This article describes two approaches that one can follow to configure CA USS (Unified Self Service) to connect to CA Service Desk Manager (CA SDM) or CA Service Catalog over HTTPS/SSL.
This article assumes that CA USS has already been set up with CA SDM / Service Catalog over HTTP and that HTTPS is now being added to the mix.
CA USS 14.1, CA SDM 14.1 and CA Service Catalog 14.1 were used for this.
There are two approaches that one can choose from:
Approach 1: Import the SDM/Catalog SSL certificate chain into the CA USS JRE truststore (cacerts), in the same way that PAM's SSL certificate is imported into the CA Service Management installer Java Runtime Environment (JRE).
1) Download the SSL certificate of the CA SDM or CA Service Catalog website using a browser. Once you are on the CA SDM/CA Service Catalog HTTPS page, click the security padlock in the address bar, select View Certificate and export the certificate in Base-64 encoded X.509 (.CER) format.
2) Copy the Base-64 certificate to this directory on the CA USS server: C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security
3) If the certificate is a vendor-issued certificate, export every certificate in the chain (server, intermediate(s), root) in the same format. Save them to different files so that it is clear which certificate is in which file.
4) Open a command prompt and set JAVA_HOME as below. Use the set "NAME=value" form so that the quotes do not become part of the value:
set "JAVA_HOME=C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre"
cd "C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\bin"
5) Take a backup of this file next: "C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\cacerts"
6) Now import each certificate under a different alias with a command like this:
keytool -import -trustcacerts -alias server -file "C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\server.cer" -keystore "C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\cacerts" -storepass changeit
Note: the default password for the cacerts keystore is changeit. When keytool cannot chain the certificate to one it already trusts, it prints the certificate's fingerprint and asks whether to trust it; compare that fingerprint with the one shown in the browser before answering yes.
7) Repeat step 6 for every certificate in the chain, using a different alias for each one. Example: alias root for the Root CA certificate, alias intermediate for the intermediate CA certificate. keytool refuses to import into an alias that already exists.
8) Once all certificates are imported, restart the USS Tomcat service via the Windows Services Control Panel. Note that cacerts belongs to the bundled JRE: if the JRE is upgraded or reinstalled, the file is replaced and the import has to be repeated.
9) Open a browser now and go to CA USS URL -> Administration -> Data sources
10) Use the appropriate https URL for the Service Catalog or CA SDM data source.
Approach 2: Point CA USS at a custom truststore by editing the CA USS Tomcat wrapper.conf file (the Java Service Wrapper configuration).
1) Copy the SDM/Catalog JKS keystore file to the USS server, into C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security. Let's call this file custom_keystore.
(Note: It has to be in JKS (Java KeyStore) format. It cannot be in PKCS#12 format.
If you need to convert PKCS#12 to JKS, use the steps from https://pubs.vmware.com/view-50/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-06A2FF09-777C-44F0-B240-497E771379F3.html, or run keytool -importkeystore -srckeystore <file>.p12 -srcstoretype PKCS12 -destkeystore custom_keystore -deststoretype JKS.)
Note: To trust SDM/Catalog, USS only needs the public certificates. The SDM/Catalog keystore also contains that server's private key, so copying it to another server widens the exposure of that key. A truststore that is built by importing only the certificates (as in the note at the end of this approach) does the same job without it.
2) Make a backup of file: C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\bin\wrapper.conf
3) Edit the original file C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\bin\wrapper.conf
4) Identify the section which looks like:
wrapper.java.additional.25=-Dcatalina.home="C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40"
wrapper.java.additional.26=-Djava.io.tmpdir="C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\temp"
5) Note the highest additional.XX number in that section; the new entries continue that sequence, incrementing by one each, because the wrapper stops reading additional.XX properties at the first gap in the numbering. In the above case additional.26 is the last entry, so the lines added in this step use additional.27, additional.28 and so on:
wrapper.java.additional.27=-Djavax.net.ssl.trustStore="C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\custom_keystore"
wrapper.java.additional.28=-Djavax.net.ssl.trustStorePassword=<password of custom_keystore>
Note: -Djavax.net.ssl.trustStore refers to the JKS keystore file copied from SDM Tomcat (custom_keystore).
Note: -Djavax.net.ssl.trustStorePassword is the password of that keystore. It is stored in clear text in wrapper.conf, so restrict the NTFS permissions on that file to the USS service account and administrators.
Note: Setting javax.net.ssl.trustStore replaces the JRE's default cacerts for the whole USS JVM. Any other HTTPS endpoint USS connects to must also have its issuing CA certificate in custom_keystore, otherwise those connections start failing with certificate errors.
6) Restart CA USS via Windows Services Control Panel.
7) Open a browser now and go to CA USS URL -> Administration -> Data sources
8) Use the appropriate https URL for the Service Catalog or CA SDM data source.
NOTE: If CA SDM and Service Catalog use different SSL certificates, import all of those certificates into this one keystore, custom_keystore, and point CA USS at it.
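As an added worked example (not code from the CA article), the following PowerShell script run on the USS server automates the manual certificate steps of both approaches: it retrieves the certificate chain that the SDM/Catalog HTTPS endpoint presents, saves each certificate as a Base-64 .cer file in the JRE's lib\security directory, backs up the target keystore and imports every certificate under its own alias with the JRE's keytool. With the default -TrustStore it populates the JRE cacerts as in Approach 1; pointed at lib\security\custom_keystore it creates a JKS truststore that holds only the certificates, which can serve Approach 2 in place of a copy of the SDM keystore. The host name, port, the Windows service name and the keytool aliases are assumptions.

```powershell
# Added example, not code from the CA article. Fetches the certificate chain presented by the
# SDM/Catalog HTTPS endpoint and imports it into a JKS truststore with the USS JRE's keytool.
# Host, port and the service name below are assumptions; adjust them for your environment.
param(
    [string]$SdmHost    = 'sdm.example.com',   # assumed SDM or Service Catalog host name
    [int]   $SdmPort    = 8443,                # assumed HTTPS port
    [string]$Jre        = 'C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre',
    [string]$TrustStore = '',                  # default: <jre>\lib\security\cacerts (Approach 1)
    [string]$StorePass  = 'changeit'           # cacerts default; for a new store this becomes its password
)
$ErrorActionPreference = 'Stop'
$certDir = Join-Path $Jre 'lib\security'
$keytool = Join-Path $Jre 'bin\keytool.exe'
if (-not $TrustStore) { $TrustStore = Join-Path $certDir 'cacerts' }

# 1. Connect and take the server certificate. The validation callback returns $true only so that
#    a certificate that is not yet trusted can be downloaded; nothing is trusted by this step.
$tcp = New-Object System.Net.Sockets.TcpClient($SdmHost, $SdmPort)
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
$ssl.AuthenticateAsClient($SdmHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# 2. Rebuild the chain (server -> intermediates -> root) without requiring a trusted root yet.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$null  = $chain.Build($leaf)
$count = $chain.ChainElements.Count

# 3. Back up an existing truststore, then save and import every certificate under its own alias.
#    keytool creates the keystore file if it does not exist yet (Approach 2's custom_keystore).
if (Test-Path $TrustStore) { Copy-Item $TrustStore "$TrustStore.bak-$(Get-Date -Format yyyyMMddHHmmss)" }
$aliases = @()
for ($i = 0; $i -lt $count; $i++) {
    $c     = $chain.ChainElements[$i].Certificate
    $alias = if ($i -eq 0) { 'server' } elseif ($i -eq $count - 1) { 'root' } else { "intermediate$i" }
    $file  = Join-Path $certDir "$alias.cer"
    $der   = $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $pem   = "-----BEGIN CERTIFICATE-----`r`n" +
             [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
             "`r`n-----END CERTIFICATE-----"
    Set-Content -Path $file -Value $pem -Encoding Ascii
    # Compare these thumbprints with what the browser shows before relying on the result.
    Write-Host ("{0,-14} {1}" -f $alias, $c.Subject)
    Write-Host ("{0,-14} SHA1 thumbprint {1}" -f '', $c.Thumbprint)
    & $keytool -importcert -noprompt -trustcacerts -alias $alias -file $file -keystore $TrustStore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool could not import $file as alias '$alias' (alias already present?)" }
    $aliases += $alias
}

# 4. Confirm the entries, then restart USS Tomcat so the JVM reloads the truststore.
foreach ($a in $aliases) { & $keytool -list -keystore $TrustStore -storepass $StorePass -alias $a }
Restart-Service -Name 'CA USS Tomcat'   # service name is an assumption; check services.msc
```

Because the retrieval step accepts whatever certificate the endpoint presents, the printed thumbprints are the trust decision: verify them against the certificate shown in the browser (or given by the SDM/Catalog administrator) before restarting USS. For Approach 2, run the script with -TrustStore "$Jre\lib\security\custom_keystore" and a password of your choice, then use that password in the trustStorePassword line of wrapper.conf.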