How to set up CA EEM UI to use a custom signed certificate

Document ID : KB000074845
Last Modified Date : 26/03/2018
Introduction:
How to set up CA Embedded Entitlements Manager (EEM) r12.x UI to use a custom signed certificate.
Instructions:
These instructions are not for setting up SSL connectivity to an LDAP source. They are for setting a custom certificate that a customer would use to add the default EEM UI spin page to the local machines’ trusted certificate authorities. The finished certificate file is made up of only the EEM server certificate. The root, intermediate, and all other associated parts of the chain need not be included; it is the responsibility of the customer to deploy them to the local machines’ trusted certification authorities.

Edit the file 'igateway.conf', located in %IGW_LOC% or $IGW_LOC. The server's certificate should be added in the 'defaultport' section of the igateway.conf file. A sample for a pem certificate is given below:
<Connector name="defaultport">
    <port>5250</port>
    <mustlisten>true</mustlisten>
    <conntype/>
    <conntimeout>120</conntimeout>
    <peektimeout>30</peektimeout>
    <maxconnections>1000</maxconnections>
    <maxrequestbytes>10000000</maxrequestbytes>
    <maxpiperequests>10</maxpiperequests>
    <maxAcceptRate/>
    <certType>pem</certType>
    <certURI>Server_cer.cer</certURI>
    <certPW/>
    <keyURI>Server_key.key</keyURI>
    <keyPW/>
    <secureProtocol/>

Supported certificate types are p11, p12 and pem. If the certificate type is p12, fill in the certURI and certPW fields. If it is pem, fill in the certURI and keyURI fields. If a password is used to encrypt the key file, fill in the keyPW field as well. The top of the .key file will say “Start Encrypted RSA string”.
You can remove a passphrase from a private key by running the following command (requires the openssl libraries). The resulting newPrivateKey.pem is stored unencrypted, so restrict read access to it.
•    openssl rsa -in privateKey.pem -out newPrivateKey.pem

This is the only change required in the igateway.conf file.
iGateway always uses munged passwords for certificates. This is true for both pem and p12 certificates. Pem certificates are unencrypted and are not password protected. Hence, iGateway does not check the certificate password of pem format certificates.
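
The field rules above can be checked before iGateway is restarted. The following Python script is an added example, not part of CA's tooling or the original article; the function names, the sample connector section and the key headers are constructed for illustration, and the encrypted-key markers are the standard OpenSSL PEM ones.

```python
import xml.etree.ElementTree as ET

# Fields the article says each certType needs (it gives none for p11).
REQUIRED = {"pem": ("certURI", "keyURI"), "p12": ("certURI", "certPW")}

def key_is_encrypted(pem_text):
    """True for PKCS#8 or traditional OpenSSL passphrase-protected keys."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)

def check_connector(conf_xml, key_pem=None, name="defaultport"):
    """Return a list of problems found in the named <Connector> section."""
    root = ET.fromstring(conf_xml)
    conn = next((c for c in root.iter("Connector") if c.get("name") == name), None)
    if conn is None:
        return [f"no Connector named {name!r}"]

    def value(tag):
        # Empty elements such as <certPW/> and missing ones both give "".
        return (conn.findtext(tag) or "").strip()

    cert_type = value("certType")
    if cert_type not in ("p11", "p12", "pem"):
        return [f"unsupported certType {cert_type!r}"]
    problems = [f"{tag} is empty for certType {cert_type}"
                for tag in REQUIRED.get(cert_type, ()) if not value(tag)]
    # keyPW is stored munged, so only its presence can be checked here.
    if cert_type == "pem" and key_pem and key_is_encrypted(key_pem) and not value("keyPW"):
        problems.append("key file is encrypted but keyPW is empty")
    return problems

# Constructed sample: the article's certificate fields, closed so it parses.
SAMPLE_CONF = """<Connector name="defaultport">
  <port>5250</port>
  <certType>pem</certType>
  <certURI>Server_cer.cer</certURI>
  <certPW/>
  <keyURI>Server_key.key</keyURI>
  <keyPW/>
</Connector>"""
# Constructed key headers only; no real key material.
ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n(constructed)\n"
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n"

if __name__ == "__main__":
    print(check_connector(SAMPLE_CONF, PLAIN_KEY))
    print(check_connector(SAMPLE_CONF, ENCRYPTED_KEY))
```
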

Although the igateway.conf file can be edited directly, that is not the recommended way to update the certificates and other information in it. iGateway comes with a tool named “ConfigTool”, which can be used to update any igateway.conf value.
For example, to munge the certPW password in the sample igateway.conf file above, you can use the command below:
C:\Program Files (x86)\CA\SC\iTechnology>ConfigTool -munge -version 4.6.0.0 -comp igateway -tag "TransportReceiver=HTTP;Connector=defaultport;certPW;" -passwd testpassword

After the changes are made, save the igateway.conf file and restart the iTechnology iGateway services for the new changes to take effect.