Implementing HTTPS on an ETC cluster with a self-signed certificate.

Document ID : KB000015160
Last Modified Date : 14/02/2018
Show Technical Document Details

    The following steps describe how to change ETC from using HTTP to HTTPS and register in ETC with HTTPS paths.


 How do I setup HTTPS for CA APM Enterprise Team Center cluster with a self-signed certificate?


APM 10.5.x

Using just one machine:

    create certificate with wily alias valid for domain EMs are on (or use * if you do not care about hostname validation or have troubles to have FQDN in configuration...) into new
    $ keytool -genkey -keyalg RSA -alias wily -keystore -storepass changeit  -validity 360 -keysize 2048
            What is your first and last name?
              [Unknown]:  *
            What is the name of your organizational unit?
            What is the name of your organization?
            What is the name of your City or Locality?
            What is the name of your State or Province?
            What is the two-letter country code for this unit?
            Is CN=*, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
              [no]:  yes
            Enter key password for <wily>
                (RETURN if same as keystore password):

    export certificate to wily.cert
    $ keytool -exportcert -alias wily -keystore -storepass changeit -file wily.cert
            Certificate stored in file <wily.cert>

Using multiple machines:

    copy (generated by first step) to <EM>/config/internal/server
    uncomment introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml line in
    uncomment introscope.webview.jetty.configurationFile=webview-jetty-config.xml line in
    modify introscope.webview.enterprisemanager.webserver.tcp.port, (http->https) in

    edit em-jetty-config and webview-jetty-config.xml to use new keystore ( and password (chageit)
    <Set name="keystore"><SystemProperty name="introscope.config" default="./config" />/internal/server/</Set>
    <Set name="password">changeit</Set>
    <Set name="keyPassword">changeit</Set>
    <Set name="truststore"><SystemProperty name="introscope.config" default="./config" />/internal/server/</Set>
    <Set name="trustPassword">changeit</Set>

    copy exported wily.cert to machine

    add certificate to java global truststore FOR JDK/JRE USED TO RUN EM

    $ cd <em>/jre/lib/security/
    $ keytool -importcert -trustcacerts -keystore cacerts -storepass changeit -file <path_to_wily.cert>
            Owner: CN=*, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
            Issuer: CN=*, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
            Serial number: 41e0d11d
            Valid from: Thu Mar 16 15:54:03 CET 2017 until: Sun Mar 11 15:54:03 CET 2018
            Certificate fingerprints:
                 MD5:  8C:46:07:CF:08:44:AA:E3:84:6A:B0:64:00:97:2B:13
                 SHA1: 3C:87:85:FB:8B:EA:CD:79:89:F4:CB:02:21:22:F9:E5:5B:30:4A:D6
                 SHA256: FC:D5:69:97:CA:E5:5B:ED:52:C6:2F:EF:C5:F1:8D:04:7C:89:FA:3F:5D:F8:28:B9:56:7E:5C:B6:9A:FF:68:1E
                 Signature algorithm name: SHA256withRSA
                 Version: 3
            #1: ObjectId: Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: 99 2D 16 3A 04 B8 DB C4   4C C5 4F FF F4 10 57 A0  .-.:....L.O...W.
            0010: 0B 36 36 59                                        .66Y
            Trust this certificate? [no]:  yes
            Certificate was added to keystore


    Run EMs, Webviews and register to APM Grand Central (ETC) with https paths


Additional Information: