SSL Configurator Utility Wizard for CA Service Management
CA Service Management now provides the SSL Configurator Utility Wizard to make it easier to configure SSL/TLS settings for CA Service Desk Manager, xFlow Interface, and CA Service Catalog. In addition, this utility provides the option to generate and import an SSL certificate for Apache Tomcat and IIS web servers.
The SSL Configurator Wizard utility is currently supported on CA SDM (Tomcat/IIS web servers), CA Service Catalog, and xFlow Interface (Play web server).
The SSL Configurator Wizard utility does not provide a history of completed tasks in its user interface. To review previously completed tasks, open the log file <root install>\log\jstd.log, where each wizard task reports a success or failure message.
Launch the SSL Configurator Utility
- Download the CA Service Management 17.3 DVD from Broadcom Support.
- Extract the contents of the DVD and navigate to the Filestore location. The SSL Utility Wizard installation files are available in \filestore\SSL_TLS_Utility.
- The SSL_TLS Utility folder has:
- Create the following folder in the shared components location (\Program Files\CA\SC on Windows, /opt/CA/SC on non-Windows) for CA Service Management:
  - CASM SSL Configurator (Windows)
  - CasmSSLConfigurator (non-Windows: create a folder name without spaces)
- Copy CASM-SSL-Configurator.zip (Windows) or CASM-SSL-Configurator.tar.gz (non-Windows) to the folder created in step 4 and extract it there. After extraction, casm_sslconfig.bat (Windows) and casm_sslconfig.sh (non-Windows) are present in that folder.
- Open the casm_sslconfig.bat file (Windows) or the casm_sslconfig.sh file (non-Windows) and update the shared components Java home path.
  Example Windows: SC_JAVA_HOME=C:\Program Files\CA\SC\JRE\11.0.3
  Example non-Windows: SC_JAVA_HOME=/opt/CA/SC/JRE/11.0.3
- Run the SSL Configurator Utility script from step 6 with administrative privileges (Run as Administrator on Windows).
- The SSL Configurator Utility Wizard is launched.
- Select a language: the wizard defaults to the system locale; change it if you prefer a different locale.
- Provide the CASM keystore password:
  - On the CASM Keystore page, enter the password of your existing keystore if one is already stored on this system.
  - If you are generating a keystore for the first time, enter a new password for the CASM keystore. Click Next.
Generate a Certificate Signing Request
This task generates a certificate signing request (CSR) document that you submit to a Certificate Authority. The CSR is built from the information you provide on the wizard page.
Perform the following steps:
- On the Available Tasks page, select the Generate a Certificate Signing Request option.
- Complete the fields on this page:
  - Alias: the alias name of the keystore entry; in most cases, the local host name.
  - FQDN: the fully qualified domain name of the local server. It must match exactly the server name used in the URL that accesses the web interface.
  - Organization: the legal name of your organization. Do not abbreviate it; include all suffixes.
  - Organization Unit: the division or unit of your organization.
  - City: the city where your organization is located.
  - State: the state or region where your organization is located, not abbreviated.
  - Country Code: the two-letter ISO country code where your organization is located.
  - Days Valid: the number of days the certificate is valid for. A CSR carries no validity period; the issuing CA decides how long the certificate it signs is valid, so this value applies to the key-pair entry that the utility creates in the CASM keystore.
  - Key Algorithm: the algorithm used to generate the key pair. Possible values: RSA, DSA, EC. Valid key sizes per algorithm: RSA 2048 or 4096; DSA 2048; EC 256 or 512.
  - Key Size: the size of each key (public and private) to be generated. Default: 2048. The valid sizes depend on the selected key algorithm.
  Note: the Tomcat connector that this utility generates (see the server.xml example under Enable HTTPS for CA Service Catalog) lists only RSA cipher suites (TLS_ECDHE_RSA_*, TLS_DHE_RSA_*, TLS_RSA_*). A certificate with an EC or DSA key matches none of them, so if you choose EC or DSA, add suites for that key type to the cipher list (see Customize Tomcat Connectors).
- Click Next to review the Summary page. The .csr file location is shown on the Review page.
- Click Finish. After successful completion, the task summary displays the location of the generated CSR document.
Import a Certificate
- Launch the wizard and select the Import an SSL Certificate option to import an SSL certificate, or a certificate chain, provided by a Certificate Authority (CA) into the keystore created earlier as part of generating the CSR. Depending on your configuration, you may need to import more than one certificate (for example the CA's intermediate and root certificates as well as the server certificate). Click Next.
- Provide the following information to import the SSL certificate:
  - The alias (entry name) that you used when creating the CSR.
  - Browse to and select the location of the SSL certificate.
- Click Next to review the Summary page.
- Click Finish to complete the import.
Enable HTTPS for Service Management (Service Desk Manager, xFlow Interface, and Service Catalog)
Perform the following steps to complete the SSL configuration for SDM, the xFlow Interface, and Service Catalog:
Enable HTTPS for CA Service Desk Manager Web Servers and xFlow Interface
Launch the SSL Configurator Wizard utility and select the option to enable HTTPS for the Service Desk Manager web servers.
Ensure that the Service Desk Manager services are up and running in order to complete this task.
Perform the following steps:
- After launching the SSL Configurator Wizard, select the Enable HTTPS for Service Desk Manager option on the main page of the SSL Wizard and click Next. The port fields for Tomcat server instances that are not installed are greyed out. If IIS is not installed in your environment, the IIS SSL Port fields are hidden. Provide the following details:
  - SDM Tomcat HTTPS Port: the Tomcat HTTPS port for the Web Client Interface.
  - Federated Search Tomcat HTTPS Port: the Tomcat HTTPS port for the Federated Search service.
  - REST Tomcat HTTPS Port: the Tomcat HTTPS port for the REST web service.
  - Support Automation HTTPS Port: the Tomcat HTTPS port for Support Automation, if you have enabled this component for CA SDM.
  - Visualizer Tomcat HTTPS Port: the Tomcat HTTPS port for CMDB Visualizer, if you have enabled this CA SDM component.
  - Available Certificates: the keystore certificate entry to use for HTTPS.
  - Website: the IIS website that serves CA SDM.
  - IIS HTTPS Port: the HTTPS port number for the IIS web server.
  - Web CGI URL: the HTTPS URL value for the global SDM option web_cgi_url, mainly used for user notifications. Can be left unchanged. If you update this value, make sure the URL contains the https scheme and the HTTPS port number.
  - Upload Servlet URL: the HTTPS URL value for the attachment servlet path on this local server. Can be left unchanged. If you update this value, make sure the URL contains the https scheme and the HTTPS port number.
- Click Next to configure the xFlow Interface for HTTPS (if you have installed the xFlow Interface in your environment) and provide its HTTPS ports. If the xFlow Analyst Interface is not installed on this system, the message "The xFlow Analyst Interface is not installed on this environment" is displayed.
Enable HTTPS for CA Service Catalog
The SSL Configuration batch file must be updated with the JRE path used by CA Service Catalog before you run the utility.
Perform the following steps:
- After launching the SSL Configurator Wizard, select the Enable HTTPS for CA Service Catalog option on the main page of the SSL Wizard. If CA Service Catalog is not installed on this system, the message "CA Service Catalog is not installed in this environment" is displayed.
- Complete the following information:
  - Catalog Tomcat HTTPS Port: the Tomcat HTTPS port used by the Service Catalog Web Client Interface.
  - Available Certificates: the keystore certificate entry to use for HTTPS.
- Click Next. The CA Service Catalog tasks are added to the summary.
- Review the Summary page. For any file updated by this task, a backup file is created in the same location as the source.
- Click Finish to complete the process. Finish updates the Catalog server.xml and viewService.conf files (after backing them up) in their install locations, for example under C:\Program Files\CA\Service Catalog\view\conf.
  viewService.conf:
    wrapper.java.additional.10=-Djavax.net.ssl.trustStore="C:/Program Files/CA/SC/JRE/11.0.1/lib/security/cacerts"
  server.xml:
    <Service name="Catalina">
      <Connector SSLEnabled="true" maxThreads="200" port="8443"
                 protocol="org.apache.coyote.http11.Http11NioProtocol"
                 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
        <SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA"
                       honorCipherOrder="true" protocols="TLSv1.2" sslProtocol="TLSv1.2">
          <Certificate certificateKeyAlias="gopas01-z23807"
                       certificateKeystoreFile="C:/Program Files/CA/SC/CASM-SSL-Configurator//casm.keystore"
                       certificateKeystorePassword="N0tallowed"
                       certificateKeystoreType="PKCS12"/>
        </SSLHostConfig>
      </Connector>
  Note: the keystore password is written in clear text into server.xml, and the generated cipher list still includes SSL_RSA_WITH_3DES_EDE_CBC_SHA (3DES) and the static-RSA TLS_RSA_* suites, which provide no forward secrecy. Restrict read access to server.xml and the keystore file, and trim the cipher list through config.properties (see Customize Tomcat Connectors) if your policy requires it.
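The following script is an added example, not part of this page or of the SSL Configurator utility: it parses a server.xml, reports the protocol and cipher settings of every SSLEnabled connector, flags the 3DES and static-RSA suites in the generated list above, and derives a trimmed cipher list that you can feed back through config.properties. The sample document is constructed from the fragment shown above (wrapped in a minimal <Server> element so it parses); the "weak" and "forward secrecy" classification rules are the author's, not the utility's.

```python
"""Audit an SSL-enabled Tomcat <Connector> as written by the SSL Configurator."""
import xml.etree.ElementTree as ET

# Constructed sample: the SSLHostConfig fragment from this page, wrapped in a
# minimal <Server> so it parses as a complete document. The newlines inside
# the ciphers attribute become spaces during attribute normalisation and are
# stripped below, just like the stray spaces in the page's own value.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector SSLEnabled="true" maxThreads="200" port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
      <SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA"
                     honorCipherOrder="true" protocols="TLSv1.2" sslProtocol="TLSv1.2">
        <Certificate certificateKeyAlias="gopas01-z23807"
                     certificateKeystoreFile="C:/Program Files/CA/SC/CASM-SSL-Configurator//casm.keystore"
                     certificateKeystorePassword="N0tallowed"
                     certificateKeystoreType="PKCS12"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Substrings that identify suites no current hardening policy keeps (author's list).
WEAK_MARKERS = ("3DES", "_DES_", "RC4", "NULL", "EXPORT", "MD5", "anon")
# Only ephemeral (EC)DHE exchanges, and the TLS 1.3 suites (always ephemeral),
# give forward secrecy; the static TLS_RSA_* key exchange does not.
PFS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")


def split_list(attr_value):
    """Split a comma-separated attribute, dropping whitespace and empty items."""
    return [item.strip() for item in attr_value.split(",") if item.strip()]


def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)


def has_forward_secrecy(suite):
    return suite.startswith(PFS_PREFIXES)


def hardened_cipher_list(suites):
    """Keep the original order, drop weak and non-PFS suites."""
    return [s for s in suites if not is_weak(s) and has_forward_secrecy(s)]


def audit_connectors(server_xml_text):
    """Return one finding dict per SSLHostConfig of every SSLEnabled Connector."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        for host_cfg in connector.findall("SSLHostConfig"):
            protocols = split_list(host_cfg.get("protocols", ""))
            suites = split_list(host_cfg.get("ciphers", ""))
            cert = host_cfg.find("Certificate")
            findings.append({
                "port": connector.get("port"),
                "protocols": protocols,
                "legacy_protocols": [p for p in protocols if p not in ACCEPTABLE_PROTOCOLS],
                "honor_cipher_order": host_cfg.get("honorCipherOrder", "false").lower() == "true",
                "cipher_count": len(suites),
                "weak_ciphers": [s for s in suites if is_weak(s)],
                "no_pfs_ciphers": [s for s in suites if not has_forward_secrecy(s)],
                "hardened_ciphers": hardened_cipher_list(suites),
                "key_alias": None if cert is None else cert.get("certificateKeyAlias"),
                "keystore_type": None if cert is None else cert.get("certificateKeystoreType"),
                # The wizard writes the keystore password in clear text; flag it so
                # the file permissions on server.xml get reviewed.
                "plaintext_keystore_password": cert is not None
                and bool(cert.get("certificateKeystorePassword")),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        for key, value in finding.items():
            print(f"{key}: {value}")
```

Run it against the real file (for example bopcfg\www\CATALINA_BASE\conf\server.xml) by passing the file contents to audit_connectors; the hardened_ciphers value is the list to place under the connector prefix in config.properties before re-running the wizard.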
Remove a Certificate
Launch the SSL Configurator Wizard and, on the Available Tasks page, select the Remove a Certificate option to remove a keystore entry. Do not remove an entry that an HTTPS connector still references (the certificateKeyAlias in server.xml); Tomcat cannot initialize that connector without it.
Tasks for Test Environments
From the Available Tasks page, select the self-signed certificate task for test or non-production environments.
- Generate a self-signed certificate, using default values. Follow the steps shown in Generate a Certificate Signing Request. Provide the Alias and FQDN details; all other properties take their defaults. Browsers and API clients warn about or reject a self-signed certificate unless it is added to their trust store, which is why this task is limited to test environments.
Turning Debug On
To turn on debug level logging for the SSL Configurator wizard utility, open the file <root install>\cfg\log4j.properties and change the following line:
Customize Tomcat Connectors
The SSL Configurator wizard utility uses a default set of properties to generate the Tomcat connector definitions. These defaults are in <root install>\cfg\config.properties. You can update this file to add, remove, or modify properties. Each line holds one variable and value pair.
Variable names that start with base.tomcat.Connector apply to all Tomcat servers. In addition to the base variables, single-Tomcat variables can override the base variables. Single-Tomcat variables start with one of these pre-defined names:
- sdm.tomcat.Connector for the SDM Tomcat
- fs.tomcat.Connector for the Federated Search Tomcat
- rest.tomcat.Connector for the REST Tomcat
- sa.tomcat.Connector for the Support Automation Tomcat
- viz.tomcat.Connector for the Visualizer Tomcat
For example, if you want all Tomcat servers to have the property maxThreads=250 but want the SDM Tomcat to have a value of 300, set maxThreads to 250 under the base.tomcat.Connector prefix and to 300 under the sdm.tomcat.Connector prefix; the single-Tomcat value overrides the base value for that server only.
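The following script is an added example, not the utility's own code: it implements the override layering described above (base prefix applies to every Tomcat, a server prefix wins for that server), renders the result as a <Connector> start tag, and lists keys that match no known prefix, the usual symptom of a mistyped prefix that silently changes nothing. The sample config.properties content is constructed; it assumes the attribute name follows the prefix after a dot and that "=" separates variable from value, which the page does not state.

```python
"""Resolve Tomcat connector attributes from config.properties prefixes."""
from xml.sax.saxutils import quoteattr

BASE_PREFIX = "base.tomcat.Connector"
SERVER_PREFIXES = {
    "sdm": "sdm.tomcat.Connector",
    "fs": "fs.tomcat.Connector",
    "rest": "rest.tomcat.Connector",
    "sa": "sa.tomcat.Connector",
    "viz": "viz.tomcat.Connector",
}

# Constructed sample. ASSUMPTION: "<prefix>.<attribute>=<value>" per line; the
# real file may lay keys out differently. The last line carries a deliberate
# typo in the prefix ("connector") so the unknown-key check has something to find.
SAMPLE_PROPERTIES = """\
# Tomcat connector defaults (comments and blank lines are ignored)
base.tomcat.Connector.maxThreads=250
base.tomcat.Connector.SSLEnabled=true
base.tomcat.Connector.protocol=org.apache.coyote.http11.Http11NioProtocol

sdm.tomcat.Connector.maxThreads=300
rest.tomcat.Connector.maxThreads = 150
sdm.tomcat.connector.acceptCount=100
"""


def parse_properties(text):
    """Minimal parser: one pair per line, '#'/'!' comments, whitespace trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _attributes(props, prefix):
    """Attributes whose key is <prefix>.<attribute>, keyed by attribute name."""
    head = prefix + "."
    return {key[len(head):]: value for key, value in props.items() if key.startswith(head)}


def resolve_connector(props, server):
    """Base attributes first, then the server-specific attributes win."""
    if server not in SERVER_PREFIXES:
        raise ValueError(f"unknown Tomcat server {server!r}")
    attrs = _attributes(props, BASE_PREFIX)
    attrs.update(_attributes(props, SERVER_PREFIXES[server]))
    return attrs


def resolve_all(text):
    """Resolved attribute map for every Tomcat the utility knows about."""
    props = parse_properties(text)
    return {server: resolve_connector(props, server) for server in SERVER_PREFIXES}


def unknown_keys(text):
    """Keys that match no known prefix: almost always a typo that does nothing."""
    known = tuple([BASE_PREFIX + "."] + [p + "." for p in SERVER_PREFIXES.values()])
    return sorted(k for k in parse_properties(text) if not k.startswith(known))


def render_connector(attrs, port):
    """Render the resolved attributes as a <Connector> start tag, values XML-escaped."""
    parts = [f"port={quoteattr(str(port))}"]
    parts += [f"{name}={quoteattr(value)}" for name, value in sorted(attrs.items())]
    return "<Connector " + " ".join(parts) + ">"


if __name__ == "__main__":
    for server, attrs in resolve_all(SAMPLE_PROPERTIES).items():
        print(server, render_connector(attrs, 8443))
    print("unknown keys:", unknown_keys(SAMPLE_PROPERTIES))
```

Running unknown_keys over your edited config.properties before launching the wizard is the cheap check that a new per-server override will actually be picked up.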
Backing Out Completed Task for SSL-Enabled Web Servers
If you have performed the steps in Enable HTTPS for CASM Web Servers, you can back them out as follows.
To back out a successfully completed task after enabling HTTPS for CASM web servers, perform the following steps:
- Stop the Service Desk Manager server services.
- Navigate to the Service Desk Manager install folder.
- For each Tomcat server that was updated in your environment, navigate to the corresponding Tomcat conf folder. For example: bopcfg\www\CATALINA_BASE\conf
- Remove or rename the server.xml file.
- Rename the backup file to server.xml. The backup file has a name pattern of server.xml.1551384371419.bak, where the number is the time of the backup in milliseconds since the epoch. If the task was run more than once, several backups exist; the oldest one is the copy taken before HTTPS was first enabled.
- Start the Service Desk Manager server services.
- The Web CGI URL and the Upload Servlet URL can be updated as usual through the Administration tab of the SDM web interface.
If the xFlow Analyst Interface is installed on the system, also follow these steps:
- Stop the xFlow Analyst Interface services.
- Navigate to the xFlow Analyst Interface Services folder. For example: \Program Files\CA\xFlow\APPS\Services
- In each of the following subfolders, remove or rename the listed file:
  - collabmicroservice-17.0.479\COLLABMICROSERVICE_config.txt
  - incidentmicroservice-17.0.479\INCIDENTMICROSERVICE_config.txt
  - insightmicroservice-17.1.706\INSIGHTMICROSERVICE_config.txt
  - pushmicroservice-17.0.479\PUSHMICROSERVICE_config.txt
  - searchmicroservice-17.0.479\SEARCHMICROSERVICE_config.txt
- Navigate to the web server conf folder. For example: \Program Files\CA\xFlow\APPS\Services\incidentmicroservice-17.0.479\public\conf
- Remove or rename the casm.conf.js file.
- Rename the backup file to casm.conf.js. The backup file has a name pattern of casm.conf.js.1551384372153.bak
- Start the CA xFlow Analyst Interface services.
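The following script is an added example, not part of the utility, that automates the server.xml and casm.conf.js rollback steps above. It recognises the <name>.<epoch-ms>.bak pattern, sorts the backups by timestamp, restores the oldest by default (the pre-HTTPS original when the wizard has run more than once), keeps the replaced file as <name>.rolledback.<epoch-ms> so the rollback is itself reversible, and copies rather than renames the .bak so the wizard's audit trail survives. The demo() function builds a scratch conf folder with constructed contents; the "oldest is the original" rule is the author's reasoning from the backup naming, not a statement from the page.

```python
"""Roll back a file the SSL Configurator replaced, using its timestamped backup."""
import os
import re
import shutil
import tempfile
import time


def list_backups(directory, name):
    """Return (epoch_ms, path) for each backup of `name`, oldest first."""
    pattern = re.compile(r"^" + re.escape(name) + r"\.(\d+)\.bak$")
    found = []
    for entry in os.listdir(directory):
        match = pattern.match(entry)
        if match:
            found.append((int(match.group(1)), os.path.join(directory, entry)))
    return sorted(found)


def restore_backup(directory, name, which="oldest"):
    """Put the chosen backup back in place of `name`; return the backup's path.

    The file being replaced is kept as <name>.rolledback.<epoch-ms> so the
    rollback can be undone, and the .bak is copied, not renamed, so the
    record of what the wizard wrote stays intact.
    """
    if which not in ("oldest", "newest"):
        raise ValueError("which must be 'oldest' or 'newest'")
    backups = list_backups(directory, name)
    if not backups:
        raise FileNotFoundError(f"no {name}.<timestamp>.bak found in {directory}")
    _, backup_path = backups[0] if which == "oldest" else backups[-1]
    target = os.path.join(directory, name)
    if os.path.exists(target):
        os.replace(target, f"{target}.rolledback.{int(time.time() * 1000)}")
    shutil.copy2(backup_path, target)
    return backup_path


def demo():
    """Build a scratch conf folder (constructed data) and roll server.xml back."""
    conf = tempfile.mkdtemp(prefix="catalina-conf-")
    files = {
        "server.xml": "<!-- current, written by the second wizard run -->",
        "server.xml.1551384371419.bak": "<!-- original, before HTTPS -->",
        "server.xml.1551384999999.bak": "<!-- after the first wizard run -->",
        "casm.conf.js.1551384372153.bak": "// xFlow backup, must be ignored here",
    }
    for filename, body in files.items():
        with open(os.path.join(conf, filename), "w", encoding="utf-8") as fh:
            fh.write(body)
    restored = restore_backup(conf, "server.xml")
    with open(os.path.join(conf, "server.xml"), encoding="utf-8") as fh:
        content = fh.read()
    result = {
        "backups_seen": [stamp for stamp, _ in list_backups(conf, "server.xml")],
        "restored_from": os.path.basename(restored),
        "server_xml": content,
        "rolled_back_copies": sorted(n for n in os.listdir(conf) if ".rolledback." in n),
        "bak_still_present": os.path.exists(restored),
    }
    shutil.rmtree(conf)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a real rollback, stop the services first as the steps above require, then call restore_backup(conf_dir, "server.xml") for each Tomcat conf folder and restore_backup(conf_dir, "casm.conf.js") for the xFlow web server conf folder.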
Uninstall the SSL Configurator Utility
To uninstall the SSL Configurator wizard utility, just delete the