CA Service Management - 14.1

Enable Secure Socket Layer (SSL)

Last update December 21, 2018

To configure and enable SSL for the xFlow Analyst Interface and the Search Server, perform the following procedures:

Create a Self-Signed Certificate from JKS for Apache Server (CA SDM with xFlow Analyst Interface)

Perform the following steps:

  1. Create a document with names that you intend to use for the java keystore - the client certificate alias, the client certificate request file, the server certificate alias, the server certificate request file, the server certificate name, the OpenSSL private key name, and the OpenSSL certificate name. Enter the following values in the document:

    • Java keystore = hostname_keystore.jks

    • Client certificate alias = hostname_clientcert

    • Client certificate request file = hostname_clientcert.crt

    • Server certificate alias = hostname_certname

    • Server certificate request file= hostname_certname.csr

    • Server certificate name = hostname_certname.crt

    • OpenSSL private key name = hostname_SSL.key

    • OpenSSL certificate = hostname_SSL.crt

  2. Navigate to <xFlowInstallation Home Dir>\jre\bin and run the following commands to generate the keys and certificates:

    keytool -genkeypair -v -alias hostname_clientcert -dname "CN=hostname, OU=sdm, O=ca, L=hyd, ST=ts, C=in" -keystore hostname_keystore.jks -keyalg RSA -keysize 4096 -ext KeyUsage:critical="keyCertSign" -ext BasicConstraints:critical="ca:true" -validity 9999
    keytool -export -v -alias hostname_clientcert -file hostname_clientcert.crt -keystore hostname_keystore.jks -rfc
    keytool -genkeypair -v -alias hostname_certname -dname "CN=hostname, OU=sdm, O=ca, L=hyd, ST=ts, C=in" -keystore hostname_keystore.jks -keyalg RSA -keysize 2048 -validity 385
    keytool -certreq -v -alias hostname_certname -keystore hostname_keystore.jks -file hostname_certname.csr
    keytool -gencert -v -alias hostname_clientcert -keystore hostname_keystore.jks -infile hostname_certname.csr -outfile hostname_certname.crt -ext KeyUsage:critical="digitalSignature,keyEncipherment" -ext EKU="serverAuth" -ext SAN="DNS:hostname" -rfc
    keytool -importcert -v -alias hostname_certnameimport -file hostname_certname.crt -keystore hostname_keystore.jks -storetype JKS
    keytool -list -v -keystore hostname_keystore.jks

  3. Copy the .crt and .jks files to one location.

    Note: We recommend that you create a folder called certificates on the root of your drive, that is, C:\certificates. You can now view C:\certificates\hostname_keystore.jks and C:\certificates\hostname_certname.crt. This article refers to these paths; if you use a different path, adjust the paths accordingly.

  4. Navigate to <xFlowInstallation Home Dir>\APPS\Services\ on the command line, and run the following commands:

    echo -Dhttps.port=9444 -Dplay.server.https.keyStore.path=C:\certificates\hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > incidentmicroservice-0.1-SNAPSHOT\INCIDENTMICROSERVICE_config.txt
    echo -Dhttps.port=9448 -Dplay.server.https.keyStore.path=C:\certificates\hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > pushmicroservice-0.1-SNAPSHOT\PUSHMICROSERVICE_config.txt
    echo -Dhttps.port=9446 -Dplay.server.https.keyStore.path=C:\certificates\hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > searchmicroservice-0.1-SNAPSHOT\SEARCHMICROSERVICE_config.txt
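A sanity check for the three configuration files written above, as an added example that is not part of the product: the Python script below parses each *_config.txt and flags a malformed option (a missing '-' or a stray space after '=' splits one option in two and leaves that microservice without a keystore, so without HTTPS), a missing option, a non-numeric port, a keystore path that does not exist, or a password that still looks like the placeholder. The folder and file names are the ones from the echo commands; everything else is assumed.

```python
"""Sanity-check the *_config.txt JVM option files written by the echo
commands above (added example, not part of the product). Assumes each
file holds whitespace-separated -Dkey=value options as shown."""
import os
import re

REQUIRED = ("https.port",
            "play.server.https.keyStore.path",
            "play.server.https.keyStore.password")
OPTION_RE = re.compile(r"^-D([A-Za-z0-9_.]+)=(.*)$")
# Per-service folder and file names from the echo commands above.
CONFIG_FILES = {
    "incidentmicroservice-0.1-SNAPSHOT": "INCIDENTMICROSERVICE_config.txt",
    "pushmicroservice-0.1-SNAPSHOT": "PUSHMICROSERVICE_config.txt",
    "searchmicroservice-0.1-SNAPSHOT": "SEARCHMICROSERVICE_config.txt",
}

def check_jvm_options(text, keystore_exists=os.path.isfile):
    """Return a list of problems for one config file; an empty list means OK."""
    problems, seen = [], {}
    for token in text.split():
        m = OPTION_RE.match(token)
        if not m:  # e.g. 'Dplay...' without the leading '-', or a split value
            problems.append("not a -Dkey=value option: %r" % token)
            continue
        key, value = m.groups()
        if value == "":
            problems.append("empty value for -D%s" % key)
        seen[key] = value
    for key in REQUIRED:
        if key not in seen:
            problems.append("missing -D%s" % key)
    port = seen.get("https.port")
    if port is not None and not port.isdigit():
        problems.append("https.port is not numeric: %r" % port)
    path = seen.get("play.server.https.keyStore.path")
    if path and not keystore_exists(path):
        problems.append("keystore not found: %s" % path)
    if seen.get("play.server.https.keyStore.password", "").startswith("("):
        problems.append("keystore password still looks like a placeholder")
    return problems

def check_services_dir(services_dir):
    """Run the check over all three microservice config files; file name -> problems."""
    report = {}
    for subdir, name in CONFIG_FILES.items():
        path = os.path.join(services_dir, subdir, name)
        try:
            with open(path) as fh:
                report[name] = check_jvm_options(fh.read())
        except OSError as exc:
            report[name] = ["cannot read %s: %s" % (path, exc)]
    return report

if __name__ == "__main__":
    import sys  # usage: python check_config.py "<xFlowInstallation Home Dir>\APPS\Services"
    for name, problems in check_services_dir(sys.argv[1]).items():
        print(name, "OK" if not problems else problems)
```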

Enable SSL on Apache for xFlow Analyst Interface

Perform the following steps:

  1. Download the OpenSSL binary (http://downloads.sourceforge.net/gnuwin32/openssl-0.9.8h-1-setup.exe) and install it on the server where the xFlow Analyst Interface is installed.

  2. Navigate to the directory where OpenSSL is installed and execute the following command:

     SET OPENSSL_CONF=C:\Program Files (x86)\GnuWin32\share\openssl.cnf

  3. Generate the key and certificate:

    1. From the command prompt, execute the following command to generate the self-signed certificate:

      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout hostname_SSL.key -out hostname_SSL.crt

    2. Define the following details:
      Country; state; city; organization name; organization unit name; common name; email address

  4. Copy hostname_SSL.key and hostname_SSL.crt to the same directory as the Java certificates that you generated earlier in step 3 (that is, C:\certificates\).

  5. Navigate to <xFlowInstallation Home Dir>\APPS\UI\Apache24\conf and edit the Apache httpd.conf file to enable the SSL module.

  6. Uncomment the following line (remove #):

    LoadModule ssl_module modules/mod_ssl.so

  7. Add the SSL certificate and key details at the end of the file:

    Listen 9442
    <VirtualHost *:9442>
    ServerName <hostname>
    SSLEngine on
    SSLCertificateFile "C:\certificates\hostname_SSL.crt"
    SSLCertificateKeyFile "C:\certificates\hostname_SSL.key"
    </VirtualHost>

Configuring the Apache website to connect to SSL-based Micro Services

Perform the following steps:

  1. Back up the files casm.conf.js and casm.conf.do-not-change.js. The default location is:
    C:\Program Files\CA\xFlow\APPS\UI\Apache24\htdocs\conf\casm.conf.js and casm.conf.do-not-change.js

  2. Verify that SSL is enabled for Tomcat in CA Service Desk Manager. 

  3. Edit the casm.conf.do-not-change.js file and locate these lines:

    api : {server : 'http://localhost:8080'},

  4. Modify the casm.conf.do-not-change.js file to look like the following:

    api : {server : 'https://localhost:8443'},

  5. Save the file.

  6. Edit the casm.conf.js file and locate the following lines:

    api : {server : 'http://<hostname>:9004'},
    search : {server : 'http://<hostname>:9006'},
    sdm : {server : 'http://<hostname>/CAisd/pdmweb.exe'}, // example: http://sdmurl:8080/CAisd/pdmweb.exe
    websocket : {server : 'ws://<hostname>:9008'},

  7. Change the above lines (step 6) in casm.conf.js to read as follows, replacing hostname in each line with your host name:

    api : {server : 'https://hostname:9444'},
    search : {server : 'https://hostname:9446'},
    sdm : {server : 'https://hostname:8443/CAisd/pdmweb.exe'}, // example: https://sdmurl:8443/CAisd/pdmweb.exe
    websocket : {server : 'wss://hostname:9448'},

  8. Save the file.
  9. Navigate to IIS Manager, xFlow website, and add a new SSL binding to the xFlow website (port: 9443) in order to use the SSL certificate that was just imported.
  10. Restart the xFlow Analyst Interface Service.
  11. Verify browser access: open https://hostname:9442 to reach the xFlow Analyst Interface server.

Create a Self-Signed Certificate from JKS for IIS (CA SDM with xFlow Analyst Interface)

Perform the following steps:

  1. Open a command prompt and change to the JRE bin directory, for example:

    cd "C:\Program Files (x86)\CA\SC\JRE\1.7.0_10\bin"

  2. Enter the following to get help on keytool:

    keytool -h

  3. Create a Java Keystore:

    keytool -genkeypair -v -alias <Provide Alias for Client Certification> -dname "CN=<hostname>, OU=CA, O=COM, L=New York, ST=NY, C=US" -keystore <Provide Alias for Client Certification>.jks -keyalg RSA -keysize 2048 -validity 365 -storepass "changeit" -keypass "changeit"

  4. Export the Self Signed Certificate from the above Java keystore:

    keytool -exportcert -v -alias <Provide Alias for Client Certification> -keystore <Provide Alias for Client Certification>.jks -file <Provide Alias for Client Certification>.crt -rfc -storepass "changeit"

  5. Convert Java Keystore to PFX/PKCS12 format for IIS usage:

    Note: If keypassword and keystore password are different, you may encounter problems while importing or while using the keystore.

    keytool -importkeystore -srckeystore <Provide Alias for Client Certification>.jks -srcstoretype jks -srcstorepass "changeit" -destkeystore <Provide Alias for Client Certification>.pfx -deststoretype pkcs12 -deststorepass "changeit"

  6. Open IIS Manager and import the PFX file into Server Certificates.
  7. Add an SSL binding to use the SSL certificate that was just imported.
     Select a site in the tree view and click Bindings in the Actions pane. This opens the bindings editor, which lets you create, edit, and delete bindings. Click Add to add your new SSL binding.
  8. Restart IIS.
  9. Import the certificate into the Windows certificate store.
  10. Open the Microsoft Management Console (MMC), add the Certificates snap-in, and verify the certificate.
  11. Verify browser access.

Configuring xFlow Analyst Interface website (IIS) to connect to SSL-based Micro Services

Perform the following steps:

  1. Back up the files casm.conf.js and casm.conf.do-not-change.js. The default location is:

    C:\Program Files\CA\xFlow\APPS\UI\IISWebsite\conf\casm.conf.js and casm.conf.do-not-change.js

  2. Edit the casm.conf.do-not-change.js file and locate these lines:

    api : {server : 'http://localhost:8080'},

  3. Modify the casm.conf.do-not-change.js file to look like the following:

    api : {server : 'https://<hostname>:9444'},
    search : {server : 'https://<hostname>:9446'},
    sdm : {server : 'https://<hostname>/CAisd/pdmweb.exe'},
    websocket : {server : 'wss://<hostname>:9448'},

  4. Save the file.
  5. Edit the casm.conf.js file and locate the following lines. Make the same changes as in step 3:

    api : {server : 'http://<hostname>:9004'},
    search : {server : 'http://<hostname>:9006'},
    sdm : {server : 'http://<hostname>/CAisd/pdmweb.exe'}, // example: http://sdmurl:8080/CAisd/pdmweb.exe
    websocket : {server : 'ws://<hostname>:9008'},

  6. Save the file.
  7. Navigate to IIS Manager, xFlow website, and add a new SSL binding to the xFlow website (port: 9443) in order to use the SSL certificate that was just imported.
  8. Restart the xFlow Analyst Interface Service.
  9. Verify browser access: open https://hostname:9443 to reach the xFlow Analyst Interface server.

Enable SSL for EBL and Search Server

By default, the search servers do not have SSL/TLS enabled. To let the search microservices and Event-Based Load interact with the search server securely, configure SSL; SSL then encrypts all communication with the search server.

Step 1: Install and Configure a Reverse Proxy on the nginx Server

This procedure explains how to configure the nginx-1.10.0 server as a reverse proxy on Windows. You can follow similar steps to configure a reverse proxy on Apache or other similar servers.

Prerequisite

  • Download and install the nginx-1.10.0 server on each search server.

Note: Configure nginx server as reverse-proxy on all the search servers in the cluster.

Follow these steps:

  1. Navigate to the <nginx_install>\conf folder and define the search server details in the nginx.conf file.

    • Locate the server section in the file and perform the following actions:

      • (Optional) Edit the listen port number, if necessary.
        For example, if IIS is running and already listens on port 80, change the listen property to a different port number.

      • Edit the proxy_pass value in the location section and define the search server port number.
        Default Port Number: 9012

        server {
            listen 80;
            server_name localhost;

            #charset koi8-r;
            #access_log logs/host.access.log main;

            location / {
                proxy_pass http://localhost:9012;
                proxy_read_timeout 90;
            }
        }

      • Save the file.

  2. Verify the configuration:

    • From the command prompt, navigate to the nginx folder and run nginx.exe to start the nginx server.
    • Access the search server: http://<hostname>:<listen-port>/

      For example, access http://localhost:80/

      A message appears displaying the search server details, such as cluster name and version, in JSON format.

      Note: To troubleshoot, view the logs\error.log file.

Step 1.1: Create an SSL Certificate

Prerequisite

  • Ensure that you have installed OpenSSL 0.9.8zh.

Note: You can create a certificate on any system that has OpenSSL installed. However, create the SSL certificate for each search server in the cluster.


Perform the following steps:

  1. From the command prompt, execute the following command to generate the self-signed certificate: 

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout <hostname>.key -out <hostname>.crt

    Note: In this command, replace the <hostname> with the search server hostname.

  2. Define the following details:

    Country; state; city; organization name; organization unit name; common name; email address

    Note: Define the common name as the hostname of the nginx server.

    The command generates these files: <hostname>.crt and <hostname>.key

  3. Repeat step 1 and 2 to create SSL certificates for each search server.

Step 1.2: Configure the Certificates in the nginx Server

Note: Define the certificate details in the nginx.conf file on each search server.

Follow these steps:

  1. On the search server, navigate to the <nginx_install>\conf folder and edit the nginx.conf file.

  2. Disable the existing listen port.

    For example, comment it out: #listen 80

    server {
        #listen 80;
        server_name localhost;

        #charset koi8-r;
        #access_log logs/host.access.log main;

        location / {
            proxy_pass http://localhost:9012/;
            proxy_read_timeout 90;
        }
    }

  3. Define the new listen port.

    For example, define the new listen port as 443.

    server {
        #listen 80;
        server_name localhost;

        #charset koi8-r;
        #access_log logs/host.access.log main;

        listen 443 ssl;

        location / {
            proxy_pass http://localhost:9012/;
            proxy_read_timeout 90;
        }
    }

  4. Define the search server certificate details.

    server {
        #listen 80;
        server_name localhost;

        #charset koi8-r;
        #access_log logs/host.access.log main;

        listen 443 ssl;

        ssl_certificate ./cert/<hostname>.crt;
        ssl_certificate_key ./cert/<hostname>.key;

        location / {
            proxy_pass http://localhost:9012/;
            proxy_read_timeout 90;
        }
    }

  5. Navigate to the nginx folder and execute nginx.exe to restart the nginx server.

  6. Verify that you can access the URL: https://
    For example, access https://<hostname>:443

  7. Install the certificates when prompted.
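A check for steps 6 and 7, as an added example that is not part of the product documentation: rather than installing the certificate when the browser prompts, this Python script (3.7+, standard library only) connects with the search server's own <hostname>.crt from Step 1.1 pinned as the sole trust anchor, requires the certificate CN to match the nginx hostname (the openssl command above adds no SAN, so hostname checking falls back to the CN), reads the JSON banner, and confirms that the old plaintext port no longer answers. The hostname and certificate path are arguments you supply.

```python
"""Verify the nginx-fronted search server over TLS with its own certificate
pinned (added example, not part of the product). Assumes the <hostname>.crt
from Step 1.1 is at hand, nginx listens on 443 as configured above, and the
certificate CN is the nginx hostname, as this page requires. Python 3.7+."""
import json
import socket
import ssl

def pinned_context(cert_file):
    """Trust only the search server's self-signed certificate and require a hostname match."""
    ctx = ssl.create_default_context(cafile=cert_file)  # cafile given: system CAs are not loaded
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def parse_banner(raw_response):
    """Split an HTTP/1.0 response into (status code, decoded JSON body)."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, json.loads(body.decode("utf-8"))

def fetch_banner(hostname, cert_file, port=443, timeout=5.0):
    """GET / through the pinned context; raises ssl.SSLError on a cert or name mismatch."""
    ctx = pinned_context(cert_file)
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(("GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % hostname).encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return parse_banner(b"".join(chunks))

def plaintext_port_open(hostname, port=80, timeout=3.0):
    """True if the old unencrypted listen port still answers; expected False after step 2."""
    try:
        socket.create_connection((hostname, port), timeout=timeout).close()
        return True
    except OSError:
        return False

if __name__ == "__main__":
    import sys  # usage: python check_search_tls.py <hostname> <hostname>.crt
    host, crt = sys.argv[1], sys.argv[2]
    status, banner = fetch_banner(host, crt)
    print(status, banner.get("cluster_name"), banner.get("version"))
    print("plaintext port 80 still open:", plaintext_port_open(host))
```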

Step 2: Configure Certificates on the xFlow Analyst Interface Server and Event-Based Load

Step 2.1: Configure the Certificates on the xFlow Analyst Interface Server

Configuring the search server certificates on the xFlow Analyst Interface server enables secure communication between the search microservices and search servers.

Note: Configure certificates of each search server on each xFlow Analyst Interface server. For example, if there are two search servers and two xFlow Analyst Interface servers, configure the certificates of both the search servers on each xFlow Analyst Interface server.

Follow these steps:

  1. In the xFlow Analyst Interface server, copy the <hostname>.crt file.
  2. Navigate to the path that stores keytool.
    For example, navigate to C:\Program Files\CA\SC\JRE\1.8.0_74\bin.
  3. Execute the following command:

    keytool -importcert -alias "<hostname>" -file <hostname>.crt -keystore c:\\es_new_keystore.jks -keypass <password> -storepass <password>

  4. Repeat steps 1 and 2 for each search server.

    Note: Replace the <hostname> values with the search server host names.

  5. Navigate to the <xFlow_server>\APPS\Services\searchmicroservice-0.1-SNAPSHOT\conf\application.conf file and add the Java keystore (jks) path:

    #https configurations
    play.ws.ssl {
        trustManager = {
            stores = [
                { path = "C:\\es_new_keystore.jks" }
            ]
        }
    }

Step 2.2: Configure the HTTPS NX Variables for Event-Based Load

  1. Ensure that you have the path to the java keystore file created in the procedure Step 2.1: Configure the Certificates on the xFlow Analyst Interface Server.

  2. Generate an encrypted password by executing the following command: 

    $<sdm_install>\bin\pdm_pen <password>

    Note: Password is the same as the one you used in Step 2.1: Configure the Certificates on the xFlow Analyst Interface Server procedure.

  3. Execute the pdm_options_mgr command to configure the jks file and the encrypted password in the https NX variables.
    For more information about configuring the NX variables, see Configure Event-Based Load.

Step 2.3: Update the Search Server Port Number and Protocol Details in CA SDM

For example, in CA SDM update the port number to 443 and the protocol to https. For more information about editing the server details, see Configure Search Servers in CA SDM.

Step 2.4: (Optional) If your search server is secured by a firewall, update the HTTP port from 9012 to 443.

Step 2.5: Restart the CA SDM services.

Step 2.6: Restart the CA Service Management xFlow Analyst Interface Server service.

Modify the Configuration file

After completing the above procedures, perform the following steps to modify the casm.conf.js configuration file:

  1. Navigate to xFlow_home/Apps/UI/Apache24/htdocs/conf and open the casm.conf.js file.
  2. In the casm.conf.js file, change http to https for the API, search, and SDM services. Also, change the port numbers to the valid SSL port numbers.
  3. For websocket, change ws to wss and change the port number to the SSL port number.
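As an added example that is not part of the product, a Python check of casm.conf.js after these edits (it applies equally to the Apache and IIS procedures above): it parses the api, search, sdm and websocket entries in the one-line form this page shows, ignoring any trailing comment, and reports any entry still using http or ws, a port other than the SSL ports used on this page (9444, 9446, 8443 for Tomcat, 9448), a port that is not numeric, or a <hostname> placeholder left in place. The expected ports are a parameter, so you can pass a different map if your deployment uses other ports.

```python
"""Check casm.conf.js after the SSL edits (added example, not part of the
product). Assumes the api/search/sdm/websocket entries keep the one-line
'name : {server : URL}' form shown on this page and that the SSL ports
are the ones used here: 9444, 9446, 8443 and 9448."""
import re
from urllib.parse import urlparse

# service -> (required scheme, expected SSL port), per the casm.conf.js edits above
EXPECTED = {
    "api": ("https", 9444),
    "search": ("https", 9446),
    "sdm": ("https", 8443),
    "websocket": ("wss", 9448),
}
ENTRY_RE = re.compile(r"^\s*(api|search|sdm|websocket)\s*:\s*\{\s*server\s*:\s*'([^']*)'")

def parse_servers(js_text):
    """Map service name -> URL for every matching entry (trailing comments ignored)."""
    found = {}
    for line in js_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def find_plaintext_endpoints(js_text, expected=EXPECTED):
    """Return (service, problem) pairs; an empty list means every entry is TLS-only."""
    findings = []
    servers = parse_servers(js_text)
    for name, (scheme, port) in expected.items():
        url = servers.get(name)
        if url is None:
            findings.append((name, "entry not found"))
            continue
        u = urlparse(url)
        if u.scheme != scheme:
            findings.append((name, "scheme is %r, expected %r" % (u.scheme, scheme)))
        try:
            actual_port = u.port
        except ValueError:  # e.g. 'https://<hostname:9444>' with the port inside the brackets
            findings.append((name, "port is not numeric in %r" % url))
            continue
        if actual_port != port:
            findings.append((name, "port is %s, expected %d" % (actual_port, port)))
        if "<" in url:
            findings.append((name, "host placeholder left in %r" % url))
    return findings

if __name__ == "__main__":
    import sys  # usage: python check_casm_conf.py casm.conf.js
    with open(sys.argv[1]) as fh:
        for service, problem in find_plaintext_endpoints(fh.read()):
            print("%s: %s" % (service, problem))
```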

  1. Joe Busuttil
    2016-09-08 01:49

    Are there instructions for IIS? Even for just Login Screen SSL?

    1. Rajashree Nair
      2016-09-08 04:02

      Hi Joe Busuttil,

      We will be shortly updating instructions for IIS. Engineering is working towards it. 

      Thanks for bringing this up. 

      Regards,

      DocOps Services Team

  2. Joe Busuttil
    2016-09-11 11:43

    There are some errors in this, docs say:
    -Dhttps.port= Dplay.server.https.keyStore.path=Certificate_location/.jks -Dplay.server.https.keyStore.password=
    Should say:
    -Dhttps.port= -Dplay.server.https.keyStore.path=Certificate_location/.jks -Dplay.server.https.keyStore.password=
    In case you're having trouble spotting the differences, remove the space after Dhttps.port= and add a hyphen/dash before Dplay.server.https.keyStore.path=

    1. Rajashree Nair
      2016-09-12 06:10

      Hi Joe Busuttil, thanks for the feedback. We will update the documentation after discussion with Engineering.

       

      Regards,

      DocOps Services Team