Clarity Service Management

Expand all | Collapse all

Configure REST SSL on CA ServiceDesk 14.1

Jump to Best Answer
  • 1.  Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-08-2017 06:43 AM

    Hi All

     

    I'm trying to configure the REST service for SSL whereby the Andoid App 'CA Service Management' makes use of a SSL url within the Android App.

     

    To make my setup more complicated, Service Desk and Mobility runs on the same server and can I ONLY use port 443 for both environments. The server is an Application Server (Advance Availablity). I believe the solution is IP Binding, I allocated an additional IP to this server and configured my CATALINA_BASE (server.xml) to use the one IP that redirects to SSL (443)

    The second IP I configured within CATALINA_BASE_REST (server.xml) to use and redirects to SSL (443) for the Android Mobile App

     

    The *.xml looks something like that ...

     

    <Connector connectionTimeout="20000" address="*.*.*.*" port="8050" protocol="HTTP/1.1" redirectPort="443"/>

     

    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
    port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
    This connector uses the JSSE configuration, when using APR, the
    connector should be using the OpenSSL style configuration
    described in the APR documentation -->

     

    <Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol" address="*.*.*.*" port="443" SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="***" keystorePass="***" keystoreType="PKCS12" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" cheme="https" secure="true" sslProtocol="TLS"
    />

     

    Via chrome browser was I able to login and authenticate "https://*.*.*.*/casdm/ " 

    ... BUT .. the Andoid App does not want to authencate me, error message "No Response from Server. Please contact your administartor"

     

    Can anybody assist

     



  • 2.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-08-2017 08:04 AM

    Hi Jacques, 

    I dont think this will work properly using the same ports. This is most likely due to DNS and the network externally only seeing one IP for the machine and not two.  I believe you will have to use separate port numbers, one for SDM tomcat, and one for REST tomcat in order for this to work properly from a mobile device using the mobile app.

    Anyone else have any ideas here?

    Jon I.



  • 3.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-09-2017 12:01 AM

    Hi Jon

     

    Yes I agree but I will be making use of DNS entries to drive that. One IP will be associated with https://support:443 (Service Desk) and the other IP with https://mobisupport:443 (Mobility)

     

    If anyone feels that will not work. I would like to know your view please.

     

    Thank you



  • 4.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-10-2017 04:40 AM

    if you are binding correctly your 2 IP's to the corresponding API and then use DNS to resolve the correct one, this must work. You need to make sure you did that in both

    Not sure I still  have this config anymore anywhere but I did it successfully in the past

    I will recommend you test your setup outside of the mobile app first using SOAPUI or others to verify that the RESTFull API is up and correctly responding in your setup.

    my 2 cents

    /J



  • 5.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-10-2017 04:54 AM

    Hi Jerome

     

    Thank you for your feedback, both server.xml within 'CATALINA_BASE' and 'CATALINA_BASE_REST' has been configured to bind with their own IP. This is successfully tested via chrome browser ... BUT, this does not work in Android AP, I was told that the https (SSL) URL needs to be configured in USS within the "(Optional) SERVICE DESK REST URL FOR MOBILE APP:" section. I'm still to test this as my QA environment is now giving failures when testing the connection for integration.



  • 6.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-10-2017 05:06 AM

    well this is only necessary if you have in fact USS in the picture(this is the best option to benefits of all functionalities)

    The mobile app can connect directly to the SDM REST API too (but SC and communities will not be available then)or use USS(and in this case only the REST URL option will be needed in USS) in This case you can use directly the IP:port directly. Something to look into too is to make sure that your SSL certificates have a fully trusted chain.

    Good luck

    /J



  • 7.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-10-2017 06:31 AM

    Thanks Jerome

     

    Do you think the android app will complain because it is a self signed cert?
    I'm running bluestacks to simulate this on our LAN.



  • 8.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-10-2017 07:24 AM

    Not sure as this really depend on how the CA dev will have implement but will have be me doing yes the app will have complain

    If you are testing internally you can quickly switch to http only and see if the app work fine in that setup. then you will have your answer

    /J



  • 9.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-14-2017 08:45 AM

    I re-checked my config and made sure that DNS entries are correctly configured per 2 IP addresses allocated to server.

