CA Service Management

  • 1.  CA Service Catalog SSL

    Posted Nov 27, 2018 05:57 AM

    Hi friends,

I'm trying to set up SSL for CA Service Catalog Tomcat, but I'm getting some weird errors - does anyone have any idea what could be wrong?

     

    Some notes:

    - CA SC and CA USS Portal are on the same server

    - CA SC works fine on HTTP

    - I have a Java keystore with the private key

    - I followed the documentation and changed server.xml, viewService.conf and filled appropriate fields in Server Information page (https, hostname, port). I guess everything is OK.

     

There are the following error messages in the ServiceCatalog.log:

    SEVERE: Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-8443"]

    java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

    ...

    Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

    SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]

    ...

    Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed

    Caused by: java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

    Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

     

and also some warning messages:

    WARNING: Failed to scan [file:/D:/CA%20SC/view/webapps/usm/WEB-INF/lib/external/cryptojFIPS.jar] from classloader hierarchy

    java.io.FileNotFoundException: D:\CA SC\view\webapps\usm\WEB-INF\lib\external\cryptojFIPS.jar (The system cannot find the path specified)

     

    Any ideas?

     

    Thank you,
    Jakub



  • 2.  Re: CA Service Catalog SSL

    Broadcom Employee
    Posted Nov 27, 2018 09:20 AM

Good afternoon, Jakub.

    Preliminary research shows me the below. Please check on that accordingly.

We moved the existing keystore from .keystore to old.keystore and created a new one, and made sure that the server configuration in server.xml correctly matches the values set in that file.

    Fundamentally, we've followed the instructions on this documentation page:
    https://docops.ca.com/ca-service-management/14-1/en/administering/configuring-ca-service-catalog/configure-ca-service-catalog-to-use-secure-socket-layer#ConfigureCAServiceCatalogtoUseSecureSocketLayer-Step3-ConfigureCAServiceCatalogtoUseSecureSocketLayer
    https://comm.support.ca.com/kb/sample-generation-and-registration-of-a-signed-cert-to-catalog-jks/kb000096537

    However, there are a few items that you have to be very careful with.
    The keystore needs to consist of two certificates:
    1: the certificate for this server - this is the self-signed cert we generated with the keystore.
2: the root certificate of a Certificate Authority (on a production server, this would be the same root CA that you purchased the root-signed server cert from).

    We then update server.xml with the correct filename for that keystore, the password and the alias of the first of those two certificates within - it was set to the second one.

    Without a certificate in a keystore to refer to, Tomcat defaults to opening the port without SSL protection.
    Which is why you could only access it with the http:// protocol, not https.
    ====================================================================================
    Follow these steps:
    1 Create a keystore file.
    2 Use a single keystore for all integrated products. This approach is recommended.
    If you have multiple keystores for different products and cannot use a single keystore for all of them, you can merge keystore files.
    3 Configure CA Service Catalog.
    4 If you are integrating CA Service Catalog with CA Process Automation, perform the following steps:
    a Configure CA Process Automation to use Secure Socket Layer. For more information, see your CA Process Automation documentation.
    b Configure CA Process Automation to communicate with CA Service Catalog using Secure Socket Layer
    5 If you are integrating CA Service Catalog with CA Business Intelligence, perform the following steps:
    a Configure CA Business Intelligence to use Secure Socket Layer. For more information, see your CA Business Intelligence documentation.
    b Configure CA Business Intelligence to communicate with CA Service Catalog using Secure Socket Layer.
    6 (Optional) Add self-signed certificates to the keystore
    ----------------------------------------------------------
    Step 1 - Create a Keystore File
    A keystore file is required to enable SSL. Create a keystore file if you do not have one already for another CA product that integrates with CA Service Catalog. You can use a keystore file for a single product or for multiple products. If you must create individual keystores for each product, you can optionally merge your keystore files.
    Follow these steps:
    1 Open a command window on the Catalog Component server.
    2a cd %JAVA_HOME%\bin
    2b Enter the following command:
    keytool -genkey -alias aliasforssl -keyalg RSA -keystore "C:\Program Files\CA\Service Catalog\.keystore" -keysize 1024
- alias_name
Specifies the logical name for the certificate that you are using for CA Service Catalog and possibly for other products. Record this alias name for reference.
keytool -list -keystore "C:\Program Files\CA\Service Catalog\.keystore"
    3 Enter the password at the "Enter keystore password" prompt.
    - To make configuring Tomcat easier, you can use "changeit" as the password.
    4 Record your password for reference.
    5 Enter your password at the prompt.
    You have created the keystore file.
    -----------------------------------
    Step 2 - (Optional) Merge Keystore Files
    Not done now
    -----------------------------------
    Step 3 - Configure CA Service Catalog to Use Secure Socket Layer
    Configure CA Service Catalog to use Secure Socket Layer (SSL).
    Follow these steps:
    1 Edit the server.xml file to support SSL.
    The file is updated to help support SSL for CA Service Catalog.
    - Remove the https-comment lines
    - Set the correct .keystore path
- Set the correct alias
    2 Open the USM_HOME\view\conf\viewService.conf file, using a text editor.
    3 Update the following line with the path name and file name of the keystore file:
    wrapper.java.additional.number=-Djavax.net.ssl.trustStore="USM_HOME/.keystore"
    4 Update the following line with the password of the keystore file:
    wrapper.java.additional.number=-Djavax.net.ssl.trustPass=changeit
    5 Save and close the viewService.conf file.
    6 Select Administration, Configuration, Server Information on the CA Service Catalog GUI.
    7 Complete the fields in this section as follows:
    For Host Name, specify the name of the host where CA Service Catalog is installed.
    For Port Number, specify the port where HTTPS is configured.
    For Enable HTTPS, specify Yes. Restart CA Service Catalog.
    8 Log in to CA Service Catalog using the following URL:
    https://hostname:port/usm/wpf
    9 You see a trusted certificate prompt, which indicates that you are using HTTPS.
    10 Optionally, disable HTTP access by commenting the section for the HTTP connector, as shown in the following example:
    <!--
    <Connector port="8080" enableLookups="false" redirectPort="8443" tomcatAuthentication="false"
    maxThreads="400" minSpareThreads="25" maxSpareThreads="100" debug="0" connectionTimeout="15000"
    disableUploadTimeout="true" compression="on" compressionMinSize="2048"
    compressableMimeType="text/html,text/plain,text/xml,text/css,text/javascript,image/png,image/gif,image/jpeg,application/json"
    useBodyEncodingForURI="false" URIEncoding="UTF-8" />
    -->
    You have configured CA Service Catalog to use SSL.
    ----------------------------------------------------
    Kind regards, Louis van Amelsfort.



  • 3.  Re: CA Service Catalog SSL
    Best Answer

    Broadcom Employee
    Posted Nov 27, 2018 01:16 PM

    Jakub,

     

    You need to add any vendor SSL cert (example: www.google.com) to the keystore that Catalog is using and the error "java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty"   should go away

     

It's documented in this section:

    Configure CA Service Catalog to Use Secure Socket Layer - CA Service Management - 17.1 - CA Technologies Documentation 

     

    Hope this helps

    _R
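Added example (editor's addition, not from the thread or from CA's documentation) showing why the "trustAnchors parameter must be non-empty" error appears and what the keystore must contain for it to go away. When viewService.conf sets -Djavax.net.ssl.trustStore to the Catalog .keystore, Tomcat builds its PKIX trust anchors from that file's trusted-certificate entries (trustedCertEntry) only; the PrivateKeyEntry holding the server key is not a trust anchor, so a keystore that contains just the key yields zero anchors and the HTTPS connector fails to initialise. The script below classifies the entries of a keystore from the text of keytool -list, so it runs without a JDK; pass a real keystore path (and its password) to check a live file. The two listings embedded in it are constructed samples; the aliases corp-root-ca and corp-issuing-ca, the file root-ca.cer and the path D:\CA SC\.keystore are assumptions, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from CA's documentation.
# Tomcat builds PKIXBuilderParameters from the truststore's trustedCertEntry
# entries; a PrivateKeyEntry is not a trust anchor. A keystore holding only
# the server key therefore produces "the trustAnchors parameter must be
# non-empty" when the https connector starts.

# Constructed sample: the questioner's state, one private key and nothing else.
SAMPLE_KEY_ONLY='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

aliasforssl, 27 Nov 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <omitted>'

# Constructed sample: same key plus an assumed corporate CA chain imported as
# trusted certificate entries (the two-certificate layout from the thread).
SAMPLE_WITH_CA='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

aliasforssl, 27 Nov 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <omitted>
corp-root-ca, 27 Nov 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): <omitted>
corp-issuing-ca, 27 Nov 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): <omitted>'

# count_entries TYPE LISTING: number of keystore entries of that type.
# keytool prints one "alias, date, TYPE," line per entry; grep -c exits 1
# when the count is zero, hence the || true.
count_entries() {
    printf '%s\n' "$2" | grep -c ", $1," || true
}

# summarize LISTING: one-line tally of key and trusted-certificate entries.
summarize() {
    printf 'PrivateKeyEntry=%s trustedCertEntry=%s' \
        "$(count_entries PrivateKeyEntry "$1")" \
        "$(count_entries trustedCertEntry "$1")"
}

# diagnose_truststore LISTING: EMPTY_TRUST_ANCHORS when Tomcat would fail as
# in the thread (no trusted certificate entry at all), otherwise OK.
diagnose_truststore() {
    if [ "$(count_entries trustedCertEntry "$1")" -eq 0 ]; then
        echo EMPTY_TRUST_ANCHORS
    else
        echo OK
    fi
}

# suggest_fix KEYSTORE: the keytool command that makes the CA which issued
# the server certificate a trust anchor. Alias and file name are placeholders
# (assumed); -trustcacerts lets keytool validate the file against the JDK's
# cacerts before importing it. Repeat for the intermediate CA.
suggest_fix() {
    printf 'keytool -importcert -trustcacerts -alias corp-root-ca -file root-ca.cer -keystore "%s"\n' "$1"
}

main() {
    if [ -n "$1" ] && command -v keytool >/dev/null 2>&1; then
        # Live check of a real keystore. -storepass shows up in the process
        # list; on a shared host let keytool prompt for it instead.
        listing=$(keytool -list -keystore "$1" -storepass "${2:-changeit}")
        echo "$(summarize "$listing") -> $(diagnose_truststore "$listing")"
        [ "$(diagnose_truststore "$listing")" = OK ] || suggest_fix "$1"
    else
        echo "key only:      $(summarize "$SAMPLE_KEY_ONLY") -> $(diagnose_truststore "$SAMPLE_KEY_ONLY")"
        echo "with CA chain: $(summarize "$SAMPLE_WITH_CA") -> $(diagnose_truststore "$SAMPLE_WITH_CA")"
        # Assumed USM_HOME for the questioner's host (taken from the D:\CA SC
        # path in the warning he posted).
        suggest_fix 'D:\CA SC\.keystore'
    fi
}

main "$@"
```

Importing an unrelated public certificate, as the accepted answer suggests, does make the trust-anchor set non-empty, but consider what the file is now used for: once javax.net.ssl.trustStore is set, the JVM no longer consults its default cacerts, so every outbound TLS connection the Catalog process makes (to CA Process Automation, CA Business Intelligence, an LDAP server over TLS, and so on) is validated against this one keystore. The entries that belong there are the root and intermediate CA that issued the server certificate plus the CAs of any integrated product, each imported with keytool -importcert -trustcacerts under its own alias, which is the two-certificate layout the earlier reply describes; if Catalog must also reach public endpoints, merge the JDK cacerts into it with keytool -importkeystore. Two further points on the documented procedure: the standard JSSE system property for the truststore password is javax.net.ssl.trustStorePassword, so check what the viewService.conf of your version actually contains, and -keysize 1024 is the floor the JDK still permits for RSA and is rejected outright by current browsers, so generate the key with -keysize 2048 or larger.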



  • 4.  Re: CA Service Catalog SSL

    Posted Nov 28, 2018 06:54 AM

Hi Radgu - the trick with the Google certificate worked like a charm. I should learn more about certificates, because this is something I don't fully understand.

     

Thank you - great help as usual.

     

    Jakub