How to configure SDM with SSL when using IIS with SSL?

Document ID : KB000039849
Last Modified Date : 14/02/2018

Summary: 

When using Service Desk Manager (SD) with Internet Information Services (IIS) configured for SSL, the TOMCAT server must also use the SSL certificate from the IIS server; otherwise features such as attachments, which require IIS and TOMCAT to communicate with each other over SSL, will not work.

Background:  

The following instructions apply only if the IIS server used by SD is already configured with SSL.

Environment:  

Windows OS

Service Desk 12.9, 14.1

Instructions: 

1. First, export the certificate from IIS

IIS7,8,8.5

  • On the Start menu click Run and then type mmc.
  • Click File > Add/Remove Snap-in.
  • Click Certificates > Add.
  • Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  • Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  • Right-click the certificate you want to back up and select All Tasks > Export.
  • Choose "Yes, export the private key" and "Include all certificates in the certification path if possible".
    Warning: Do not select the delete private key option.
  • Leave the default settings and then enter your password if required.
  • Choose to save the file and then click Finish. You should receive an "export successful" message. The .pfx file is now saved to the location you selected.

IIS6

  • Open IIS Management Console.
  • Go to Start –> Administrative Tools –> Internet Information Services (IIS) Manager.
  • Navigate to the site which contains the SSL certificate you want to export.
  • Right-click the site and choose Properties.
  • Go to the Directory Security tab and press the Server Certificate button.
  • Click Next on the welcome screen.
  • Select the option "Export the current certificate to a .pfx file".
  • Select a name and location and click Next.
  • Type in the password for the file and keep it safe.
  • Click OK.
  • Close out of the wizard.
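The same export can be scripted on Windows Server 2012 / Windows 8 and later with the built-in PKI module. The script below is an added example, not part of the KB article; it assumes the IIS certificate's subject contains the placeholder host name sdm.example.com and writes the PFX to C:\keystore\sdm.pfx, the same path used as keystoreFile in the TOMCAT connector later in this article.

```powershell
# Added example (not from the KB article): scripted equivalent of the MMC export in step 1.
# Assumptions (placeholders): the IIS site certificate has CN=sdm.example.com, and the
# export path C:\keystore\sdm.pfx matches keystoreFile in server.xml. Run as Administrator.

$SubjectPattern = "*CN=sdm.example.com*"   # placeholder: CN of the IIS site certificate
$PfxPath        = "C:\keystore\sdm.pfx"    # same path later referenced by keystoreFile

# IIS site certificates live in the computer's Personal store (Cert:\LocalMachine\My).
# HasPrivateKey only says a key is present; if it was requested as non-exportable,
# Export-PfxCertificate below fails and the certificate must be re-issued with an exportable key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $SubjectPattern -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key matched $SubjectPattern in LocalMachine\My"
}
Write-Host "Exporting $($cert.Subject) thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# Prompt for the PFX password rather than hard-coding it; the same value becomes keystorePass.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password to protect the PFX"

New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null

# -ChainOption BuildChain includes the intermediate and root certificates, matching the
# "Include all certificates in the certification path" choice in the MMC wizard.
# Nothing here deletes the key from the store (the wizard's "delete private key" option is never used).
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# The file now holds the site's private key: strip inherited ACLs and grant only
# Administrators and SYSTEM. Add the account the SDM TOMCAT service runs as if it is not LocalSystem.
$acl = Get-Acl -Path $PfxPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM") {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, "FullControl", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $PfxPath -AclObject $acl

Write-Host "Exported to $PfxPath"
```

Copy the resulting .pfx to every application or secondary server that runs TOMCAT (step 3) and keep the password you entered; it is needed for keystorePass in step 2.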

2. Configure TOMCAT for using the exported SSL certificate:

Make a backup copy of the file ..\nxroot\bopcfg\www\CATALINA_BASE\conf\server.xml and then open the original in a text editor.

Locate the following lines:

 <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

Change it as follows:

NOTE - be sure to remove the <!-- and --> markers that currently comment out the HTTPS/SSL connector for TOMCAT, and set the appropriate path and password for your certificate. The cipher names must be copied without any spaces inside them.

<Connector SSLEnabled="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
           clientAuth="false"
           keystoreFile="C:\keystore\sdm.pfx" keystorePass="YOURPASSWORD" keystoreType="PKCS12"
           maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>


  • keystoreFile="C:\keystore\sdm.pfx" must match the location of the certificate exported from the IIS server.
  • keystorePass="YOURPASSWORD" is the password you set when exporting the .pfx file.
  • ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" restricts the connector to this cipher list and prevents the error described in TEC1197111.
  • keystoreType="PKCS12" lets TOMCAT read the .pfx file exported from IIS (a PKCS#12 container) instead of expecting a Java keystore.
  • sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" limits the connector to the listed TLS versions and prevents the vulnerability described in TEC1250834.
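Before restarting TOMCAT it is worth checking that the edited connector really is what the article describes: uncommented, pointing at an existing .pfx that opens with the configured password, with intact cipher names and no SSLv2/SSLv3. The following script is an added example, not part of the KB article or the product; it assumes the SDM install root is available in the NX_ROOT environment variable (otherwise set $ServerXml to the path from step 2), and it treats the attribute names in the article as the ones to verify.

```powershell
# Added example (not from the KB article): lint the TOMCAT HTTPS connector in server.xml.
# Assumption: $env:NX_ROOT points at the SDM install root (nxroot); override $ServerXml if not.
$ServerXml = Join-Path $env:NX_ROOT "bopcfg\www\CATALINA_BASE\conf\server.xml"

[xml]$doc = Get-Content -Path $ServerXml -Raw
$problems = @()

# A connector still wrapped in <!-- --> is a comment node, so this XPath only finds a live one.
$conn = $doc.SelectSingleNode("//Connector[@port='8443']")
if (-not $conn) {
    $problems += "No active <Connector port='8443'> found: the HTTPS connector is probably still commented out"
} else {
    if ($conn.SSLEnabled -ne "true")    { $problems += "SSLEnabled must be 'true'" }
    if ($conn.keystoreType -ne "PKCS12") { $problems += "keystoreType must be PKCS12 for an IIS .pfx export" }
    if (-not $conn.keystoreFile -or -not (Test-Path -LiteralPath $conn.keystoreFile)) {
        $problems += "keystoreFile '$($conn.keystoreFile)' does not exist on this server"
    }
    if (-not $conn.keystorePass -or $conn.keystorePass -eq "YOURPASSWORD") {
        $problems += "keystorePass still holds the placeholder value from the article"
    }

    # Copying the cipher list from a rendered web page often inserts spaces inside names;
    # TOMCAT would silently drop the unrecognised entries. Each entry must be TLS_... with no whitespace.
    $ciphers = @($conn.ciphers -split ",")
    $bad = $ciphers | Where-Object { $_ -notmatch '^TLS_[A-Z0-9_]+$' }
    if (-not $conn.ciphers) { $problems += "ciphers attribute is missing" }
    elseif ($bad)          { $problems += "Malformed cipher names: $($bad -join '; ')" }

    # Only TLS versions belong in sslEnabledProtocols; SSLv2/SSLv3 must never appear.
    $protos = @($conn.sslEnabledProtocols -split "," | ForEach-Object { $_.Trim() })
    $legacy = $protos | Where-Object { $_ -like "SSLv*" }
    if ($legacy)                        { $problems += "Legacy protocols enabled: $($legacy -join ',')" }
    if ($protos -notcontains "TLSv1.2") { $problems += "TLSv1.2 is not enabled" }

    # Prove the keystore opens with the configured password, the same check TOMCAT makes at startup.
    if ($conn.keystoreFile -and (Test-Path -LiteralPath $conn.keystoreFile)) {
        try {
            $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                $conn.keystoreFile, $conn.keystorePass)
            if (-not $pfx.HasPrivateKey)      { $problems += "PFX contains no private key; re-export with the key" }
            if ($pfx.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($pfx.NotAfter)" }
        } catch {
            $problems += "Could not open keystoreFile with keystorePass: $($_.Exception.Message)"
        }
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "server.xml HTTPS connector looks consistent; safe to restart TOMCAT"
```

If your organisation's policy no longer permits TLSv1 or TLSv1.1, tighten the protocol check so that only TLSv1.2 is accepted and adjust sslEnabledProtocols accordingly; the article's value is the minimum that addresses TEC1250834, not a ceiling.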

3. Repeat the same steps on all application servers or secondary servers.

4. Restart the TOMCAT servers.
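Once TOMCAT is back up, the point of the whole procedure can be verified from any workstation: IIS on port 443 and TOMCAT on port 8443 must present the same certificate. The script below is an added example, not part of the KB article; it assumes the placeholder host name sdm.example.com and the two ports used in the article, and it only reports what each endpoint presents rather than changing anything.

```powershell
# Added example (not from the KB article): confirm IIS (443) and TOMCAT (8443) present the same certificate.
# Assumptions (placeholders): host sdm.example.com; ports 443 and 8443 as used in the article.
param(
    [string]$HostName = "sdm.example.com",
    [int[]]$Ports = @(443, 8443)
)

function Get-PresentedCertificate {
    param([string]$TargetHost, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # Accept any chain in the callback: the goal is to see what is presented, then report
        # trust separately via Verify() instead of failing the handshake on a chain problem.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($TargetHost)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Port       = $Port
            Protocol   = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject    = $remote.Subject
            Thumbprint = $remote.Thumbprint
            NotAfter   = $remote.NotAfter
            Trusted    = $remote.Verify()   # chain builds to a trusted root on this client
        }
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $Ports) { Get-PresentedCertificate -TargetHost $HostName -Port $p }
$results | Format-Table -AutoSize

# Different thumbprints mean TOMCAT is not serving the IIS certificate and attachments will fail.
$distinct = @($results.Thumbprint | Sort-Object -Unique)
if ($distinct.Count -ne 1) {
    Write-Warning "IIS and TOMCAT present different certificates; revisit steps 1 and 2"
    exit 1
}
if ($results | Where-Object { -not $_.Trusted }) {
    Write-Warning "The certificate is not trusted by this client; clients will see browser warnings"
}
Write-Host "Both endpoints present thumbprint $($distinct[0])"
```

Run it against each application or secondary server as well, since step 3 requires every TOMCAT instance to carry the same certificate.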

5. Configure Service Desk to use the SSL server URL under Administration tab -> System -> Servers.
Upload server

Additional Information:

TEC1250834

TEC1197111

TEC1748804

TEC587823

How to Import and Export SSL Certificates in IIS 7

IIS 8 and IIS 8.5: How to Import and Export SSL Certificates