Implementing HTTPS on an ETC cluster with a self-signed certificate.

Document ID : KB000015160
Last Modified Date : 14/02/2018
Introduction:

    The following steps describe how to change ETC from using HTTP to HTTPS and register in ETC with HTTPS paths.

Question:

 How do I set up HTTPS for a CA APM Enterprise Team Center cluster with a self-signed certificate?

 

Environment:
APM 10.5.x
Answer:

Using just one machine:

    Create a certificate with the alias wily in a new keystore, keystore.new. Make it valid for the domain the EMs are on (or use * if you do not care about hostname validation or have trouble using an FQDN in the configuration):
   
   
    $ keytool -genkey -keyalg RSA -alias wily -keystore keystore.new -storepass changeit  -validity 360 -keysize 2048
            What is your first and last name?
              [Unknown]:  *.ca.com
            What is the name of your organizational unit?
              [Unknown]:
            What is the name of your organization?
              [Unknown]:
            What is the name of your City or Locality?
              [Unknown]:
            What is the name of your State or Province?
              [Unknown]:
            What is the two-letter country code for this unit?
              [Unknown]:
            Is CN=*.ca.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
              [no]:  yes
    
            Enter key password for <wily>
                (RETURN if same as keystore password):
               
               

    Export the certificate to wily.cert:
    $ keytool -exportcert -alias wily -keystore keystore.new -storepass changeit -file wily.cert
            Certificate stored in file <wily.cert>
           
           
           

Using multiple machines:

    Copy keystore.new (generated in the first step) to <EM>/config/internal/server.
    Uncomment the introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml line in IntroscopeEnterpriseManager.properties.
    Uncomment the introscope.webview.jetty.configurationFile=webview-jetty-config.xml line in IntroscopeWebView.properties.
    Modify introscope.webview.enterprisemanager.webserver.tcp.port and introscope.webview.enterprisemanager.rest.base (http -> https) in IntroscopeWebView.properties.
   

    Edit em-jetty-config.xml and webview-jetty-config.xml to use the new keystore (keystore.new) and password (changeit):
    <Set name="keystore"><SystemProperty name="introscope.config" default="./config" />/internal/server/keystore.new</Set>
    <Set name="password">changeit</Set>
    <Set name="keyPassword">changeit</Set>
    <Set name="truststore"><SystemProperty name="introscope.config" default="./config" />/internal/server/keystore.new</Set>
    <Set name="trustPassword">changeit</Set>


    Copy the exported wily.cert to the machine.


    Add the certificate to the Java global truststore of the JDK/JRE used to run the EM:


    $ cd <em>/jre/lib/security/
            
    $ keytool -importcert -trustcacerts -keystore cacerts -storepass changeit -file <path_to_wily.cert>
            Password:
            Owner: CN=*.ca.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
            Issuer: CN=*.ca.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
            Serial number: 41e0d11d
            Valid from: Thu Mar 16 15:54:03 CET 2017 until: Sun Mar 11 15:54:03 CET 2018
            Certificate fingerprints:
                 MD5:  8C:46:07:CF:08:44:AA:E3:84:6A:B0:64:00:97:2B:13
                 SHA1: 3C:87:85:FB:8B:EA:CD:79:89:F4:CB:02:21:22:F9:E5:5B:30:4A:D6
                 SHA256: FC:D5:69:97:CA:E5:5B:ED:52:C6:2F:EF:C5:F1:8D:04:7C:89:FA:3F:5D:F8:28:B9:56:7E:5C:B6:9A:FF:68:1E
                 Signature algorithm name: SHA256withRSA
                 Version: 3
    
            Extensions:
    
            #1: ObjectId: 2.5.29.14 Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: 99 2D 16 3A 04 B8 DB C4   4C C5 4F FF F4 10 57 A0  .-.:....L.O...W.
            0010: 0B 36 36 59                                        .66Y
            ]
            ]
    
            Trust this certificate? [no]:  yes
            Certificate was added to keystore


    

    Start the EMs and WebViews, and register them in APM Grand Central (ETC) with HTTPS paths.
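
The certificate above is generated with -validity 360 and then trusted in the cacerts of the JRE that runs each EM, so it has to be renewed on every node before it expires. The following check is an added example (not part of the original article or of CA APM): it parses the text printed by keytool -printcert -file wily.cert and reports the CN, whether the certificate is self-signed or a wildcard, its SHA256 fingerprint and the days remaining. The function names, the 30-day warning threshold and the sample text (constructed from the output shown above) are assumptions.

```python
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Constructed sample: the relevant lines of the keytool output shown in the article.
SAMPLE = """\
Owner: CN=*.ca.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=*.ca.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Valid from: Thu Mar 16 15:54:03 CET 2017 until: Sun Mar 11 15:54:03 CET 2018
     SHA256: FC:D5:69:97:CA:E5:5B:ED:52:C6:2F:EF:C5:F1:8D:04:7C:89:FA:3F:5D:F8:28:B9:56:7E:5C:B6:9A:FF:68:1E
"""

def parse_keytool_date(text):
    """Parse 'Sun Mar 11 15:54:03 CET 2018'; the zone is ignored (day precision)."""
    _dow, mon, day, clock, _zone, year = text.split()
    h, m, s = (int(x) for x in clock.split(":"))
    return datetime(int(year), MONTHS.index(mon) + 1, int(day), h, m, s)

def field(pattern, text):
    """Return the first capture group of pattern, or fail loudly if it is absent."""
    match = re.search(pattern, text, re.M)
    if match is None:
        raise ValueError(f"keytool output has no match for {pattern!r}")
    return match.group(1).strip()

def inspect_cert(keytool_text, now, warn_days=30):
    """Summarise ONE certificate from `keytool -printcert` or `-list -v` text."""
    owner = field(r"^\s*Owner: (.+)$", keytool_text)
    issuer = field(r"^\s*Issuer: (.+)$", keytool_text)
    cn = field(r"CN=([^,]+)", owner)
    not_after = parse_keytool_date(field(r"until: (.+)$", keytool_text))
    days_left = (not_after - now).days  # negative once the certificate has expired
    status = "expired" if days_left < 0 else "renew" if days_left <= warn_days else "ok"
    return {
        "cn": cn,
        "self_signed": owner == issuer,  # heuristic: subject equals issuer
        "wildcard": cn.startswith("*"),  # one key then covers every host in the domain
        "sha256": field(r"SHA256: ([0-9A-Fa-f:]+)", keytool_text),
        "days_left": days_left,
        "status": status,
    }

if __name__ == "__main__":
    print(inspect_cert(SAMPLE, now=datetime(2018, 2, 14)))
```

Comparing the sha256 value reported on each machine confirms that every truststore holds the same certificate as the keystore it was exported from.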

     

Additional Information:

 

Configure Enterprise Team Center