Configure CA Service Catalog to Use Secure Socket Layer

You can optionally configure CA Service Catalog to use Secure Socket Layer (SSL). SSL establishes an encrypted link between a server and a client, for example, between a web server and a browser, or between a mail server and a mail client. This link helps ensure that all data passed between the server and client remains private and unaltered. When you configure a product to use SSL, you change its communication method from HTTP to HTTPS.
Follow these steps:
  1. Use a single keystore for all integrated products. This approach is recommended.
    If you have multiple keystores for different products and cannot use a single keystore for all of them, you can merge keystore files.
  2. Configure CA Service Catalog.
  3. If you are integrating CA Service Catalog with CA Process Automation, perform the following steps:
    1. Configure CA Process Automation to use Secure Socket Layer. For more information, see your CA Process Automation documentation.
  4. If you are integrating CA Service Catalog with CA Business Intelligence, perform the following steps:
    1. Configure CA Business Intelligence to use Secure Socket Layer. For more information, see your CA Business Intelligence documentation.
Step 1 - Create a Keystore File
A keystore file is required to enable SSL. Create a keystore file if you do not have one already for another CA product that integrates with CA Service Catalog. You can use a keystore file for a single product or for multiple products. If you must create individual keystores for each product, you can optionally merge your keystore files.
Follow these steps:
  1. Open a command window on the Catalog Component server.
  2. Enter the following command:
    keytool -genkey -alias alias_name -keyalg RSA -keystore "USM_HOME\.keystore" -keysize 1024
    alias_name
    Specifies the logical name for the certificate that you are using for CA Service Catalog and possibly for other products. Record this alias name for reference.
  3. Enter the password at the “Enter keystore password” prompt. To make configuring Tomcat easier, you can use “changeit” as the password.
  4. Record your password for reference.
  5. Enter your password at the prompt.
You have created the keystore file.
Step 2 - (Optional) Merge Keystore Files
A keystore file is required to enable SSL. If you are using SSL for two or more products and have two or more keystore files, use a single keystore for all integrated products. However, if you have multiple keystores for different products and cannot use a single keystore for them all, you can merge the contents of the individual keystore files.
Follow these steps:
  1. Copy all keystore files to the USM_HOME folder. For example, any keystore files for CA Process Automation, CA CMDB, or other products that integrate with CA Service Catalog.
  2. Find and record all required keystore files, keystore aliases, and keystore passwords for the products of interest. For example, for CA Process Automation, you can retrieve the c2okeystore password from KEYSTOREID property of the OasisConfig.properties file.
  3. Restart Catalog Component.
  4. Enter the keytool command to merge the keystore of the first product, using the following command as a model:
    keytool -importkeystore -srckeystore "product1_keystore" -destkeystore "USM_HOME\.keystore" -srcalias product1_alias -destalias alias_name -srckeypass "product1_password" -destkeypass "changeit"
    • "product1_keystore"
      Specifies the name of the keystore file (including the complete path name) for the product you are merging.
    • product1_alias
      Specifies the keystore alias for the product you are merging.
    • product1_password
      Specifies the keystore password for the product you are merging.
    • alias_name
      Specifies the alias_name that you specified when you created a keystore file for CA Service Catalog.
    The following command merges the contents of the CA Process Automation keystore (c2okeystore) into the CA Service Catalog keystore:
    keytool -importkeystore -srckeystore "%ITPAM_HOME%\server\c2o\.config\c2okeystore" -destkeystore "USM_HOME\.keystore" -srcalias c2o-j -destalias tomcat -srckeypass "475ba811-62cd-4ec8-b757-cd7710de3fa8" -destkeypass "changeit"
    The following command merges the contents of the CA CMDB keystore (.cmdb_keystore) into the CA Service Catalog keystore:
    keytool -importkeystore -srckeystore ".cmdb_keystore" -destkeystore "USM_HOME\.keystore" -srcalias cmdb -destalias tomcat -srckeypass "changeit" -destkeypass "changeit"
  5. Respond No when you are prompted to overwrite the source alias.
  6. Repeat the previous two steps for each product whose keystores you are merging.
  7. Verify that all the certificates that you want are in one keystore, using the following command:
    keytool -list -keystore "USM_HOME\.keystore"
    This command lists the contents of the merged keystore.
You have merged keystore files.
Step 3 - Configure CA Service Catalog to Use Secure Socket Layer
Configure CA Service Catalog to use Secure Socket Layer (SSL).
Follow these steps:
  1. Edit the server.xml file to support SSL.
    The file is updated to help support SSL for CA Service Catalog.
  2. Open the USM_HOME\view\conf\viewService.conf file, using a text editor.
  3. Update the following line with the path name and file name of the keystore file:
    wrapper.java.additional.number=-Djavax.net.ssl.trustStore="USM_HOME/.keystore"
  4. Update the following line with the password of the keystore file:
    wrapper.java.additional.number=-Djavax.net.ssl.trustPass=changeit
  5. Save and close the viewService.conf file.
  6. Select Administration, Configuration, Server Information on the CA Service Catalog GUI.
  7. Complete the fields in this section as follows:
    For Host Name, specify the name of the host where CA Service Catalog is installed.
    For Port Number, specify the port where HTTPS is configured.
    For Enable HTTPS, specify Yes. Restart CA Service Catalog.
  8. Log in to CA Service Catalog using the following URL:
    https://hostname:port/usm/wpf
  9. You see a trusted certificate prompt, which indicates that you are using HTTPS.
  10. Optionally, disable HTTP access by commenting out the section for the HTTP connector, as shown in the following example:
    <!-- <Connector port="8080" enableLookups="false" redirectPort="8443" tomcatAuthentication="false" maxThreads="400" minSpareThreads="25" maxSpareThreads="100" debug="0" connectionTimeout="15000" disableUploadTimeout="true" compression="on" compressionMinSize="2048" compressableMimeType="text/html,text/plain,text/xml,text/css,text/javascript,image/png,image/gif,image/jpeg,application/json" useBodyEncodingForURI="false" URIEncoding="UTF-8" /> -->
You have configured CA Service Catalog to use SSL.
Edit the Server.xml File to Support SSL
As part of configuring CA Service Catalog to use Secure Socket Layer (SSL), edit the server.xml file to support SSL.
Follow these steps:
  1. Open the USM_HOME\view\conf\server.xml file.
  2. Search for the following section. Enable the commented section by removing "<!--" and "-->" from the first and last lines, as shown in the following example:
    <!-- <Connector port="8443" enableLookups="false" tomcatAuthentication="false" maxHttpHeaderSize="8192" maxThreads="400" minSpareThreads="25" maxSpareThreads="100" debug="0" connectionTimeout="15000" disableUploadTimeout="true" compression="on" compressionMinSize="2048" compressableMimeType="text/html,text/plain,text/xml,text/css,text/javascript,image/png,image/gif,image/jpeg,application/json" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true" keystoreFile="__USMHOME__\.keystore" keyAlias="alias_name" keystorePass="changeit"/> -->
    • alias_name
      Specifies the logical name for the certificate that you are using for CA Service Catalog and possibly for other products.
  3. Update the default port (8444) to another secure socket layer port, if necessary.
  4. Verify whether either or both of the following conditions exist:
    • You are using an existing keystore.
    • You have changed either the CA Service Catalog installation path or generated keystore name.
  5. Perform the following actions, if either or both of the conditions in the previous step exist:
    • Update the keystoreFile parameter with the correct path and file name, typically USM_HOME\.keystore.
    • Update the keyAlias parameter with the alias_name that you specified when you created a keystore file for CA Service Catalog.
  6. Save and close the server.xml file.
You have edited the server.xml file. You can continue configuring CA Service Catalog to use Secure Socket Layer (SSL).
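One way to check the result of these edits, as an added example that is not part of the CA documentation or product: a Python audit of server.xml that reports which connectors are actually active and whether the SSL connector still carries the placeholder alias or the changeit password. The function name, the sample XML, and the second sample's alias and password are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the page's two <Connector> elements
# (attributes trimmed; the HTTPS_ONLY alias and password are made-up values).
HTTP_AND_HTTPS = r"""<Server><Service name="Catalina">
  <Connector port="8080" enableLookups="false" redirectPort="8443" />
  <Connector port="8443" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" SSLEnabled="true" keyAlias="alias_name"
             keystoreFile="__USMHOME__\.keystore" keystorePass="changeit" />
</Service></Server>"""

HTTPS_ONLY = r"""<Server><Service name="Catalina">
  <!-- <Connector port="8080" enableLookups="false" redirectPort="8443" /> -->
  <Connector port="8443" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" SSLEnabled="true" keyAlias="catalog"
             keystoreFile="__USMHOME__\.keystore" keystorePass="constructed-Pw-7f3a" />
</Service></Server>"""


def audit_connectors(server_xml_text):
    """Return (port, finding) tuples for the connectors Tomcat would start."""
    # ElementTree drops XML comments, so a connector wrapped in <!-- --> is
    # invisible here, exactly as it is to Tomcat.
    root = ET.fromstring(server_xml_text)
    findings = []
    connectors = list(root.iter("Connector"))
    if not any(c.get("SSLEnabled", "").lower() == "true" for c in connectors):
        findings.append((None, "no active SSL connector; HTTPS section still commented out"))
    for c in connectors:
        port = c.get("port")
        if c.get("SSLEnabled", "").lower() != "true":
            findings.append((port, "non-SSL connector is still active"))
            continue
        if not c.get("keystoreFile"):
            findings.append((port, "keystoreFile is not set"))
        if c.get("keyAlias") in (None, "alias_name"):
            findings.append((port, "keyAlias is missing or still the placeholder"))
        if c.get("keystorePass") == "changeit":
            findings.append((port, "keystorePass is the well-known default 'changeit'"))
    return findings


if __name__ == "__main__":
    for name, text in (("http+https", HTTP_AND_HTTPS), ("https only", HTTPS_ONLY)):
        print(name, audit_connectors(text) or "no findings")
```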
Step 4 - (Optional) Configure CA Process Automation to Communicate with CA Service Catalog Using Secure Socket Layer
Configure CA Process Automation to communicate with CA Service Catalog using SSL.
Follow these steps:
  1. On the CA Service Catalog GUI, select Administration, Configuration, CA Process Automation.
  2. Complete the fields in this section as follows:
    For Host Name, specify the name of the host where CA Process Automation is installed.
    For Port Number, specify the CA Process Automation port where HTTPS is configured.
    For Enable HTTPS, specify Yes.
  3. Recycle Catalog Component.
  4. Click Test.
    The connection is tested, using the new values that you specified.
    If the connection fails, try using a different value.
  5. Click Configure.
    The CA Process Automation configuration details are updated with the new values that you specified.
  6. Perform this step if you are using content packs. Otherwise, you can skip this step.
    Edit the USM_HOME\build.xml file, and verify that the following parameters are correct. Update them, if applicable.
    • The file name and path name of the keystore
      For example, if the keystore is located in USM_HOME and the keystore file name is .mykeystore, update this line as follows:
      <sysproperty key="javax.net.ssl.trustStore" value="${env.USM_HOME}/.mykeystore" />
    • The keystore password
      For example, if the keystore password is mykeystorepw, update this line as follows:
      <sysproperty key="javax.net.ssl.trustPass" value="mykeystorepw" />
You have configured CA Process Automation to communicate with CA Service Catalog using SSL.
Step 5 - (Optional) Configure CA Business Intelligence to Communicate with CA Service Catalog Using Secure Socket Layer
As part of configuring CA Service Catalog to use Secure Socket Layer (SSL), you configure BusinessObjects Enterprise to communicate with CA Service Catalog using SSL.
Follow these steps:
  1. Select Administration, Configuration, CA Business Intelligence, on the CA Service Catalog GUI.
  2. Complete the fields in this section as follows:
    For Host Name, specify the computer name on which the Business Intelligence Launch Pad component of CA Business Intelligence is hosted.
    For Port Number, specify the port number on which CA Business Intelligence is running.
    For Enable HTTPS, specify Yes.
  3. Recycle Catalog Component.
  4. Click Launch.
  5. The connection is tested, using the new values that you specified. If the connection fails, try using a different value.
    The BusinessObjects Enterprise configuration details are updated with the new values that you specified.
Step 6 - Add Self-Signed Certificates to the Keystore
When you use self-signed certificates for any computer that connects directly to CA Service Catalog or that CA Service Catalog connects to, add these certificates to the keystore. For example, suppose that you are using clustering with load balancing for CA Service Catalog. In that case, if you are using a self-signed certificate for the load balancing computer, add it to the keystore.
 
If you are using trusted certificates for these computers, you do not need to add them to the keystore.
Follow these steps:
  1. Verify the computer to be trusted, that is, the computer that has direct connection with CA Service Catalog.
    For example, suppose that you integrate CA Service Catalog with CA Service Desk Manager through a load balancing computer. In that case, CA Service Catalog connects directly to the load balancer (not CA Service Desk Manager). Therefore, the computer to be trusted is the load balancer (not the CA Service Desk Manager computer).
  2. Go to a Catalog Component computer. Download the DER encoded binary X.509 file (the certificate) for the computer to be trusted.
    For example, use your web browser to visit the computer and obtain the certificate.
  3. Open the CA Service Catalog command prompt and enter the following command:
    keytool -importcert -alias alias_name -file pathname-to-certificate -keystore USM_HOME\.keystore
    • alias_name
      Specifies the logical name for the certificate that you are using for CA Service Catalog and possibly for other products.
    • pathname-to-certificate
      Specifies the complete path name to the certificate file that you downloaded in the previous step.
    You are prompted to enter a password.
  4. Perform one of the following actions:
    • Enter changeit as the keystore password.
    • Enter a different keystore password.
    The password is saved.
  5. Complete this step if you entered a different password than changeit in the previous step. Otherwise, skip this step.
    1. Open the viewService.conf file for editing.
    2. Find the line that contains the following phrase:
      -Djavax.net.ssl.trustPass=keystore-password
    3. Update the keystore-password to match the new password that you specified in the previous step.
    The viewService.conf file is updated with the new password.
  6. Remain at this Catalog Component computer. Repeat the previous steps for every computer to be trusted which has self-signed certificates.
    The keystore file is updated with the new self-signed certificates from each applicable computer to be trusted.
  7. Perform the following actions on every other Catalog Component computer:
    1. Update the viewService.conf file to use a password other than changeit, if applicable.
    2. Copy the updated keystore file from this Catalog Component computer to all the remaining Catalog Component computers.
You have added self-signed certificates to the keystore.
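A self-signed certificate downloaded over the network has no issuer chain to validate, so compare its fingerprint with one obtained from the owner of the computer to be trusted before you run keytool -importcert. The following Python is an added example, not part of the CA documentation; the function names and the sample bytes (a stand-in, not a real certificate) are constructed.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def der_bytes(data):
    """Accept a DER or PEM (Base-64) certificate file and return the DER bytes."""
    match = PEM_RE.search(data)
    if match:
        data = base64.b64decode(b"".join(match.group(1).split()))
    if not data.startswith(b"\x30"):  # an X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("not a DER or PEM encoded certificate")
    return data


def sha256_fingerprint(data):
    """SHA-256 of the DER encoding, as colon-separated uppercase hex pairs."""
    digest = hashlib.sha256(der_bytes(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_expected(data, expected):
    """True if the file's fingerprint equals one obtained out of band."""
    def normalize(text):
        # Ignore case, colons and spaces so either notation can be pasted in.
        return re.sub(r"[^0-9A-F]", "", text.upper())
    return hmac.compare_digest(normalize(sha256_fingerprint(data)), normalize(expected))


# Constructed stand-in bytes, not a real certificate: enough to exercise the functions.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(32))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_DER))
    print(matches_expected(SAMPLE_PEM, hashlib.sha256(SAMPLE_DER).hexdigest()))
```

Import the certificate only when matches_expected returns True for the fingerprint you were given; a mismatch means the file you downloaded is not the certificate the owner issued.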