How to enable SSL on Service Catalog r17.0 using .pfx certificate (alternative option)?

Document ID : KB000017215
Last Modified Date : 14/02/2018
Introduction:

With the availability of Service Management r17.0, the way SSL certificates are imported and configured on Service Catalog has changed compared to how it was done on r14.1.

Question:

How to enable SSL on Service Catalog r17.0 using .pfx certificate (alternative option)?

Answer:

There is an already published document describing how a .PFX certificate must be configured on Service Catalog r17.0:

How to install and use a CA Certificate (.pfx) using Service Catalog 17.0?

Depending on the CA certificate, that procedure may not work exactly as described. For such scenarios, follow these steps:

1.- Generate a self-signed certificate using the Java keytool:

a. Open a command prompt
b. Go to the location of keytool.exe (e.g. C:\jdk1.7.0_45\bin)
c. Run the command below:


keytool -genkey -keyalg RSA -alias tomcat -keystore selfsigned.jks -validity <days> -keysize 2048


d. <days> is the number of days for which the certificate will be valid.
e. Enter a password for the keystore. Note this password, as you will need it when configuring the server.
f. When prompted for first name and last name, enter the domain name of the server (the host name users will type in the HTTPS URL)
example: cat-nightly-3-2
g. Enter the other details, such as Organizational Unit, Organization, City, State and Country.
h. Confirm that the information entered is correct.
i. When prompted with "Enter key password for <tomcat>", press Enter to use the same password as the keystore password.
j. Run the command below to verify the contents of the keystore:


keytool -list -v -keystore selfsigned.jks

2.- Since the above is a self-signed certificate, the CA certificate must also be added to it:


a. Open Internet Explorer -> Internet Options -> Content -> Certificates, select the certificate you use for this server and export it to the same location as the self-signed keystore.
b. Import it into the keystore with the command below (the exported file is verison.cer in this example):

keytool -import -noprompt -alias <alias_name> -file verison.cer -keystore selfsigned.jks -storepass <password>

NOTE: This requires first importing the .PFX certificate into the Service Catalog machine (double-click the .pfx file) and then exporting it using IE.

3.- Configure your SSL connector:


a. In the server.xml file, change the values of keystoreFile, keyAlias and keystorePass accordingly.
b. Add the two lines below to Viewservice.conf:


wrapper.java.additional.10=-Djavax.net.ssl.trustStore=<path>
wrapper.java.additional.11=-Djavax.net.ssl.trustPass=<password>

example:

wrapper.java.additional.10=-Djavax.net.ssl.trustStore="c:\program files\CA\Service Catalog\selfsigned.jks"
wrapper.java.additional.11=-Djavax.net.ssl.trustPass=changeit
wrapper.java.additional.24=-Djavax.net.ssl.trustStoreType=JKS

4.- Import the PFX certificate into the JKS file created previously:

a. Back up the original .jks file, then import the .pfx (example: ca_certificate.pfx) into this .jks, which is the file set in the "-Djavax.net.ssl.trustStore=" property.
b. Command to import it:

keytool -v -importkeystore -srckeystore ca_certificate.pfx -srcstoretype PKCS12 -destkeystore selfsigned.jks -deststoretype JKS

NOTE: "ca_certificate.pfx" is the CA-provided certificate and "selfsigned.jks" is the keystore created in the previous steps.

5.- Configure the new value (the alias of the entry imported from the PFX, as shown by keytool -list -v) in server.xml as well.

Save the changes, restart the Service Catalog service and test the HTTPS URL on the desired port.
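As an added check written for this article (it is example code, not part of the CA product or its documentation), the following Python script parses the output of `keytool -list -v -keystore selfsigned.jks` (step 1j, run again after step 4) and reports whether the entry that keyAlias in server.xml names is a PrivateKeyEntry, is not expired, and carries a CA-issued certificate with its chain. The listing is constructed, and the alias ca_certificate for the imported PFX entry is an assumption.

```python
import re
from datetime import date, datetime

# Constructed `keytool -list -v -keystore selfsigned.jks` output (not from a real
# system): the self-signed 'tomcat' entry plus the key copied in from the PFX.
SAMPLE_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=cat-nightly-3-2, O=Example
Issuer: CN=cat-nightly-3-2, O=Example
Valid from: Wed Feb 14 10:00:00 CET 2018 until: Thu Feb 14 10:00:00 CET 2019
*******************************************
Alias name: ca_certificate
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=cat-nightly-3-2, O=Example
Issuer: CN=Example CA, O=Example
Valid from: Mon Jan 01 00:00:00 CET 2018 until: Fri Jan 01 00:00:00 CET 2021
Owner: CN=Example CA, O=Example
Issuer: CN=Example CA, O=Example
"""

def parse_entries(listing):
    """Map alias -> {field: value} for each entry of a `keytool -list -v` listing."""
    entries = {}
    for block in re.split(r"\n(?=Alias name:)", listing):
        # reversed(): for a repeated key (Owner/Issuer of each chain cert) the first one, the server cert, wins
        kv = dict(reversed(re.findall(r"^([A-Za-z ]+): (.+)$", block, re.M)))
        if "Alias name" in kv:
            entries[kv["Alias name"]] = kv
    return entries

def check_keystore(listing, key_alias, today):
    """Findings for the entry that server.xml's keyAlias names; an empty list means OK."""
    e = parse_entries(listing).get(key_alias)
    if e is None:
        return [f"alias '{key_alias}' not found: keyAlias in server.xml must name a keystore entry"]
    findings = []
    if e.get("Entry type") != "PrivateKeyEntry":
        findings.append(f"'{key_alias}' is a {e.get('Entry type')}: Tomcat needs a PrivateKeyEntry")
    m = re.search(r"until: \w{3} (\w{3} \d{1,2}) \S+ \S+ (\d{4})", e.get("Valid from", ""))
    if m and datetime.strptime(f"{m[1]} {m[2]}", "%b %d %Y").date() < date.fromisoformat(today):
        findings.append("certificate has expired: " + e["Valid from"])
    if e.get("Owner") == e.get("Issuer"):
        findings.append("self-signed: browsers will warn; point keyAlias at the entry imported from the PFX")
    elif int(e.get("Certificate chain length", 1)) < 2:
        findings.append("CA-issued but chain length 1: the CA certificate is missing (step 2)")
    return findings
```

Run it against the real listing by passing the captured keytool output and today's date as YYYY-MM-DD; any returned string is something to fix before restarting the service.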