The following steps describe how to change ETC from using HTTP to HTTPS and register in ETC with HTTPS paths.
How do I set up HTTPS for a CA APM Enterprise Team Center cluster with a self-signed certificate?
Using just one machine:
create a certificate with the alias wily, valid for the domain the EMs are on (or use * if you do not care about hostname validation or have trouble putting FQDNs in the configuration), in a new keystore, keystore.new
$ keytool -genkey -keyalg RSA -alias wily -keystore keystore.new -storepass changeit -validity 360 -keysize 2048
What is your first and last name?
[Unknown]: *.ca.com
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=*.ca.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for <wily>
(RETURN if same as keystore password):
export certificate to wily.cert
$ keytool -exportcert -alias wily -keystore keystore.new -storepass changeit -file wily.cert
Certificate stored in file <wily.cert>
Using multiple machines:
copy keystore.new (generated by first step) to <EM>/config/internal/server
uncomment introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml line in IntroscopeEnterpriseManager.properties
uncomment introscope.webview.jetty.configurationFile=webview-jetty-config.xml line in IntroscopeWebView.properties
modify introscope.webview.enterprisemanager.webserver.tcp.port, introscope.webview.enterprisemanager.rest.base (http->https) in IntroscopeWebView.properties
edit em-jetty-config.xml and webview-jetty-config.xml to use the new keystore (keystore.new) and password (changeit)
<Set name="keystore"><SystemProperty name="introscope.config" default="./config" />/internal/server/keystore.new</Set>
<Set name="password">changeit</Set>
<Set name="keyPassword">changeit</Set>
<Set name="truststore"><SystemProperty name="introscope.config" default="./config" />/internal/server/keystore.new</Set>
<Set name="trustPassword">changeit</Set>
copy the exported wily.cert to the machine
add the certificate to the Java global truststore FOR THE JDK/JRE USED TO RUN EM
$ cd <em>/jre/lib/security/
$ keytool -importcert -trustcacerts -keystore cacerts -storepass changeit -file <path_to_wily.cert>
Password:
Owner: CN=*.ca.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=*.ca.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 41e0d11d
Valid from: Thu Mar 16 15:54:03 CET 2017 until: Sun Mar 11 15:54:03 CET 2018
Certificate fingerprints:
MD5: 8C:46:07:CF:08:44:AA:E3:84:6A:B0:64:00:97:2B:13
SHA1: 3C:87:85:FB:8B:EA:CD:79:89:F4:CB:02:21:22:F9:E5:5B:30:4A:D6
SHA256: FC:D5:69:97:CA:E5:5B:ED:52:C6:2F:EF:C5:F1:8D:04:7C:89:FA:3F:5D:F8:28:B9:56:7E:5C:B6:9A:FF:68:1E
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 99 2D 16 3A 04 B8 DB C4 4C C5 4F FF F4 10 57 A0 .-.:....L.O...W.
0010: 0B 36 36 59 .66Y
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Run EMs, Webviews and register to APM Grand Central (ETC) with https paths
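Because wily.cert is copied between machines before it is added to the JRE truststore, the copied file can be checked against the SHA256 fingerprint that keytool printed on the machine where the certificate was generated, before answering yes to "Trust this certificate?". The following Python check is an added example, not part of the original procedure or of CA's tooling; the function names and the sample bytes are assumptions made for illustration.

```python
"""Check a copied wily.cert against the SHA256 fingerprint keytool printed for it."""
import hashlib
import hmac
import re
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
# Matches the "SHA256: AA:BB:..." line in keytool -printcert / -importcert output.
SHA256_LINE = re.compile(
    r"^\s*SHA-?256:\s*((?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2})\s*$", re.M)

def cert_der_bytes(raw: bytes) -> bytes:
    """keytool -exportcert writes binary DER by default and PEM with -rfc; return DER."""
    if raw.lstrip().startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(raw.decode("ascii").strip())
    return raw

def sha256_fingerprint(raw: bytes) -> str:
    """SHA-256 over the DER encoding, formatted the way keytool prints it."""
    digest = hashlib.sha256(cert_der_bytes(raw)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_from_keytool(output: str) -> str:
    """Extract the SHA256 fingerprint from pasted keytool output."""
    match = SHA256_LINE.search(output)
    if match is None:
        raise ValueError("no SHA256 fingerprint line found in keytool output")
    return match.group(1).upper()

def safe_to_trust(cert_raw: bytes, reference_output: str) -> bool:
    """True only if the copied file hashes to the fingerprint recorded at the source."""
    return hmac.compare_digest(sha256_fingerprint(cert_raw),
                               fingerprint_from_keytool(reference_output))

# Constructed sample: stand-in bytes for wily.cert (not a real certificate) and
# keytool-style lines as recorded on the machine that generated the keystore.
SAMPLE_CERT = b"abc"
SAMPLE_KEYTOOL_OUTPUT = """Certificate fingerprints:
         SHA256: BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD
Signature algorithm name: SHA256withRSA
"""

if __name__ == "__main__":
    print("copied file matches:", safe_to_trust(SAMPLE_CERT, SAMPLE_KEYTOOL_OUTPUT))
    print("altered file matches:",
          safe_to_trust(SAMPLE_CERT + b"\x00", SAMPLE_KEYTOOL_OUTPUT))
```

In real use, read the copied file with open(path, "rb").read() and paste the keytool output captured on the generating machine as the reference.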