    One IP is configured in server.xml within CATALINA_BASE - DNS entry points to this IP (https://support.*FQDN*)

    Other IP is configured in server.xml within CATALINA_BASE_REST - DNS entry points to this IP  (https://mobisupport.*FQDN*)

    The browser works fine but not the android app.

     

    Is there any documentation that shows end-to-end HTTP and HTTPS (TLS) configuration for Mobility and USS?



  • 10.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-14-2017 10:18 AM

    Hi Jacques,

    What do you mean by the browser work?

    That you are able from you mobile to access the "https://*.*.*.*/casdm/ " as you mentioned in one of your post above?

    CASDM is another web app  that is using the REST locally in the backend

    The mobile apps must not use the /casdm/ at the end only your DNS and eventually the port (but not necessary in your case as you use 443)

    https://mobilesupport.mydomain.com

    /J



  • 11.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-14-2017 03:26 PM

    Hi Jerome

     

    You assume correct, referring to the browser when testing the https connection config "https://*.*.*.*/casdm/ " via the backend. You are also correct ... I don't use the /casdm/ within the android app, only what you indicated above (https://mobilesupport.mydomain.com) but tested various permutations but none will work, the only URL that works is http://mobilesupport.mydomain.com:8050

     

    Hence me asking if there is a start-to-end complete guide that I can follow to make sure I did all the config required to make this work. What I do find is bit and drabs here and there.

     

    Thank you

    Jacques

     



  • 12.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-15-2017 03:45 AM

    HI Jacques,

    Unfortunately I'm not aware of such doc and in any case this will mostly only provide the standard setup.

    I don't get why this will not work as I successfully did similar setup with multiple IP's for different purpose in the past  including revers proxy and others.

    Unfortunately I don't have enough time right now to reproduce your test in my lab.

    Just to make sure we eliminate problem from your configuration and in this case identify that this is something coming from the app itself.

    A simple test can be to go directly to the URI  of the REST API using  a browser on your smartphone.

    https://mobilesupport.mydomain.com/caisd-rest/rest_access

    if you access correctly the REST API thereyou will receive a response page with a message like "Invalid REST Access key"

    Receiving this error we can then assume that the problem reside on the mobile app itself.

    if any other http error is returned (404,500,etc) you may have to look back in your config/dns/proxy, etc.

    Hope that make sense.

    /J



  • 13.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-15-2017 04:54 AM

    Hi Jerome

     

    Thank you so much for your assistance, it would seem it is the android App then, see screenshot.
    My next step is to update my support call with this.

     



  • 14.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-15-2017 06:01 AM

    Thanks

    Good luck then

    Hopefully they will find a solution for you

    Keep us posted

    /J



  • 15.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-22-2017 10:43 AM

    Both iOS/Android devices should have all your SSL certificates (including the certificate chain) added to the device's truststore before you can use the app properly over SSL.

     

    A quick test might be to kill all browser sessions first, and then open a new browser session to access the HTTPS URL for your REST port.  If you get a certificate warning error, then it usually means the cert is not a valid one and so the app would have difficulty that you speak about on this post above.

     

    Hope this helps

    _R



  • 16.  Re: Configure REST SSL on CA ServiceDesk 14.1

    Posted 02-23-2017 01:28 AM

    Hi Raghu

     

    Yes, it would seem you are correct ... the feedback I got from support is also saying the same thing.

    Also, the browser did complain about the cert.

     

    I'm waiting for public certs for my QA environment and will test again.

    I will feedback to this post once I tested to confirm this as correct.

     

    Thank you to all who gave their input and advice, it was much appreciated.

     

    Kind Regards

    Jacques



  • 17.  Re: Configure REST SSL on CA ServiceDesk 14.1
    Best Answer

    Posted 02-27-2017 08:50 AM

    Hi All

     

    This is now resolved, Entrust SSL cert is needed or at least install your self-signed cert as trusted on your mobile device for testing.