Symantec Access Management

Tech Tip : CA Single Sign-On :: SecureProxyServer::Enable SSL on ProxyUI 

Jan 05, 2016 12:41 AM

TITLE:  How to set up SSL for access to the Secure Proxy Server Administrative User Interface (proxyui)

INSTRUCTIONS :

The first step in getting proxy-engine (Tomcat) to listen on an SSL port is to obtain a certificate and private key pair.

If the host name used to access the proxyui is the same as the one used to access the SPS server itself (eg: http://sps.example.com/ and http://sps.example.com:8080/proxyui), which is usually the case, then proxyui can reuse the certificate and private key generated for the Apache front end (self-signed or otherwise), since that certificate is already issued for the right host name. Otherwise a new certificate and private key are required for the proxyui host name; see the certificate-generation steps in the product documentation (the simplest self-signed sequence is also shown in the comments below).

 

  1. Convert the certificate & private key into a .p12 object

    The first step is to convert the certificate (server_x509.cer in the example below; it may be called server.crt in your setup) and private key (server.key) into a PKCS#12 (.p12) object. In the following example ca.cer is the issuing CA certificate. For a self-signed certificate you do not need the -CAfile, -caname and -chain options at all; for a CA-issued certificate, -chain requires that the file given to -CAfile contains every certificate in the trust chain (a single .pem with all of them concatenated is fine), otherwise openssl reports an error while building the chain instead of producing a partial bundle. The -name tomcat option sets the alias that the later steps refer to:

    ..\bin\openssl pkcs12 -export -in server_x509.cer -inkey server.key -out mycert.p12 -name tomcat -CAfile ca.cer -caname root -chain

    You will be asked for the passphrase protecting server.key, if it has one, and for an export password for the new mycert.p12 file. Remember that export password: it also becomes the password of the private key entry inside the keystore created in step 2.
  2. Create the tomcat java keystore from the .p12 object.

    "c:\Program Files (x86)\Java\jdk1.6.0_31"\bin\keytool -importkeystore -srckeystore mycert.p12 -srcstoretype PKCS12 -destkeystore tomcat.keystore

    You will be prompted for the password to access mycert.p12, and for a new password for the created tomcat.keystore.

    Use the same password for both. keytool carries the .p12 password over as the password of the imported key entry, while proxy-engine/Tomcat opens that key with the keystore password stored in step 4; if the two differ, port 543 will not come up and nohup.out shows "java.io.IOException: Cannot recover key" (see the comments below). If you must use different passwords, add -srcalias tomcat -destkeypass <keystore password> to the keytool command so the key entry is re-protected with the keystore password.

    Note: The tomcat.keystore file needs to be installed in the secure-proxy/SSL/keys directory. It contains the private key, so restrict its file permissions to the account proxy-engine runs as.
  3. Update the server.conf file
    Uncomment and set the following parameters in server.conf (the port is the one proxy-engine will listen on for HTTPS; the keystore file name is the one placed in secure-proxy/SSL/keys in step 2):
     
    #To enable SSL for localapp uncomment next three parameters
    local.https.port=543
    local.https.keyStoreFileName="tomcat.keystore"
  4. Storing the tomcat.keystore decrypt password
    To open tomcat.keystore, proxy-engine needs its password. We do not want to store it in the clear, so the following method adds the (encrypted) password to the sslconfig.properties file; code in proxy-engine decrypts it at startup and uses it to open the keystore. Because proxy-engine must be able to decrypt it, this only protects against casual disclosure: restrict read access to sslconfig.properties (and tomcat.keystore) to the service account.
    Change to the bin directory and run GenerateSSLConfig.bat with the -keystorepass option, replacing password with the keystore password chosen in step 2 (note that the password then appears in the command history of that console session):
    cd \CA\proxy-engine\secure-proxy\bin
    GenerateSSLConfig.Bat -keystorepass password
     
    That generates output as follows:
    INFO: Successfully written SSL configuration properties file in: C:\CA\secure-proxy\Tomcat\properties\sslconfig.properties

  5. Restart the proxy-engine.
    Restart the proxy-engine via the system services.
    Check that the SSL listener comes up:
    netstat -an | find ":543 "
     
    This should show a socket in LISTENING state on port 543 (the leading colon and trailing space stop the filter from also matching ports such as 1543 or 5430).
    Otherwise look in server.log and the nohup log for clues as to what has occurred; a keystore password problem shows up there as "Cannot recover key".
     
  6. Access Proxy ui on SSL port :
    https://www.example.com:543/proxyui/

    You should be prompted to log in. With a self-signed certificate the browser will first warn that the issuer is untrusted; if it instead complains that the name does not match, the certificate was issued for a different host name than the one in the URL (see the note above about reusing the Apache certificate).
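The procedure in steps 1 to 6, as an added example that is not part of the original tech tip or of the SPS product: a shell script that generates a self-signed certificate for the proxyui host name, builds the .p12 bundle, converts it to tomcat.keystore, and then runs the two checks a practitioner wants before editing server.conf and restarting proxy-engine: that the certificate actually covers the host name in the proxyui URL, and that the private key can be opened with the keystore password alone (which is exactly what fails with "Cannot recover key" when the .p12 export password and the keystore password differ). It assumes OpenSSL 1.1.1 or later and a current JDK keytool on the PATH; the host name sps.example.com, the passwords p12secret and storesecret, and the scratch directory are placeholders. The openssl and keytool invocations are the same on Windows, only the paths and the shell syntax differ.

```shell
#!/usr/bin/env bash
# Added example, not from the original tech tip or the SPS product.
# Builds tomcat.keystore for proxyui (steps 1-2) and checks the two things
# that most often stop port 543 from coming up: a certificate that does not
# cover the proxyui host name, and a key entry whose password differs from
# the keystore password ("Cannot recover key" in nohup.out).
# Assumes OpenSSL >= 1.1.1 and a JDK keytool on PATH. The host name,
# passwords and scratch directory used below are placeholders.
set -e

# Self-signed certificate for the host name used in the proxyui URL.
# Browsers match against subjectAltName, not CN, so set both.
make_self_signed_cert() {   # <dir> <host>
  local dir=$1 host=$2
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/server.key" -out "$dir/server.crt" \
    -days 365 -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Step 6 pre-check: does the certificate cover the host name a browser will use?
cert_covers_host() {   # <cert.pem> <host>
  openssl x509 -in "$1" -noout -checkhost "$2" | grep "does match certificate" >/dev/null
}

# Step 1: cert + key into a PKCS#12 bundle with alias "tomcat".
# Self-signed, so no -CAfile/-caname/-chain; add them for a CA-issued cert.
make_pkcs12() {   # <dir> <p12 password>
  local dir=$1 p12pass=$2
  openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
    -out "$dir/mycert.p12" -name tomcat -passout "pass:$p12pass"
}

# Step 2: PKCS#12 -> JKS. keytool keeps the source (.p12) password on the
# imported key entry unless -destkeypass is given, so set it to the store
# password explicitly; Tomcat opens the key with the keystore password.
# --mismatch leaves -destkeypass out to reproduce the failure on purpose.
# JKS matches the tech tip; a modern keytool prints a migration warning.
make_keystore() {   # <dir> <p12 password> <store password> [--mismatch]
  local dir=$1 p12pass=$2 storepass=$3 keypass_opt=
  [ "${4:-}" = "--mismatch" ] || keypass_opt="-destkeypass $storepass"
  rm -f "$dir/tomcat.keystore"
  keytool -importkeystore -noprompt \
    -srckeystore "$dir/mycert.p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
    -srcalias tomcat -destalias tomcat \
    -destkeystore "$dir/tomcat.keystore" -deststoretype JKS \
    -deststorepass "$storepass" $keypass_opt
}

# What proxy-engine/Tomcat does at startup: open the key entry using only the
# keystore password. Returns 0 if the key is recoverable, 1 otherwise.
key_recoverable() {   # <keystore> <store password>
  local csr
  csr=$(mktemp)
  if keytool -certreq -alias tomcat -keystore "$1" -storepass "$2" -keypass "$2" \
       -file "$csr" >/dev/null 2>&1; then
    rm -f "$csr"; return 0
  fi
  rm -f "$csr"; return 1
}

# Stand-alone run: build everything in a scratch directory and report.
workdir=$(mktemp -d)
make_self_signed_cert "$workdir" sps.example.com
make_pkcs12 "$workdir" p12secret
if cert_covers_host "$workdir/server.crt" sps.example.com; then
  echo "certificate covers sps.example.com"
fi
if command -v keytool >/dev/null 2>&1; then
  make_keystore "$workdir" p12secret storesecret --mismatch
  if ! key_recoverable "$workdir/tomcat.keystore" storesecret; then
    echo "mismatched passwords: proxy-engine would fail with 'Cannot recover key'"
  fi
  make_keystore "$workdir" p12secret storesecret
  if key_recoverable "$workdir/tomcat.keystore" storesecret; then
    echo "key opens with the store password: copy $workdir/tomcat.keystore to secure-proxy/SSL/keys"
  fi
else
  echo "keytool not on PATH; install a JDK for step 2" >&2
fi
```

Run it as-is to see both outcomes in a temporary directory; the --mismatch call deliberately builds the broken keystore first. When adapting it for a real deployment, drop that demonstration, pass the -CAfile/-chain options from step 1 to make_pkcs12 for a CA-issued certificate, copy the resulting tomcat.keystore to secure-proxy/SSL/keys, and use the store password as the -keystorepass value in step 4.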

 

     Credit : The full credit for this article goes to its original author, our SPS guru Mark.ODonohue

Comments

Sep 23, 2018 07:01 PM

Hi Jeff, yeah it should be the same, they did change from RSA cryptoj.jar to the Bouncy Castle provider and that did cause some hiccups - so it is possible you have found one of them - but otherwise it should work as it did before. 

 

Cheers - Mark

Sep 23, 2018 03:16 PM

Does this work for Secure-Proxy v12.8?   See conflicting information depending on what site I'm looking at as to what is required to make this work on 12.8, appears something under the covers changed and may be out of sync with current documentation.   The specific problem I have is around using self signed certs for the tomcat instance.  The same certs are in use for the apache front end, and working as expected.

Feb 06, 2018 08:17 AM

Hi,

 

One thing to mention: the password used when exporting the certificate in .p12 format must be the same as the tomcat.keystore password, otherwise port 543 won't come up and you'll see the following error in the nohup.out log:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-543"]
java.io.IOException: Cannot recover key

 

Thank you,
Alex

Aug 30, 2017 09:22 AM

Thanks Mark.ODonohue, the steps you provided worked. I would like to add a few more steps which will get the HTTP service running:

 

In C:\Program Files\CA\secure-proxy\httpd\conf\spsapachessl.properties, enable:

apache.ssl.enabled=Y
#ssl.key.password=

 

Also in 

 

C:\Program Files\CA\secure-proxy\httpd\conf\extra\httpd-ssl.conf

 

enable the SSLCertificateFile line:

SSLCertificateFile "C:/Program Files/CA/secure-proxy/SSL/certs/server.crt" 

 

Before this, the HTTP service was failing to start.

Aug 29, 2017 08:38 PM

Hi Richard, 

 

The setup for SSL to proxyui is a little different since it is direct access to the tomcat/proxy-engine part. 

    http://www.example.com:8080/proxyui

    https://www.example.com:543/proxyui

Because these are served from tomcat the server certificate has to be imported into tomcat. 

 

For your case, which is a normal virtual host, all the requests come in via apache on :80 and :443  and then get forwarded to tomcat via a localhost port.  

 

ProxyUI Method

For normal SPS apache SSL setup the proxyui is a much easier method than the manual steps - but this does not work with a self-signed certificate unfortunately.  

 

Manual Steps 

So the link you have is the correct one for the documentation, where you are putting a certificate into apache: 

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/con… 

 

Since it covers, self signed & Cert request and FIPS/NON-FIPS and encrypted and not encrypted, there are a few repetitions.  I've just extracted the simplest self-signed certificate steps and put them here : 

 

Generate a self signed certificate : 

cd proxy-engine/SSL/bin

 

openssl genrsa -out server.key 2048

openssl req -new -x509 -key server.key -out server.crt -days 365 -config openssl.cnf

 

 

Copy them to the expected locations (as per httpd/conf/extra/httpd-ssl.conf settings) : 

mv server.key secure-proxy/SSL/keys/

mv server.crt secure-proxy/SSL/certs/

 

Then enable SSL (not using password in this case ) : 

cd secure-proxy/httpd/bin

 

(windows)  configssl.bat -enable  

(unix)     vi httpd/conf/spsapachessl.properties (add line) : apache.ssl.enabled=Y

 

Restart the httpd service 

 

 

If you have many virtual hosts with SSL, then you need to do a bit more work to distinguish the cert needed for each virtual host in the apache configuration. The old method had a different IP address per cert, but nowadays we have the SSL "Server Name Indication" field, which helps a lot. There is some discussion about those options here: 

 

https://communities.ca.com/message/241995814-re-sps-1252-multiple-certificates-with-same-ip?commentID=241995814#comments 

 

Hope that helps 

Cheers - Mark

---

Mark O'Donohue
Snr Principal Support Engineer
CA Technologies Support

Aug 29, 2017 02:33 PM

Thanks for the document, Ujwol. I have a question here: can you please suggest whether I can use these steps for a virtual host I define in the server.conf file?

 

For instance: I have below virtual host defined, after making some modifications:

 

<VirtualHost name="test-host">
    requestblocksize="4"
    responseblocksize="8"
    hostnames="test.ca.com"
    defaultsessionscheme="default"
    enablerewritecookiedomain="yes"
    enablerewritecookiepath="yes"
    enableproxypreservehost="yes"
    <WebAgent>
        sminitfile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent-test.conf"
    </WebAgent>
</VirtualHost>

 

Can I use https://test.ca.com/affwebservices/assertionretriever ?

 

The idea here is to use SPS apache over SSL for Federation.

I was trying to use Configuring SSL on Apache Web Server Manually - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation, but it's confusing, and moreover I want to use a Self Signed Certificate to enable SSL for the virtual host.

 

If you have some documentation created for enabling SSL for Virtual host please provide.
