CA Service Management

  • 1.  How to configure Service Desk to ONLY use port 443?

    Posted Jul 20, 2016 07:36 AM

    Hi

     

    Thank you for this post but seemingly my issue is with the servlet address.

    My company ONLY allows port 443 communication to the internet, I removed port 443 from IIS and configured Tomcat on that port which works fine, when I add FQDN it still continues to work fine (example ---> 'https://<server_name>.<FQDN>/CAisd/pdmweb.exe') and servlet address is (example ---> 'https://<server_name>.<FQDN>:443/CAisd/UploadServlet') within repository can I still attach ... everything fine up to this point.

     

    The problem I have is when I add DNS (FQDN included in DNS entry) it stops working (example ---> 'https://<DNS>.<FQDN>/CAisd/pdmweb.exe')

    I also updated servlet in repository to reflect the same but it still fails (example ---> 'https://<DNS>.<FQDN>/CAisd/UploadServlet')

    Entering URL 'https://support.company.com' works fine and takes me to full URL 'https://support.company.com/CAisd/pdmweb.exe', however attachments fail, I changed the servlet address within the repository to reflect DNS (https://support.company.com:443/CAisd/UploadServlet) but attachments still fail.

     

    Any advice please

     

    Thank you

    Jacques



  • 2.  Re: How to configure Service Desk to ONLY use port 443?

    Posted Jul 20, 2016 11:56 PM

    Hello Jacques,

     

    I branched this Conversation off from the original thread, as we are now talking about port setup and not just Tomcat SSL.

    CA Tuesday Tip - Tomcat SSL - What,Who,Where?

     

    Can you give us some more detail about your setup? Version of SDM, primary/secondary or AA configuration? How many boxes? Which box houses the Attachments? Authentication system, firewalls, number of contacts, number of years in operation, why you would want to do this etc.

     

    I think we need those details to advise.  Are you only talking about "the servlet" functionality? Everything else is going through normal ports?

     

    Here is a list of the recommended ports to start with.

     

    Default and Recommended Communication Ports for CA Service Desk Manager | CA Service Management Cookbook

     

    Check the Status of the Required Ports - CA Service Management - 14.1 - CA Technologies Documentation

     

    Thanks, Kyle_R.
    Mod.



  • 3.  Re: How to configure Service Desk to ONLY use port 443?

    Posted Jul 21, 2016 04:23 AM

    Hi ... and thank you

     

    My setup, SDM 14.1 with latest patch level, advanced availability with 2 x App servers, 1 x Standby & 1 x Background server.

    Authentication is via EEM to AD, appropriate firewall ports are open. Attachments are set up to reside on background server, background services is set to 'servlet and daemon' and servlet server is set to 'background server' within the Admin Tab --> Attachments Library --> Repositories --> Service Desk (Repository)

     

    The 2 x app servers will be exposed to the internet and the Business will only allow SSL on port 443 for the internet, due to this constraint I removed port 443 from IIS setup and configured port 443 in Tomcat server.xml because of attachments.

    The requirement is also that my external URL on the internet does not display my server name but DNS entry ... end result would need to look something like this ...

     

    https://support.company.com/CAisd/pdmweb.exe

     

    Attachments work fine when servlet upload URL specifies SERVER (https://<server>.company.com:443/CAisd/UploadServlet)

    Attachments fail when servlet upload URL is changed to DNS (https://<DNS>.company.com:443/CAisd/UploadServlet)

    stdlog shows nothing even when logstat is increased, browser F12 console shows no script errors.

     

    The rest of the setup is via normal ports

     

     

    Thank you



  • 4.  Re: How to configure Service Desk to ONLY use port 443?

    Posted Jul 22, 2016 06:50 AM

    It would seem the reason is my cert only has DNS name and when attachments want to attach to background server (which is not in the cert) it fails.

     

    So, how to configure servlet to accommodate cert?



  • 5.  Re: How to configure Service Desk to ONLY use port 443?
    Best Answer

    Posted Jul 29, 2016 06:14 AM

    Resolution ...

     

    In this configuration (advanced Availability), F5 is being used as load balancer for 2 x Application Servers, configuring Tomcat, DNS entries and what DNS entries to put in the SSL certs to make this configuration work

     

    F5 is configured with its own IP address which is published to the internet and is also used for internal LAN linked to DNS entry.

    The SSL certs must comply with Governance, Risk & Security which only allows SSL certs to show DNS naming for servers (example: https://support.company.com)

     

    You need to create an additional SSL cert for configuring on all your servers, this cert needs 2 additional entries for upload servlets (background & standby servers) and these additional entries need to be created in DNS as well.

    You don't have to create an additional cert, if you want to add the upload servlet entries in your F5 cert you can and then configure that cert on your servers as well, bearing in mind that the upload servlet DNS names will be visible when the cert is being viewed on the internet.

    In this example we created an additional cert as follows:

     

                 • support.company.com

                 • backgroundattach.company.com

                 • standbyattach.company.com

     

    Make sure all of these are DNS entries pointing to the correct servers / IP addresses. (e.g. backgroundattach.company.com - DNS points to Background Server IP)

     

    Configuring Tomcat is per normal as per documentation

     

    When configuring the attachments servlets for background and standby servers you use these DNS entries as follows

     

    Background Server

    https://backgroundattach.company.com:443/CAisd/UploadServlet

     

    Standby Server

    https://standbyattach.company.com:443/CAisd/UploadServlet

     

     

    Tested with failover and is working
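
The failure in post 4 and the fix in post 5 both come down to whether each upload-servlet host name appears in the certificate's subject alternative names. The following is an added example, not part of the original thread or of CA's tooling: it checks a list of repository servlet URLs against a SAN list, with wildcard handling as a generalization beyond the thread. The SAN lists and URLs are constructed from the thread's example names, and the function names are hypothetical; it does not check that DNS resolves to the right server.

```python
from urllib.parse import urlsplit

def san_matches(hostname, san):
    """Exact match, or a wildcard SAN covering exactly one leftmost label."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return host == san

def check_servlet_urls(urls, sans):
    """Map each servlet URL to the SAN that covers it, or None if nothing does."""
    result = {}
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""          # empty when the URL has no //host part
        on_443 = parts.scheme == "https" and (parts.port or 443) == 443
        match = next((s for s in sans if san_matches(host, s)), None)
        result[url] = match if on_443 else None
    return result

def uncovered(urls, sans):
    """Servlet URLs with no matching SAN, or not HTTPS on port 443."""
    return [u for u, m in check_servlet_urls(urls, sans).items() if m is None]

# Constructed sample data, using the example names from the thread.
DNS_ONLY_CERT = ["support.company.com"]
ADDITIONAL_CERT = ["support.company.com",
                   "backgroundattach.company.com",
                   "standbyattach.company.com"]
SERVLET_URLS = [
    "https://backgroundattach.company.com:443/CAisd/UploadServlet",
    "https://standbyattach.company.com:443/CAisd/UploadServlet",
]

if __name__ == "__main__":
    for label, sans in (("DNS-only cert", DNS_ONLY_CERT),
                        ("additional cert", ADDITIONAL_CERT)):
        bad = uncovered(SERVLET_URLS, sans)
        print(f"{label}: {'OK' if not bad else 'not covered: ' + ', '.join(bad)}")
```

To run it against a deployed certificate, replace the constructed SAN list with the dNSName entries read from the certificate actually installed on Tomcat.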