate request on your machine. The file is in PKCS#10 format and has a .p10 extension.
    4. Save the generated certificate request on your machine.
      1. The SSL Configuration Status shows: Server cert requested, not signed.
    5. Sign the generated certificate request using a CMS.
      1. If the Root Certificate that will be part of the certificate chain has not yet been imported, ask the CMS signer to send you the Root Certificate file, and an intermediate Certificate file if one is part of the certificate chain.
      2. Save the received signed certificate file and the file(s) for the associated root certificate to your machine; you will browse to them later, after the root certificate file of the CA that signed the certificate request has been imported.
  4. Perform the following steps to import the root file of the CA that signed the certificate request file:
    1. Click Import CA.
    2. Click Browse and select the root certificate file.
    3. Click Next.
    4. Confirm the details and click Finish.
      The imported signing CA is appended to the list of certificates that is displayed in the CA Certificate drop-down list.
    5. Repeat the above steps if you also have a certificate file for the intermediate certificate.
  5. Click Browse of the Signed Certificate Response option to locate and select the signed certificate that you saved previously to your machine.
  6. Select the imported signing CA from the CA Certificate drop-down list.
  7. Click Apply.
    1. A copy of the signed certificate file is renamed to server.crt and placed in the installation_path/secure-proxy/SSL/certs/ folder.
  8. The certificate is displayed in Signed Certificate Response and shows as activated.

Configure the Apache Settings

Follow these steps:

  1. Navigate to Proxy Configuration, SSL Config.
  2. Configure the following parameters in the Apache SSL Settings section. Verify that SSL Key File Path shows the correct path of the server.key private key that was generated, and that SSL Certificate File Path contains the correct path and filename of the signed certificate that was generated, copied, and renamed to server.crt:
    • SSL Engine
      Specifies the status of the SSLEngine.
    • SSL Verify Client
      Specifies the certification verification level for the SSL client authentication.
    • Listen Port
      Defines the port number that Apache uses for the SSL communication.
    • SSL Certificate File Path
      Defines the location of the SSL certificates.
      Default: installation_path/secure-proxy/SSL/certs/server.crt
    • SSL Key File Path
      Defines the location of the key to the SSL certificates.
      Default: installation_path/secure-proxy/SSL/keys/server.key
    • SSL Certificate Chain File Path
      Defines the location of the CA certificates which form the certificate chain.
    • SSL CA Certificate File Path
      Defines the location of the CA certificates that are used for client authentication.
      Default: installation_path/secure-proxy/SSL/certs/ca-bundle.cert
    • SSL CA Revocation File Path
      Defines the location of the CA certificate revocation lists that are used for client authentication.
    • SSL Verify Depth
      Defines the number of levels in the certificate chain that must be searched for the certificate.
  3. Click Save.
  4. Edit the /app/CA/secure-proxy/httpd/conf/extra/httpd-ssl.conf file using a text editor:
    1. In <VirtualHost _default_:8443>, replace _default_ with the IP address of the server.
    2. Edit ServerName to be the FQDN of the SSL-listening virtual host.
    3. Enable SSL logging:
      1. Uncomment ErrorLog and use the path /app/CA/secure-proxy/httpd/logs/sslerror_log
      2. Uncomment TransferLog and use the path /app/CA/secure-proxy/httpd/logs/sslaccess_log
    4. Verify that SSLSpsFipsMode is set to COMPAT.
  5. Start 
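Before Apache is started, it is worth confirming that the files the Apache procedure above produced agree with each other: that server.crt really carries the public key of the server.key that generated the CSR, and that it chains to the imported root (and intermediate) certificate for the FQDN that becomes ServerName. The script below is an added example, not part of CA Access Gateway or its documentation; it assumes only the OpenSSL command line, and the host name proxy.example.test and the throwaway root CA it builds in make_fixture are constructed placeholders standing in for your CMS signer.

```shell
#!/bin/sh
# Consistency checks for the files the Apache procedure above leaves under
# installation_path/secure-proxy/SSL: server.key, server.crt and the imported CA file(s).
# Added example, not CA Access Gateway code; it only needs the OpenSSL command line.
# proxy.example.test and "Constructed Root CA" are constructed placeholder names.

# Pair check: server.crt must carry the public key of the server.key that produced the CSR.
# Both sides are reduced to a digest of the DER public key so RSA and EC keys compare alike.
key_matches_cert() {                     # $1 = server.key  $2 = server.crt
  openssl pkey -in "$1" -noout 2>/dev/null || return 1   # unreadable key: fail closed
  openssl x509 -in "$2" -noout 2>/dev/null || return 1   # unreadable cert: fail closed
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# Chain check: server.crt must verify against the imported root (and intermediate) certificate(s)
# and be valid for the FQDN that becomes ServerName in httpd-ssl.conf.
chain_verifies() {                       # $1 = server.crt  $2 = root/intermediate PEM  $3 = FQDN
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Constructed stand-in for the CMS signer: a throwaway root CA signs a CSR for proxy.example.test,
# yielding the same three artefacts the ProxyUI flow does (private key, PKCS#10 request, signed cert).
make_fixture() {                         # $1 = scratch directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
    -keyout "$1/ca.key" -out "$1/root.cert" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=proxy.example.test" \
    -keyout "$1/server.key" -out "$1/apachesslcertrequest.pem" 2>/dev/null
  printf 'subjectAltName=DNS:proxy.example.test\n' > "$1/san.cnf"
  openssl x509 -req -in "$1/apachesslcertrequest.pem" -CA "$1/root.cert" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/san.cnf" -out "$1/server.crt" 2>/dev/null
}

# Stand-alone demo: run both checks on the fixture, then show the pair check rejecting a key
# that did not produce the CSR (what a mismatched server.key/server.crt pair looks like).
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_fixture "$d"
  key_matches_cert "$d/server.key" "$d/server.crt" && echo "key/cert pair: OK"
  chain_verifies "$d/server.crt" "$d/root.cert" proxy.example.test && echo "chain + hostname: OK"
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
  key_matches_cert "$d/other.key" "$d/server.crt" || echo "unrelated key vs server.crt: MISMATCH (expected)"
  rm -rf "$d"
fi
```

Against a real installation, call the two functions with installation_path/secure-proxy/SSL/keys/server.key, installation_path/secure-proxy/SSL/certs/server.crt, the imported root/intermediate PEM and the ServerName FQDN instead of the fixture paths.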