SSL Configurator Utility Wizard for CA Service Management

This article contains the following topics:
CA Service Management now provides the SSL Configurator Utility Wizard to make it easier to configure SSL/TLS settings for CA Service Desk Manager, xFlow Interface, and CA Service Catalog. In addition, this utility provides the option to generate and import an SSL certificate for Apache Tomcat and IIS Web Servers.
The SSL Configurator Wizard Utility is currently supported on CA SDM (Tomcat/IIS Web Servers), CA Service Catalog, and the xFlow Interface (Play Web Server).
The SSL Configurator Wizard utility does not provide a history of completed tasks in the user interface. To review previously completed tasks, open the log file <root install>\log\jstd.log, where each wizard task reports a success or failure message.
Launch the SSL Configurator Utility
  1. Download the CA Service Management 17.3 DVD from Broadcom Support.
  2. Extract the contents of the DVD and navigate to the Filestore location. The SSL Utility Wizard installation files are available in: \filestore\SSL_TLS_Utility
  3. The SSL_TLS Utility folder has:
    1. CASM-SSL-Configurator.zip (Windows)
    2. CASM-SSL-Configurator.tar.gz (Non-Windows)
  4. Create the following folder in the shared components location (\Program Files\CA\SC\ or /opt/CA/SC) for CA Service Management:
    1. CASM SSL Configurator (Windows)
    2. CasmSSLConfigurator (Non-Windows: create a folder without spaces in its name.)
  5. Copy and extract CASM-SSL-Configurator.zip (Windows) or CASM-SSL-Configurator.tar.gz (Non-Windows) to the folder created in step 4.
  6. Open the casm_sslconfig.bat file (Windows) or casm_sslconfig.sh file (Non-Windows) and update the shared components JAVA home path.
    Example Windows: SC_JAVA_HOME=C:\Program Files\CA\SC\JRE\11.0.3
    Example Non-Windows: SC_JAVA_HOME=/opt/CA/SC/JRE/11.0.3
  7. After extraction, casm_sslconfig.bat (Windows) and casm_sslconfig.sh (Non-Windows) are generated.
  8. Run the SSL Configurator Utility batch file from step 6 as Administrator, as per your platform requirements.
  9. The SSL Configurator Utility Wizard is launched. 
  10. Select a language of your choice: The language is defaulted to the default system locale. You can change it to a different locale as per your preference.
  11. Click Next.
  12. Provide the CASM Keystore password. Perform the following steps:
    1. On the CASM Keystore page, provide the password if you already have an existing keystore stored on your system.
    2. If you are generating a keystore for the first time, provide a new password for the CASM Keystore. Click Next.
  13. Select the following options based on your requirements:
    1. Tasks for Test Environment (Non-Production Environment)
      1. Generate a Self-Signed Certificate
Generate a Certificate Signing Request
This task generates a Certificate Signing Request (CSR) document, which must be submitted to a Certificate Authority. The CSR is generated using the information provided on the wizard page.
Perform the following steps:
  1. On the Available Tasks page, select the Generate a Certificate Signing Request option to create a Certificate Signing Request (CSR) document.
    1. Complete the fields on this page as described below:
      Alias: Specifies the alias name; in most cases, it refers to the local host name.
      FQDN: The fully qualified domain name (FQDN) of the local server. Must exactly match the server name used in the URL for accessing the web interface.
      Organization: Specifies the legal name of your organization. This must not be abbreviated and must include all suffixes.
      Organization Unit: The division or unit of your organization.
      City: The city where your organization is located.
      State: The state/region where your organization is located. This should not be abbreviated.
      Country Code: The 2-letter ISO country code where your organization is located.
      Days Valid: The number of days the certificate is valid for.
      Key Algorithm: The algorithm to be used to generate the key pair. Possible values: RSA, DSA, EC. The following key sizes are valid for each key algorithm:
        RSA: 2048, 4096
        DSA: 2048
        EC: 256, 512
      Key Size: The size of each key (public and private) to be generated. Default: 2048
      Note: The valid Key Size depends on the key algorithm that is selected.
  2. Click Next to review the Summary page. The location of the .csr file is shown on the Review page.
  3. Click Finish. After successful completion, the task summary displays the location of the generated CSR document.
Import a Certificate
  1. Launch the Wizard and select the Import an SSL Certificate option to import an SSL certificate or certificate chain provided by a Certificate Authority (CA) into the keystore created earlier as part of generating a Certificate Signing Request (CSR).
    You may need to import multiple certificates into the keystore based on your configuration requirements.
    Click Next.
  2. Provide the following information to import the SSL certificate:
    1. Provide the alias or entry name that you used while creating the Certificate Signing Request (CSR).
    2. Browse and select the location of the SSL certificate.
  3. Click Next to review the summary page.
  4. Click Finish to complete importing the SSL certificate.
Enable HTTPS for Service Management (Service Desk Manager, xFlow Interface, and Service Catalog)
Perform the following steps to complete the SSL Configuration for SDM along with xFlow interface and Service Catalog:
Enable HTTPS for CA Service Desk Manager Web Servers and xFlow Interface
Launch the SSL Configurator Wizard utility and select the option to enable HTTPS for Service Desk Manager Web Servers.
Ensure that the Service Desk Manager services are up and running in order to complete this task.
Perform the following steps:
  1. After launching the SSL Configurator Wizard, select the Enable HTTPS for Service Desk Manager option from the Main page of the SSL Wizard. Click Next.
    The ports for Tomcat server instances that are not installed are greyed out.
    If IIS is not installed in your environment, the IIS SSL Port fields are hidden.
    Provide the following details:
    SDM Tomcat HTTPS Port: Specify the Tomcat HTTPS port for the Web Client Interface.
    Federated Search Tomcat HTTPS Port: Specify the Tomcat HTTPS port for the Federated Search Service.
    REST Tomcat HTTPS Port: Specify the Tomcat HTTPS port for the REST Web Service.
    Support Automation HTTPS Port: Specify the Tomcat HTTPS port for Support Automation, if you have enabled this component for CA SDM.
    Visualizer Tomcat HTTPS Port: Specify the Tomcat HTTPS port for the CMDB Visualizer, if you have enabled this CA SDM component.
    Available Certificates: Specify the certificate entry to be used for HTTPS.
    Website: Specifies the IIS Web Server with CA SDM.
    IIS HTTPS Port: Specifies the HTTPS port number for the IIS Web Server.
    Web CGI URL: Specifies the HTTPS URL value for the global SDM option web_cgi_url, mainly used for user notifications. Can be left unchanged. When updating this value, make sure the HTTPS protocol and HTTPS port number are part of the URL.
    Upload Servlet URL: Specifies the HTTPS URL value for the Attachment Servlet Path for this local server. Can be left unchanged. When updating this value, make sure the HTTPS protocol and HTTPS port number are part of the URL.
  2. Click Next to configure the xFlow Interface for HTTPS (if you have installed xFlow Interface in your environment).
    Provide the HTTPS ports for the xFlow Interface.
    If the xFlow Analyst Interface is not installed on your system, the message "The xFlow Analyst Interface is not installed on this environment" is displayed.
  3. Click Next.
Enable HTTPS for CA Service Catalog
Perform the following steps:
The SSL Configuration batch file must be updated with the JRE path used in CA Service Catalog before running the utility.
  1. After launching the SSL Configurator Wizard, select the Enable HTTPS for CA Service Catalog option from the Main page of the SSL Wizard.
    If the Catalog Analyst Interface is not installed on your system, the message "CA Service Catalog is not installed in this environment" is displayed.
  2. Complete the following information:
    Catalog Tomcat HTTPS Port: Specify the Tomcat HTTPS port used by Service Catalog Web Client Interface
    Available Certificates: Specify the certificate entry to be used for HTTPS.
  3. Click Next.
    CA Service Catalog tasks get added to the summary.
  4. Review the Summary page.
    For any file updated by this task, a backup file is created on the same location as the source.
  5. Click Finish to complete the process.
    Clicking Finish updates the Catalog server.xml and viewService.conf files (after backing them up) in the following location.
    For example: C:\Program Files\CA\Service Catalog\view\conf
    viewService.conf:
      wrapper.java.additional.10=-Djavax.net.ssl.trustStore="C:/Program Files/CA/SC/JRE/11.0.1/lib/security/cacerts"
    server.xml (excerpt):
      <Service name="Catalina">
        <Connector SSLEnabled="true" maxThreads="200" port="8443"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
          <SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                                  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                                  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                                  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                                  TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,
                                  TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
                                  SSL_RSA_WITH_3DES_EDE_CBC_SHA"
                         honorCipherOrder="true" protocols="TLSv1.2" sslProtocol="TLSv1.2">
            <Certificate certificateKeyAlias="gopas01-z23807"
                         certificateKeystoreFile="C:/Program Files/CA/SC/CASM-SSL-Configurator//casm.keystore"
                         certificateKeystorePassword="N0tallowed"
                         certificateKeystoreType="PKCS12"/>
          </SSLHostConfig>
        </Connector>
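The following Python check is an added example, not part of the original article or of the utility. It reads a Tomcat server.xml like the excerpt above and lists the items in a generated connector that are worth reviewing after the wizard runs: 3DES, static-RSA and CBC cipher suites, legacy protocol versions, and the keystore password stored in cleartext. The sample XML is constructed from the excerpt with placeholder values, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml excerpt above: cipher list
# shortened, alias and password replaced with placeholders.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector SSLEnabled="true" port="8443">
    <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true"
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                 TLS_RSA_WITH_AES_128_GCM_SHA256,
                 SSL_RSA_WITH_3DES_EDE_CBC_SHA">
      <Certificate certificateKeyAlias="example-alias"
          certificateKeystoreFile="casm.keystore"
          certificateKeystorePassword="PLACEHOLDER"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

def suite_concerns(suite):
    """Reasons a JSSE cipher suite name deserves review (empty list if none)."""
    reasons = []
    if "3DES" in suite:
        reasons.append("3DES (64-bit block cipher)")
    if suite.startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_")):
        reasons.append("static RSA key exchange, no forward secrecy")
    if "_CBC_" in suite:
        reasons.append("CBC mode, prefer an AEAD (GCM) suite")
    return reasons

def audit_server_xml(xml_text):
    """Return review findings for every SSL-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        port = conn.get("port", "?")
        for host in conn.iter("SSLHostConfig"):
            for proto in re.split(r"[,\s+]+", host.get("protocols", "")):
                if proto in LEGACY_PROTOCOLS:
                    findings.append(f"port {port}: legacy protocol {proto}")
            for suite in (s.strip() for s in host.get("ciphers", "").split(",")):
                findings += [f"port {port}: {suite}: {r}" for r in suite_concerns(suite)]
            if any(c.get("certificateKeystorePassword") for c in host.iter("Certificate")):
                findings.append(f"port {port}: keystore password in cleartext, "
                                "restrict read access to server.xml")
    return findings
```

To run it against a real file, pass the file's contents to audit_server_xml and print each returned finding.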
Remove a Certificate
Launch the SSL Configurator Wizard and from the Available Tasks Page, select this option to remove a Keystore entry:
Tasks for Test Environments
From the Available Tasks Page, select this option for test environments/Non-Production environments to generate a self-signed certificate.
  1. Generate a self-signed certificate, using default values.
    Provide the Alias and FQDN details. All other properties are defaulted.
    Follow the steps shown in Generate a Certificate Signing Request.
Turning Debug On
To turn on debug level logging for the SSL Configurator wizard utility, open the file <root install>\cfg\log4j.properties and change the following line:
log4j.rootCategory=INFO, jstdlog
to
log4j.rootCategory=DEBUG, jstdlog
Customize Tomcat Connectors
The SSL Configurator wizard utility uses a default set of properties to generate the Tomcat connector definitions. These default properties are available in <root install>\cfg\config.properties. This file can be updated to add, remove, or modify default properties. The file consists of one variable and value pair per line.
Variable names that start with base.tomcat.Connector apply to all Tomcat servers. In addition to the base variables, single-Tomcat variables can be used to override the base variables. Single-Tomcat variables start with a pre-defined name:
  • sdm.tomcat.Connector for SDM Tomcat
  • fs.tomcat.Connector for Federated Search Tomcat
  • rest.tomcat.Connector for REST Tomcat
  • sa.tomcat.Connector for Support Automation Tomcat
  • viz.tomcat.Connector for Visualizer Tomcat
For example, if you want all Tomcat servers to have the property maxThreads=250 but want the SDM Tomcat to have a value of 300, the settings for that property would be as follows:
base.tomcat.Connector.maxThreads=250
sdm.tomcat.Connector.maxThreads=300
Backing Out Completed Task for SSL-Enabled Web Servers
If you have performed the steps shown in Enable HTTPS for CASM Web Servers, you can back out the changes if required.
To back out a successfully completed task after enabling HTTPS for CASM web servers, perform the following steps:
  1. Stop the Service Desk Manager Server services.
  2. Navigate to the Service Desk Manager install folder.
  3. For each Tomcat server that is updated in your environment, navigate to the corresponding Tomcat conf folder.
    For example: bopcfg\www\CATALINA_BASE\conf
  4. Remove or rename the server.xml file.
  5. Rename the backup file to server.xml.
    The backup file has a name pattern of server.xml.1551384371419.bak
  6. Start the Service Desk Manager Server services.
  7. The Web CGI URL and the Upload Servlet URL can be updated via the Administration tab in the SDM Web Interface as usual.
If the xFlow Analyst Interface is installed on the system, follow the steps below.
  1. Stop the xFlow Analyst Interface services.
  2. Navigate to xFlow Analyst Interface Services folder.
    For example: \Program Files\CA\xFlow\APPS\Services
  3. For each of the subfolders, remove or rename the text file as follows:
    (Current) File Name
    (To) Rename or Remove File
    collabmicroservice
    17.0.479\COLLABMICROSERVICE_config.txt
    incidentmicroservice
    17.0.479\INCIDENTMICROSERVICE_config.txt
    insightmicroservice
    17.1.706\INSIGHTMICROSERVICE_config.txt
    pushmicroservice
    17.0.479\PUSHMICROSERVICE_config.txt
    searchmicroservice
    17.0.479\SEARCHMICROSERVICE_config.txt
  4. Navigate to the web server conf folder.
    For example: \Program Files\CA\xFlow\APPS\Services\incidentmicroservice-17.0.479\public\conf
  5. Remove or rename the casm.conf.js file.
  6. Rename the backup file to casm.conf.js.
    The backup file has a name pattern of casm.conf.js.1551384372153.bak
  7. Start the CA xFlow Analyst Interface services.
Uninstall the SSL Configurator Utility
To uninstall the SSL Configurator wizard utility, just delete the <root install> folder.