TITLE: How to set up SSL for access to the Secure Proxy Server Administrative User Interface (proxyui)
INSTRUCTIONS:
The first step in getting proxy-engine/tomcat to listen on an SSL port is to obtain a certificate and private key pair.
If the host name used to access the proxyui is identical to the one used to access the SPS server itself (e.g. http://sps.example.com/ and http://sps.example.com:8080/proxyui), which is usually the case, then proxyui can reuse the certificate and private key generated for the Apache front end (self-signed or otherwise). Otherwise a new certificate and private key are required via steps 1-3 in the documentation on this page.
Credit: full credit for this article goes to its original author, our SPS guru Mark.ODonohue.
Hi Jeff, yeah, it should be the same. They did change from the RSA cryptoj.jar to the Bouncy Castle provider, and that did cause some hiccups, so it is possible you have found one of them, but otherwise it should work as it did before.
Cheers - Mark
Does this work for Secure Proxy v12.8? I see conflicting information, depending on what site I'm looking at, as to what is required to make this work on 12.8; it appears something under the covers changed and may be out of sync with the current documentation. The specific problem I have is around using self-signed certs for the tomcat instance. The same certs are in use for the apache front end and working as expected.
Hi,
One thing to mention: the password used when exporting the certificate in .p12 format must be the same as the tomcat.keystore password, otherwise port 543 won't come up and you'll see the following error in the nohup.out log:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-543"]
java.io.IOException: Cannot recover key
Thank you, Alex
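To make the password rule above mechanical, here is an added example (my own script, not CA/SPS code) that builds a Tomcat keystore from the Apache server.key/server.crt with one value for the PKCS#12 export password, the keystore password and the key entry password, and then checks that the key entry can be recovered with the keystore password alone, which is what Tomcat does at startup. The alias "tomcat", the JKS store type and the file names are assumptions, not taken from the product documentation; the optional fifth argument exists only to reproduce the mismatch that produces "Cannot recover key".

```shell
#!/bin/sh
# Added example (not CA/SPS code): build a Tomcat keystore from the Apache
# server.key/server.crt so that the PKCS#12 export password, the keystore
# password and the key entry password are all the same value. Alias "tomcat"
# and the JKS store type are assumptions. Tomcat unlocks the key entry with
# the keystore password unless keyPass is set on the connector, so a key
# password that differs from it gives the "Cannot recover key" failure above.

# Usage: sps_build_tomcat_keystore key cert out.keystore storepass [keypass]
# keypass defaults to storepass (the correct case); pass a different value
# only to reproduce the failure.
sps_build_tomcat_keystore() {
  key=$1; crt=$2; out=$3; storepass=$4; keypass=${5:-$4}
  p12="${out%.*}.p12"
  # Export to PKCS#12; the export password protects both the bag and the key.
  openssl pkcs12 -export -inkey "$key" -in "$crt" -name tomcat \
      -out "$p12" -passout "pass:$storepass" || return 1
  rm -f "$out"
  # JKS (unlike PKCS#12) allows store and key passwords to differ, which is
  # exactly the mismatch this thread warns about, so set both explicitly.
  keytool -importkeystore -noprompt \
      -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$storepass" \
      -srcalias tomcat -destalias tomcat \
      -destkeystore "$out" -deststoretype JKS -deststorepass "$storepass" \
      -destkeypass "$keypass" >/dev/null 2>&1 || return 1
  rm -f "$p12"
}

# Check that the key entry can be recovered with the store password alone.
# keytool -certreq needs the private key and, without -keypass, falls back to
# the store password, so a mismatch fails here instead of in nohup.out.
sps_check_keystore() {
  out=$1; storepass=$2
  keytool -list -keystore "$out" -storepass "$storepass" -alias tomcat \
      >/dev/null 2>&1 || return 1
  keytool -certreq -keystore "$out" -storepass "$storepass" -alias tomcat \
      -file "${out%.*}.csr.tmp" </dev/null >/dev/null 2>&1
  rc=$?
  rm -f "${out%.*}.csr.tmp"
  return $rc
}
```

Run it as `sps_build_tomcat_keystore SSL/keys/server.key SSL/certs/server.crt tomcat.keystore 'yourpassword'` followed by `sps_check_keystore tomcat.keystore 'yourpassword'`; if the check fails, fix the keystore before restarting rather than reading the stack trace out of nohup.out.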
Thanks Mark.ODonohue, the steps you provided worked. I would like to add a few more steps, which will get the HTTP service running.
Enable in C:\Program Files\CA\secure-proxy\httpd\conf\spsapachessl.properties:
apache.ssl.enabled=Y
#ssl.key.password=
Also in
C:\Program Files\CA\secure-proxy\httpd\conf\extra\httpd-ssl.conf
enable SSLCertificateFile "C:/Program Files/CA/secure-proxy/SSL/certs/server.crt"
Before this the HTTP service was failing to start.
Hi Richard,
The setup for SSL to proxyui is a little different, since it is direct access to the tomcat/proxy-engine part.
http://www.example.com:8080/proxyui
https://www.example.com:543/proxyui
Because these are served from tomcat the server certificate has to be imported into tomcat.
For your case, which is a normal virtual host, all the requests come in via apache on :80 and :443 and then get forwarded to tomcat via a localhost port.
ProxyUI Method
For normal SPS apache SSL setup the proxyui is a much easier method than the manual steps - but this does not work with a self-signed certificate unfortunately.
Manual Steps
So the link you have is the correct one for the documentation, where you are putting a certificate into apache:
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/con…
Since it covers self-signed & cert request, FIPS/non-FIPS, and encrypted and not encrypted, there are a few repetitions. I've just extracted the simplest self-signed certificate steps and put them here:
Generate a self-signed certificate:
cd secure-proxy/proxy-engine/SSL/bin
openssl genrsa -out server.key 2048
openssl req -new -x509 -key server.key -out server.crt -days 365 -config openssl.cnf
Move them to the expected locations (as per the httpd/conf/extra/httpd-ssl.conf settings, i.e. SSL/keys and SSL/certs under the secure-proxy install root):
mv server.key ../../../SSL/keys/
mv server.crt ../../../SSL/certs/
Then enable SSL (not using a password in this case):
cd secure-proxy/httpd/bin
(windows) configssl.bat -enable
(unix) vi ../conf/spsapachessl.properties (add the line): apache.ssl.enabled=Y
Restart the httpd service.
If you have many virtual hosts with SSL, then you need to do a bit more work to distinguish the cert needed for each virtual host in the apache configuration. The old method had a different IP address per cert, but nowadays we have the SSL "Server Name Indication" field, which helps a lot. There is some discussion about those options here:
https://communities.ca.com/message/241995814-re-sps-1252-multiple-certificates-with-same-ip?commentID=241995814#comments
Hope that helps
---
Mark O'Donohue
Snr Principal Support Engineer
CA Technologies Support
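The manual steps in Mark's answer, wrapped in a re-runnable script, as an added example that is not part of the original post or of the product. It assumes the install layout quoted in this thread relative to the install root passed as the first argument (SSL/keys/server.key, SSL/certs/server.crt, httpd/conf/spsapachessl.properties, httpd/conf/extra/httpd-ssl.conf), uses openssl's -subj in place of the product's openssl.cnf so it runs anywhere, replaces the "vi ... add line" step with an idempotent property edit, and adds a preflight that catches the two start-up failures reported later in the thread (SSL not enabled in the properties file; SSLCertificateFile/SSLCertificateKeyFile commented out or pointing at a file that is not there) plus a world-readable private key, which is my own addition.

```shell
#!/bin/sh
# Added example (not CA/SPS code): the manual Apache SSL steps above, wrapped
# in re-runnable functions plus a preflight check. Assumed layout, taken from
# the paths quoted in this thread and relative to the install root $1:
#   SSL/keys/server.key, SSL/certs/server.crt,
#   httpd/conf/spsapachessl.properties, httpd/conf/extra/httpd-ssl.conf
# The -subj option replaces the thread's "-config openssl.cnf" so the example
# runs without the product's config file.

# Generate a self-signed key/cert pair into the expected locations,
# keeping any pair that is already there.
sps_gen_selfsigned() {
  root=$1; cn=$2; days=${3:-365}
  key="$root/SSL/keys/server.key"; crt="$root/SSL/certs/server.crt"
  if [ -s "$key" ] && [ -s "$crt" ]; then
    echo "keeping existing $key and $crt"; return 0
  fi
  mkdir -p "$root/SSL/keys" "$root/SSL/certs" || return 1
  # umask 077 so the private key is created 0600 rather than 0644
  (umask 077 && openssl genrsa -out "$key" 2048) || return 1
  openssl req -new -x509 -key "$key" -out "$crt" -days "$days" -subj "/CN=$cn"
}

# Set prop=value in a .properties file: replace an existing line, else append.
# Safe to run twice (the "vi ... add line" step is not).
sps_set_property() {
  file=$1; prop=$2; value=$3
  [ -f "$file" ] || : > "$file"
  esc=$(printf '%s' "$prop" | sed 's/\./\\./g')
  if grep -q "^[[:space:]]*$esc=" "$file"; then
    tmp="$file.tmp.$$"
    sed "s|^[[:space:]]*$esc=.*|$prop=$value|" "$file" > "$tmp" && mv "$tmp" "$file"
  else
    printf '%s=%s\n' "$prop" "$value" >> "$file"
  fi
}

# Value of an uncommented Apache directive, quotes stripped ("" if commented out).
apache_directive() {
  conf=$1; name=$2
  awk -v d="$name" '$1 == d {
    sub(/^[ \t]*[^ \t]+[ \t]+/, ""); gsub(/"/, ""); sub(/[ \t]+$/, ""); print; exit
  }' "$conf"
}

# Preflight for the failures reported in this thread: SSL not enabled in the
# properties file, SSLCertificateFile/SSLCertificateKeyFile commented out or
# pointing at a file that is not there, and (my addition) a private key that
# is world-readable.
sps_check_ssl_config() {
  root=$1; rc=0
  props="$root/httpd/conf/spsapachessl.properties"
  conf="$root/httpd/conf/extra/httpd-ssl.conf"
  grep -q '^[[:space:]]*apache\.ssl\.enabled=Y' "$props" 2>/dev/null \
    || { echo "apache.ssl.enabled=Y missing in $props"; rc=1; }
  for d in SSLCertificateFile SSLCertificateKeyFile; do
    f=$(apache_directive "$conf" "$d")
    if [ -z "$f" ]; then
      echo "$d is commented out or missing in $conf"; rc=1
    elif [ ! -s "$f" ]; then
      echo "$d points at a missing or empty file: $f"; rc=1
    fi
  done
  keyfile=$(apache_directive "$conf" SSLCertificateKeyFile)
  # ls -ld: character 8 is the "other read" bit; "-" means not world-readable
  if [ -f "$keyfile" ] && [ "$(ls -ld "$keyfile" | cut -c8)" != "-" ]; then
    echo "private key $keyfile is world-readable"; rc=1
  fi
  return $rc
}
```

Typical use on Unix: `sps_gen_selfsigned /opt/CA/secure-proxy sps.example.com`, then `sps_set_property /opt/CA/secure-proxy/httpd/conf/spsapachessl.properties apache.ssl.enabled Y`, then `sps_check_ssl_config /opt/CA/secure-proxy` and only restart httpd once the check passes (the install path is an assumed example).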
Thanks for the document, Ujwol. I have a question here: can you please suggest whether I can use these steps for a virtual host I define in the server.conf file?
For instance: I have below virtual host defined, after making some modifications:
<VirtualHost name="test-host">
requestblocksize="4"
responseblocksize="8"
hostnames="test.ca.com"
defaultsessionscheme="default"
enablerewritecookiedomain="yes"
enablerewritecookiepath="yes"
enableproxypreservehost="yes"
<WebAgent>
sminitfile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent-test.conf"
</WebAgent>
</VirtualHost>
Can I use https://test.ca.com/affwebservices/assertionretriever?
The idea here is to use SPS apache over SSL for Federation.
I was trying to use "Configuring SSL on Apache Web Server Manually - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation", but it's confusing, and moreover I want to use a self-signed certificate to enable SSL for the virtual host.
If you have some documentation on enabling SSL for a virtual host, please provide it.