How do I configure Inbound Notifications via HTTPS?

Document ID : KB000054198
Last Modified Date : 14/02/2018

Description:

This techdoc shows how to configure Inbound Notifications via HTTPS using JBoss, WebSphere or WebLogic application servers. This functionality is available with CA Identity Manager r12 CR6 and later.

Solution:

JBoss Specific Instructions

The steps are compatible with JBoss 4.2.3. There could be minor differences in other versions. The Java keytool is used to create the certificate but it is possible to use other certificates in a similar manner if you wish.

  1. Creating the Self-Signed Certificate:

    1. Go to a command line and type the following (Requires JDK):

      keytool -genkey -alias tomcat -keyalg RSA

    2. Provide password

    3. In the "First and Last name" field, provide the host name

    4. For the other details you can type anything you want

  2. Moving the Keystore:

    1. Copy C:\Documents and Settings\User\.keystore to C:\jboss-4.2.3\server\default\conf

    2. Change the .keystore file name to: "chap8.keystore"

  3. Update the Configuration File:

    1. Shut down JBoss server

    2. Edit the file "server.xml" located in: c:\jboss-4.2.3\server\default\deploy\jboss-web.deployer as follows:

      1. Locate this section:

        <!-- SSL/TLS Connector configuration using the admin devl guide keystore

      2. Uncomment the entire block

      3. Add the keystore name and password. The result should look like this:

        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="C:\jboss-4.2.3.GA\server\default\conf\chap8.keystore" keystorePass="firewall" sslProtocol="TLS" />

    3. Start the JBoss server. It should now listen on the https port as well. To validate, try browsing to: https://<server_name>:8443

  4. Go to the section "Configure the Provisioning Server Side for SSL Inbound Notification"

WebLogic Specific Instructions

The steps are compatible with WebLogic 9.2.x. There could be minor differences in other versions.

WebLogic provides a demo trusted CA certificate and keystore which can be used for testing purposes only and should not be used in a production environment. This demo certificate is used here for example purposes only. If you want to use a custom certificate, refer to the BEA documentation.

  1. Enable https access in the server on port 7002:

    1. Start the WebLogic domain

    2. Open the WebLogic administrative console

    3. Go to Environments -> Servers -> AdminServer (admin)

    4. In the Configuration -> General tab, enable SSL by checking the "SSL listen port enabled" check box. Make sure the server listens on port 7002 - see below:

      Figure 1

  2. Go to the section "Configure the Provisioning Server Side for SSL Inbound Notification"

WebSphere Specific Instructions

The steps are compatible with WebSphere 6.1.0.x. There could be minor differences in other versions.
In the steps described below, the Default certificate provided by WebSphere is used for testing purposes only and should not be used in a production environment. If you want to use a custom certificate, refer to the IBM WebSphere documentation.

  1. Go to the WebSphere management console. From the left menu select Security -> SSL certificate and key management -> SSL configurations -> NodeDefaultSSLSettings

  2. Click the Get certificate aliases button. This will put the value "default" in the 2 empty fields as seen in the image below:

    Figure 2

  3. Save the changes and re-start WebSphere

  4. When the server starts up you should see the following message in the SystemOut.log:

    SSLComponentI I CWPKI0003I: SSL service is starting
    SSLComponentI I CWPKI0004I: SSL service started successfully

  5. Go to the section "Configure the Provisioning Server Side for SSL Inbound Notification"

Configure the Provisioning Server Side for SSL Inbound Notification

  1. Get the App Server certificate

    1. Start the Application Server

    2. From Internet Explorer, browse to:

      https://<im_domain>:<ssl_port>

      For example:

      JBoss: https://myjbossserver.forward.inc:8443
      WebLogic: https://myweblogicserver.forward.inc:7002
      WebSphere: https://mywebsphereserver.forward.inc:9443

    3. Click on the padlock icon at the lower right corner to open the certificate.

      Note: In IE 7 there is no padlock icon. Instead, there is a red "shield" sign next to the address bar. Click on it, and select "view certificate".

    4. Go to the Certificate Path tab. If there is only a root certificate, skip to step 6.

    5. Select the Root certificate and click View Certificate.

    6. Install the certificate

    7. Open the certificate and go to the Details tab

    8. Click "Copy to File"

    9. Save the certificate in a DER encoded binary (.CER) format

  2. Converting the Certificate to PEM format using OpenSSL (this step can be skipped if you are using JBoss; perform it only if you get SSL errors in the Provisioning Server log):

    1. Copy the OpenSSL tool to the Provisioning Server machine or any other computer where you have the CER certificate saved.

    2. From a command line run the following:

      openssl x509 -inform DER -in <your_ca_certificate_name>.cer -out <your_ca_certificate_name>.pem

  3. Configuring notification in the Provisioning Server:

    1. Go to System -> Domain Configuration->Identity Manager Server -> Enable Notification

    2. Change the Value to Yes. See below:

      Figure 3

  4. Configure the Trusted CA Bundle in the Provisioning Server:

    1. Go to System -> Domain Configuration -> Identity Manager Server -> Trusted CA Bundle

    2. In the Value field, provide the location of the CER file saved in step 1.9 or the PEM file created in step 2.2.

      Figure 4

    3. Restart the Provisioning Server Service
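The certificate handling in steps 1 and 2 above and the Trusted CA Bundle check in step 4, as an added example that is not part of this techdoc or the CA product: a POSIX shell script that uses only openssl to stand in for the keytool certificate and the Internet Explorer DER export, converts the .cer to PEM, and then checks that the server certificate validates against the bundle and that its CN is the host name the Provisioning Server will connect to (the "only a root certificate" case of step 1.4). The host name is taken from the page's JBoss example URL; the file names and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the CA techdoc. Requires only openssl.
# HOST mirrors the page's example JBoss host; it must match what was typed as
# "First and Last name" in keytool, otherwise HTTPS host validation fails.
HOST="myjbossserver.forward.inc"

# DER (.cer, as exported by Internet Explorer) -> PEM, the techdoc's openssl
# step with the option spelled correctly: -inform DER.
cer_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Report PEM or DER so you know which format the Trusted CA Bundle points at.
cert_format() {
    if grep -q "BEGIN CERTIFICATE" "$1"; then echo PEM; else echo DER; fi
}

# 0: server cert chains to the bundle and its CN is the host name
# 1: chain validation failed (wrong or missing root in the bundle)
# 2: chain OK, but the CN is not the host name the Provisioning Server uses
check_bundle() {
    bundle="$1"; server_cert="$2"; host="$3"
    openssl verify -CAfile "$bundle" "$server_cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$server_cert" -noout -subject | grep -q "CN *= *$host" || return 2
    return 0
}

# Self-contained demo: a self-signed certificate (constructed here) stands in
# for the keytool one; it is exported as DER, converted to PEM and checked
# against host name $1. Prints "<format> <check result>", e.g. "PEM 0".
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$HOST" \
        -keyout "$dir/key.pem" -out "$dir/server.pem" >/dev/null 2>&1
    openssl x509 -in "$dir/server.pem" -outform DER -out "$dir/server.cer"
    cer_to_pem "$dir/server.cer" "$dir/ca.pem"
    fmt=$(cert_format "$dir/ca.pem")
    if check_bundle "$dir/ca.pem" "$dir/server.pem" "$1"; then rc=0; else rc=$?; fi
    rm -rf "$dir"
    echo "$fmt $rc"
}

demo "$HOST"              # expected: PEM 0
demo "wrong.forward.inc"  # expected: PEM 2 (CN mismatch)
```

A result of 1 from check_bundle against your real bundle is the case the techdoc's step 2 is for: the Provisioning Server was pointed at the wrong certificate (an intermediate instead of the root) or at a format it could not read.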

Inbound Validation:

  1. Make sure Provisioning Inbound is properly configured.

  2. Create a Global User in the Provisioning Server

  3. Make sure the user is created in IM

  4. Check the ProvisioningServer\logs\etanotify<date>-<time>.log file. This file should contain an entry for each test that looks something like the following (note the entry shown in bold):

    =====================================
    20090615:163943:TID=001320:D: Sending Payload...
    20090615:163943:TID=001320:D: URL(https://cb15702.forward.inc:8443/idm/ETACALLBACK/?
    env=forward): No need to encrypt the payload