Release Automation


Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

  • 1.  Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 01:43 AM

    Hi everyone,


    We followed these steps: Secure Communications - CA Release Automation - 5.5.2 - CA Technologies Documentation

    to secure our UI communication, so that we're able to use https without a problem. But one thing differed from the description: it says to use the same version of the JDK as the one installed with CA-RA. Well, CA-RA comes with the JRE 1.7.0_07 and we didn't find the JDK for that, so I used 1.7.0_79, as the JDK is needed to create the jar file and sign it. I was hoping that only the major version counts, but as we're getting Java errors, this might not be the case.

    The Release Operation Center does work fine, but when I try to start the Automation Studio, I'm running into two situations here:

    Starting Automation Studio with the http address gives me the error that the certificate could not be validated.

    More information gives the following error:

    sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing
      at sun.security.validator.EndEntityChecker.checkCodeSigning(Unknown Source)
      at sun.security.validator.EndEntityChecker.check(Unknown Source)
      at sun.security.validator.Validator.validate(Unknown Source)
      at sun.security.validator.Validator.validate(Unknown Source)
      at sun.security.validator.Validator.validate(Unknown Source)
      at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
      at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
      at com.sun.deploy.security.TrustDecider.isAllPermissionGrantedInt(Unknown Source)
      at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
      at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.launch(Unknown Source)
      at com.sun.javaws.Main.launchApp(Unknown Source)
      at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
      at com.sun.javaws.Main.access$000(Unknown Source)
      at com.sun.javaws.Main$1.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)
    

    When I then check the certificate details, everything looks fine to me.

    Starting Automation Studio with the https address gives me the error that the application could not be started, and it points to an error that the resource nolio-app/truststore.jsp could not be loaded. Details give:

    Startfile:

    <?xml version="1.0" encoding="utf-8"?>
    <jnlp spec="6.0+" codebase="https://ara.munich.munichre.com:8443/nolio-app">
    <application-desc main-class="com.nolio.platform.shared.app.NolioApp"/>
    <information>
    <title>Automation Studio</title>
    <vendor>CA Technologies</vendor>
    <homepage href="http://www.ca.com"/>
    <description>Automation Studio</description>
    <description kind="short">Automation Studio</description>
    <icon href="images/favicon.ico"/>
    <icon kind="splash" href="apps/nolio_splash.png"/>
    <offline-allowed/>
    </information>
    <security><all-permissions/></security>
    <resources>
    <java version="1.6+" initial-heap-size="64m" max-heap-size="512m" java-vm-args="-XX:MaxPermSize=130m -XX:+HeapDumpOnOutOfMemoryError"/>
    <jar href="apps/v2.0.0/lib/nolio-shared-app-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/activation-1.1.jar"/>
    <jar href="apps/v2.0.0/lib/ant-1.8.1.jar"/>
    <jar href="apps/v2.0.0/lib/ant-launcher-1.8.1.jar"/>
    <jar href="apps/v2.0.0/lib/antlr-2.7.7.jar"/>
    <jar href="apps/v2.0.0/lib/aopalliance-1.0.jar"/>
    <jar href="apps/v2.0.0/lib/asm-5.0.3.jar"/>
    <jar href="apps/v2.0.0/lib/aspectjrt-1.7.2.jar"/>
    <jar href="apps/v2.0.0/lib/aspectjweaver-1.6.8.jar"/>
    <jar href="apps/v2.0.0/lib/c3p0-0.9.1.1.jar"/>
    <jar href="apps/v2.0.0/lib/commons-beanutils-1.7.0.jar"/>
    <jar href="apps/v2.0.0/lib/commons-beanutils-core-1.8.0.jar"/>
    <jar href="apps/v2.0.0/lib/commons-cli-1.1.jar"/>
    <jar href="apps/v2.0.0/lib/commons-codec-1.6.jar"/>
    <jar href="apps/v2.0.0/lib/commons-collections-3.2.1.jar"/>
    <jar href="apps/v2.0.0/lib/commons-compress-1.0.jar"/>
    <jar href="apps/v2.0.0/lib/commons-configuration-1.6.jar"/>
    <jar href="apps/v2.0.0/lib/commons-digester-1.8.jar"/>
    <jar href="apps/v2.0.0/lib/commons-exec-1.1.jar"/>
    <jar href="apps/v2.0.0/lib/commons-httpclient-3.0-rc2.jar"/>
    <jar href="apps/v2.0.0/lib/commons-io-2.0.1.jar"/>
    <jar href="apps/v2.0.0/lib/commons-lang-2.4.jar"/>
    <jar href="apps/v2.0.0/lib/commons-lang3-3.1.jar"/>
    <jar href="apps/v2.0.0/lib/commons-logging-1.1.1.jar"/>
    <jar href="apps/v2.0.0/lib/commons-validator-1.4.0.jar"/>
    <jar href="apps/v2.0.0/lib/conf-utils-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/dbo-entities-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/dom4j-1.6.1.jar"/>
    <jar href="apps/v2.0.0/lib/eventbus-1.4.jar"/>
    <jar href="apps/v2.0.0/lib/expectj-2.0.7.jar"/>
    <jar href="apps/v2.0.0/lib/forms-1.0.7.jar"/>
    <jar href="apps/v2.0.0/lib/guava-13.0.1.jar"/>
    <jar href="apps/v2.0.0/lib/guava-gwt-13.0.1.jar"/>
    <jar href="apps/v2.0.0/lib/healthmonitor-api-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/hibernate-commons-annotations-4.0.1.Final.jar"/>
    <jar href="apps/v2.0.0/lib/hibernate-core-4.1.4.Final.jar"/>
    <jar href="apps/v2.0.0/lib/hibernate-entitymanager-4.1.4.Final.jar"/>
    <jar href="apps/v2.0.0/lib/hibernate-envers-4.1.4.Final.jar"/>
    <jar href="apps/v2.0.0/lib/hibernate-jpa-2.0-api-1.0.1.Final.jar"/>
    <jar href="apps/v2.0.0/lib/httpclient-4.3.2.jar"/>
    <jar href="apps/v2.0.0/lib/httpcore-4.3.1.jar"/>
    <jar href="apps/v2.0.0/lib/jackson-annotations-2.4.2.jar"/>
    <jar href="apps/v2.0.0/lib/jackson-core-2.4.2.jar"/>
    <jar href="apps/v2.0.0/lib/jackson-databind-2.4.2.jar"/>
    <jar href="apps/v2.0.0/lib/jackson-module-mrbean-2.4.2.jar"/>
    <jar href="apps/v2.0.0/lib/jatl-0.2.2.jar"/>
    <jar href="apps/v2.0.0/lib/javassist-3.12.1.GA.jar"/>
    <jar href="apps/v2.0.0/lib/javassist-3.15.0-GA.jar"/>
    <jar href="apps/v2.0.0/lib/javax.inject-1.jar"/>
    <jar href="apps/v2.0.0/lib/jaxen-1.1.1.jar"/>
    <jar href="apps/v2.0.0/lib/jboss-logging-3.1.0.GA.jar"/>
    <jar href="apps/v2.0.0/lib/jboss-transaction-api_1.1_spec-1.0.0.Final.jar"/>
    <jar href="apps/v2.0.0/lib/jcip-annotations-1.0.jar"/>
    <jar href="apps/v2.0.0/lib/jcl-over-slf4j-1.7.1.jar"/>
    <jar href="apps/v2.0.0/lib/jdom-1.0.jar"/>
    <jar href="apps/v2.0.0/lib/jide-action-2.2.4.jar"/>
    <jar href="apps/v2.0.0/lib/jide-common-2.2.4.jar"/>
    <jar href="apps/v2.0.0/lib/jide-components-2.2.4.jar"/>
    <jar href="apps/v2.0.0/lib/jide-dialogs-2.2.4.jar"/>
    <jar href="apps/v2.0.0/lib/jide-dock-2.2.4.jar"/>
    <jar href="apps/v2.0.0/lib/jide-grids-2.2.4.jar"/>
    <jar href="apps/v2.0.0/lib/jsch-0.1.51.jar"/>
    <jar href="apps/v2.0.0/lib/jsr305-2.0.1.jar"/>
    <jar href="apps/v2.0.0/lib/junit-3.8.1.jar"/>
    <jar href="apps/v2.0.0/lib/log4j-1.2.16.jar"/>
    <jar href="apps/v2.0.0/lib/looks-2.2.1.jar"/>
    <jar href="apps/v2.0.0/lib/nolio-actions-shared-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/nolio-bin-shared-app-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/nolio-branding-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/nolio-conf-shared-app-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/nolio-entities-shared-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/nolio-hibernate-shared-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/nolio-liquor-shared-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/nolio-service-now-client-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/nolio-shared-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/nolio-shared-app-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/nolio-shared-gui-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/opencsv-2.2.jar"/>
    <jar href="apps/v2.0.0/lib/oro-2.0.8.jar"/>
    <jar href="apps/v2.0.0/lib/PDFjet.jar"/>
    <jar href="apps/v2.0.0/lib/quartz-2.2.1.jar"/>
    <jar href="apps/v2.0.0/lib/ra-auth-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/ra-model-wrappers-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/ra-services-api-5.5.2.jar"/>
    <jar href="apps/v2.0.0/lib/reflections-0.9.8.jar"/>
    <jar href="apps/v2.0.0/lib/servlet-api-2.5.jar"/>
    <jar href="apps/v2.0.0/lib/sigar.jar"/>
    <jar href="apps/v2.0.0/lib/slf4j-api-1.7.5.jar"/>
    <jar href="apps/v2.0.0/lib/slf4j-log4j12-1.7.5.jar"/>
    <jar href="apps/v2.0.0/lib/spring-aop-4.0.6.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-beans-4.0.6.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-context-4.0.6.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-core-4.0.6.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-data-commons-1.5.1.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-data-jpa-1.3.2.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-expression-4.0.6.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-jdbc-3.2.8.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-ldap-core-1.3.2.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-orm-4.0.6.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-security-acl-3.2.4.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-security-config-3.2.4.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-security-core-3.2.4.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-security-ldap-3.2.4.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-security-remoting-3.2.4.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-security-web-3.2.4.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-tx-4.0.6.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/spring-web-4.0.6.RELEASE.jar"/>
    <jar href="apps/v2.0.0/lib/validation-api-1.0.0.GA.jar"/>
    <jar href="apps/v2.0.0/lib/xml-apis-1.4.01.jar"/>
    <jar href="apps/v2.0.0/lib/xmlpull-1.1.3.1.jar"/>
    <jar href="apps/v2.0.0/lib/xpp3_min-1.1.4c.jar"/>
    <jar href="apps/v2.0.0/lib/xstream-1.4.3.jar"/>
    <jar href="apps/v2.0.0/lib/y.jar"/>
    <jar href="apps/v2.0.0/lib/zip4j-1.3.2.jar"/>
    <property name="jnlp.nolio.app.strings.path" value="lang/strings_en.properties"/>
    <property name="jnlp.nolio.app.code.base" value="https://ara.munich.munichre.com:8443"/>
    <extension name="truststore-jar" href="truststore.jsp"/>
    </resources>
    </jnlp>
    

    Exception:

    com.sun.deploy.net.FailedDownloadException: Ressource konnte nicht geladen werden: https://ara.munich.munichre.com:8443/nolio-app/truststore.jsp
      at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
      at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
      at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
      at com.sun.deploy.cache.ResourceProviderImpl.getJreResource(Unknown Source)
      at com.sun.javaws.LaunchDownload._downloadExtensionsHelper(Unknown Source)
      at com.sun.javaws.LaunchDownload.downloadExtensionsHelper(Unknown Source)
      at com.sun.javaws.LaunchDownload.downloadExtensions(Unknown Source)
      at com.sun.javaws.Launcher.prepareLaunchFile(Unknown Source)
      at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.launch(Unknown Source)
      at com.sun.javaws.Main.launchApp(Unknown Source)
      at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
      at com.sun.javaws.Main.access$000(Unknown Source)
      at com.sun.javaws.Main$1.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)
    

    Third tab (sorry, can't translate it; it is called "Umbrochene Ausnahme" in German):

    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
      at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.security.AccessController.doPrivilegedWithCombiner(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
      at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
      at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
      at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
      at com.sun.deploy.net.BasicHttpRequest.doGetRequest(Unknown Source)
      at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
      at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
      at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
      at com.sun.deploy.cache.ResourceProviderImpl.getJreResource(Unknown Source)
      at com.sun.javaws.LaunchDownload._downloadExtensionsHelper(Unknown Source)
      at com.sun.javaws.LaunchDownload.downloadExtensionsHelper(Unknown Source)
      at com.sun.javaws.LaunchDownload.downloadExtensions(Unknown Source)
      at com.sun.javaws.Launcher.prepareLaunchFile(Unknown Source)
      at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.launch(Unknown Source)
      at com.sun.javaws.Main.launchApp(Unknown Source)
      at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
      at com.sun.javaws.Main.access$000(Unknown Source)
      at com.sun.javaws.Main$1.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
      at sun.security.ssl.InputRecord.read(Unknown Source)
      ... 35 more
    

    Could the different JDK/JRE versions be causing this behavior?

    As always, any help is much appreciated.

    Thanks

    Michael



  • 2.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 01:51 AM

    Also, shouldn't the custom-truststore.jar that we created and copied to "..\webapps\nolio-app\apps\v2.0.0\lib" be loaded as well? Hm, more of a reason that the different JDK/JRE versions might be the problem. **** it



  • 3.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 02:00 AM

    Ok, I removed the custom-truststore.jar from the lib folder and Automation Studio does start up again, so the error is nailed down to the JDK/JRE version difference.

    So, the question now is how to get the correct JDK. As I said, our version of CA-RA came with the JRE 1.7.0_07 included; I can't find the JDK for that anymore.



  • 4.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 02:37 AM

    Hi, I don't believe that the different versions can be the root cause. I have a different experience. My jarsigner is

    JARSIGNER=/usr/java/jdk1.8.0_05/bin/jarsigner

    and using this I was able to create an E2E trusted connection on both 5.0.2 and 5.5.2. My problem back then was to have a valid code signing certificate. Looking at the very first line of your original post (the error message) hints at that problem.

    HTH.

    Bernard



  • 5.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 02:41 AM

    Yeah, I just got information that for the jar file the name of the JKS MUST be nolio.jks; we kept it as custom-truststore.jks as we were confused by the documentation.

    I'm going to test this now and will post the result here.



  • 6.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 02:49 AM

    Nope, this didn't work; still getting the same error. Too bad.



  • 7.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 03:03 AM

    When calling the jarsigner I'm getting the following warning:

    Warning:
    The signer certificate's ExtendedKeyUsage extension doesn't allow code signing.
    The signer's certificate chain is not validated.
    No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2018-03-02) or after any future revocation date.

    I ignored it, as they were only warnings, but you're right: the first error indicates that the warning about code signing apparently should not be ignored. So is this a problem with our certificate? This is one our company created after we ordered it; maybe I need to talk to the guys responsible, in case there is something wrong with it.



  • 8.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 03:21 AM

    This is certainly the problem. Check your code signing keystore. It must have this SSL extension:

    #6: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      codeSigning
    ]

    You cannot use a standard keystore.



  • 9.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 03:46 AM

    Hi, so I checked the JKS and can't find the codeSigning entry. Do you know where I need to change the workflow described in the Wiki to have this in it?

    Our process was as follows:

    - create the JKS
    - from the JKS we create a certificate request
    - this request is used for a change to another service in our company, which sends us back the certificate itself as a p7b file, which we then import into the JKS

    So, is the code signing part of our creation of the keystore and certificate request, or is this something that the other service must do when they create the real request from our certificate request?

    Hope it is clear what I mean.

    Thanks!

    P.S. Voted for the ideas; the first one I already did a while ago.



  • 10.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 04:00 AM

    Hi, I can't answer this. At our company, we have our own official certificate self-service, where I can generate officially signed keys and keystores. One of the options is a 'code signing' keystore, which I used to sign the jar file. All my other keystores are of the type 'SSL client and server' and they have those SSL extensions. And these client and server extensions are currently a problem on the NiMi connection, which apparently cannot handle SSL extensions at all (I tried with several SSL extension types). Hence my second idea :-) From my understanding of keystores (and I am no expert; before RA I didn't even know such beasts existed!), you cannot add or remove extensions; you must generate your keystore with the proper extensions already in place.



  • 11.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 04:09 AM

    Ok, I just checked Google a bit and it seems like this is something that our certificate service would need to provide, as I did find something describing the same steps we did. So first create the keystore with genkeypair and then export a certificate request; in the next step they then point out that you need to order a code signing certificate. Which would mean for me that I need to talk to the guys and ask if this is even possible in our company :-D

    Thanks for your help!
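    The check Bernard describes above (the keystore's certificate must carry ExtendedKeyUsage, OID 2.5.29.37, with codeSigning) and the point from the last two posts (an "SSL client and server" certificate will not do; the code signing usage has to be in the certificate the issuing service hands back) can be exercised outside of keytool. The following is an added example, not code from the thread or from CA Release Automation. It applies the rule behind the very first error message of the thread: if an ExtendedKeyUsage extension is present, it must contain codeSigning (or anyExtendedKeyUsage), and if a KeyUsage extension is present it must contain digitalSignature; a certificate with no EKU extension at all passes the EKU rule. The two self-signed certificates it builds are constructed for the demonstration (the subject name is hypothetical), and CheckPEM accepts the PEM that "keytool -exportcert -rfc" prints for a keystore entry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// ekuNames renders EKU values with the names keytool prints (serverAuth, codeSigning, ...).
func ekuNames(us []x509.ExtKeyUsage) []string {
	known := map[x509.ExtKeyUsage]string{
		x509.ExtKeyUsageAny: "anyExtendedKeyUsage", x509.ExtKeyUsageServerAuth: "serverAuth",
		x509.ExtKeyUsageClientAuth: "clientAuth", x509.ExtKeyUsageCodeSigning: "codeSigning",
	}
	out := make([]string, 0, len(us))
	for _, u := range us {
		if n, ok := known[u]; ok {
			out = append(out, n)
		} else {
			out = append(out, fmt.Sprintf("eku(%d)", u))
		}
	}
	return out
}

// CodeSigningCheck reports whether a signer certificate's usage extensions permit
// code signing, and why. A KeyUsage extension, if present, must include
// digitalSignature; an ExtendedKeyUsage extension (OID 2.5.29.37), if present,
// must include codeSigning or anyExtendedKeyUsage. No EKU extension at all is
// not a restriction and therefore passes.
func CodeSigningCheck(cert *x509.Certificate) (bool, string) {
	if cert.KeyUsage != 0 && cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return false, "KeyUsage extension present but lacks digitalSignature"
	}
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return true, "no ExtendedKeyUsage extension present (not restricted)"
	}
	for _, u := range cert.ExtKeyUsage {
		if u == x509.ExtKeyUsageCodeSigning || u == x509.ExtKeyUsageAny {
			return true, "ExtendedKeyUsage permits code signing"
		}
	}
	return false, fmt.Sprintf("ExtendedKeyUsage %v does not permit code signing", ekuNames(cert.ExtKeyUsage))
}

// CheckPEM parses the first CERTIFICATE block in pemData and runs CodeSigningCheck on it.
func CheckPEM(pemData []byte) (bool, string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, "", errors.New("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, "", err
	}
	ok, why := CodeSigningCheck(cert)
	return ok, why, nil
}

// demoCert builds a constructed self-signed certificate (hypothetical subject) with
// digitalSignature key usage and the given EKUs, so the check runs offline.
func demoCert(eku []x509.ExtKeyUsage) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ra.example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// DemoSSLCert mimics an "SSL client and server" certificate: serverAuth + clientAuth only.
func DemoSSLCert() ([]byte, error) {
	return demoCert([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
}

// DemoCodeSigningCert carries the codeSigning EKU that jarsigner and Web Start expect.
func DemoCodeSigningCert() ([]byte, error) {
	return demoCert([]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning})
}

func main() {
	// Usage: go run . [exported-cert.pem]; without an argument the two demo certs are checked.
	if len(os.Args) > 1 {
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Println("read error:", err)
			os.Exit(2)
		}
		ok, why, err := CheckPEM(data)
		fmt.Printf("%s: ok=%v (%s) err=%v\n", os.Args[1], ok, why, err)
		return
	}
	demos := []struct {
		name string
		gen  func() ([]byte, error)
	}{{"SSL client/server", DemoSSLCert}, {"code signing", DemoCodeSigningCert}}
	for _, d := range demos {
		p, err := d.gen()
		if err != nil {
			fmt.Println(d.name, "generation error:", err)
			continue
		}
		ok, why, _ := CheckPEM(p)
		fmt.Printf("%-18s -> ok=%v (%s)\n", d.name, ok, why)
	}
}
```

    Run with no argument to see the "SSL client and server" certificate rejected and the code signing one accepted; run it against a PEM exported from the JKS to check the certificate the company's service actually returned before signing the truststore jar with it.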



  • 12.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 04:16 AM

    You're welcome. Once you've got all the pieces together it does not seem that complicated, but believe me, it took me a LOOOOONG time and never-ending support cases to get it working. In my opinion SSL hardening in CA is currently not enterprise-software capable. The customer should not have to do all this cryptic configuration. Upload the certificates with the GUI, and all the behind-the-scenes stuff should be fully transparent to the customer.



  • 13.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 04:19 AM

    Agreed.



  • 14.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 04, 2016 03:35 AM

    You might want to vote for these 2 ideas, which are related to SSL hardening.

    https://communities.ca.com/ideas/235719945

    https://communities.ca.com/ideas/235729573



  • 15.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Broadcom Employee
    Posted Mar 04, 2016 10:20 AM

    I'm watching this very closely and will be interested in how we can clarify the doc based on your experience. We've done a lot of work on this content to make it as accurate as possible (but it is a very complicated set of steps, and everybody has different processes in their respective companies to consider). So if there is anything I can do to clarify where you got tripped up, please let me know.

     

    Thanks,

    Archer



  • 16.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 07, 2016 01:14 AM

    Hi Archer,

     

    Talking only about the Secure UI Communication part, the thing that struck us the most was the switch back to nolio.jks, as we didn't get the reason behind it. The next thing is that there is nothing mentioned about the requirement of a code signing certificate. This might be clear for someone who did this before, and now I know as well that when you sign a jar you might need this, but as I said in one of my posts, I ignored the warning during the jarsigner call because it was only a warning and not an error. So maybe some words regarding that would be nice as well. I have confirmation from our certificate service that I'm allowed to order a code signing certificate, so I will do this and see if this fixes the error I'm currently getting (will most likely be the case, but you never know).

     

    best regards

    michael



  • 17.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 07, 2016 06:18 AM

    Never mind that; we decided we're just leaving it as it is, as the ROC does work with the secured connection and that is all that matters. The Automation Studio is only used by us admins. So, no more testing on our side.



  • 18.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Posted Mar 07, 2016 03:50 AM

    Hello Archer

    IMHO I'd rather you guys spend your efforts on hiding this complexity from the customer rather than documenting this much too complex setup. Today hardening this kind of software in companies is quite common, and the paying customer should not bear the burden of getting this software running in a secure way. In a banking environment you cannot simply roll out RA with default keystores and passwords. Don't get me wrong, a DETAILED and ACCURATE documentation mentioning ALL requirements and steps is of course more than welcome. I battled a long time to get this working properly and understand the different levels of communication between RA components. What I found is ok for our environment, but may not work in another setup. There are many pitfalls till you get to a properly communicating RA using custom SSL crypto material E2E.

    Cheers

    Bernard



  • 19.  Re: Secure UI Communication - Automation Studio not running anymore! (5.5.2.191)

    Broadcom Employee
    Posted Mar 07, 2016 11:07 AM

    Thank you both for the information. I will see what I can do about clarifying the codesigning certificate requirement.

    Bernard, I definitely agree with you and have voted for both ideas. I hope the team can address this soon. In the meantime, we'll do the best we can with the complicated doc.

     

    Thanks,

    Archer