How to Enable Communications between Service Desk and ITPAM when CA IT PAM is SSL Enabled?

Document ID : KB000009538
Last Modified Date : 14/02/2018

You access ITPAM from Service Desk via the Administrator tab, under Service Desk\Change Order\Categories. Select a category such as Select the Workflow tab, select Edit and click on the ITPAM button. Without enabling communication between Service Desk and the SSL-enabled ITPAM, you will see the error:

"There is a problem accessing CA IT PAM Workflow - please try again or contact the administrator. Details: ; nested exception is: Error constructing implementation (algorithm: Default, provider: SunJSSE, class:"

This error occurs because trust between the two products has not been established.


When CA IT PAM communicates via SSL, you must configure the primary and secondary CA Service Desk Manager servers to communicate with CA IT PAM.

To enable communications when CA IT PAM is SSL enabled, do the following:

  1. Verify that you can use CA IT PAM in a browser, without launching CA Service Desk Manager. Record the CA IT PAM URL and use it for reference when you configure the CA IT PAM Workflow options in Options Manager.

  2. Ensure that the Service Desk servers and the ITPAM servers are all running the same release of the Java Runtime Environment (JRE). For further details on updating the JRE on the Service Desk installation, review the documentation link under "Additional Information".

  3. Log in to CA Service Desk Manager and install or modify the CA IT PAM Workflow options in Options Manager. For each of the following options, use the syntax https://server:8443 instead of http://server:8080 for reaching the SSL enabled CA IT PAM application. However, if the CA IT PAM installation uses another port instead of the 8443 SSL port, specify the appropriate port number.

    • caextwf_endpoint

    • caextwf_processdisplay_url

    • caextwf_worklist_url

      Note: If the values do not match the actual CA IT PAM installation values, CA Service Desk Manager cannot communicate with CA IT PAM and a runtime error occurs. Verify that the values match the actual CA IT PAM installation values because the CA IT PAM installer might have selected a different port instead of port 8443.

  4. On the CA IT PAM server, locate the KEYSTOREID entry in the following file:


  5. Copy the KEYSTOREID. Be prepared to paste the KEYSTOREID value as the password after you issue the keytool command.

  6. On the CA IT PAM server, issue the following keytool command as one line on the command line:

    C:\Progra~1\ca\sc\jre\1.6.0_24\bin\keytool.exe -keystore C:\Progra~1\ITPAM\server\c2o\.config\c2okeystore -export -alias ITPAM -file itpam.cer

    Default alias: ITPAM
    Note: In earlier versions of ITPAM, the default alias was c2o-j.

    The keytool utility prompts you for a password.

  7. Paste or type the KEYSTOREID value as the password.

    The keytool utility uses the final parameter (-file itpam.cer) to create a file named itpam.cer. The itpam.cer file contains the necessary certificate information for communications with CA Service Desk Manager.

  8. Move the itpam.cer file to one of the following locations on the CA Service Desk Manager server (%NX_ROOT% is the install directory for Service Desk Manager):

    • (Windows) %NX_ROOT%\bin

    • (UNIX) $NX_ROOT/bin

  9. Import the CA IT PAM certificate information into CA Service Desk Manager by entering the following command:

    (Windows) pdm_perl %NX_ROOT%\bin\ -import %NX_ROOT%\bin\itpam.cer
    (UNIX) pdm_perl $NX_ROOT/bin/ -import $NX_ROOT/bin/itpam.cer

    The script generates the keystore file in the following locations:

    • (Windows) %NX_ROOT%\pdmconf\nx.keystore

    • (UNIX) $NX_ROOT/pdmconf/nx.keystore

  10. If your CA Service Desk Manager architecture includes secondary servers or is Advanced Availability, repeat steps 8 and 9 for each secondary server or application server in your environment. You will also need to fail over to your standby server and run steps 8 and 9 on the corresponding background/standby server as well.

    Note: Make sure that the NX_KEYSTORE_REF file is unique across each server.

  11. Restart CA Service Desk Manager.

    The CA Service Desk Manager server can communicate with the SSL enabled CA IT PAM application.
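
A check worth running between steps 8 and 9, as an added example that is not part of the original CA document: it confirms that the itpam.cer file copied to the Service Desk server is the same certificate the CA IT PAM HTTPS port presents, before that file is imported into nx.keystore. The script name, the function names and the 8443 default are assumptions; use the host and port recorded in step 1.

```python
"""Added example: confirm itpam.cer matches the certificate CA IT PAM serves."""
import hashlib
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def cert_to_der(data: bytes) -> bytes:
    """Return DER bytes; keytool -export writes DER, or PEM when -rfc is given."""
    if data.lstrip().startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return data


def sha256_fingerprint(data: bytes) -> str:
    """SHA-256 of the DER encoding as colon-separated upper-case hex."""
    digest = hashlib.sha256(cert_to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(exported: bytes, presented: bytes) -> bool:
    """True when both inputs encode the same certificate, whatever the encoding."""
    return sha256_fingerprint(exported) == sha256_fingerprint(presented)


def presented_certificate(host: str, port: int = 8443) -> bytes:
    """Fetch the server's certificate as PEM; no chain validation is done here,
    because the Service Desk side does not trust this certificate yet."""
    return ssl.get_server_certificate((host, port)).encode("ascii")


if __name__ == "__main__":
    # Hypothetical usage: python check_itpam_cert.py itpam.cer itpam-host [port]
    if len(sys.argv) < 3:
        sys.exit("usage: check_itpam_cert.py <itpam.cer> <host> [port]")
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 8443  # assumed default
    with open(sys.argv[1], "rb") as fh:
        exported = fh.read()
    live = presented_certificate(sys.argv[2], port)
    print("file  :", sha256_fingerprint(exported))
    print("server:", sha256_fingerprint(live))
    sys.exit(0 if same_certificate(exported, live) else "MISMATCH: do not import")
```

A mismatch means the file is not the certificate the server is presenting, so importing it would not establish the trust this procedure is meant to create.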

Additional Information:

To update JRE on CA Service Desk, please review:


Previous versions of this document had alluded to using Service Desk version control to distribute the nx.keystore from the primary/background servers to the constituent secondary/application servers. This is inadvisable, as the NX_KEYSTORE_REF setting in the NX.env file may vary per secondary server depending on the content of the nx.keystore.