DX NetOps


CAPC and SSL problems

  • 1.  CAPC and SSL problems

    Posted Apr 30, 2015 03:03 PM

    I am following, to the letter, the documentation in the SSO Single Sign-On Guide, and after going through all the steps and even backing up various xml and conf files there is still a problem.  I am generating and importing a certificate. Going by the steps in item 3:

     

    Generate a private key and a public, self-signed certificate using the following command:

    keytool -genkeypair -keystore keystore_file.ks -storepass storepasswd -keyalg RSA -keysize 2048 -keypass keypasswd -alias alias_name 

    In this step, I can make the storepass password and keypasspass password the same.

     

    In the steps to Configure CA Performance Center to use HTTPS

     

    1. Create a file named 'jetty-ssl.xml' in that directory with the following contents:

    <?xml version="1.0"?>
    <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
    <Configure id="Server" class="org.eclipse.jetty.server.Server">
      <Call name="addConnector">
        <Arg>
          <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <Set name="Port">8182</Set>
            <Set name="maxIdleTime">30000</Set>
            <Set name="Keystore"><Property name="jetty.home" default="." />/etc/keystore</Set>
            <Set name="Password">***PASSWORD***</Set>
            <Set name="KeyPassword">***PASSWORD***</Set>
            <Set name="truststore"><Property name="jetty.home" default="." />/etc/keystore</Set>
            <Set name="trustPassword">***PASSWORD***</Set>
            <Set name="allowRenegotiate">true</Set>
          </New>
        </Arg>
      </Call>
    </Configure>

    There are references to change ***PASSWORD***: "Replace all instances of the “***PASSWORD***” value with the passwords in use in your system." Am I supposed to understand that I should, A: change the PASSWORD to what I used to create the storepass and keypass earlier in the steps??

     

    What is the keystore and what is the truststore?  From what I am reading in other posts, configuring SSO on CAPC has got to be the biggest piece of **** anyone has seen.

     

     

     

    [root@d1-capc-01 etc]# service caperfcenter_sso start

    Starting Performance Center SSO...

    wrapper  | Spawning intermediate process...

    Waiting for Performance Center SSO......

    running: PID:5371

    [root@d1-capc-01 etc]# service caperfcenter_devicemanager start

    Starting Performance Center DM...

    Waiting for Performance Center DM......

    running: PID:5516

    [root@d1-capc-01 etc]# service caperfcenter_console start

    Starting Performance Center DM...

    Performance Center DM is already running.

    Starting Performance Center Console...

    Waiting for Performance Center Console......

    WARNING: Performance Center Console may have failed to start.

    [root@d1-capc-01 etc]#



  • 2.  Re: CAPC and SSL problems

    Posted Apr 30, 2015 05:32 PM

    So basically there are three passwords (really only two, but more on that in a second) in play here:

     

    KeyStore Password

    TrustStore Password

    Key Password

     

    The KeyStore password and the TrustStore password are the same - so just make those passwords the same in the config file. The Key password is the password for the SSL key and CANNOT be blank. You're also better off doing a PKCS12 SSL certificate using OpenSSL and using that as the "keystore" instead of using keytool.
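    Since the jetty-ssl.xml in the first post leaves three ***PASSWORD*** fields to fill in and the reply above says to keep them identical, here is an added consistency check (example code, not from the thread or the product) that parses a jetty-ssl.xml with Python's standard library and flags leftover placeholders, mismatched passwords, or a truststore path that differs from the keystore. The sample file is constructed from the connector posted above.

```python
import xml.etree.ElementTree as ET

PLACEHOLDER = "***PASSWORD***"
# The three <Set> fields of the connector that carry a password.
PASSWORD_FIELDS = ("Password", "KeyPassword", "trustPassword")

# Constructed sample: the connector from the thread, placeholders left in place.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Set name="Port">8182</Set>
      <Set name="Keystore"><Property name="jetty.home" default="." />/etc/keystore</Set>
      <Set name="Password">***PASSWORD***</Set>
      <Set name="KeyPassword">***PASSWORD***</Set>
      <Set name="truststore"><Property name="jetty.home" default="." />/etc/keystore</Set>
      <Set name="trustPassword">***PASSWORD***</Set>
    </New>
  </Arg></Call>
</Configure>"""


def connector_settings(xml_text):
    """Return {name: value} for every <Set> of the first <New> connector."""
    new = ET.fromstring(xml_text).find(".//New")
    if new is None:
        raise ValueError("no <New> connector element found")
    settings = {}
    for s in new.findall("Set"):
        # For <Set name="Keystore"><Property .../>/etc/keystore</Set> the
        # path is the tail text after the <Property> child, not s.text.
        text = (s.text or "") + "".join(c.tail or "" for c in s)
        settings[s.get("name")] = text.strip()
    return settings


def check_ssl_config(xml_text):
    """Return a list of problems; an empty list means the file is consistent."""
    s = connector_settings(xml_text)
    problems = []
    for name in PASSWORD_FIELDS:
        if name not in s:
            problems.append(f'missing <Set name="{name}">')
        elif not s[name] or s[name] == PLACEHOLDER:
            problems.append(f"{name} is empty or still the placeholder")
    if len({s[n] for n in PASSWORD_FIELDS if n in s}) > 1:
        problems.append("Password, KeyPassword and trustPassword differ")
    if s.get("Keystore") != s.get("truststore"):
        problems.append("Keystore and truststore point to different files")
    return problems
```

Run check_ssl_config on the real file's contents before restarting caperfcenter_console; a non-empty list is the reason the console "may have failed to start".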



  • 3.  RE: Re: CAPC and SSL problems

    Posted Jul 26, 2019 10:47 AM
    Did you build a mop for this?


  • 4.  Re: CAPC and SSL problems

    Posted May 01, 2015 09:45 AM

    This is insane when a CA engineer is having problems implementing SSO on CAPC following their own documentation.



  • 5.  Re: CAPC and SSL problems

    Posted May 07, 2015 11:00 AM

    I've alluded to it in the past, but I'm guessing I'm going to have to carve out some time to do a step-by-step for the community on configuring SSL for CAPC.... It's a pain, but once the steps are laid out it's not that bad.



  • 6.  Re: CAPC and SSL problems

    Posted May 07, 2015 11:17 AM

    Now that I have finally got SSL on CAPC working, it's not that bad.  The trick is to keep all three passwords the same.



  • 7.  Re: CAPC and SSL problems

    Broadcom Employee
    Posted Jul 08, 2015 12:03 PM

    The most common cause of SSL config problems in all these products, when the errors are tied to the certificates, is confusion around the three values that require a password, and the alias value.

     

    Once you have your head wrapped around what Matt posted earlier, it gets much easier and less frustrating.

     

    Here are some other tips and tricks that might help, which I've learned over time configuring SSL for Spectrum and eHealth hosts that are integrated together.

     

    - Setting the storepass password. The default storepass password for SSL configuration is 'changeit'. This can, and often should, be changed but it is best to use the same value when generating all certificates for SSL. This allows for consistency during the configuration process and leads to fewer problems and fewer errors being encountered.

     

    - Setting Alias values when creating certs. The default Alias value is normally 'tomcatssl'. This is fine when securing a single web server for SSL communication. It's always good to change the defaults when security is involved, but it works. When securing multiple servers that must communicate, using a single alias can cause issues and confusion. In that case it is best to use a unique alias for each server's certificate file when creating them. To keep things simple, a good value to set the alias to is the hostname of the server. Either the short host name or the FQDN can be used here and provides consistency.

     

    - Exporting/creating certificate files on one server for import into another. Consistency is again key here when creating the *.cer files for import to other systems. Creating the file name as HostName.cer provides consistency with the alias and the host the file was created on. This way fewer disparate values need to be remembered when moving the files around and importing them.

     

    - Certificate expiration values.

      The default time period a given certificate is valid for when created is one year.

      If a longer time frame is not specified, after one year this process will have to be performed again with new certificates to update the SSL configuration with.

      Using the '-validity' value when creating certificate files will yield custom time frames when generating certificates in Spectrum.

      The value of the flag is a given number of days. The greatest permissible value is 36500, which equates to 100 years.

      In eHealth there is no method at this time of setting the certificates to be valid for longer than one year. Thus once a year the certificates from eHealth will need to be regenerated and imported to the necessary systems to maintain SSL communications.



  • 8.  RE: Re: CAPC and SSL problems

    Posted Jul 15, 2019 03:14 AM
    Hi Experts,

    Any advice on this? I am facing this error:

    This webpage is not available

    ERR_SSL_VERSION_OR_CIPHER_MISMATCH
    A secure connection cannot be established because this site uses an unsupported protocol or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.


    https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=2c0eb165-1bf1-4da9-babb-cffd519e2d5e&CommunityKey=671164c3-e575-4b08-96ab-edc2e1ceed13&tab=digestviewer#bm2c0eb165-1bf1-4da9-babb-cffd519e2d5e



  • 9.  Re: CAPC and SSL problems

    Posted Aug 07, 2015 02:33 AM

    Hi Opnet,

     

    well, that is one way. The other might be that the documentation describes a bit more precisely where which password is expected. Not all of us are SSL or Jetty experts...

     

    rgds Steve



  • 10.  Re: CAPC and SSL problems

    Posted Aug 05, 2015 04:54 PM

    Here is the wiki link to the steps to configure:

    Single Sign-On - CA Performance Management - 2.5.0 - CA Wiki

     

    opnet:

     

    It looks like you worked your way through the steps successfully; can this post be marked as Answered?



  • 11.  Re: CAPC and SSL problems

    Posted Aug 06, 2015 09:34 PM

    Just a word to the wise: be sure to put a reminder in your calendar for when the cert expires, and make the cert expiration five years in the future. Otherwise one day you'll come to work and every user will be calling you!



  • 12.  Re: CAPC and SSL problems

    Posted Aug 07, 2015 02:37 AM

    Hi niamh,

     

    that's also important for all Data Sources attached to CAPC. If not, you'll be searching forever for why the sync won't work...

     

    It took me two hours to find out that my Spectrum SSL certificate had expired and that this was the cause of the sync problems!

     

    rgds Steve