SSL Configurator Utility Wizard for CA Service Management

CA Service Management now provides the SSL Configurator Utility Wizard to make it easier to configure SSL/TLS settings for CA Service Desk Manager and xFlow Interface. In addition, this utility provides the option to generate and import an SSL certificate for Apache Tomcat and IIS Web Servers.
The SSL Configurator Wizard Utility is currently supported on CA SDM (Tomcat/IIS Web Servers) and on xFlow Interface (Play Web Server).
The SSL Configurator Wizard utility does not provide a history of completed tasks in the user interface. To review previously completed tasks, open the log file <root install>\log\jstd.log, where each wizard task reports a success or failure message.
Launch the SSL Configurator Utility
  1. Download the CA Service Management 17.2 DVD from CA Support.
  2. Extract the contents of the DVD and navigate to the Filestore location. The SSL Utility Wizard installation files are available in \filestore\SSL_TLS_Utility.
  3. The SSL_TLS_Utility folder has:
    1. CASM-SSL-Configurator.zip (Windows)
    2. CASM-SSL-Configurator.tar.gz (Non-Windows)
  4. Create the following folder(s) in the shared components location (\Program Files\CA\SC\ or /opt/CA/SC) for CA Service Management:
    1. CASM SSL Configurator (Windows)
    2. CasmSslConfigurator (Non-Windows)
      Create a folder without spaces for Non-Windows.
  5. Copy and extract CASM-SSL-Configurator.zip (Windows) or CASM-SSL-Configurator.tar.gz (Non-Windows) to the folder created in step 4.
  6. Open the casm_sslconfig.bat file (Windows) or the casm_sslconfig.sh file (Non-Windows) and update the shared components JAVA home path.
    Example (Windows): SC_JAVA_HOME=C:\Program Files\CA\SC\JRE\11.0.3
    Example (Non-Windows): SC_JAVA_HOME=/opt/CA/SC/JRE/11.0.3
  7. After extraction, casm_sslconfig.bat (Windows) and casm_sslconfig.sh (Non-Windows) are generated.
  8. Run the SSL Configurator Utility batch file from step 6 as Administrator, as per your platform requirements.
  9. The SSL Configurator Utility Wizard is launched.
  10. Select a language of your choice.
    The language defaults to the system locale. You can change it to a different locale as per your preference.
  11. Click Next.
  12. Provide the CASM Keystore password:
    1. On the CASM Keystore page, provide the password if you already have an existing keystore stored on your system.
    2. If you are generating a keystore for the first time, provide a new password for the CASM Keystore. Click Next.
  13. Select the following options based on your requirements:
    [Image: SSL_MainPage_WithOptions.png]
Generate a Certificate Signing Request
This task generates a certificate signing request (CSR) document, which needs to be submitted to a Certificate Authority. The CSR is generated using the information provided on the wizard page.
Perform the following steps:
  1. On the Available Tasks page, select the Generate a Certificate Signing Request option to create a Certificate Signing Request (CSR) document.
    [Image: Generate_CSR.png]
    1. Complete the field information on this page as shown below:

      | Field Information | Description |
      |---|---|
      | Alias | Specifies the alias name. In most cases, it refers to the local host name. |
      | FQDN | The fully qualified domain name (FQDN) of the local server. Must match exactly the server name used in the URL accessing the web interface. |
      | Organization | Specifies the legal name of your organization. Note that this must not be abbreviated and must include all suffixes as well. |
      | Organization Unit | The division or unit of your organization. |
      | City | The city where your organization is located. |
      | State | The state/region where your organization is located. This should not be abbreviated. |
      | Country Code | The 2-letter ISO country code where your organization is located. |
      | Days Valid | The number of days the certificate is valid for. |
      | Key Algorithm | The algorithm to be used to generate the key pair. Possible values: RSA, DSA, EC. The valid key sizes for each algorithm are listed in the mapping below. |
      | Key Size | The size of each key (public and private) to be generated. Default: 2048. Note: The Key Size is relevant to the key algorithm that is selected. |

      | Key Algorithm | Key Size |
      |---|---|
      | RSA | 2048, 4096 |
      | DSA | 2048 |
      | EC | 256, 512 |

  2. Click Next to review the Summary page.
    The .csr file location is mentioned in the Review page.
  3. Click Finish. After successful completion, the task summary displays the location of the generated CSR document.
Import a Certificate
  1. Launch the Wizard and select the Import an SSL Certificate option to import an SSL certificate or certificate chain provided by a Certificate Authority (CA) into the keystore created earlier as part of generating a Certificate Signing Request (CSR).
    Note: You may need to import multiple certificates into the keystore based on your configuration requirements.
    Click Next.
  2. Provide the following information to import the SSL certificate:
    1. Provide the alias or entry name that you used while creating the Certificate Signing Request (CSR).
    2. Browse and select the location of the SSL certificate.
  3. Click Next to review the summary page.
  4. Click Finish to complete importing the SSL certificate.
Enable HTTPS for CA Service Desk Manager Web Servers
Launch the SSL Configurator Wizard utility and select the option to enable HTTPS for CA Service Desk Manager Web Servers.
Ensure that the CA Service Desk Manager services are up and running in order to complete this task.
Perform the following steps: 
  1. Launch the SSL Configurator Wizard and select the Enable HTTPS for CA Service Desk Manager option from the Main page of the SSL Wizard. Click Next.
    The ports for Tomcat server instances that are not installed are greyed out. If IIS is not installed in your environment, the IIS SSL Port fields are hidden.
    [Image: HTTPS_Tomcat_IIS.png]
    Provide the following details:

    | Fields | Description |
    |---|---|
    | SDM Tomcat HTTPS Port | Specify the Tomcat HTTPS port for the Web Client Interface. |
    | Federated Search Tomcat HTTPS Port | Specify the Tomcat HTTPS port for the Federated Search Service. |
    | REST Tomcat HTTPS Port | Specify the Tomcat HTTPS port for the REST Web Service. |
    | Support Automation HTTPS Port | Specify the Tomcat HTTPS port for Support Automation, if you have enabled this component for CA SDM. |
    | Visualizer Tomcat HTTPS Port | Specify the Tomcat HTTPS port for CMDB Visualizer, if you have enabled this CA SDM component. |
    | Available Certificates | Specify the certificate entry to be used for HTTPS. |
    | Website | Specifies the IIS Web Server with CA SDM. |
    | IIS HTTPS Port | Specifies the HTTPS port number for the IIS Web Server. |
    | Web CGI URL | Specifies the HTTPS URL value for the global SDM Option web_cgi_url, mainly used for user notifications. Can be left unchanged. When updating this value, make sure the HTTPS protocol and HTTPS port number are part of the URL. |
    | Upload Servlet URL | Specifies the HTTPS URL value for the Attachment Servlet Path for this local server. Can be left unchanged. When updating this value, make sure the HTTPS protocol and HTTPS port number are part of the URL. |

  2. Click Next to configure the xFlow Interface for HTTPS (if you have installed xFlow Interface in your environment).
    Provide the HTTPS ports for the xFlow Interface as shown in the image:
    [Image: Enable_HTTPS_xFlowAnalyst.png]
    If the xFlow Analyst Interface is not installed on your system, the message "The xFlow Analyst Interface is not installed on this environment" is displayed.
  3. Click Next.
  4. Review the Summary page.
    For any file updated by this task, a backup file is created in the same location as the source.
  5. Click Finish to complete the process.
Remove a Certificate
Launch the SSL Configurator Wizard and from the Available Tasks Page, select this option to remove a Keystore entry as shown below:
  [Image: Remove_Certificate_2.png]
Tasks for Test Environments
From the Available Tasks Page, select this option for test/non-production environments to generate a self-signed certificate.
  1. Generate a self-signed certificate, using default values.
    Provide the Alias and FQDN details. All other properties are defaulted.
    Follow the steps shown in Generate a Certificate Signing Request.
Turning Debug On
To turn on debug level logging for the SSL Configurator wizard utility, open the file <root install>\cfg\log4j.properties and change the following line:
log4j.rootCategory=INFO, jstdlog
to
log4j.rootCategory=DEBUG, jstdlog
Customize Tomcat Connectors
The SSL Configurator wizard utility uses a default set of properties to generate the Tomcat connector definitions. These default properties are available in <root install>\cfg\config.properties. This file can be updated to add, remove, or modify default properties. The file consists of variable and value pairs on each line.
Variable names that start with base.tomcat.Connector are applicable for all Tomcat Servers. In addition to the base variables, single Tomcat variables can be used to override the base variables. Single Tomcat variables start with a pre-defined name:
  • sdm.tomcat.Connector for SDM Tomcat
  • fs.tomcat.Connector for Federated Search Tomcat
  • rest.tomcat.Connector for REST Tomcat
  • sa.tomcat.Connector for Support Automation Tomcat
  • viz.tomcat.Connector for Visualizer Tomcat
For example, if you want all Tomcat Servers to have the property maxThreads=250 but want the SDM Tomcat to have a value of 300, the settings for that property would be as follows:
base.tomcat.Connector.maxThreads=250
sdm.tomcat.Connector.maxThreads=300
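The base/override rule above can be checked before running the wizard by computing the effective connector properties per Tomcat server and listing every single-Tomcat value that differs from the base. This is an added example, not part of the utility: the sample content is constructed, the maxThreads lines come from the example above, and the sslEnabledProtocols lines are assumed entries (a real Tomcat connector attribute) that show an override widening the TLS versions set in the base.

```python
# Added example (not part of the utility): effective Tomcat connector
# properties under the base/override rule described above.
SERVERS = ("sdm", "fs", "rest", "sa", "viz")  # prefixes listed on this page

# Constructed sample content. maxThreads is the page's own example; the
# sslEnabledProtocols entries are assumptions made for illustration.
SAMPLE = """\
# constructed sample
base.tomcat.Connector.maxThreads=250
sdm.tomcat.Connector.maxThreads=300
base.tomcat.Connector.sslEnabledProtocols=TLSv1.2
viz.tomcat.Connector.sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2
"""

def parse_properties(text):
    """Parse simple variable=value lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def scoped(props, prefix):
    """Return {attribute: value} for <prefix>.tomcat.Connector.<attribute>."""
    head = prefix + ".tomcat.Connector."
    return {k[len(head):]: v for k, v in props.items() if k.startswith(head)}

def effective(props, server):
    """Base values first, then the single-Tomcat values on top."""
    return {**scoped(props, "base"), **scoped(props, server)}

def overrides(props):
    """List (server, attribute, base value, override) where they differ."""
    base = scoped(props, "base")
    return [(s, a, base.get(a), v)
            for s in SERVERS
            for a, v in sorted(scoped(props, s).items())
            if base.get(a) != v]

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for server in SERVERS:
        print(server, effective(props, server))
    for row in overrides(props):
        print("override:", row)
```
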
Backing Out Completed Task for SSL-Enabled Web Servers
If you have performed the steps shown in Enable HTTPS for CASM Web Servers, you can back out the changes if required.
To back out a successfully completed task after enabling HTTPS for CASM web servers, perform the following steps:
  1. Stop the CA Service Desk Manager Server services.
  2. Navigate to the Service Desk Manager install folder.
  3. For each Tomcat server that is updated in your environment, navigate to the corresponding Tomcat conf folder.
    For example: bopcfg\www\CATALINA_BASE\conf
  4. Remove or rename the server.xml file.
  5. Rename the backup file to server.xml.
    The backup file has a name pattern of server.xml.1551384371419.bak
  6. Start CA Service Desk Manager Server services.
  7. The Web CGI URL and the Upload Servlet URL can be updated via the Administration tab in the SDM Web Interface as usual.
If the xFlow Analyst Interface is installed on the system, follow the steps below.
  1. Stop the CA xFlow Analyst Interface services.
  2. Navigate to the xFlow Analyst Interface Services folder.
    For example: \Program Files\CA\xFlow\APPS\Services
  3. For each of the subfolders, remove or rename the text file as follows:

    | (Current) File Name | (To) Rename or Remove File |
    |---|---|
    | collabmicroservice | 17.0.479\COLLABMICROSERVICE_config.txt |
    | incidentmicroservice | 17.0.479\INCIDENTMICROSERVICE_config.txt |
    | insightmicroservice | 17.1.706\INSIGHTMICROSERVICE_config.txt |
    | pushmicroservice | 17.0.479\PUSHMICROSERVICE_config.txt |
    | searchmicroservice | 17.0.479\SEARCHMICROSERVICE_config.txt |

  4. Navigate to the web server conf folder.
    For example: \Program Files\CA\xFlow\APPS\Services\incidentmicroservice-17.0.479\public\conf
  5. Remove or rename the casm.conf.js file.
  6. Rename the backup file to casm.conf.js.
    The backup file has a name pattern of casm.conf.js.1551384372153.bak
  7. Start the CA xFlow Analyst Interface services.
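When the wizard has run more than once, a conf folder can hold several backups, so both back-out procedures above (server.xml and casm.conf.js) depend on picking the right one. The following added example, which is not part of the utility, lists backups matching the documented name pattern in time order and restores a chosen one. It assumes the digits in the file name are epoch milliseconds, uses a hypothetical ".ssl-enabled" suffix for the file set aside, and expects the services to be stopped first.

```python
# Added example (not part of the utility): list and restore wizard backups.
import re
import sys
from datetime import datetime, timezone
from pathlib import Path

def list_backups(conf_dir, name):
    """Return (timestamp, path) pairs for <name>.<digits>.bak, oldest first."""
    pattern = re.compile(re.escape(name) + r"\.(\d+)\.bak")
    found = []
    for path in Path(conf_dir).iterdir():
        match = pattern.fullmatch(path.name)
        if match and path.is_file():
            # Assumption: the digits are milliseconds since the Unix epoch.
            millis = int(match.group(1))
            stamp = datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
            found.append((stamp, path))
    return sorted(found)

def restore(conf_dir, name, backup):
    """Set the live file aside, then rename the chosen backup into place."""
    live = Path(conf_dir) / name
    aside = live.with_name(name + ".ssl-enabled")  # hypothetical suffix
    if aside.exists():
        # Refuse to overwrite a file kept from an earlier back-out.
        raise FileExistsError(str(aside))
    if live.exists():
        live.rename(aside)
    Path(backup).rename(live)
    return live

if __name__ == "__main__":
    # Usage: script.py <conf folder> <file name>, for example server.xml
    if len(sys.argv) != 3:
        sys.exit("usage: script.py <conf folder> <file name>")
    for stamp, path in list_backups(sys.argv[1], sys.argv[2]):
        print(stamp.isoformat(), path.name)
```
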
Uninstall the SSL Configurator Utility
To uninstall the SSL Configurator wizard utility, delete the <root install> folder.