How to setup SSL in Identity Manager 12.6.x (JBoss)

Document ID : KB000038544
Last Modified Date : 14/02/2018
Show Technical Document Details

Introduction:

This document describes how to setup SSL in CA Identity Manager 12.6 with SSL and JBoss 6.x

 

Instructions:

Some notes before starting:

Note 1: Check if you have more than one Java installed on your Server. If you have more than one, check what the Java version used by JBoss during its startup. Usually, during the JBoss startup you can see the JBoss used. Make sure that your JAVA_HOME environment variable is pointing to the correct path, in the example below the JAVA_HOME should be “D:\Program Files\Java\jdk1.7.0_75”

screen1.png

 

Note 2: This document describe the process using Self-signed certificate, if you want to use MS Certificate for example, please see the Microsoft support website to know how to do that.

 

Creating the self-signed certificate

1) Open a command prompt

2) Enter the following command (keytool.exe is located under folder %JAVA_HOME%\bin)

          keytool -genkey -alias name -keyalg RSA -keystore server.keystore

              -alias

                     Defines the alias to use for adding an entry to the keystore.

              -keyalg

                     Specifies the algorithm to use to generate the key pair.

The keytool utility starts.

3) For “first and last name” question, type the FQDN of your CA Identity Manager Server

4) In the sample below it was created a temp folder to store the server.keystore file

5) A server.keystore file is created and placed in the specified folder.

screen2.png

 

6) Copy server.keystore file to your JBoss folder “<JBoss_Installation_folder>/standalone/configuration”

 

 

Add Your Digital Certificate to the Keystore 

Now, we need to export the digital certificate from the CA Identity Manager server and import this certificate into keystore.

Follow these steps:

1) Stop JBoss if it is running

2) Open the command prompt window where you created the self-signed certificate 

3) Export the digital certificate from the server to JBoss with the following command:

                       "%JAVA_HOME%\bin\keytool" -v -export -alias name -keystore server.keystore -storepass password -file example.cer

For our example, the command should be:

screen3.png

 

screen1.png4) Import the digital certificate to the keystore with the following command:

                  "%JAVA_HOME%\bin\keytool" -v -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts"-storepass password -file example.cer

For our example, the command should be:

screen4.png

 

If you didn’t change the “cacerts” keystore password, it is “changeit” without quotes

5) Copy the example.cer file to the following JDK security folder:

               X:\Program Files\Java\jdk1.7.0_75\jre\lib\security

6) Add the certificate to the local certificate store.

         a. Locate and double-click the example.cer file.

                 A Certificate window opens. 

         b. On the General tab, click Install Certificate.

                The Certificate Import Wizard opens.

         c. Complete the prompts as required, click Finish, and click OK when the confirmation dialog opens.

                 You have added the digital certificate to the keystore.

 

 

Activate SSL Communication in JBoss

To activate SSL communication in JBoss, block the default port and edit the server.xml file to include the certificate path and password.

Follow these steps:

1) Stop JBoss if it is running.

2) Locate standalone-full.xml in the following folder and open it for editing:

              X:\<JBoss_installation_folder>\standalone\configuration\

3) Disable default port 8080. Locate and comment out the following code section:

         <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

         You have disabled default port 8080.

 

4) Edit the JBoss standalone-full.xml file to enable SSL and to include the certificate path and password.

              a. Locate the following section:

                       <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

              b. Add a line directly below and paste the following code:

                   <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">

                              <ssl name="ssl" password="password" key-alias="Alias-Name" certificate-key-file="<JBoss_Installation_folder>/standalone/configuration/server.keystore" />

                   </connector>

               c. Replace the password with the keystore password

               d. Replace the Alias-Name with the value type when you generate the server.keystore file

 

5) Save and close the standalone-full.xml file

6) Locate standalone.bat in the following folder and open it for editing:

            X:\<JBoss_installation_folder>\bin\standalone.bat

7) Edit standalone.bat 

         a. Locate the following line

                set "JAVA_OPTS=-Dprogram.name=%PROGNAME% %JAVA_OPTS%"

         b. Add the lines directly below and paste the following:

                set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="C:\ConfigurarSSL\cacerts" 

                set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit

8) Save and close standalone.bat

9) Start JBoss

You have activated SSL communication in JBoss

 

 

Additional Information:

 

To integrate Identity Manager and Identity Governance both with SSL

 

1) Copy the .cer file generated in section “Add Your Digital Certificate to the Keystore” step 3 to Identity Governance machine

2) From Identity Governance machine, run the keytool command line to import it to JDK cacerts, the same command from section “Add Your Digital Certificate to the Keystore”, step 4, but now the change to Identity Governance certificate file

          "%JAVA_HOME%\bin\keytool" -v -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts"-storepass password -file identitygovernance.cer

3) Restart JBoss (IdM) service

Note: Please, refers to the document “How to setup SSL in IG 12.6.x (JBoss 5 and 6EAP)” TEC1237693 for details about how to import Identity Manager certificate to Identity Governance truststore.

 

Tech doc: how to enable SSL in BulkLoad Client

https://communities.ca.com/docs/DOC-231159591