Steps to use a custom certificate in PAM that does not allow for jar signing.

Document ID : KB000009473
Last Modified Date : 14/02/2018
Introduction:

Some Certificate Authorities provide certificates that do not allow for jar signing. PAM reports an error to this effect when such a certificate is put in place. A new certificate should be requested, but the following provides a workaround. Note that an upgrade will override these steps and this document will need to be followed again.

Instructions:

The following steps can be used to configure PAM's JBoss Web Server to use a third-party trusted SSL certificate while still using the auto-generated self-signed keystore for signing jars. The steps are useful where customer environments issue certificates that can only be used for the Web Server but cannot be used for signing jars. The following steps allow you to use a third-party certificate only for the JBoss Web Server.

Important: Customizations done here are overridden and will need to be redone after a major upgrade (applying service packs or a version upgrade) but are maintained on patch or hotfix installs.

You can skip the steps to generate a PKCS keystore (steps 1 - 4) if you already have one. Your PKCS keystore should have a private key and its corresponding certificate that can be imported into a JKS keystore for use with PAM.

  1. Use openssl to create a private key.

    openssl genrsa -out automation.key 2048 

  2. Create a CSR.

    openssl req -new -key automation.key -out automation.csr

    You are about to be asked to enter information that will be incorporated into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank. 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [GB]:
    State or Province Name (full name) [Berkshire]:
    Locality Name (eg, city) [Newbury]:
    Organization Name (eg, company) [My Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    NOTE: In the last 2 prompts, do not enter a challenge password or optional company name. Just press ENTER to keep them empty. The common name must be the fully qualified domain name of the ITPAM server. If using a load balancer, it must be the fully qualified domain name of the load balancer.

  3. Send automation.csr to your Certificate Authority and save the resulting server certificate (in this example automation.cer).

  4. Use the server private key and public certificate to create a PKCS key store.

    openssl pkcs12 -export -in automation.cer -inkey automation.key -out automation.p12 -name automation

    Note: The -name switch is used in the next step for importing into the JKS keystore (using the -srcalias switch). The password used here is also required to create the JKS keystore to be used with PAM.

  5. Use keytool (found in the JDK bin directory) to import the PKCS key store into a JKS keystore.

    keytool -importkeystore -srckeystore automation.p12 -destkeystore automation.jks -srcstoretype pkcs12 -srcalias automation -destalias automation

    Note: You can view the alias of your pkcs12 certificate (required for the -srcalias parameter) by entering the following command to list the contents:

    keytool -v -list -storetype pkcs12 -keystore automation.p12

    To list the contents of the JKS keystore:

    keytool -v -list -keystore automation.jks

    Important: Source and destination passwords must be the same. Use the same password for the new JKS keystore as was used to create the PKCS keystore in step 4.

  6. Stop the PAM Orchestrator (all nodes in a clustered environment).

  7. Back up the current server\c2o\deploy\jbossweb.sar\server.xml file OUTSIDE of the PAM install directory.

    Important: Don't make a backup copy in the same folder; copy server.xml to a temporary backup directory instead.

  8. Edit the Connector element to use non-default properties (the example below adds the word custom to the out-of-the-box property names):

       <Connector protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           port="${tomcat.secure.port}" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${itpam.custom.web.keystorepath}"
           keyAlias="${itpam.custom.web.keystorealias}"
           keystorePass="${itpam.custom.web.keystore.password}"
           sslProtocol="${SSL_PROTOCOL}" algorithm="${X509_ALGORITHM}" ciphers="${jboss.ssl.ciphers}"
           useBodyEncodingForURI="true" maxPostSize="12582912"/>

  9. Encrypt the password used for automation.jks using the PasswordEncryption utility in the server\c2o folder.

    For example, on Windows, run the following from a command prompt:

    PasswordEncryption.bat passwordUsedForJKSKeystore > automation-pass.txt

    This creates a new file containing the encrypted password.

    Note: You might need to press ENTER for the utility to return to the command prompt.

  10. Copy automation.jks to the <pam_dir>/server/c2o/.config/ folder.

  11. Back up the current server\c2o\.config\OasisConfig.properties file and add the following new parameters, matching what was added to server.xml in step 8, next to their corresponding out-of-the-box parameters. The custom password property name must match the placeholder used for keystorePass in server.xml (itpam.custom.web.keystore.password):

          itpam.web.keystorepath=<pam_dir>/server/c2o/.config/c2okeystore
          itpam.custom.web.keystorepath=<pam_dir>/server/c2o/.config/automation.jks
          itpam.web.keystore.password=<leave_default>
          itpam.custom.web.keystore.password=<encrypted_password_from_step_9>
          itpam.web.keystorealias=ITPAM
          itpam.custom.web.keystorealias=automation

  12. Start the PAM Orchestrator.

  13. Repeat this for any other nodes of the cluster.
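The most common way for the procedure above to fail silently is a mismatch between the ${...} placeholders placed on the Connector in step 8 and the property names added to OasisConfig.properties in step 11: the connector then starts with a literal, unresolved keystore path or password and HTTPS does not come up. The following is an added sanity check, not part of this document or of the PAM product, that parses both files and reports any custom placeholder with no matching property; the server.xml and properties fragments embedded in it are constructed samples, not values from a real installation.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the step 8 Connector (not copied from an installation).
SERVER_XML = """<Server><Service><Connector SSLEnabled="true" scheme="https"
  port="${tomcat.secure.port}" keystoreFile="${itpam.custom.web.keystorepath}"
  keyAlias="${itpam.custom.web.keystorealias}"
  keystorePass="${itpam.custom.web.keystore.password}"/></Service></Server>"""

# Constructed OasisConfig.properties fragments: one consistent with the
# Connector above, one where the password key was mis-typed while editing.
GOOD_PROPS = """itpam.web.keystorepath=/opt/pam/server/c2o/.config/c2okeystore
itpam.custom.web.keystorepath=/opt/pam/server/c2o/.config/automation.jks
itpam.custom.web.keystore.password=ENCRYPTED_VALUE_PLACEHOLDER
itpam.custom.web.keystorealias=automation
"""
BAD_PROPS = GOOD_PROPS.replace("custom.web.keystore.password", "custom.keystore.password")

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def connector_placeholders(server_xml):
    """Map attribute -> property name for every ${...} value on the SSL Connector."""
    found = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            for attr, value in conn.attrib.items():
                if value.startswith("${") and value.endswith("}"):
                    found[attr] = value[2:-1]
    return found

def check_custom_keystore(server_xml, properties_text):
    """Return a list of problems; an empty list means the two files agree."""
    props = parse_properties(properties_text)
    refs = connector_placeholders(server_xml)
    problems = []
    for attr in ("keystoreFile", "keyAlias", "keystorePass"):
        prop = refs.get(attr)
        if prop is None:
            problems.append(f"{attr} is not a ${{...}} placeholder on the SSL Connector")
        elif prop not in props:
            problems.append(f"{attr} references {prop}, which is not defined in OasisConfig.properties")
    return problems
```

Run it against the real server.xml and OasisConfig.properties (read both files into strings) before starting the Orchestrator in step 12; an empty result means every custom keystore placeholder resolves.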