Hello Service Desk Manager Community!
Over the past couple of months I have seen some interest popping up on how to setup SSL encryption with CA Service Desk Manager. In addition to Jon Israel's excellent post here: https://communities.ca.com/message/100317861#100317861, I wanted to share with the community some information I documented on configuring SSL with SDM 12.7 on IIS 7 and Tomcat based on Go Daddy certificates.
Note the Go Daddy repository here if needed: Go Daddy Repository, SSL Certificate Information
SDM IIS / SSL / HTTP / Tomcat Configuration Tasks
Step one assumes that you already have a .crt file ready for use and a .key file.
Create a p7b file using openssl: (filename.*** below is often named after the domain - ex. sdm.customer.com.p7b)
openssl crl2pkcs7 -nocrl -certfile filename.crt -certfile gd_bundle.crt -certfile gd_iis_intermediates.p7b -out filename.p7b
(gd_iis_intermediates.p7b and gd_bundle.crt can be obtained from the Go Daddy repository)
Create a pfx file for IIS import – Execute this from the cert location
Example: openssl pkcs12 -export -out <cert.pfx> -inkey <privatekey.key> -in <cert.crt> -certfile <gd_bundle.crt> -certfile <iisintermediate.crt>
Sample: openssl pkcs12 -export -out sdm.customer.com.pfx -inkey sdm.customer.com.key -in sdm.customer.com.crt -certfile gd_bundle.cer -certfile gd_iis_intermediates.p7b
(.crt or .cer ??? --> http://www.networksolutions.com/support/what-is-the-difference-between-a-crt-and-a-cer-file/)
Open Server Certificates in IIS – Click Hostname Connection First on left hand side
Double click to Open Server Certificates
Click the Import… link on the right
Browse for the .pfx file from your local server and then enter the cert password
(the password was specified during creation)
Sample successful pfx import
Next, open up the “Sites” parent level in IIS on the left side.
Then click the “Default Web Site”
Left click on “Bindings” located on the far right side.
Click the ‘Add’ button to add a binding.
Select type: https, IP Address: All Assigned, Port 443 (default - but can be changed), SSL Certificate – Select yours from drop down
Once the binding is complete, if you are using a loadbalancer, ensure it has already been setup for port 443 access, then restart the website IIS service.
SET DEFAULT DOMAIN TO OPEN /CAisd/pdmweb.exe (OPTIONAL)
Open My computer or file explorer goto the wwwroot directory (Default: C:\inetpub\wwwroot)
Create a backup of iisstart.htm
Next, open iisstart.htm in Notepad or a text editor
Select All – Delete – Then Past in the following:
Save the updated iisstart.htm file
Test the url: sample https://environment.url
TOMCAT SSL CREATION – tomcat.keystore
As a final step, create a tomcat.keystore for use with Business Objects SSL or any tomcat based service.
Below is an example of the manual commands you could utilize:
cat sdm.customer.com.crt gd_intermediate.crt gd_cross_intermediate.crt valicert_class2_root.crt gd_bundle.cer gd_iis_intermediates.p7b > environment-certificate-chain.txt
openssl pkcs12 -export -inkey sdm.customer.com.key -in environment-certificate-chain.txt -out sdm.customer.com.pkcs12
../Java/jdk1.6.xx/bin/keytool -importkeystore -srckeystore sdm.customer.com.pkcs12 -srcstoretype PKCS12 -destkeystore tomcat.keystore
Copy the tomcat.keystore to the BO app server or wherever tomcat SSL encryption is needed.
CONFIGURE Tomcat for Repository use with SSL - tomcat.keystore
Configuring Tomcat for ssl involves updating the server.xml file for the Tomcat instance.
<Install Path>\Service Desk Manager\bopcfg\www\CATALINA_BASE\conf\server.xml
*Note, you can also do this same process for REST under: ..\CATALINA_BASE_REST\conf\server.xml (Use an alternate port number to avoid a conflict!)
***Backup the default server.xml prior to making changes!
A sample server.xml section would look like the following: (Port can be customized per your environment - but don't use 443 if IIS is configured for that port)
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="C:\filename.keystore" keystorePass="password_goes_here" maxThreads="150" port="4430" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
Restart the tomcat service from a command prompt to apply the changes. (*Note, restart all services if you think the manual tomcat restart may not have executed successfully)
pdm_tomcat_nxd -c stop
pdm_tomcat_nxd -c start
CONFIGURE Tomcat for Business Objects use with SSL - tomcat.keystore
Configuring Tomcat for BO or CABI involves updating the server.xml file for the Tomcat instance, similar to what is above.
<Connector port="8443" minSpareThreads="25" maxThreads="150" maxSpareThreads="75" maxHttpHeaderSize="8192" enableLookups="false" disableUploadTimeout="true" acceptCount="100" sslProtocol="TLS" clientAuth="false" secure="true" scheme="https" keystorePass="password_goes_here" keystoreFile="C:\filename.keystore"/>
One item I did not mention about server.xml is that there will be two sections for connector ports. A non-SSL config and an SSL config. If you do want SSL to be functioning, you will need a segment similar to what I have shared in this post for each server.xml file. You will also need a section similar to what is shown below that specifies a redirect port for non-SSL incoming requests:
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8085" redirectPort="8443"/>
*A redirectPort specification should exist in each server.xml file - along with a separate config line for the SSL connector port information.
ALTER THE REPOSITORY SETTING IN SDM
Login to the SDM environment as an Administrator
Click the Administration tab and navigate the left side menu.
Click Attachments Library – Repositories
Right click on the Service Desk repository and left click Edit.
Change the Servlet Path to reflect the full SSL address.
Ex. https://<environment custom url>:4430/CAisd/UploadServlet
Do the same for the Images and Knowledge repositories!!
IF LOGOFF SESSION ISSUE SHOWS SPECIFIC ERROR
“Logging Out Of The Web Report Server…”is displayed as a pop-up and doesn't go away.
To resolve this logoff issue, do the following:
From inside ServiceDesk – Administration tab – Options Manager – Web Report
Ensure that all 3 report options are disabled!
Thank you for checking out my first community blog post! Maybe these notes from a past SDM configuration I have performed will come in handy to someone else in the community.
If you found this information valuable, please leave a comment below. Also, if you found any errors - I'd like to know as well - Special thanks to Scott Weeks!