Configuring SSL for Tomcat with CA Service Desk Manager

Document ID : KB000020986
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

This document provides an overview, and the specific steps required to enable and configure SSL for Tomcat with CA Service Desk Manager. This specifically covers information on vendor Signed certificates (not self signed certificates)

Solution:

To get us started, first we must understand that SSL requires the use of what is known as a valid SSL certificate. There are many ways to obtain an SSL certificate, including through a certified vendor such as Verisign, GoDaddy or DigiCert, and even ways to generate and use a self-signed certificate (although these are not preferred as they are not as secure and often don't work properly with Tomcat).

What do we mean by a "valid" SSL certificate? In order to be "valid" a certificate must be from a certified vendor, and must be generated based on the specific information for each individual server - which is generated into what is known as a "certificate request" - which is then sent to the vendor, and used to generate a certificate for the given server(s) on which the certificate request was generated.

So the first step to implementing SSL on Tomcat is to first decide what servers will need certificates - which will most likely be any server where Service Desk is installed.

Next, you will follow the steps (also stated in the admin guide for the product) to create what is called a Keystore. A Keystore is a "store" or storage unit for certificates, in which the certificates will be imported to, and then Tomcat will be pointed to use that Keystore and certificates for SSL.

To create the Keystore, follow these steps on each server that will require an SSL certificate:

Create a directory under the C: drive (or whatever LOCAL drive you choose) called "certificates".

On the command line navigate to the JRE bin directory (for the JRE installed with Service Desk - usually /SC/JRE).

Run the command "keytool -genkey -alias tomcat -keyalg RSA -keystore c:/certificates/keystore.jks".

Fill in the fields as appropriate (make sure to note what you filled in each filed as you may need this info later).

You should now see a keystore.jks file located in the C:\certificates\ directory.

Next, you need to generate the Certificate Request for each server:

On the command line navigate to the JRE bin directory (for the JRE installed with Service Desk - usually /SC/JRE).

Run the command "keytool -certreq -alias tomcat -keystore c:/certificates/keystore.jks -file servername-certreq.csr".

After performing the above steps, you should see a .csr file in the c:/certificates directory on each server where you generated the certificate request.

Next, you will take those .csr files and send them off to the vendor of your choice. The vendor will then generate the appropriate certificates you need based on the certificate request, for each server, and will then send you back the certificates for each.

The next part is where the confusion can get in the way sometimes, and here's why...

Each vendor is different. Some vendors will send you multiple certificated possibly including a root certificate, an intermediate certificate, and a certificate of authority. That said, each vendor has different instructions on which certificates they provide need to be imported into the keystore. So the key here is to ask the specific vendor that you used to generate the certificates for you, for specific instructions on how to import their certificates into a tomcat keystore.

Once you received the specific instructions from the vendor, you can follow those to import the appropriate certificates into the keystore on each server. Once that is complete, you can now configure Tomcat on the Service Desk side of things to point it to that keystore where the certificates have been imported.

To configure Service Desk Tomcat to use SSL follow these steps on each server where you are configuring SSL for Tomcat:

Open the \bopcfg\www\CATALINA_BASE\conf\server.xml file using a text editor

Locate the following:


 <!--
   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" />
   -->

Change it as follows:

**NOTE - be sure to remove the <-- and --> tags that currently comment out the HTTPS/SSL connector for Tomcat, and set the appropriate path and password for your keystore that you generated in the beginning


<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS"
    keystoreFile="keystoreFile="C:\certs\keystore.jks" 
    keystorePass="password"/>

Save the server.xml file

Recycle Tomcat by using the following commands

**NOTE: it is always better if you can to recycle CA Service Desk Manager services as a whole - this better ensures a successful restart of tomcat - however if you cannot do that, you can try to just recycle tomcat itself with these commands

pdm_tomcat_nxd -c stop
pdm_tomcat_nxd -c start

Now, test your tomcat SSL connection by opening a browser and navigating to the Service Desk URL, using the HTTPS protocol, and the tomcat port - similar to this: "https://servername:8080/CAisd/pdmweb.exe" - which should bring you to the Service Desk Login Screen.

That should be all you need to get SSL configured for Tomcat in Service Desk.

So in summary, the key points are that you need to select a certified vendor, create a certificate request on each server that requires one, send that cert request to the vendor of your choice - be sure when you send them the certificate requests for your servers that you generated, ask for the specific instructions on how to import their certificate(s) into a tomcat keystore, and then complete the configuration of the server.xml file to point Tomcat to the appropriate keystore.