CA Service Management


Setting up SSL (Third Party Vendor) in EEM

  • 1.  Setting up SSL (Third Party Vendor) in EEM

    Posted Nov 06, 2017 08:14 PM

    I'm finding different information about how to set up an SSL certificate within EEM.

    EEM is currently signed with the out-of-the-package certificates. I'm trying to replace that with a third-party certificate that we are using on the particular domain, to get rid of the SSL trust errors.

    I've found different information, but nothing exact. Does anyone have steps on how to properly make this transition?


    Thanks!



  • 2.  Re: Setting up SSL (Third Party Vendor) in EEM

    Posted Nov 07, 2017 08:35 AM

    Hi Jordan - I found this doc in the communities:  How to setup EEM UI to use a custom signed certificate (R8.4 SP4+ and R12.x) 

    See if that helps,

    Jon



  • 3.  Re: Setting up SSL (Third Party Vendor) in EEM

    Posted Nov 07, 2017 09:39 AM

    Hey John,

    It may... but unfortunately this is what I'm getting when clicking on the link provided above.




  • 4.  Re: Setting up SSL (Third Party Vendor) in EEM

    Broadcom Employee
    Posted Nov 07, 2017 09:48 AM

    Jordan...

    I have attached a PDF version of the document for you.

    Attachment: DOC-231148893.pdf (pdf, 7 KB, 1 version)


  • 5.  Re: Setting up SSL (Third Party Vendor) in EEM

    Posted Nov 07, 2017 10:13 AM

    Thanks Paul. I'm getting a general idea.

    So my original certificate was a .P7B, which does not show as being supported by this documentation. So I did a conversion of the .P7B to a .PEM file, which created a cert.pem; this conversion required that I input a PFX password during the conversion process.

    Based upon the instructions I was to alter the following information for a PEM file...

    But all I got from the conversion was the PEM file. The certURI, I'm guessing, would be cert.pem in this case, but I have no idea what would go in the keyURI as I don't have a .key file to put there.

    I assume I'm missing something somewhere in this process. Also, if we can use a P7B I'm fine with that as well.



  • 6.  Re: Setting up SSL (Third Party Vendor) in EEM

    Posted Nov 07, 2017 04:37 PM

    Hi Jordan,

    A P7B file does not contain the key. If you can get the .pfx file you can follow this:

    openssl pkcs12 -in file.pfx -out file.pem -nodes

    I believe it would create a PEM file with the key in it, and you have to split it into separate files.


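The split step that the reply above leaves to the reader, as an added example (written for this thread; it is not code from CA/Broadcom or from any poster): a Python script that sorts the single PEM file produced by `openssl pkcs12 -nodes` into the certificate file and the key file that a pem certType's certURI and keyURI point at. The output names primary.crt and private.key are the ones used later in the thread; SAMPLE_PEM is a constructed sample with placeholder bodies, not a real certificate or key.

```python
"""Split the single PEM file produced by
`openssl pkcs12 -in file.pfx -out file.pem -nodes` into the two files
that iGateway's certType=pem expects (certURI and keyURI).
Added example for this thread; it is not a CA/Broadcom tool."""
import re
import sys
from pathlib import Path

# One PEM block: matching BEGIN/END labels with the body (base64 plus any
# header lines such as Proc-Type) in between.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def split_pem(text: str) -> dict:
    """Sort the PEM blocks in `text` into certificates and private keys.

    openssl pkcs12 prints 'Bag Attributes', 'subject=' and 'issuer=' lines
    between blocks; they sit outside the BEGIN/END markers, so the regex
    drops them.  A P7B converted to PEM yields only CERTIFICATE blocks and
    no key, which is why the thread needs the PFX.
    """
    result = {"certs": [], "keys": [], "encrypted_keys": []}
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2).strip()
        block = f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
        if label == "CERTIFICATE":
            result["certs"].append(block)
        elif label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            # Password-protected key: -nodes was not used.  The working
            # config in this thread uses a plain key, so report it rather
            # than silently writing it out.
            result["encrypted_keys"].append(block)
        elif label.endswith("PRIVATE KEY"):
            result["keys"].append(block)
    return result


def write_split(pem_path: str, cert_out: str = "primary.crt",
                key_out: str = "private.key") -> int:
    """Write the leaf certificate (first block, as openssl emits it) followed
    by any chain certificates to `cert_out`, and the single key to `key_out`.
    Returns the number of certificates written."""
    parts = split_pem(Path(pem_path).read_text())
    if parts["encrypted_keys"]:
        raise ValueError("private key is encrypted; re-export with -nodes")
    if len(parts["keys"]) != 1:
        raise ValueError(f"expected exactly one private key, found {len(parts['keys'])}")
    if not parts["certs"]:
        raise ValueError("no CERTIFICATE block found")
    Path(cert_out).write_text("".join(parts["certs"]))
    Path(key_out).write_text(parts["keys"][0])
    return len(parts["certs"])


# Constructed sample: the shape of `openssl pkcs12 -nodes` output with
# placeholder base64 bodies (not a real certificate or key).
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01 02 03
subject=/CN=eem.example.com
issuer=/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBleafCertPlaceholder
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=Example Issuing CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBintermediateCertPlaceholder
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        n = write_split(sys.argv[1])
        print(f"wrote {n} certificate(s) to primary.crt and the key to private.key")
    else:
        p = split_pem(SAMPLE_PEM)
        print(f"sample: {len(p['certs'])} cert(s), {len(p['keys'])} key(s)")
```

Run it as `python split_pem.py file.pem` in the folder where the converted file lives, then copy primary.crt and private.key into the iTechnology folder. The certificate file keeps the chain behind the leaf so the server presents the intermediates too; an encrypted key (no `-nodes`) is refused instead of being written out, since the config that worked in this thread uses an unencrypted key with an empty keyPW.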

  • 7.  Re: Setting up SSL (Third Party Vendor) in EEM

    Posted Nov 07, 2017 05:13 PM

    Was able to take the PFX and convert it into a PEM and pull out both the certificate and private key statements. Saved them as a CRT and a KEY and uploaded them into:

    C:\Program Files\CA\SC\iTechnology

    Once uploaded, edits were made to the iGateway file:

      <Connector name="defaultport">
       <port>5250</port>
       <mustlisten>true</mustlisten>
           <conntype/>
       <conntimeout>120</conntimeout>
       <peektimeout>30</peektimeout>
       <maxconnections>1000</maxconnections>
       <maxrequestbytes>10000000</maxrequestbytes>
       <maxpiperequests>10</maxpiperequests>
       <maxAcceptRate/>
       <certType>pem<certType/>
       <certURI>primary.crt<certURI/>
       <certPW/>
       <keyURI>private.key<keyURI/>
       <keyPW/>
       <secureProtocol/>
       <cipherlist/>
      </Connector>

     

    These alterations prevented the CA iTechnology iGateway service from being able to start.

    Error: 0xffffffff: 0xffffffff

    The CA Directory still started.

    The website failed to load.

    Restored the original values to the iGateway.conf file and everything started up like normal. The original values look as follows:

    <Connector name="defaultport">
       <port>5250</port>
       <mustlisten>true</mustlisten>
           <conntype/>
       <conntimeout>120</conntimeout>
       <peektimeout>30</peektimeout>
       <maxconnections>1000</maxconnections>
       <maxrequestbytes>10000000</maxrequestbytes>
       <maxpiperequests>10</maxpiperequests>
       <maxAcceptRate/>
       <certType/>
       <certURI/>
       <certPW/>
       <keyURI/>
       <keyPW/>
       <secureProtocol/>
       <cipherlist/>
      </Connector>



  • 8.  Re: Setting up SSL (Third Party Vendor) in EEM

    Posted Nov 07, 2017 05:20 PM

    Try using the full file path



  • 9.  Re: Setting up SSL (Third Party Vendor) in EEM

    Posted Nov 07, 2017 05:26 PM

    Also, if you have the pfx file, just follow the p12 steps in the documentation:


    1. Copy the p12 certificate to iTechnology folder.
    2. Stop iTechnology service.
    3. Edit igateway.conf and update the <Connector name="defaultport"> section
    4. Set certType to p12
    5. Set certURI to your .p12 certificate filename
    6. Set certPW to munged p12 certificate file password using the ConfigTool.
    7. Save and exit the file
    8. Start the iTechnology service

     

    Run this:

    C:\Program Files (x86)\CA\SC\iTechnology>ConfigTool -munge -version 4.6.0.0 -comp igateway -tag
    "TransportReceiver=HTTP;Connector=defaultport;certPW;" -passwd testpassword

    Replace testpassword with your password, and put that in <certPW>:


    <Connector name="defaultport">
       <port>5250</port>
       <mustlisten>true</mustlisten>
           <conntype/>
       <conntimeout>120</conntimeout>
       <peektimeout>30</peektimeout>
       <maxconnections>1000</maxconnections>
       <maxrequestbytes>10000000</maxrequestbytes>
       <maxpiperequests>10</maxpiperequests>
       <maxAcceptRate/>
       <certType>p12</certType>
       <certURI>cert.pfx</certURI>
       <certPW>[munged password]</certPW>
       <keyURI/>
       <keyPW/>
       <secureProtocol/>
       <cipherlist/>
      </Connector>

     

    Give the above a try.



  • 10.  Re: Setting up SSL (Third Party Vendor) in EEM

    Posted Nov 07, 2017 06:00 PM

    Hi Anthony,

    Attempted PFX with the following entry:

    Password removed.

    Attempted this with the full path as shown (and without).

    I attempted the command given for ConfigTool using exactly the same language (changing testpassword to the actual password of the PFX) but got the following error.

    I also attempted your original instructions about using the full path as follows:

    Results in the following error:



  • 11.  Re: Setting up SSL (Third Party Vendor) in EEM
    Best Answer

    Posted Nov 08, 2017 09:17 AM

    Hi Jordan,

    I just tried the command and it seems to put the certPW in for you, so you don't have to do it yourself. I think your command failed because you have

    <certPW>******<certPW/>

    It should be <certPW>*****</certPW>



  • 12.  Re: Setting up SSL (Third Party Vendor) in EEM

    Posted Nov 13, 2017 10:49 AM

    Was able to get it working with the PEM, using primary.crt and private.key.

    The issue was the placement of the slash.


    Thanks!

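The fix confirmed in the best answer and the post above (a closing tag written as <certPW/> instead of </certPW>) is exactly what an XML parser calls a mismatched tag, so it can be caught before the service restart instead of as an 0xffffffff at start time. As an added example (written for this thread, not a CA/Broadcom tool and not any poster's code), a Python checker that parses the Connector block and also flags the other mistakes seen in the thread: an empty keyURI with certType pem, an empty certPW with certType p12, and a certURI/keyURI that does not exist on disk. The sample blocks are trimmed copies of the ones posted in the thread; the field names are the ones visible there.

```python
"""Sanity-check the <Connector name="defaultport"> block of igateway.conf
before restarting the iTechnology service.  Added example for this thread,
not a CA/Broadcom tool; the field names are the ones visible in the thread."""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Optional


def check_connector(xml_text: str, base_dir: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the block looks sane.

    A tag closed as <certType/> instead of </certType> leaves the element
    open, so the parser reports a mismatched tag when it reaches
    </Connector>.  With base_dir set, certURI and keyURI are also checked
    to exist (relative names are resolved against base_dir, e.g. the
    iTechnology folder).
    """
    problems: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return [f"not well-formed XML (check closing tags such as </certPW>): {err}"]

    def field(tag: str) -> str:
        el = root.find(tag)
        return (el.text or "").strip() if el is not None else ""

    ctype, cert_uri, key_uri = field("certType"), field("certURI"), field("keyURI")
    if ctype == "pem":
        if not cert_uri:
            problems.append("certType is pem but certURI is empty")
        if not key_uri:
            problems.append("certType is pem but keyURI is empty (a P7B carries no key)")
    elif ctype == "p12":
        if not cert_uri:
            problems.append("certType is p12 but certURI is empty")
        if not field("certPW"):
            problems.append("certType is p12 but certPW is empty (ConfigTool -munge output goes here)")
    elif ctype:
        problems.append(f"unexpected certType {ctype!r}; the thread uses pem or p12")
    if base_dir is not None:
        for uri in (cert_uri, key_uri):
            if uri and not Path(base_dir, uri).is_file():
                problems.append(f"file not found: {Path(base_dir, uri)}")
    return problems


# Trimmed copies of the thread's blocks (unrelated fields left out).
BROKEN_PEM = """<Connector name="defaultport">
   <port>5250</port>
   <mustlisten>true</mustlisten>
   <certType>pem<certType/>
   <certURI>primary.crt<certURI/>
   <certPW/>
   <keyURI>private.key<keyURI/>
   <keyPW/>
   <secureProtocol/>
   <cipherlist/>
</Connector>
"""

FIXED_PEM = """<Connector name="defaultport">
   <port>5250</port>
   <mustlisten>true</mustlisten>
   <certType>pem</certType>
   <certURI>primary.crt</certURI>
   <certPW/>
   <keyURI>private.key</keyURI>
   <keyPW/>
   <secureProtocol/>
   <cipherlist/>
</Connector>
"""

P12_NO_PW = """<Connector name="defaultport">
   <port>5250</port>
   <certType>p12</certType>
   <certURI>cert.pfx</certURI>
   <certPW/>
   <keyURI/>
   <keyPW/>
</Connector>
"""

if __name__ == "__main__":
    for name, text in (("broken pem", BROKEN_PEM), ("fixed pem", FIXED_PEM), ("p12 no pw", P12_NO_PW)):
        print(name, "->", check_connector(text) or "ok")
```

Paste the Connector block from igateway.conf into a file and call check_connector on its contents with base_dir set to the iTechnology folder (the thread shows both C:\Program Files\CA\SC\iTechnology and C:\Program Files (x86)\CA\SC\iTechnology, depending on the install), which also covers the "try the full path" suggestion: a relative certURI that the service cannot find shows up as "file not found" here. XML tag names are case-sensitive, so a typo such as </certPw> closing <certPW> is reported the same way as the misplaced slash.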


  • 13.  RE: Re: Setting up SSL (Third Party Vendor) in EEM

    Posted Dec 12, 2019 10:34 AM
    Hello,

    Whatever I try, I get these errors in the igateway.log.

    [24704] 12/12/19 15:28:11 ERROR :: AsyncHTTPConnAcceptor::start : unable to load PEM certificate [certfile : PAM-A.crt, keyfile: PAM-A.key ]
    [24704] 12/12/19 15:28:11 ERROR :: AsyncHTTPListener::startConnectors : connector for port [ 5250 ] failed to start and mustlisten set to true
    [24704] 12/12/19 15:28:11 ERROR :: AsyncHTTPListener::start : unable to start connector/s
    [24704] 12/12/19 15:28:11 ERROR :: HTTPTransportReceiver::start : transport receiver [ HTTP ] failed to start
    [24704] 12/12/19 15:28:11 ERROR :: TransportReceiverHandler::start : transport receiver [ HTTP] failed to start
    [24704] 12/12/19 15:28:11 FATAL :: Server::startReceivers : Unable to start receiver [ HTTP ]
    [24704] 12/12/19 15:28:11 FATAL :: Server::startReceivers : unable to start server
    [24704] 12/12/19 15:28:11 ERROR :: Server::start : Receivers didnot get started as expected
    [24704] 12/12/19 15:28:11 FATAL :: main: Server failed to start

    EEM is on the same server as PAM. I had a JKS, which I converted to a DER, then the DER to a PEM certificate. I exported the key from the JKS file to a .key file.

    This is what I put in the igateway.conf file:

    <Connector name="defaultport">
       <port>5250</port>
       <mustlisten>true</mustlisten>
           <conntype/>
       <conntimeout>120</conntimeout>
       <peektimeout>30</peektimeout>
       <maxconnections>1000</maxconnections>
       <maxrequestbytes>10000000</maxrequestbytes>
       <maxpiperequests>10</maxpiperequests>
       <maxAcceptRate/>
       <certType>pem</certType>
       <certURI>PAM-A.crt</certURI>
       <certPW/>
       <keyURI>PAM-A.key</keyURI>
       <keyPW/>
       <secureProtocol/>
      </Connector>

    Also tried with a p12 file, and the ConfigTool to "munge" the password. Still not working.

    C:\Program Files (x86)\CA\SC\iTechnology>ConfigTool -munge -version 4.6.0.0 -comp igateway -tag
    "TransportReceiver=HTTP;Connector=defaultport;certPW;" -passwd testpassword

    Am I getting something wrong? My certificate is issued by our own internal authority for our internal websites.

    Thanks