How to configure CA Unified Self Service (USS) to connect to HTTPS based Service Catalog/Service Desk?

Document ID : KB000044098
Last Modified Date : 14/02/2018

Summary:

This article describes a couple of approaches for configuring CA USS to connect to CA Service Desk Manager (CA SDM) or CA Service Catalog over HTTPS/SSL.

 

Background:

This article assumes that CA USS has already been set up with CA SDM / Service Catalog over HTTP and that HTTPS is now being added.

 

Environment:

CA USS 14.1, CA SDM 14.1, CA Service Catalog 14.1 were considered for this.

 

Instructions:

There are a couple of approaches to choose from:

 

Approach A:

1) This approach imports the SDM/Catalog SSL certificate in the same way that PAM's SSL certificate is imported into the CA Service Management installer Java Runtime Environment (JRE).

2) Download the SSL certificates for the CA SDM or CA Service Catalog websites using a browser. Once you are on the CA SDM/CA Service Catalog SSL page, click on the security padlock in the URL bar and select View Certificates.

3) Copy the certificate in base64 format to this directory on the CA USS server: C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security

4) If the certificate is a vendor issued certificate, make sure to save all the certificates in the certificate chain in the same format. Save them to different files to make it easier to understand what certificate is in which file.

5) Open a command prompt and set your JAVA_HOME as shown below (the quotes go around the whole assignment so that they do not become part of the value):

set "JAVA_HOME=C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre"
set "PATH=%JAVA_HOME%\bin;%PATH%"

cd "C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\bin"

6) Next, take a backup of this file: "C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\cacerts"

7) Now import each cert under a different alias by using a command like this:

keytool -import -trustcacerts -alias server -file "C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\server.cer" -keystore "C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\cacerts" -storepass changeit 

 

Note: the default password for the cacerts keystore is changeit.


8) Repeat the above process to import all certificates in the certificate chain. Each certificate needs a different alias in Step 7. Example: alias root for the Root CA certificate, alias intermediate for the intermediate authority certificate.

9) Once all certs are imported, restart USS Tomcat via Windows Services Control Panel.

10) Open a browser and go to CA USS URL -> Administration -> Data sources.

11) Use the appropriate HTTPS URL for either the Service Catalog or CA SDM data sources.
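
A check to run after step 8 and before the restart in step 9, given here as an added example that is not part of the original article: it exports each alias back out of cacerts, confirms it is byte-identical to the certificate file that was saved, and prints the SHA-256 fingerprint so it can be compared with the value supplied by the certificate's owner. The root.cer and intermediate.cer file names are assumptions; server.cer, the paths and the password come from the steps above.

```powershell
# Added example, not from the original article. Paths, the "server" alias and the
# "changeit" password come from the steps above; the root/intermediate file names
# are assumptions and should match the files saved in step 4.
$jre       = 'C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre'
$keytool   = Join-Path $jre 'bin\keytool.exe'
$secDir    = Join-Path $jre 'lib\security'
$keystore  = Join-Path $secDir 'cacerts'
$storePass = 'changeit'
$chain     = @{ server = 'server.cer'; intermediate = 'intermediate.cer'; root = 'root.cer' }

function Get-Sha256Hex([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash($Bytes)) -replace '-', '' }
    finally { $sha.Dispose() }
}

$problems = 0
foreach ($alias in $chain.Keys) {
    $cerPath = Join-Path $secDir $chain[$alias]
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        # X509Certificate2 reads base64 or DER files; RawData is always the DER bytes.
        $fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
        # Export what the truststore really holds under this alias (DER by default).
        & $keytool -exportcert -alias $alias -keystore $keystore -storepass $storePass -file $tmp | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "alias not present in $keystore" }
        $storeCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp

        $fileHash  = Get-Sha256Hex $fileCert.RawData
        $storeHash = Get-Sha256Hex $storeCert.RawData
        if ($fileHash -ne $storeHash) { throw "truststore entry differs from $cerPath" }
        if ($fileCert.NotAfter -lt (Get-Date)) { throw "certificate expired on $($fileCert.NotAfter)" }

        "OK    {0,-12} {1}" -f $alias, $fileCert.Subject
        "      SHA-256 $fileHash (expires $($fileCert.NotAfter.ToString('yyyy-MM-dd')))"
    }
    catch { $problems++; "FAIL  {0,-12} {1}" -f $alias, $_.Exception.Message }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}
if ($problems) { "$problems alias(es) need attention before restarting USS Tomcat." }
```

A FAIL line for an alias means either the import in step 7 did not happen under that alias or the truststore holds a different certificate than the file on disk.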

 

 

Approach B:

This approach involves updating CA USS's references to a custom keystore in the CA USS Tomcat wrapper.conf file.

1) Manually copy the SDM/Catalog JKS keystore file over to the USS server. Let's call this keystore file custom_keystore.

(Note: It has to be in JKS (Java Key Store) format. It cannot be in PKCS format. If you need to convert PKCS to JKS, use the steps from https://pubs.vmware.com/view-50/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-06A2FF09-777C-44F0-B240-497E771379F3.html )

 

2) Make a backup of file: C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\bin\wrapper.conf

3) Edit the original file C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\bin\wrapper.conf 

4) Identify the section which looks like:

wrapper.java.additional.25=-Dcatalina.home="C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40"
wrapper.java.additional.26=-Djava.io.tmpdir="C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\temp"

..

..

5) Note the last additional.XX number you see in that file; the goal is to continue the numbering in increments of one. In the above case, additional.26 is the last entry in that section, so use additional.27, additional.28, etc., for the lines added in this step:

wrapper.java.additional.27=-Djavax.net.ssl.trustStore="C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\custom_keystore"
wrapper.java.additional.28=-Djavax.net.ssl.trustStorePassword="changeit"

Note: -Djavax.net.ssl.trustStore refers to the JKS keystore file being used for SDM Tomcat.

Note: -Djavax.net.ssl.trustStorePassword refers to the password for that keystore.

 

6) Restart CA USS via Windows Services Control Panel.

7) Open a browser and go to CA USS URL -> Administration -> Data sources.

8) Use the appropriate HTTPS URL for either the Service Catalog or CA SDM data sources.

 

NOTE: If CA SDM and Service Catalog are using different SSL certificates, you can import all of those certificates into this one keystore, custom_keystore, and then point CA USS to it.