"Secure Connection Failed. PAMhost:8443 uses an invalid security certificate. The certificate is not trusted because it is self-signed".

Document ID : KB000044348
Last Modified Date : 24/05/2018
Show Technical Document Details

My company blocks SSL certificates that are self-signed.  How can I install PAM with SSL?


If you are unable to implement a pre-defined or self-signed certificate you will need to contact a 3rd party certificate authority and implement a 3rd party signed certificate for your site.
This information is taken from the production documentation.  Please see the docops.ca.com product page for your version for any changes to this process.


Implement Your Third-Party Trusted SSL Certificate

CA Process Automation supports third-party security certificates for HTTPS web access and signing of jars. You can obtain such certificates from a third-party Certificate Authority.

Follow these steps:

1. Decide on a certificate password and obtain a security certificate from a Certification Authority.

2. Using the instructions provided by the Certification Authority, import the certificate into a keystore.

Generally you use a command similar to keytool –import –alias myalias –file certfile –keystore "path_and_file_specification_for_keystore".

3. For the keystore password, enter the certificate password provided by the Certificate Authority.

4. Obtain an encrypted version of the keystore password.

               a. Navigate to install_dir/server/c2o.

               b. Locate the PasswordEncryption script (PasswordEncryption.bat for Windows, PasswordEncryption.sh for UNIX or Linux).

               c. Run PasswordEncryption passwordtoencrypt.

               d. Save the long encrypted value returned for entry in the properties file.

5. Stop the Orchestrator

6. Back up and edit the Oasis Configuration properties file to add or update the following:

               a. itpam.web.keystorepath to the location of the keystore using the fully qualified path and file name for the keystore file.

               b. itpam.web.keystore.password with the encrypted keystore password (do not surround encrypted password value with quotes)

               c. itpam.web.keystorealias to the alias used to reference the certificate in the keystore (myalias in the examples).

7. Sign the jars by running SignC2OJars (SignC2OJars.bat for Windows, SignC2OJars.sh for UNIX or Linux) included with CA Process Automation in install_dir/server/c2o.
Run SignC2oJars without parameters to sign the jars. If the keystore password you entered does not match the certificate password, enter the certificate password as each jar is signed.

Script Execution Completed.


Note: On AIX, there is a known problem when re-signing a jar file using SignC2OJars. To work around this problem, manually "unsign" the jars by removing the *.SF and *.RSA files in the META-INF folder for each Java Archive before running SignC2OJars.


8. If the keystore contains more than one alias, modify the connector entry in server.xml. The server.xm. is located in <install_dir>\server\c2o\deploy\jbossweb-tomcat55.sar\server.xml. Add the line in bold: 

<Connector port="${tomcat.secure.port}" address="${jboss.bind.address}"

maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"


scheme="https" secure="true" clientAuth="false"



keystorePass="${itpam.web.keystore.password}" sslProtocol = "${SSL_PROTOCOL}" algorithm = "${X509_ALGORITHM}" useBodyEncodingForURI="true"/>

9. Start the Orchestrator

10. Repeat this procedure for each Orchestrator that is to use the new certificate.


Please also see the PAM administration guide on “About Using a Certificate Issued by a Third-Party Certificate Authority”