How to replace a self signed SSL certificate with a 3rd party signed cert

Discussion created by Scott_Owens Employee on Dec 14, 2012
Latest reply on Dec 17, 2012 by MaryGreening
During the 4.0 installation you can check the box for "Support Secure Communication". This generates a PAM self signed SSL certificate. You also have the option to generate your own self-signed certificate for PAM (Page 326 of the Admin guide for 4.0). All of these certificates use 3 values in the Oasisconfig.properties. To use your new 3rd party trusted certificate instead of your self signed certificate you will need to replace these values with that of your signed certificate.

"itpam.web.keystorepath"
"itpam.web.keystore.password"
"itpam.web.keystorealias"

The steps for implementing a 3rd party trusted SSL certificate for CA Process Automation are detailed starting on page 329 of the CA Process Automation Content Administrator guide.

CA Process Automation supports third-party security certificates for HTTPS web access and signing of jars. Use your own resources to obtain a trusted SSL certificate from the Certificate Authority of your choice. This procedure is beyond the scope of this guide.

The use of third-party security certificates requires the use of third-party tools. The set-up process also requires manual changes to the OasisConfig properties file (<install_dir>\server\c2o\.config\OasisConfig.properties). Before you begin, become familiar with the basic concepts of security certificates and keystores and the keytool utility provided with the Java JDK.

Implementing third-party security certificates requires updating values for three parameters in the OasisConfig properties file:

"itpam.web.keystorepath"
The default value is the keystore path for the self-signed certificate:
<install_dir>/server/c2o/.config/c2okeystore

"itpam.web.keystore.password"
The default value is the encrypted "DOMAINID".

"itpam.web.keystorealias"

The default value is ITPAM for fresh installations of CA Process Automation r2.2 SP1 or later, or "c2o-j" for CA Process Automation r2.2 or earlier.
Note: A keystore can have more than one alias. To use a keystore alias that duplicates an existing alias, remove the existing alias before adding a new instance.
To use a certificate issued by a third-party Certification Authority

1. Decide on a certificate password and obtain a security certificate from a Certification Authority.

2. Using the instructions provided by the Certification Authority, import the certificate into a keystore.
Generally you use a command similar to keytool -import -alias myalias -file certfile -keystore "path_and_file_specification_for_keystore".

3. For the keystore password, enter the certificate password provided by the Certificate Authority.

4. Obtain an encrypted version of the keystore password.
a. Navigate to <install_dir>\server\c2o.
b. Locate the PasswordEncryption script (PasswordEncryption.bat for Windows, PasswordEncryption.sh for UNIX or Linux).
c. Run PasswordEncryption passwordtoencrypt.
d. Save the long encrypted value returned for entry in the properties file.

5. Shut down the CA Process Automation Orchestrator.

6. Back up and edit the Oasis Configuration properties file to add or update the following:
a. itpam.web.keystorepath to the location of the keystore using the fully qualified path and file name for the keystore file.
b. itpam.web.keystore.password with the encrypted keystore password (do not surround encrypted password value with quotes)
c. itpam.web.keystorealias to the alias used to reference the certificate in the keystore (myalias in the examples).

7. Sign the jars by running SignC2OJars (SignC2OJars.bat for Windows, SignC2OJars.sh for UNIX or Linux) included with CA Process Automation in <install_dir>\server\c2o. Run SignC2oJars without parameters to sign the jars. If the keystore password you entered does not match the certificate password, enter the certificate password as each jar is signed.
Note: On AIX, there is a known problem when re-signing a jar file using SignC2OJars. To work around this problem, manually "unsign" the jars by removing the *.SF and *.RSA files in the META-INF folder for each Java Archive before running SignC2OJars.

8. If the keystore contains more than one alias, modify the connector entry in server.xml. The server.xml is located in <install_dir>\server\c2o\deploy\jbossweb-tomcat55.sar\server.xml. Add the keyAlias line:
<Connector port="${tomcat.secure.port}" address="${jboss.bind.address}"
maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${itpam.web.keystorepath}"
keyAlias="${itpam.web.keystorealias}"
keystorePass="${itpam.web.keystore.password}" sslProtocol = "${SSL_PROTOCOL}" algorithm = "${X509_ALGORITHM}" useBodyEncodingForURI="true"/>

9. Restart the CA Process Automation Orchestrator.

10. Repeat this procedure for each Orchestrator that is to use the new certificate.
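A pre-flight checker for the three OasisConfig.properties values and the server.xml connector edit from steps 6 and 8 above, added here as an example; it is not part of the original post or of CA Process Automation. The minimal properties parser, the sample values and the placeholder password are my own assumptions.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath
# The three OasisConfig.properties keys the procedure updates.
REQUIRED_KEYS = ("itpam.web.keystorepath", "itpam.web.keystore.password", "itpam.web.keystorealias")

def parse_properties(text):
    """Minimal Java .properties reader (assumed format): key=value or key: value, comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_properties(props):
    """Return the problems to catch before restarting the Orchestrator (step 9)."""
    problems = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"missing or empty {key}")
    pw = props.get("itpam.web.keystore.password", "")
    if pw[:1] in ("'", '"') or pw[-1:] in ("'", '"'):
        problems.append("keystore password must not be surrounded by quotes (step 6b)")
    path = props.get("itpam.web.keystorepath", "")
    if path.endswith("c2okeystore"):
        problems.append("keystorepath still points at the default self-signed keystore")
    if path and not (PurePosixPath(path).is_absolute() or PureWindowsPath(path).is_absolute()):
        problems.append("keystorepath is not a fully qualified path (step 6a)")
    return problems

def connector_has_key_alias(server_xml):
    """True if the HTTPS <Connector> in server.xml carries the keyAlias attribute (step 8)."""
    for m in re.finditer(r"<Connector\b[^>]*>", server_xml):
        tag = m.group(0)
        if 'scheme="https"' in tag and re.search(r"\bkeyAlias=", tag):
            return True
    return False

# Constructed sample inputs (not from a real installation); the password is a placeholder.
GOOD_PROPS = """itpam.web.keystorepath=/opt/CA/PAM/server/c2o/.config/thirdparty.jks
itpam.web.keystore.password=ENCRYPTED_VALUE_PLACEHOLDER
itpam.web.keystorealias=myalias
"""
BAD_PROPS = """itpam.web.keystorepath=relative/c2okeystore
itpam.web.keystore.password="ENCRYPTED_VALUE_PLACEHOLDER"
"""
SERVER_XML = """<Connector port="${tomcat.secure.port}" scheme="https" secure="true"
    keystoreFile="${itpam.web.keystorepath}" keyAlias="${itpam.web.keystorealias}"
    keystorePass="${itpam.web.keystore.password}"/>"""
```

Run it against a copy of the real files after step 6 and step 8; an empty list from check_properties and True from connector_has_key_alias means the edits match the procedure.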