To use GRLoader with SSL, follow the instructions below. Configuring Web Services to run on SSL is a prerequisite.
Configure SSL on Tomcat
- From the command line, change directories to the JRE install location; default directory: C:\Program Files\CA\SharedComponents\JRE\1.4.2_06, and enter the command:
bin\keytool -genkey -alias tomcat -keyalg RSA
This generates a .keystore file.
- Answer the prompts appropriately. The default password is changeit.
If you wish to enter a password other than the default one, refer to the Tomcat documentation for further configuration requirements.
Note: The .keystore file is created by default in the home directory of the logged in user. You may specify a different location during .keystore file generation. Refer to Tomcat documentation for information on specifying a different .keystore file location.
- Edit the server.xml file located in installation-directory\bopcfg\www\CATALINA_BASE\conf.
Uncomment the SSL section and add the location of the .keystore file generated in the previous steps, e.g.:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="100" debug="0"
           scheme="https" secure="true" useURIValidationHack="false"
           disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="C:\Documents and Settings\user\.keystore" />
</Connector>
- Cycle Tomcat as follows:
pdm_tomcat_nxd -c stop
pdm_tomcat_nxd -c start
- To access the CA CMDB web interface with SSL, use https://<machinename>:8443/CAisd/pdmweb.exe. You can also derive the Web Services URL in a similar fashion.
Note: You may specify a port other than 8443 in the server.xml file. Refer to the Tomcat documentation for further information.
You will be prompted to accept the certificate for this site. View and install the SSL certificate to access CA CMDB.
Note: When accessing CA CMDB with SSL through the web from a Windows 2003 server with Internet Explorer, you must clear the check mark in the Security section on the Advanced tab of Internet Options for the following items and restart the browser:
Check for server certificate revocation (requires restart).
Configuring GRLoader to connect to SSL Web Service (https server)
To enable GRLoader to work correctly, Java needs to be able to authenticate the certificate for the Web Services. This means that you will have to create a certificate, add it to Java's cacerts (trusted keystore), then pass the URL of the https server to GRLoader.
Creating a certificate:
- From the command line, change directories to the JRE install location; default directory: C:\Program Files\CA\SharedComponents\JRE\1.4.2_06, and enter the command:
bin\keytool -export -alias <insert alias here> -keystore <storename here> -rfc -file <insert .cer filename> -storepass <password here>
E.g.:
bin\keytool -export -alias tomcat -keystore .keystore -rfc -file tomcat.cer -storepass changeit
- In order for GRLoader to be able to communicate with the https server, Java needs to be configured to use the certificate you created in the previous step.
Update your java's trust store:
- GRLoader uses this copy of Java:
C:\Program Files\CA\SharedComponents\JRE\1.4.2_06\
You will need to run the command below on the cacerts (Java's trusted keystore) file in this directory:
C:\Program Files\CA\SharedComponents\JRE\1.4.2_06\lib\security
This means that you will have to import the .cer (tomcat.cer) file you just created into cacerts (Java's trusted keystore). From the command line, change directories to the JRE install location (default directory: C:\Program Files\CA\SharedComponents\JRE\1.4.2_06) and enter the command:
bin\keytool -import -alias <insert alias here> -file <insert .cer filename> -keystore <storename here> -storepass <password here>
E.g.:
bin\keytool -import -alias tomcat -file tomcat.cer -keystore lib\security\cacerts -storepass changeit
Note: For every machine you run GRLoader from, you will need to configure Java's trust store.
- In order to be able to use GRLoader with the https server, you must modify the -s flag to use the https server (by default, http is changed to https and the port is changed to 8443):
grloader -u <username> -p <password> -s <https server url:port> -i <input xml>
E.g.:
grloader -u cmdbadmin -p password -s https://localhost:8443/ -i test.xml
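Because tomcat.cer is copied to every machine that runs GRLoader and then imported into cacerts as trusted, it is worth confirming on each machine that the file still matches the certificate in the server's keystore before running keytool -import. The Python sketch below is an added example, not part of the original instructions or of CA's tooling. It compares a -rfc export with a fingerprint line pasted from keytool output on the server; the function names and the sample data are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)
# Colon-separated hex pairs; skips a leading label such as "SHA1:".
FINGERPRINT = re.compile(r"(?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}")
DIGEST_BY_LENGTH = {16: "md5", 20: "sha1", 32: "sha256"}

def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in a -rfc export."""
    blocks = PEM_CERT.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected one certificate, found %d" % len(blocks))
    # Remove line breaks (LF or CRLF) before decoding the base64 body.
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def parse_fingerprint(line):
    """Extract the digest bytes from a pasted fingerprint line."""
    match = FINGERPRINT.search(line)
    if match is None:
        raise ValueError("no fingerprint in %r" % line)
    return bytes.fromhex(match.group(0).replace(":", ""))

def cert_matches(pem_text, expected_line):
    """True only if the exported file hashes to the expected fingerprint."""
    expected = parse_fingerprint(expected_line)
    algorithm = DIGEST_BY_LENGTH.get(len(expected))
    if algorithm is None:
        raise ValueError("unsupported digest length: %d" % len(expected))
    actual = hashlib.new(algorithm, pem_to_der(pem_text)).digest()
    return hmac.compare_digest(actual, expected)

def make_pem(der):
    """Wrap bytes as PEM with CRLF line endings, as on a Windows host."""
    body = base64.encodebytes(der).decode("ascii").replace("\n", "\r\n")
    return ("-----BEGIN CERTIFICATE-----\r\n" + body
            + "-----END CERTIFICATE-----\r\n")

# Constructed sample: stand-in bytes, not a real certificate.
SAMPLE_DER = bytes(range(96))
SAMPLE_PEM = make_pem(SAMPLE_DER)
# Constructed stand-in for the fingerprint line read on the Tomcat server.
SERVER_LINE = "SHA1: " + ":".join(
    "%02X" % b for b in hashlib.sha1(SAMPLE_DER).digest())

if __name__ == "__main__":
    print("safe to import:", cert_matches(SAMPLE_PEM, SERVER_LINE))
```

In practice, pass the contents of the copied tomcat.cer as pem_text and the fingerprint line read on the Tomcat server as expected_line, and import into cacerts only when the function returns True.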