DX NetOps

  • 1.  CAPC 2.4.1 SSL Problem

    Posted Mar 27, 2015 07:15 AM

    Hi all,

     

    I tried to setup https in CAPC using the documentation provided. I used the following commands:

     

    cd /opt/CA/PerformanceCenter/jetty/etc

    mv keystore keystore.bak

    openssl pkcs12 -export -in cert.pem -inkey private.key -name capcb -out keystore.pkcs12

    /opt/CA/jre/bin/keytool -importkeystore -destkeystore /opt/CA/jre/lib/security/cacerts -deststorepass changeit -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -srcalias capcb -destalias capcb -destkeypass ***

     

    sso jetty-ssl.xml:

    <Set name="Keystore"><Property name="jetty.home" default="." />/etc/keystore.pkcs12</Set>

    <Set name="truststore"><Property name="jetty.home" default="." />/etc/keystore.pkcs12</Set>

     

    But I can't start the caperfcenter_sso:

    In the SSOService.log I've found the following:

     

    Java.io.IOException: Invalid Keystore Format

     

     

    Any Idea?

     

    rgds Steve



  • 2.  Re: CAPC 2.4.1 SSL Problem

    Posted Mar 30, 2015 03:06 PM

    CA Performance Center and SSL is a royal pain in the posterior..... that being established, do you have all three of the passwords set as well within the SSL certificate?

     

    You need to have defined in the jetty-ssl.xml config:

     

    KeyStorePassword (Password for the Keystore itself)

    KeyManagerPassword (Password for the SSL key - cannot be a blank string)

    TrustStorePassword (Should be the same as the KeyStorePassword)

     

    You'll also need the obfuscated password strings which you can use the following to get:

     

    java -cp /opt/CA/PerformanceManagement/PerformanceCenter/jetty/lib/jetty-util-******.jar org.eclipse.jetty.util.security.Password <PASSWORD>

     

    This will output the obfuscated password (OBF) which can be placed within the jetty-ssl.xml configuration file.
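What those OBF: strings actually are, as an added example (this is not CA's code nor the Jetty project's own source): a Python re-implementation of the algorithm in org.eclipse.jetty.util.security.Password. The point worth knowing before treating them as protection is that OBF is a reversible encoding, not encryption or hashing; it only stops a password being read at a glance, so the file permissions on jetty-ssl.xml are what really protect it. The "storepwd" vector below is the one that ships in Jetty's sample jetty-ssl.xml.

```python
"""Re-implementation of Jetty's OBF: password obfuscation (added example,
not CA's or Jetty's code). Mirrors org.eclipse.jetty.util.security.Password:
each output group mixes one byte of the password with the byte at the
mirrored position, so the encoding is trivially reversible."""

OBF_PREFIX = "OBF:"
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Integer -> lowercase base-36 string (what Java's Integer.toString(n, 36) gives)."""
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(DIGITS[r])
    return "".join(reversed(out))


def obfuscate(password: str) -> str:
    """Encode a password the way Jetty's Password.obfuscate() does."""
    b = password.encode("utf-8")
    out = [OBF_PREFIX]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]          # byte at the mirrored position
        if b1 >= 0x80 or b2 >= 0x80:
            # Non-ASCII bytes: Jetty emits a 'U' marker plus four base-36 digits
            x = _to_base36(b1 * 256 + b2)
            out.append("U" + "0000"[: 4 - len(x)] + x)
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            x = _to_base36(i1 * 256 + i2)
            out.append("000"[: 4 - len(x)] + x)   # left-pad to four digits
    return "".join(out)


def deobfuscate(obf: str) -> str:
    """Reverse obfuscate(); this is why an OBF: value in a config is not a secret."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    b = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            i0 = int(s[i + 1 : i + 5], 36)
            b.append(i0 >> 8)              # high byte is the original byte
            i += 5
        else:
            i0 = int(s[i : i + 4], 36)
            i1, i2 = divmod(i0, 256)
            b.append((i1 + i2 - 254) // 2)  # undo i1 = 127 + b1 + b2, i2 = 127 + b1 - b2
            i += 4
    return b.decode("utf-8")


if __name__ == "__main__":
    # Constructed demo value; "storepwd" is the password behind Jetty's sample OBF string
    encoded = obfuscate("storepwd")
    print(encoded)                 # OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
    print(deobfuscate(encoded))    # storepwd
```

Treat an OBF: value the same way you would the cleartext it replaces when deciding who may read the file and what goes into backups or ticket attachments.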



  • 3.  Re: CAPC 2.4.1 SSL Problem

    Posted Mar 30, 2015 03:15 PM

    I should point out that a few people have asked me to write up clearer steps for deploying HTTPS with CAPC since you need to configure the SSO part of the application in addition to the PC part. I just haven't gotten around to parsing through my pages of notes on everything.

     

    So far I have SSL working/enabled for LDAP authentication and for the SSO/PC website.



  • 4.  Re: CAPC 2.4.1 SSL Problem

    Posted Mar 31, 2015 08:25 AM

    Hi Matt,

     

    okay so far I have the three passwords in cleartext within jetty-ssl.xml

     

    So you mentioned the OBF Passwords... do I need to use them or is this just an option?

     

    Thanks!

     

    rgds Steve



  • 5.  Re: CAPC 2.4.1 SSL Problem
    Best Answer

    Posted Mar 31, 2015 12:35 PM

    I *think* you can get away with the cleartext passwords. Pretty sure Jetty wants the passwords in some form though. The one that caused me a lot of grief before figuring it all out was the KeyManager password since historically I've used null passwords for the SSL key and Jetty wouldn't start unless there was a SSL Key password.

     

    You've already stumbled onto the other headache which was the PKCS12 keystore replacement (rather than trying to import the keys into the existing keystore).

     

    I'm guessing you've already made all the other changes to the wrapper.conf files, and other files that have to be edited for the SSL connector to come up?



  • 6.  Re: CAPC 2.4.1 SSL Problem

    Posted Apr 01, 2015 09:51 AM

    Hi Matt,

     

    yes I did all the changes in the files and already set up this stuff several times. But now for the first time with a precreated Key.

     

    So what do you mean with KeyManager Password must not be null?

     

    When calling "openssl pkcs12 -export -in cert.pem -inkey private.key -name capcb -out keystore.pkcs12" I needed to set a password which I did. I took this password and used it in the jetty-ssl.xml as KeyPassword. Is that the right way or do you mean that the precreated key also needs to have a password?

     

    slightly confused greetings

    Steve



  • 7.  Re: CAPC 2.4.1 SSL Problem

    Posted Apr 01, 2015 10:15 AM

    Hi Matt,

     

    omg... I've put in a password for the key but the key didn't have a password... I mixed the passwords for keystore and key... So now there's no Error in SSOService.log...

     

    Thanks for giving that hint!

     

    But it seems that it's still not really working because I can't call ./SsoConfig...

     

    rgds Steve



  • 8.  Re: CAPC 2.4.1 SSL Problem

    Posted Apr 01, 2015 11:43 AM

    Exactly... I can't tell you how much time I spent trying to figure that out... basically the keystore has a password but the KEY itself needs a password as well. As I said earlier, I always used a null password for the key because otherwise the password would have to be entered whenever Apache/Tomcat was starting up.

     

    As far as ./SsoConfig goes.... You're two for two in stumbling upon Jetty SSL annoyances. ;-)

     

    Basically what has to happen is you have to configure everything in SsoConfig *BEFORE* you start messing around with the Jetty configurations. What I did when setting this up was to completely copy the PerformanceCenter directory before making any changes so I had something to fall back to... then I adjusted the settings for sso and pc in SsoConfig... then I adjusted the Jetty configs.

     

    The other gotcha is that you have to import your SSL certificate (not the key! just the SSL certificate) into the Java keystore for the client ($CAPC_HOME/jre/lib/security/cacerts) otherwise a few things won't work within CAPC.
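A static check that catches the two configuration mistakes this thread turned on before a restart does: the three password settings listed in post 2 must all be present, and the KeyManagerPassword must not be blank (posts 5 and 8). This is an added example, not CA's or Jetty's code; the jetty-ssl.xml samples are constructed to look like the poster's setup, and the extra KeyStoreType check goes slightly beyond the thread: Jetty's SslContextFactory defaults KeyStoreType to JKS, so a .pkcs12 file with no explicit type is worth flagging.

```python
"""Static check of the SSL settings in a Jetty jetty-ssl.xml (added example,
not CA's code). Parses the <Set name="..."> elements and reports what a
human would otherwise discover one failed restart at a time."""
import xml.etree.ElementTree as ET

REQUIRED = ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword")

# Constructed sample: cleartext passwords, a blank key password, a PKCS12 file
# with no KeyStoreType; roughly the state the thread's poster was in.
WEAK_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="Keystore"><Property name="jetty.home" default="." />/etc/keystore.pkcs12</Set>
    <Set name="KeyStorePassword">storepwd</Set>
    <Set name="KeyManagerPassword"></Set>
    <Set name="truststore"><Property name="jetty.home" default="." />/etc/keystore.pkcs12</Set>
    <Set name="TrustStorePassword">storepwd</Set>
  </New>
</Configure>
"""

# Constructed sample of the corrected form: OBF values (OBF: of "storepwd"),
# a non-blank key password, and the keystore type stated explicitly.
FIXED_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="KeyStore"><Property name="jetty.home" default="." />/etc/keystore.pkcs12</Set>
    <Set name="KeyStoreType">PKCS12</Set>
    <Set name="KeyStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
    <Set name="KeyManagerPassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
    <Set name="TrustStore"><Property name="jetty.home" default="." />/etc/keystore.pkcs12</Set>
    <Set name="TrustStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
  </New>
</Configure>
"""


def set_value(elem):
    """Flatten a <Set> body; a nested <Property> contributes its default attribute."""
    parts = [elem.text or ""]
    for child in elem:
        if child.tag == "Property":
            parts.append(child.get("default", ""))
        parts.append(child.tail or "")
    return "".join(parts).strip()


def ssl_settings(xml_text):
    """Map of lower-cased <Set name> -> value (the thread mixes Keystore/KeyStore)."""
    root = ET.fromstring(xml_text)
    return {s.get("name", "").lower(): set_value(s) for s in root.iter("Set")}


def check_jetty_ssl(xml_text):
    """Return a list of findings; an empty list means nothing to fix."""
    cfg = ssl_settings(xml_text)
    findings = []
    for name in REQUIRED:
        val = cfg.get(name.lower())
        if val is None:
            findings.append(f"{name} is not set")
        elif val == "":
            findings.append(f"{name} is blank (Jetty will not start the SSL connector)")
        elif not val.startswith("OBF:"):
            findings.append(f"{name} is cleartext; consider OBF via org.eclipse.jetty.util.security.Password")
    ks, ts = cfg.get("keystore", ""), cfg.get("truststore", "")
    if ks and ks == ts and cfg.get("keystorepassword") != cfg.get("truststorepassword"):
        findings.append("TrustStore is the KeyStore file but TrustStorePassword differs (compared as written)")
    if ks.lower().endswith((".pkcs12", ".p12")) and cfg.get("keystoretype", "").upper() != "PKCS12":
        findings.append("KeyStore looks like PKCS12 but KeyStoreType is not PKCS12 (Jetty defaults to JKS)")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_XML), ("fixed", FIXED_XML)):
        print(label, check_jetty_ssl(xml_text) or "ok")
```

Point the script at the real file with `check_jetty_ssl(open(path).read())`; passwords are compared as written, so a cleartext value and its OBF form will be reported as different even when they decode to the same string.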



  • 9.  Re: CAPC 2.4.1 SSL Problem

    Posted Apr 01, 2015 11:52 AM

    Hi Matt,

     

    when starting sso service I get the following:

     

    org.eclipse.ssl.keypassword : WARNING - System.in has been disabled by the wrapper.disable_console_input property. Calls will block indefinetely

     

    Is that the result of the null password in the SSL Key?

     

    thanks for your help!

     

    rgds Steve



  • 10.  Re: CAPC 2.4.1 SSL Problem

    Posted Apr 01, 2015 12:01 PM

    I can't remember if I've stumbled on that error or not. I would try to use a PKCS12 keystore that has a password along with a SSL key/cert within the keystore that also has a password to see if the error goes away.