Clarity Service Management

SSL on SDM - IIS and Tomcat

By ThomasConnery posted 09-15-2014 12:18 PM

  

Hello Service Desk Manager Community!

 

Over the past couple of months I have seen some interest popping up on how to setup SSL encryption with CA Service Desk Manager. In addition to Jon Israel's excellent post here: https://communities.ca.com/message/100317861#100317861, I wanted to share with the community some information I documented on configuring SSL with SDM 12.7 on IIS 7 and Tomcat based on Go Daddy certificates.

 

Note the Go Daddy repository here if needed: Go Daddy Repository, SSL Certificate Information

 

SDM IIS / SSL / HTTP / Tomcat Configuration Tasks

 

Step one assumes that you already have a .crt file ready for use and a .key file.

 

Create a p7b file using openssl:  (filename.*** below is often named after the domain - ex. sdm.customer.com.p7b)

openssl crl2pkcs7 -nocrl -certfile filename.crt -certfile gd_bundle.crt -certfile gd_iis_intermediates.p7b -out filename.p7b
(gd_iis_intermediates.p7b and gd_bundle.crt can be obtained from the Go Daddy repository)

Create a pfx file for IIS import – Execute this from the cert location

Example: openssl pkcs12 -export -out <cert.pfx> -inkey <privatekey.key> -in <cert.crt> -certfile <gd_bundle.crt> -certfile <iisintermediate.crt>

Sample:  openssl pkcs12 -export -out sdm.customer.com.pfx -inkey sdm.customer.com.key -in sdm.customer.com.crt -certfile gd_bundle.cer -certfile gd_iis_intermediates.p7b

 

(.crt or .cer ??? --> http://www.networksolutions.com/support/what-is-the-difference-between-a-crt-and-a-cer-file/)

 

Open Server Certificates in IIS – Click Hostname Connection First on left hand side

image1-ssl.png

Double click to Open Server Certificates

image2-ssl.png


Click the Import… link on the right

image3-ssl.png

Browse for the .pfx file from your local server and then enter the cert password
(the password was specified during creation)

 

image4-ssl.png

Sample successful pfx import


Next, open up the “Sites” parent level in IIS on the left side.

Then click the “Default Web Site”

Left click on “Bindings” located on the far right side.

image5-ssl.png

image6-ssl.png
Click the ‘Add’ button to add a binding.

 

image7-ssl.png

Select type: https,   IP Address:  All Assigned,  Port 443 (default - but can be changed),   SSL Certificate – Select yours from drop down

Click: OK

 

Once the binding is complete, if you are using a loadbalancer, ensure it has already been setup for port 443 access, then restart the website IIS service.

image8-ssl.png

 

 

SET DEFAULT DOMAIN TO OPEN /CAisd/pdmweb.exe       (OPTIONAL)

Open My computer or file explorer goto the wwwroot directory (Default: C:\inetpub\wwwroot)

Create a backup of iisstart.htm

Next, open iisstart.htm in Notepad or a text editor

Select All – Delete – Then Past in the following:

<html><head>
<script>location.replace("/CAisd/pdmweb.exe");</script>
</head></html>

Save the updated iisstart.htm file

Test the url:  sample  https://environment.url

 

 

TOMCAT SSL CREATION – tomcat.keystore

As a final step, create a tomcat.keystore for use with Business Objects SSL or any tomcat based service.

Below is an example of the manual commands you could utilize:

 

cat sdm.customer.com.crt gd_intermediate.crt gd_cross_intermediate.crt valicert_class2_root.crt gd_bundle.cer gd_iis_intermediates.p7b > environment-certificate-chain.txt

openssl pkcs12 -export -inkey sdm.customer.com.key -in environment-certificate-chain.txt -out sdm.customer.com.pkcs12

../Java/jdk1.6.xx/bin/keytool -importkeystore -srckeystore sdm.customer.com.pkcs12 -srcstoretype PKCS12 -destkeystore tomcat.keystore

 

Copy the tomcat.keystore to the BO app server or wherever tomcat SSL encryption is needed.

 

 

CONFIGURE Tomcat for Repository use with SSL - tomcat.keystore

Configuring Tomcat for ssl involves updating the server.xml file for the Tomcat instance.

<Install Path>\Service Desk Manager\bopcfg\www\CATALINA_BASE\conf\server.xml

*Note, you can also do this same process for REST under: ..\CATALINA_BASE_REST\conf\server.xml (Use an alternate port number to avoid a conflict!)
***Backup the default server.xml prior to making changes!

A sample server.xml section would look like the following: (Port can be customized per your environment - but don't use 443 if IIS is configured for that port)

    <Connector SSLEnabled="true" clientAuth="false" keystoreFile="C:\filename.keystore" keystorePass="password_goes_here" maxThreads="150" port="4430" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

Restart the tomcat service from a command prompt to apply the changes. (*Note, restart all services if you think the manual tomcat restart may not have executed successfully)

pdm_tomcat_nxd -c stop
pdm_tomcat_nxd -c start

 

 

CONFIGURE Tomcat for Business Objects use with SSL - tomcat.keystore

Configuring Tomcat for BO or CABI involves updating the server.xml file for the Tomcat instance, similar to what is above.

<Connector port="8443" minSpareThreads="25" maxThreads="150" maxSpareThreads="75" maxHttpHeaderSize="8192" enableLookups="false" disableUploadTimeout="true" acceptCount="100" sslProtocol="TLS" clientAuth="false" secure="true" scheme="https" keystorePass="password_goes_here" keystoreFile="C:\filename.keystore"/>

 

One item I did not mention about server.xml is that there will be two sections for connector ports. A non-SSL config and an SSL config. If you do want SSL to be functioning, you will need a segment similar to what I have shared in this post for each server.xml file. You will also need a section similar to what is shown below that specifies a redirect port for non-SSL incoming requests:

<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8085" redirectPort="8443"/>

*A redirectPort specification should exist in each server.xml file - along with a separate config line for the SSL connector port information.

 

 

ALTER THE REPOSITORY SETTING IN SDM

Login to the SDM environment as an Administrator

Click the Administration tab and navigate the left side menu.
Click Attachments Library – Repositories
Right click on the Service Desk repository and left click Edit.

Change the Servlet Path to reflect the full SSL address.
Ex. https://<environment custom url>:4430/CAisd/UploadServlet

 

Do the same for the Images and Knowledge repositories!!

 

image91-ssl.png

 

IF LOGOFF SESSION ISSUE SHOWS SPECIFIC ERROR

“Logging Out Of The Web Report Server…”is displayed as a pop-up and doesn't go away.

To resolve this logoff issue, do the following:

From inside ServiceDesk – Administration tab – Options Manager – Web  Report

Ensure that all 3 report options are disabled!

 

 

Thank you for checking out my first community blog post! Maybe these notes from a past SDM configuration I have performed will come in handy to someone else in the community.

If you found this information valuable, please leave a comment below. Also, if you found any errors - I'd like to know as well - Special thanks to Scott Weeks!

2 comments
9 views

Comments

10-13-2014 10:36 AM

Hello Thomas,

 

On this article, you have described:

  • How to add certificate on IIS (iis.msc)
  • How to add certificate on Tomcat (server.xml)
  • How to sign a certificate using an Certificate Authority (using openssl)


Even if you make this modifications, some URLs will not run under secure protocol. You assure that you have also changed options all existent URL and configurations files.
Meantime, good job!

 

Thanks and regards,

RMC

09-19-2014 03:32 AM

Nice article on implementing SSL on IIS Thanks Thomas. .