Enable SSL in Tomcat for CA Service Desk Manager using a Self-Signed Certificate

Document ID : KB000009752
Last Modified Date : 14/02/2018
Introduction:

Many customers have asked how to configure Tomcat for CA Service Desk Manager to use SSL (HTTPS) with a self-signed certificate. This document provides the steps to do so.

CAUTION:  We do not recommend using a self-signed certificate because browsers will not accept it as issued by a trusted certificate authority.  Users who access Service Desk over https (SSL) will see a browser warning such as "The security certificate presented by this website was not issued by a trusted certificate authority." and will have to click "Continue to this website (not recommended)" to actually reach the site.

Additionally, if you use web services and those web service calls reach Tomcat over https (SSL), they will fail: the calling program's trust store does not contain the self-signed certificate, and there is no human to click through the warning.  Such clients work only if the self-signed certificate is explicitly imported into the trust store they use (for a Java client, the JRE's cacerts keystore).

However, you may want to use a self-signed certificate for testing; if so, please do so with the cautionary comments above in mind.

Environment:
CA Service Desk Manager - ALL VERSIONS
Instructions:

First, you will have to generate the certificate using IIS on each server in your environment.  This must be done in IIS ON the specific server for which the certificate will be used, because the certificate's common name is taken from that server's name.  To do this, follow these steps:

1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

3. In the Actions column on the right, click on Create Self-Signed Certificate...

4. Enter any friendly name such as "sdmsslcert" or "sdmcert" and then click OK.

5. You will now have an IIS self-signed certificate valid for 1 year listed under Server Certificates.  The certificate common name (Issued To) is the server name.  Next, the certificate must be exported together with its private key so that Tomcat can use it.

Next you have to export that certificate to a .pfx file.  To do this, follow these steps:

1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

3. Right click on the certificate that you created (sdmsslcert or sdmcert), and select "Export"

4. In the "Export to" field, click the ellipsis and select a directory to store your certificate and a filename such as "sdmsslcert" or "sdmcert" (it will have a .pfx file extension).  Then create a password for that certificate.  You will need this password later to configure Tomcat to access the certificate; note that it will be stored in clear text in server.xml, so choose a password that is not reused elsewhere.

5. Click OK on the Export Certificate window, then use Windows Explorer to navigate to the directory where you saved the .pfx file and ensure it is there.

Next, you will configure tomcat to use the certificate.  Follow these steps:

1. Make a backup copy of the file ..NX_ROOT\bopcfg\www\CATALINA_BASE\conf\server.xml (NX_ROOT is the CA Service Desk Manager installation directory), name the copy "orig_server.xml", and then open server.xml in a text editor.

2. Locate the following section:

 <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

3. Change it as follows:

***IMPORTANT NOTE***

You must remove the "<!--" and "-->" comment markers at the start and end of the section shown above, which currently comment out the HTTPS/SSL connector for Tomcat.  Then set the appropriate path, filename and password for your certificate in the "keystoreFile" and "keystorePass" attributes as shown below.  The connector references the .pfx file directly, so keystoreType must be "PKCS12".

<Connector SSLEnabled="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
           clientAuth="false" keystoreFile="C:\keystore\sdmcert.pfx"
           keystorePass="YOURPASSWORD" keystoreType="PKCS12"
           maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>

NOTE:  TLSv1 and TLSv1.1 are deprecated (RFC 8996).  Unless a client in your environment cannot negotiate TLS 1.2, set sslEnabledProtocols="TLSv1.2".  The TLS_RSA_* suites in the list above use RSA key exchange and therefore provide no forward secrecy; keep them only if an older client requires them.  Because keystorePass is stored in clear text, restrict read access on server.xml and on the .pfx file to administrators and the account under which the CA Service Desk Manager services run.

4. Save the server.xml file

5. Recycle (stop and restart) the CA Service Desk Manager services.
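The following PowerShell script is an added example and is not part of the original CA article; it performs the same three stages (create the self-signed certificate, export it to a password-protected .pfx, add the HTTPS connector to server.xml) non-interactively.  It assumes an elevated PowerShell 5.1 session on the Service Desk server with the PKI module (Windows Server 2016 or later); the NX_ROOT path, the .pfx path and the friendly name are assumptions to adjust for your installation.

```powershell
# Added example, not from the CA KB article: scripted equivalent of the IIS Manager
# and server.xml steps. Assumes an elevated PowerShell 5.1 session on the SDM server
# with the PKI module (Windows Server 2016+). Paths and friendly name are assumptions.
param(
    [string]$NxRoot       = 'C:\Program Files (x86)\CA\Service Desk Manager',  # assumed NX_ROOT
    [string]$PfxPath      = 'C:\keystore\sdmcert.pfx',
    [string]$FriendlyName = 'sdmcert'
)
$ErrorActionPreference = 'Stop'

# 1. Self-signed certificate in the machine store, valid one year, exportable key.
#    The first DnsName becomes the common name, so use this server's FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = New-SelfSignedCertificate -DnsName $fqdn, $env:COMPUTERNAME `
    -CertStoreLocation 'Cert:\LocalMachine\My' -FriendlyName $FriendlyName `
    -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export certificate plus private key as a password-protected PKCS#12 (.pfx) file.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (this becomes keystorePass)'
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

#    The .pfx holds the private key: limit it to SYSTEM (the default SDM service account)
#    and Administrators. Add your own service account here if SDM runs under one.
$acl = Get-Acl -Path $PfxPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', 'Allow'))
}
Set-Acl -Path $PfxPath -AclObject $acl

# 3. Back up server.xml, then append an HTTPS connector to the first <Service>.
#    The commented-out template connector in the file is left untouched.
$serverXml = Join-Path $NxRoot 'bopcfg\www\CATALINA_BASE\conf\server.xml'
Copy-Item -Path $serverXml -Destination (Join-Path (Split-Path $serverXml) 'orig_server.xml')

$xml = [xml](Get-Content -Path $serverXml -Raw)
$service = @($xml.Server.Service)[0]
if (@($service.Connector) | Where-Object { $_.port -eq '8443' }) {
    throw 'server.xml already has a connector on port 8443; edit it by hand instead.'
}

# keystorePass has to be literal text in server.xml, so decode the SecureString here.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
try     { $plainPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$attrs = [ordered]@{
    port = '8443'; protocol = 'HTTP/1.1'; SSLEnabled = 'true'; scheme = 'https'; secure = 'true'
    maxThreads = '150'; clientAuth = 'false'; sslProtocol = 'TLS'
    keystoreFile = $PfxPath; keystorePass = $plainPassword; keystoreType = 'PKCS12'
    # TLS 1.0/1.1 are deprecated; list them only for clients that cannot do TLS 1.2.
    sslEnabledProtocols = 'TLSv1.2'
    # ECDHE suites from the article's list. Its TLS_RSA_* suites lack forward secrecy
    # and are omitted; add them back only if a legacy client needs them.
    ciphers = ('TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,' +
               'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,' +
               'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,' +
               'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA')
}
$connector = $xml.CreateElement('Connector')
foreach ($kv in $attrs.GetEnumerator()) { $connector.SetAttribute($kv.Key, $kv.Value) }
$service.AppendChild($connector) | Out-Null
$xml.Save($serverXml)
Write-Host "HTTPS connector written to $serverXml; recycle the CA SDM services to activate it."
```

The script deliberately prompts for the PFX password instead of taking it as a parameter, so it does not land in the PowerShell history; the password still ends up in clear text in server.xml, which is why the ACL on the .pfx is tightened and why server.xml should be protected the same way.  If the connector must stay reachable from clients that only speak TLS 1.0 or 1.1, change sslEnabledProtocols back to "TLSv1,TLSv1.1,TLSv1.2" as in the article, but treat that as a temporary exception.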

Once the services come back up, which can take 5-10 minutes in some environments, test using the SSL URL https://localhost:8443 (or https://<servername>:8443).  This should take you to the Service Desk login page.  NOTE:  You may get the warning page first, as noted earlier, because you are using a self-signed certificate.  Because the certificate's common name is the server name, using localhost in the URL additionally triggers a name-mismatch warning; using the server name avoids that second warning.
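A browser test only shows that the page loads.  The following PowerShell script is an added example (not part of the original CA article) that checks the connector the way a security reviewer would: it connects to port 8443 with .NET SslStream, prints the certificate Tomcat actually presents, and reports which TLS versions the connector accepts, so you can confirm that TLS 1.0 and 1.1 are off if you disabled them.  The server name and port are assumptions; it is meant to be run on the Service Desk server itself.

```powershell
# Added example, not from the CA KB article: handshake against the Tomcat HTTPS
# connector, show the presented certificate and which TLS versions are accepted.
# Server name and port are assumptions; run it from the SDM server.
param(
    [string]$ServerName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$Port = 8443
)

function Test-SdmTls {
    param([string]$Server, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($Server, $Port)
        # Accept whatever certificate is offered: the goal is to inspect the self-signed
        # certificate, not to trust it. Never reuse this callback in real client code.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
            Subject    = $cert.Subject
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # IIS self-signed: issuer == subject
            Expires    = $cert.NotAfter
        }
        $ssl.Dispose()
    } catch {
        # Handshake failure: Tomcat (or this client's Schannel policy) rejected the version.
        [pscustomobject]@{ Offered = $Protocol; Accepted = $false; Negotiated = $null; Cipher = $null
                           Subject = $null; SelfSigned = $null; Expires = $null }
    } finally {
        $tcp.Dispose()
    }
}

$results = foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-SdmTls -Server $ServerName -Port $Port -Protocol $p
}
$results | Format-Table Offered, Accepted, Negotiated, Cipher, SelfSigned, Expires -AutoSize

if (-not ($results | Where-Object { $_.Offered -eq 'Tls12' -and $_.Accepted })) {
    Write-Warning 'TLS 1.2 handshake failed: check keystoreFile/keystorePass in server.xml and that the services restarted.'
}
if ($results | Where-Object { $_.Offered -ne 'Tls12' -and $_.Accepted }) {
    Write-Warning 'TLS 1.0 or 1.1 is still accepted; tighten sslEnabledProtocols unless a legacy client needs it.'
}
```

A row with Accepted = False for Tls and Tls11 and Accepted = True for Tls12 is the expected result when sslEnabledProtocols is "TLSv1.2".  If every row shows Accepted = False, the connector is not up yet or the keystore path or password in server.xml is wrong; Tomcat logs the keystore error in ..NX_ROOT\bopcfg\www\CATALINA_BASE\logs on startup.  Note that a False result for an older version can also come from the testing machine's own Schannel policy disabling that protocol, so read the results together with the sslEnabledProtocols value you configured.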