CA Service Management

  • 1.  CASM 17.4.2 - Catalog-Integration does not work

    Posted 24 days ago
    Edited by Peter Schmidt 24 days ago

    Hi all,

    after upgrading SLCM and SDM from 17.4.1 to 17.4.2 integration of SLCM and SDM/PAM does not work when using 'test' in SLCM.

    Each component is up and running and can be used.

    What I tried:

    Recreating and copying CASM_POLICY.p12 does not help.

    Reintegration from 17.4-iso does not help.

    How to reproduce:

    Go to SLCM --> Administration --> configuration

    Select Service Desk from the left pane.

    Click on Test-Button on the right pane.

    Without waiting-time error-window pops up: error when trying connection.

    F12:

    no error in console;

    Url: https://m***10:8443/usm/wpf?Node=icguinode.toolsconfigtest&Args=Go***ut&Args=servicedesk&Args=USV (nothing else)

    This url returns (called manually) XML-Data.

    STDLOG:

    Nothing when button is clicked

    VIEW.LOG:

    Nothing when button is clicked

    Any idea what I could look for?

    Regards,

    Peter



  • 2.  RE: CASM 17.4.2 - Catalog-Integration does not work

    Broadcom Employee
    Posted 23 days ago

    Hi Peter,

    Can you please help me if this environment is enabled with SSL? If yes, please follow the below steps.

    https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-4/troubleshooting1/troubleshooting-ca-service-catalog/integration-issues/integration-between-sdm-and-service-catalog-stops-working-after-the-upgrade-to-17-4-ru2.html

    Thanks,

    Seetharam




  • 3.  RE: CASM 17.4.2 - Catalog-Integration does not work

    Posted 21 days ago

    Hi Seetharam,

    I answered 3 times here and none of my answers were saved.

    I'll comment it in CASE 35157644




  • 4.  RE: CASM 17.4.2 - Catalog-Integration does not work

    Posted 20 days ago

    Good morning Seetharam,

    at first .. thanks for your reply.

    What I don't understand is:

    • Why does RU02 kill working SSL-integration (worked fine till 17.4 RU01)
    • After reading the linked document:
      • We have customer-specific certificates and want to use them .. what to do?
      • Is it a must to create own certificates as described?
      • We have an integration from outside using them .. what will happen?

    Thanks,

    Peter

    PS.: I also opened a CASE for it .. 35157644




  • 5.  RE: CASM 17.4.2 - Catalog-Integration does not work

    Broadcom Employee
    Posted 20 days ago

    Hi Peter,

    As per my understanding, this issue occurs only when using a self-signed certificate for SSL.

    Starting from version 17.4.Ru2, we have implemented CXF for both the Service Catalog and SDM. CXF now enforces the inclusion of SAN details in the certificate.

    Possible solution: We need to regenerate the certificate with SAN and add it to the trust store.

    Thanks,

    Seetharam




  • 6.  RE: CASM 17.4.2 - Catalog-Integration does not work

    Posted 20 days ago

    Hi Seetharam,

    we already have a SAN-certificate with alternative names listed in use with RU01.

    Under RU02 with this certificate SDM and Catalog are each working correctly.

    What else do I have to do so that Catalog's communication with SDM and PAM also works in RU02?

    Regards,

    Peter




  • 7.  RE: CASM 17.4.2 - Catalog-Integration does not work

    Broadcom Employee
    Posted 20 days ago

    Hi Peter,

    According to the above comment, SDM + Catalog is working fine by updating the SAN to the certificate. 

    Please follow the below steps to integrate with ITPAM.

    In ITPAM:
    1. Regenerate a new custom key-store file for ITPAM using the SAN details.
      1. keytool -genkey -alias "itpam" -keyalg RSA -keystore "<keystore path>" -ext san=dns:<ITPAM Server hostname>

        By default, the validity of the certificate is 90 days. You can extend the certificate duration using the -validity <number of days> parameter when creating the certificate.

    2. Update the above generated certificate in ITPAM server.

      1. For 04.3.05 release,
        1. Navigate to <install_loc>\server\c2o\.config\OasisConfig.properties
          • We need to add three entries to point to the custom certificate. 
          • itpam.custom.web.keystorepath, itpam.custom.web.password and itpam.custom.web.keystorealias
          • Note: itpam.custom.web.password value can be encrypted using PasswordEncryption.bat file available in the <install_loc>\server\c2o location.
        2. Navigate to <install_loc>\server\c2o\deploy\jbossweb.sar\server.xml
          • We need to modify this file to use the custom entries mentioned in oasis config file.
            • example :
            • <Connector protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
                   port="${tomcat.secure.port}" address="${jboss.bind.address}"
                   maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
                   emptySessionPath="true"
                   scheme="https" secure="true" clientAuth="false"
                   keystoreFile="${itpam.custom.web.keystorepath}"
                   keyAlias="${itpam.custom.web.keystorealias}"
                   keystorePass="${itpam.custom.web.keystore.password}"
                   sslProtocol = "${SSL_PROTOCOL}" algorithm = "${X509_ALGORITHM}" ciphers="${jboss.ssl.ciphers}" 
                   useBodyEncodingForURI="true" maxPostSize="12582912"/>
        3. Restart ITPAM server.
        4. Validate the SAN details in the certificate using the browser.  (If this test is good, then only start modifying the SDM side.) 
      2. For 04.4 release,
        1. Follow the techdocs for replacing the above generated custom certificate in the ITPAM 04.4 release: https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/automic-process-automation/04-4-00/administrating/overview-for-administrators/maintain-the-domain/manage-certificates/configure-custom-certificates-and-password-vault--wildfly-.html
        2. Restart ITPAM server.
        3. Validate the SAN details in the certificate using the browser.  (If this test is good, then only start modifying the SDM /SLCM side.) 
    In SDM:
    1. ?wsdl should be appended to the PAM url for the integration (if SDM is on 17.4 GA)
    2. Export the PAM customer certificate from browser and import it into SDM key-store file
      1.      keytool -importcert -file c:\itpamcert.crt -keystore "C:\Program Files (x86)\CA\SC\JRE\11.0.18\lib\security\cacerts"

             It will ask the password: changeit

             keytool -importcert -file c:\itpamcert.crt -keystore "C:\Program Files\CA\SC\JRE\11.0.18\lib\security\cacerts"

             It will ask the password: changeit

    3. Restart the SDM windows service (complete service restart is needed to force to load the key-store file for SDM)
    4. Validate  ITPAM + SDM integration.
    In SLCM :
    1. Export the PAM customer certificate from browser and import it into SLCM key-store file.
      1. keytool -importcert -file c:\itpamcert.crt -keystore "C:\Program Files\CA\SC\JRE\11.0.3\lib\security\cacerts"

             It will ask the password: changeit

    2. Restart SLCM services.
    3. Validate ITPAM + SLCM integration.

    Thanks,

    Seetharam




  • 8.  RE: CASM 17.4.2 - Catalog-Integration does not work

    Posted 19 days ago

    Hi Seetharam,

    many thanks for your answer above but there is a little misunderstanding.

    CATALOG still cannot test SDM

    What we have is a san-certificate which was working with 17.4.1.

    Since 17.4.2 it does not work any longer when testing SDM-connection starting from Catalog.

    What is working:  each application (SDM, Catalog, PAM) can be called via https (tomcat)

    What is not working: Catalog test SDM, Catalog test PAM

    I'll again step in deeper and will try to adapt described way shown above:

    • customers certificate has to be used
    • no new certificates should be generated (Step 1)
    • What to do to reuse customer's certificate?

    Many thanks,

    Peter




  • 9.  RE: CASM 17.4.2 - Catalog-Integration does not work

    Posted 18 days ago

    Hi Seetharam,

    I have good news.

    I only had to do the following on SLCM-machine:

    keytool -importcert -file D:\Zertifikat\sdm_xxxxxx_san.cer -alias testxxxhe.de -keystore "D:\Program Files\CA\Service Catalog\embedded\jdk\lib\security\cacerts"

    Password as documented ...

    After restarting SLCM integration-Test is working.

    Many thanks for your support.

    Regards,

    Peter
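
An added example (not from the thread or from Broadcom) that tells apart the two causes discussed above: a certificate with no matching SAN entry (post 5) and a server certificate missing from the client's trust store (the fix in post 9). It uses Python's OpenSSL-based verifier as a stand-in for the Java client, and the names `classify`, `build_context` and `diagnose` are introduced here.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes, grouped by the fix each one calls for.
TRUST_CODES = {18, 19, 20, 21}  # self-signed, or issuer not in the trust store
HOSTNAME_CODE = 62              # no SAN entry matches the requested host name


def classify(verify_code):
    """Map an OpenSSL verify code to the remedy discussed in the thread."""
    if verify_code == 0:
        return "ok"
    if verify_code in TRUST_CODES:
        return "untrusted: import the server certificate (or its CA) into the client trust store"
    if verify_code == HOSTNAME_CODE:
        return "san-mismatch: reissue the certificate with a SAN entry for this host name"
    return "other: verify code %d" % verify_code


def build_context(trusted_cert_bytes=None):
    """Client context that trusts only the given export (PEM or DER .cer)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.hostname_checks_common_name = False        # SAN only, no fallback to CN
    if trusted_cert_bytes is not None:
        if trusted_cert_bytes.lstrip().startswith(b"-----BEGIN"):
            ctx.load_verify_locations(cadata=trusted_cert_bytes.decode("ascii"))
        else:
            ctx.load_verify_locations(cadata=trusted_cert_bytes)  # DER bytes
    return ctx


def diagnose(host, port, trusted_cert_bytes, timeout=5.0):
    """Handshake with host:port and report which check failed, if any.

    Assumption: trusted_cert_bytes is the same .cer/.crt file that would be
    imported into cacerts with keytool -importcert.
    """
    ctx = build_context(trusted_cert_bytes)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return classify(0)
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code)


if __name__ == "__main__":
    import sys
    # Usage: script.py <host> <port> <exported certificate file>
    with open(sys.argv[3], "rb") as fh:
        print(diagnose(sys.argv[1], int(sys.argv[2]), fh.read()))
```

Run it from the calling machine (for example the SLCM host) against the SDM or PAM HTTPS port. A browser test against each application only shows that the server answers over HTTPS, not that the calling component's own trust store accepts the certificate.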




  • 10.  RE: CASM 17.4.2 - Catalog-Integration does not work

    Broadcom Employee
    Posted 18 days ago

    Hi Peter,

    Good to hear and glad that the issue got resolved and it works fine now.

    Thanks,

    Seetharam