After upgrading to NFA 9.3.8 my SSO Service will not start

Document ID : KB000072483
Last Modified Date : 13/04/2018
Issue:
After upgrading to NFA 9.3.8 the SSO Service may not start if you previously had https configured, as some of the configuration files have changed to add enhanced security.
Environment:
NFA 9.3.8
Cause:
Some of the Jetty/SSO configuration files were changed to allow for security updates.
Resolution:
If you were on 9.3.6 previously with https successfully configured, after upgrading to 9.3.8 you will only need to follow steps 6-9 of the NFA 9.3.8 Configuration Guide.
If you were on 9.3.3 or earlier you will also have to create a certs directory in \<Install Dir>\NFA\certs and copy your certificate files into this directory.

For your convenience, the attached .zip contains the files that need to be updated, in the correct format for proper https configuration.

To apply these files follow the steps below:

1. Download the attached NFA_9.3.8_HTTPS_Config.zip file to your NFA console server and unzip the file.

2. Copy the start.ini to \<Install Directory>\Portal\SSO\.

3. Copy the other 3 files to \<Install Directory>\Portal\SSO\etc\

4. Edit the jetty-ssl-context.xml in WordPad or Notepad++ (it is easier to view than in Notepad).
    Modify the lines below to reflect the location of your \<Install Directory>\NFA\certs directory and certificate file names where it says C:\CA\NFA\certs\CertificateName.pfx.

    Also modify the password for your certificates where it states "YourPassword".

<Set name="KeyStorePath">C:\CA\NFA\certs\CertificateName.pfx</Set>
<Set name="KeyStorePassword">YourPassword</Set>
<Set name="KeyStoreType">pkcs12</Set>
<Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
<Set name="KeyManagerPassword">YourPassword</Set>
<Set name="TrustStorePath">C:\CA\NFA\certs\CertificateName.pfx</Set>
<Set name="TrustStorePassword">YourPassword</Set>
<Set name="TrustStoreType">pkcs12</Set>

5. Save the file and restart your CA Performance Center SSO server and attempt to access NFA again using https.
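
A pre-restart check for steps 4 and 5, as an added example that is not part of the original article or of CA's tooling: it parses jetty-ssl-context.xml, flags leftover template values and missing files, and opens the PKCS#12 keystore with the configured password. The function name Test-JettySslContext and the -ContextFile parameter are hypothetical; pass the full path of your own jetty-ssl-context.xml.

```powershell
# Added example, not CA/NFA code: pre-restart check of jetty-ssl-context.xml.
param(
    # Assumption: full path to <Install Directory>\Portal\SSO\etc\jetty-ssl-context.xml
    [Parameter(Mandatory = $true)][string]$ContextFile
)
function Test-JettySslContext {
    param([string]$Path)
    $problems = @()
    # The Jetty file carries a DOCTYPE; ignore it so parsing never fetches the DTD.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Ignore
    $settings.XmlResolver = $null
    $reader = [System.Xml.XmlReader]::Create((Resolve-Path -LiteralPath $Path).ProviderPath, $settings)
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.Load($reader) } finally { $reader.Close() }
    # Read each <Set name="..."> element that the article says to edit.
    $cfg = @{}
    foreach ($name in 'KeyStorePath','KeyStorePassword','KeyStoreType',
                      'KeyManagerPassword','TrustStorePath','TrustStorePassword') {
        $node = $doc.SelectSingleNode("//Set[@name='$name']")
        if ($null -eq $node) { $problems += "$name is missing" } else { $cfg[$name] = $node.InnerText.Trim() }
    }
    foreach ($name in 'KeyStorePassword','KeyManagerPassword','TrustStorePassword') {
        if ($cfg[$name] -eq 'YourPassword') { $problems += "$name still holds the template placeholder" }
    }
    foreach ($name in 'KeyStorePath','TrustStorePath') {
        if ($cfg[$name] -and -not (Test-Path -LiteralPath $cfg[$name] -PathType Leaf)) {
            $problems += "$name does not exist: $($cfg[$name])"
        }
    }
    # Open the PKCS#12 file with the configured password, as Jetty must at startup.
    if ($problems.Count -eq 0 -and $cfg['KeyStoreType'] -eq 'pkcs12') {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
        $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        try {
            $certs.Import($cfg['KeyStorePath'], $cfg['KeyStorePassword'], $flags)
            $withKey = @($certs | Where-Object { $_.HasPrivateKey })
            if ($withKey.Count -eq 0) { $problems += 'keystore holds no private key' }
            foreach ($c in $withKey) {
                if ($c.NotAfter -lt (Get-Date)) { $problems += "certificate expired $($c.NotAfter): $($c.Subject)" }
            }
        } catch { $problems += "cannot open keystore: $($_.Exception.Message)" }
    }
    return $problems
}
$result = Test-JettySslContext -Path $ContextFile
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'Keystore settings look consistent.' }
```

The script never prints the configured passwords; because jetty-ssl-context.xml stores them in clear text, restrict read access on that file and on the certs directory to the account that runs the SSO service.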
Additional Information:
As part of the update to the https configuration, you can now restrict the SSO service to use TLS 1.2 only.
To do so, follow the steps to Enable TLS 1.2 for HTTPS Connection.
 
File Attachments:
NFA_9.3.8_HTTPS_Config.zip