IT Process Automation

  • 1.  SSL Certification with PAM

    Posted Nov 13, 2017 01:40 PM

    Hi all,

     

    The SSL process continues. 

     

    Attempting to complete this process:

    How to replace a self signed SSL certificate with a 3rd party signed cert 

     

    I have no luck using a .p7b in the keystore. So I have been using the .CRT that was created along with a .KEY file.

     

    I created the keystore file doing the following command:

     

    This resulted in a keystore.jks file. This file was moved to the C2O/.CONFIG location. 

     

    Edited the OasisConfig file to adjust the following three lines...

    #Defines the path of the keystore that is used for signing jars.
    itpam.web.keystorepath=C:/Program Files/CA/PAM/server/c2o/.config/keystore
    #Defines the password of the keystore that is used for signing jars.
    itpam.web.keystore.password=**********
    #Defines the alias name of the certificate in the keystore that is used for signing jars.
    itpam.web.keystorealias=CA

     

    Password has been removed. But the password being used was the direct password as a test. Not one that was encrypted for use in the file by the system. 

     

    I attempted to use C:/Program Files/CA/PAM/server/c2o/.config/keystore and 
    C:/Program Files/CA/PAM/server/c2o/.config/keystore.jks

     

    When starting up PAM it was launch the first JAVA process and begin the boot-up process. It will never boot fully. It will eventually switch the service back to STOPPED.



  • 2.  Re: SSL Certification with PAM

    Posted Nov 13, 2017 06:21 PM

    Hi Jordan,

    Please check if your log has this message, and if the solution in this kb help you

     

    "Secure Connection Failed. PAMhost:8443 uses an invalid security certificate. The certificate is not trusted because it … 



  • 3.  Re: SSL Certification with PAM

    Posted Nov 13, 2017 06:42 PM

    Does not appear to resolve (also could not locate specific reference in log files). I did adjust how I was setting up the certificate slightly. Which I think is a better methodology. But not sure.

     

    1. Exported .PFX file (including private key), and intermediate certs and dumped into smcert.pfx

    2. I obtained the ALIAS from the smcert.pfx:

    3. Created KEYSTORE file:

     

    4. Moved smkeystore.jks to the c2o/.config directory. And edited the OasisConfig with the following details:

    #Defines the path of the keystore that is used for signing jars.
    itpam.web.keystorepath=C:/Program Files/CA/PAM/server/c2o/.config/smkeystore
    #Defines the password of the keystore that is used for signing jars.
    itpam.web.keystore.password=**Password-Removed**
    #Defines the alias name of the certificate in the keystore that is used for signing jars.
    itpam.web.keystorealias=73db311d59c54b54adfb8a1044173839

    5. Ran SignC2OJars, appears to have completed successfully. 

     

    Service still FAILS to start.



  • 4.  Re: SSL Certification with PAM

    Posted Nov 13, 2017 07:08 PM

    what does c2o log says?



  • 5.  Re: SSL Certification with PAM

    Posted Nov 16, 2017 06:22 PM

    Sorry for the delay in my response to this. There has been some corrections made since this was last updated.

     

    A new KEYSTORE has been created. Within there are three entries. Accounting for the entire chain of the certificate. It has been verified that this chain is working correctly within Catalog. 

     

    I have edited the OasisConfig with the keystore. Which includes the PATH, PASSWORD, and ALIAS.

     

    The service starts and immediately fails still. I'm thinking this might have to do with having multiple aliases in keystore. I'm not sure how to point to multiple aliases in the configuration file (or if it is necessary?)



  • 6.  Re: SSL Certification with PAM

    Posted Nov 16, 2017 06:29 PM
      |   view attached

    I have also attached a fresh c2o log.

    Attachment(s)

    zip
    c2o.txt.zip   63 KB 1 version


  • 7.  Re: SSL Certification with PAM
    Best Answer

    Broadcom Employee
    Posted Nov 17, 2017 08:47 AM

    Jordon, to use a keystore with multiple alias:

    https://docops.ca.com/ca-process-automation/04-3-02/en/administrating/overview-for-administrators/maintain-the-domain/manage-certificates/use-a-certificate-from-a-third-party-certificate-authority

    • If the keystore contains more than one alias, modify the connector entry in server.xml. The server.xm. is located in <install_dir>\server\c2o\deploy\jbossweb-tomcat55.sar\server.xml. Add the line in bold:

      <Connector port="${tomcat.secure.port}" address="${jboss.bind.address}"

          maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"

          emptySessionPath="true"

          scheme="https" secure="true" clientAuth="false" 

          keystoreFile="${itpam.web.keystorepath}"

          keyAlias="${itpam.web.keystorealias}"

          keystorePass="${itpam.web.keystore.password}" sslProtocol = "${SSL_PROTOCOL}" algorithm = "${X509_ALGORITHM}" useBodyEncodingForURI="true"/>

    • Start the Orchestrator.


  • 8.  Re: SSL Certification with PAM

    Posted Nov 20, 2017 07:17 PM

    Just for reference. The keyAlias addition is already within the SERVER.XML within the new CA Process Automation installations. So that bit of information is outdated.

     

    The solution to this problem was that the KEYSTORE being used on the environment was made in a 1.80u112 java environment. PAM was installed onto a 1.70u80. Caused the keystore to be invalid due to differing versions.

     

    Uninstalled 1.70u80 from PAM and loaded 1.80u112 into the environment. Reset PAM to work with the new JAVA version. Referenced the keystore and created the encrypted password. 

     

    Used the keytool to pull the certificates from within the keystore and list all the aliases. Instructions on how to do that can be found here: The Most Common Java Keytool Keystore Commands 

     

    My keystore was assembled into three aliases. I tried each one until the system took it. The cert in the chain referencing the actual FQDN was the correct choice. PAM booted in SSL.

     

    Tested steps in additional clustered environments. Worked.

     

    Thanks all for your help.