Configure CA Asset Portfolio Management and CA Software Asset Manager to communicate securely using the SSL protocol

Document ID : KB000031063
Last Modified Date : 14/02/2018
Show Technical Document Details

For use with APM 12.9.02 (RO71737) or above, OR APM 14.1 GA, any patch level

 

Part 1 - Configure CA SAM to work with SSL:

1. Configure the web site on the web server where CA SAM is installed.

The following link has a nice short video on configuring the web site for SSL:  http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

 

NOTE: If APM release is 14.1, skip Part 1 #2 and proceed to Part 2.

 

2. Change the web.config file of the SAMImportExport service on the CA SAM server. 

    a. Update the serviceBehaviors section.  Change it to httpsGetEnabled = True instead of httpGetEnabled = True, as below: 

 

<serviceBehaviors>
    <behavior name="CA.Applications.OEMService.OEMImportBehavior">
     <serviceMetadata httpsGetEnabled="true" />
     <serviceDebug includeExceptionDetailInFaults="false"/>
    </behavior>
</serviceBehaviors>

 

    b. Update the bindings section as shown below.  

    Note: Change the Security mode from "None" to "Transport". Add the <transport clientCredentialType="None" />,  if not already there.

 

   <bindings>
    <basicHttpBinding>
     <binding name="httpBinding_OEMService" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text" transferMode="Streamed">
      <readerQuotas maxArrayLength="2147483647"/>
         <security mode="Transport">
         <transport clientCredentialType="None" />
         </security>
     </binding>
    </basicHttpBinding>

   </bindings>

 

    c. Under the services section, if the following line exists, change <mexHttpBinding> to <mexHttpsbinding>:


    <services>
     <service behaviorConfiguration="CA.Applications.OEMService.OEMImportBehavior" name="CA.Applications.OEMService.OEMService">
      <clear/>
       <endpoint address="" binding="basicHttpBinding" bindingConfiguration="httpBinding_OEMService" name="BasicHttpBinding_OEMService"contract="CA.Applications.OEMService.IOEMService" listenUriMode="Explicit"/>
       <endpoint address="mex" binding="mexHttpsBinding" name="Mex" contract="IMetadataExchange" listenUriMode="Explicit"/>
     </service>
    </services>

 

d. Save the changes.

 

 

Part 2 - Configure CA APM to work with SSL:

 

1. Follow the APM Implementation guide - section titled 'Secure Network Communication Configuration'

2. Change the \CA\ITAM\Import Service\web.config file, on the CA APM application server: 

     a. Update the serviceBehaviors section.  Change it to httpsGetEnabled = True instead of httpGetEnabled = True like below

 

           <serviceBehaviors>
                  <behavior name="CA.Applications.OEMService.OEMImportBehavior">
                     <serviceMetadata httpsGetEnabled="true" />
                     <serviceDebug includeExceptionDetailInFaults="false"/>
                  </behavior>
           </serviceBehaviors>

 

    b. Change the bindings section as shown below:

    Note: Change the Security mode from "None" to "Transport" and 
             add or modify the transport line to read: <transport clientCredentialType="None" /> 

 

    <bindings>

      <basicHttpBinding>

        <binding name="httpBinding_ImportService" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text" transferMode="Streamed">

      <readerQuotas maxArrayLength="2147483647"/>

           <security mode="Transport" >

            <transport clientCredentialType="None" /> 

            <message clientCredentialType="UserName" algorithmSuite="Default" /> 

          </security>

        </binding>

      </basicHttpBinding>

    </bindings>

 

    c. Under the services section, if the following line exists, change    binding = <mexHttpBinding>  to    binding =<mexHttpsbinding>

    Example:

    <services>
      <service behaviorConfiguration="CA.Applications.OEMService.OEMImportBehavior" name="CA.Applications.OEMService.OEMService">
       <clear/>
       <endpoint address="" binding="basicHttpBinding" bindingConfiguration="httpBinding_OEMService"        name="BasicHttpBinding_OEMService"contract="CA.Applications.OEMService.IOEMService" listenUriMode="Explicit"/>
       <endpoint address="mex" binding="mexHttpsBinding" name="Mex" contract="IMetadataExchange" listenUriMode="Explicit"/>
      </service>
     </services>

 

d. Save the changes.

 

3. Change the \CA\ITAM\Import Driver\ImportDriver.exe.config file on the CA APM application server:

Change the key from <security mode=”None”> to <security mode=”Transport”> and save the changes.

 

4. Change the \CA\ITAM\WCF Service\web.config file on the CA APM server: 

Change two keys from <security mode=”None”> to <security mode=”Transport”> and save the changes.

One key is located under basicHttpBinding and the other under wsHttpBinding. 

 

5. Change the \CA\ITAM\ImportProcessor.exe.config file on the CA APM application server: 

FROM:

 

    <bindings>

      <basicHttpBinding>

        <binding name="BasicHttpBinding_ImportService"/>

      </basicHttpBinding>

    </bindings>

 

TO: 

    <bindings>

      <basicHttpBinding>

        <binding name="BasicHttpBinding_ImportService">

                   <security mode="Transport">

                   <transport proxyCredentialType="None" />

                   </security>

                   </binding>

      </basicHttpBinding>

    </bindings>

 

NOTE: Verify the URL for the ImportService contains the correct protocol (https) and port number in this file.  

For example:  address="https://MyAPMServer:443/ImportService/ImportService.svc" , where MyAPMServer is the actual server name. 

 

6. Change the \CA\ITAM\Event Service\CA.Applications.EventService.exe.config file on the CA APM application server: 

    a.  Change the key from <security mode=”None”> to <security mode=”Transport”> and save the changes.

    b.  Locate the line that reads: 

        <add name="CA SAM OEM Provider" type="CA.Applications.WorkFlowProviders.OEM.OEMWorkflowProvider, CA.Applications.WorkFlowProviders.OEM" webservice="http://localhost:2450/ITAMService/Service.asmx" username="uapmadmin" password="TVpcXaThnv/V69h5Zzv17g=="/>

and change the webservice URL to the correct protocol (https) and port number.

For example:   webservice="https://MyAPMServer:443/ITAMService/Service.asmx" ,  where MyAPMServer is the actual server name. 

 

7. Update the CA SAM URLs in APM > Administration > Software Asset Management to reflect the protocol (https) and SSL port number. 

NOTE: if all components are installed on the same server avoid using 'localhost' on the URLs, use the web servers' host name instead.

 

8. Perform an IISRESET on the CA SAM and APM servers.  Restart the CA APM Services. 

 

 

9. The SSL configuration is now complete.