
Tuesday Tip: How to Secure the CA Automation Point Web Services Communication Channel


    Broadcom Employee
    Posted Dec 09, 2014 10:07 AM

    A few months ago, I posted a Tuesday Tip regarding deploying, configuring, and using Automation Point Web Services (https://communities.ca.com/message/241709769#241709769), and today I am following up with a tip about securing your Web Services communications with TLS encryption. To secure the transmission of the user ID and password from the remote client to the CA Automation Point server, configure your communications to use TLS. TLS stands for Transport Layer Security; it is the successor to, and is still commonly referred to as, SSL (Secure Sockets Layer).

     

    You should follow the instructions in the Tuesday Tip cited above to configure and deploy web services, in general, before you take the steps indicated in this Tuesday Tip.


    In today’s tip, I will show you the steps to take to secure the remote client and the server sides of the web services communication channel.

     


    Steps on SERVER:

     

    Issue CD command for path where keytool utility resides:

     

    C:> CD C:\Program Files (x86)\Java\jre7\bin

     

    Issue commands from prompt C:\Program Files (x86)\Java\jre7\bin> as follows:

     

    keytool -genkey -alias tomcat -keyalg RSA

     

    Enter keystore password: yourpassword

    Re-enter new password: yourpassword              

     

    What is your first and last name?

    [unknown]:        Joe Customer

    What is the name of your organizational unit?

    [unknown]:        Automation

    What is the name of your organization?

    [unknown]:        ACME

    What is the name of your City or Locality?

    [unknown]:        Dallas

    What is the name of your State or Province?

    [unknown]:        TX

    What is the two-letter country code for this unit?

    [unknown]:        US

    Is CN=Joe Customer, OU=Automation, O=ACME, L=Dallas, ST=TX, C=US correct?

    [no]:                      Yes

     

    Enter key password for <tomcat>
            (RETURN if same as keystore password):  yourpassword

    Re-enter new password:  yourpassword

     

    The above created the file .keystore, holding the new RSA key pair and its self-signed certificate under the alias tomcat, in C:\Users\NameofUserAccount. (The original post shows a screen snapshot of that directory here.)


    Issue CD command for path where Apache Tomcat 7.0 configuration files reside:

     

    CD C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf

     

    Edited file server.xml in E:\Program Files\Apache Software Foundation\Tomcat 7.0\conf as shown below. The begin comment and end comment characters have been removed around the Connector statement, and the line with the keystoreFile and keystorePass attributes (shown in red text in the original post) was added. I also changed the maxThreads value to what was shown in the “Apache Tomcat 7 (7.0.55) – SSL Configuration HOW-TO” document …


    From:


        <!-- Define a SSL HTTP/1.1 Connector on port 8443
             This connector uses the JSSE configuration, when using APR, the
             connector should be using the OpenSSL style configuration
             described in the APR documentation -->
        <!--
        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" />
        -->

     

    To:


        <!-- Define a SSL HTTP/1.1 Connector on port 8443
             This connector uses the JSSE configuration, when using APR, the
             connector should be using the OpenSSL style configuration
             described in the APR documentation -->

        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="200" scheme="https" secure="true"
                   keystoreFile="C:\Users\Administrator\.keystore" keystorePass="mypassword"
                   clientAuth="false" sslProtocol="TLS" />
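    As an added example (not code from this tip or from CA/Broadcom), the following Python script checks a server.xml for the connector settings described above: it parses the file with xml.etree, which drops XML comments, so a connector that is still wrapped in the stock <!-- --> is reported as not active, and it flags a missing keystoreFile or keystorePass or a wrong SSLEnabled, scheme or secure value. The two server.xml fragments embedded in it (before and after the edit) are constructed for the example.

```python
"""Check a Tomcat 7 server.xml for the HTTPS Connector settings this tip describes.

Added example, not code from the tip or from CA/Broadcom. The two
server.xml fragments below are constructed: one as the stock file
ships (TLS connector still commented out) and one after the edits.
"""
import xml.etree.ElementTree as ET

# Constructed: stock server.xml, the 8443 connector still inside <!-- -->.
SERVER_XML_BEFORE = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
  </Service>
</Server>"""

# Constructed: the same file after the edits shown in the tip.
SERVER_XML_AFTER = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="200" scheme="https" secure="true"
               keystoreFile="C:\\Users\\Administrator\\.keystore" keystorePass="mypassword"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>"""

# Attribute values the tip's connector must carry for Tomcat to serve TLS on it.
REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}


def find_connector(xml_text, port="8443"):
    """Return the attributes of the active Connector on `port`, or None.

    ElementTree drops XML comments while parsing, so a connector that is
    still wrapped in <!-- --> (as in the stock file) is not found.
    """
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") == port:
            return dict(conn.attrib)
    return None


def check_tls_connector(xml_text, port="8443"):
    """Return a list of findings; an empty list means the connector matches the tip."""
    attrs = find_connector(xml_text, port)
    if attrs is None:
        return ["no active Connector on port %s (still commented out?)" % port]
    findings = []
    for key, want in REQUIRED.items():
        if attrs.get(key) != want:
            findings.append('%s should be "%s", found %r' % (key, want, attrs.get(key)))
    if not attrs.get("keystoreFile"):
        # Without keystoreFile Tomcat falls back to .keystore in the home
        # directory of the account running the service, which is rarely intended.
        findings.append("keystoreFile missing")
    if not attrs.get("keystorePass"):
        # Without keystorePass Tomcat tries the keytool default password.
        findings.append("keystorePass missing")
    return findings


if __name__ == "__main__":
    for label, text in (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER)):
        print(label, check_tls_connector(text) or "OK")
```

    Run it against a copy of the real conf\server.xml by reading the file into `check_tls_connector`. Note that with this setup the keystore password sits in clear text in server.xml, so the NTFS permissions on the Tomcat conf directory matter as much as the keystore file itself.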

        

     

    Steps on CLIENT:


    Issue CD command for path where SendMsgToSession.bat file utility resides.

    C:\Program Files (x86)\CA\CA Automation Point\Sample\websvc\scripts

     

    Edit the initSamples.bat file to set the uriRoot for your web services requests to use https and the correct server and port:

    set uriRoot=https://slast02-U128197:8443/apwebsvc

     

    Issue commands from prompt C:\Program Files (x86)\CA\CA Automation Point\Sample\websvc\scripts as follows:

    SendMsgToSession


    Enter the name of a session for which we will send a message to AP:    WEBSVCS

    Enter message text to send:    TEST Encrypted message

     

    Next, a GUI dialog will be presented indicating the status of the communication. Notice the https://slast02-U128197:8443 in the dialog, which indicates the message was sent and encrypted successfully. (The original post shows a screen snapshot of the dialog here.)


    Follow-up steps on the Server:


    Check the ws-automation-audit log for confirmation that the message was received by the server:


    2014-12-08 14:47:41 [Administrator] (138.42.167.239) added new message '38' to session 'WEBSVCS' containing: TEST encrypted message
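    Beyond confirming a single message, the audit log is the record of who used the web services and from where. As an added example (not part of CA Automation Point), the Python script below parses lines in the layout of the log line quoted above and flags messages whose client address lies outside the networks the remote client is expected to run from. The line layout is inferred from that single sample line, so the regular expression is an assumption; the log excerpt and the allowed network are constructed.

```python
"""Parse ws-automation-audit log lines such as the one quoted in this tip.

Added example, not part of CA Automation Point. The line layout is
inferred from the single sample line on the page, so the pattern is an
assumption; the log excerpt and the allowed client network are constructed.
"""
import re
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "   # timestamp
    r"\[(?P<user>[^\]]+)\] "                            # authenticated web-services user
    r"\((?P<ip>[^)]+)\) "                               # remote client address
    r"added new message '(?P<msgid>\d+)' "
    r"to session '(?P<session>[^']+)' containing: (?P<text>.*)$"
)

# Constructed excerpt: the first line mirrors the tip, the others are made up.
SAMPLE_LOG = """\
2014-12-08 14:47:41 [Administrator] (138.42.167.239) added new message '38' to session 'WEBSVCS' containing: TEST encrypted message
2014-12-08 14:52:03 [Administrator] (138.42.167.239) added new message '39' to session 'WEBSVCS' containing: TEST second message
2014-12-08 15:10:17 [Administrator] (203.0.113.7) added new message '40' to session 'WEBSVCS' containing: TEST from an unexpected host
some unrelated line that does not match the pattern
"""


def parse_log(text):
    """Return one dict per line that matches LINE_RE; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def messages_from_outside(text, allowed_cidrs):
    """Return entries whose client address is not inside any allowed network.

    TLS protects the credentials on the wire; the audit log is what tells
    you who used the web services and from where, so this flags sources
    outside the networks the remote client is expected to run from.
    """
    nets = [ip_network(c) for c in allowed_cidrs]
    flagged = []
    for entry in parse_log(text):
        addr = ip_address(entry["ip"])
        if not any(addr in net for net in nets):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    # Constructed allow-list for the example.
    for e in messages_from_outside(SAMPLE_LOG, ["138.42.0.0/16"]):
        print(e["ts"], e["user"], e["ip"], "session", e["session"], "msg", e["msgid"])
```

    Point `parse_log` at the contents of the real ws-automation-audit log and adjust `LINE_RE` if your version of the product writes the line differently.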