A few months ago, I posted a Tuesday Tip on deploying, configuring, and using Automation Point Web Services (https://communities.ca.com/message/241709769#241709769). Today's tip follows up on it by showing how to secure your Web Services communications with TLS encryption. To secure the transmission of the user ID and password from the remote client to the CA Automation Point server, configure your communications to use TLS. TLS stands for Transport Layer Security; it is also commonly referred to as SSL (Secure Sockets Layer), the name of its predecessor protocol.
You should follow the instructions in the Tuesday Tip cited above to configure and deploy web services, in general, before you take the steps indicated in this Tuesday Tip.
In today’s tip, I will show you the steps to take to secure the remote client and the server sides of the web services communication channel.
Steps on SERVER:
Issue CD command for path where keytool utility resides:
C:\> CD C:\Program Files (x86)\Java\jre7\bin
Issue commands from prompt C:\Program Files (x86)\Java\jre7\bin> as follows:
keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password: yourpassword
Re-enter new password: yourpassword
What is your first and last name?
[unknown]: Joe Customer
What is the name of your organizational unit?
[unknown]: Automation
What is the name of your organization?
[unknown]: ACME
What is the name of your City or Locality?
[unknown]: Dallas
What is the name of your State or Province?
[unknown]: TX
What is the two-letter country code for this unit?
[unknown]: US
Is CN=Joe Customer, OU=Automation, O=ACME, L=Dallas, ST=TX, C=US correct?
[no]: Yes
Enter key password for <tomcat>
(RETURN if same as keystore password): yourpassword
Re-enter new password: yourpassword
The above command creates the file .keystore in C:\Users\NameofUserAccount.
Issue CD command for path where Apache Tomcat 7.0 configuration files reside:
CD C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf
Edit the file server.xml in E:\Program Files\Apache Software Foundation\Tomcat 7.0\conf as shown below. The begin-comment and end-comment characters around the Connector statement have been removed, and the keystoreFile and keystorePass attributes were added (shown in red in the original post). The keystorePass value must be the keystore password you entered in the keytool step. I also changed the maxThreads value to what was shown in the “Apache Tomcat 7 (7.0.55) – SSL Configuration HOW-TO” document …
From:
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
To:
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="200" scheme="https" secure="true"
keystoreFile="C:\Users\Administrator\.keystore" keystorePass="mypassword"
clientAuth="false" sslProtocol="TLS" />
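An added example, not part of the original tip or of any CA or Tomcat tooling: a small Python check, run against a copy of server.xml, that the Connector edit above took effect. It catches the two easy mistakes in this step, a connector left inside its comment and typographic quotes pasted into attribute values. The function name audit_connector and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes from word processors

def audit_connector(server_xml, port="8443"):
    """Return a list of problems with the HTTPS connector; empty means OK."""
    problems = []
    if any(ch in server_xml for ch in CURLY_QUOTES):
        problems.append("typographic quotes present; XML needs straight quotes")
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        problems.append(f"server.xml is not well-formed: {exc}")
        return problems
    # ElementTree drops comments, so a connector still inside <!-- --> is not found.
    active = [c for c in root.iter("Connector") if c.get("port") == port]
    if not active:
        problems.append(f"no active Connector on port {port} (still commented out?)")
        return problems
    conn = active[0]
    for attr, want in REQUIRED.items():
        if (conn.get(attr) or "").lower() != want:
            problems.append(f"{attr} should be {want!r}, found {conn.get(attr)!r}")
    for attr in ("keystoreFile", "keystorePass"):
        if not conn.get(attr):
            problems.append(f"{attr} is not set")
    return problems

# Constructed samples modelled on the Connector shown above (placeholder values).
WRAP = "<Server><Service name='Catalina'>{}</Service></Server>"
CONNECTOR = r'''<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="200" scheme="https" secure="true"
  keystoreFile="C:\Users\Administrator\.keystore" keystorePass="mypassword"
  clientAuth="false" sslProtocol="TLS" />'''
EDITED = WRAP.format(CONNECTOR)                        # after the edit
DEFAULT = WRAP.format("<!--\n" + CONNECTOR + "\n-->")  # still commented out
PASTED = EDITED.replace('"mypassword"', "\u201dmypassword\u201d")  # curly quotes

if __name__ == "__main__":
    for name, text in (("EDITED", EDITED), ("DEFAULT", DEFAULT), ("PASTED", PASTED)):
        print(name, audit_connector(text) or "OK")
```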
Steps on CLIENT:
Issue CD command for path where SendMsgToSession.bat file utility resides.
CD C:\Program Files (x86)\CA\CA Automation Point\Sample\websvc\scripts
Edit the initSamples.bat file to set the uriRoot for your web services requests to use https and the correct server and port:
set uriRoot=https://slast02-U128197:8443/apwebsvc
Issue commands from prompt C:\Program Files (x86)\CA\CA Automation Point\Sample\websvc\scripts as follows:
SendMsgToSession
Enter the name of a session for which we will send a message to AP: WEBSVCS
Enter message text to send: TEST Encrypted message
Next, a GUI dialog is presented showing the status of the communication. Notice the https://slast02-U128197:8443 in the dialog, which indicates the message was sent and encrypted successfully.
Follow-up steps on the Server:
Check the ws-automation-audit log for confirmation that the message was received by the server:
2014-12-08 14:47:41 [Administrator] (138.42.167.239) added new message '38' to session 'WEBSVCS' containing: TEST encrypted message