When enabling SSL in Service Catalog, it is vital to use a keystore that contains the certificates.
Here we explain the necessary steps.
Service Catalog 17.4 and up
For release 17.3 and upward, the CA-signed certificate is already in the correct PKCS12 format, so rather than performing an export/import, rename it to casm.keystore and then run the Configurator Utility to register this alias.
SSL Configurator Utility Wizard for CA Service Management
If you need to perform this manually, however, follow these steps:
1. Create the keystore file:
keytool -genkey -alias alias_name -keyalg RSA -keystore "%USM_HOME%\.keystore" -keysize 1024
Ensure .keystore is created as %USM_HOME%\.keystore.
2. Copy the .pfx file to %USM_HOME%
3. Run %USM_HOME%\usm.cmd
4. Type:
keytool -importkeystore -deststorepass <pfx_password> -destkeystore "%USM_HOME%\.keystore" -srckeystore <pfx_file> -srcstoretype PKCS12 -srcstorepass <pfx_password>
5. Set the password in %USM_HOME%\viewService.conf:
wrapper.java.additional.11=-Djavax.net.ssl.trustPass=<pfx_password>
6. Set the path to the keystore:
wrapper.java.additional.10=-Djavax.net.ssl.trustStore="C:/Program Files/CA/Service Catalog/.keystore"
7. Open the .pfx and install it on the machine. Export the whole certificate chain and import each certificate into the keystore:
keytool -import -alias <alias_name> -file <certfile> -keystore <path_and_file_specification_for_keystore>
Example importing 3 certificates:
keytool -import -alias root -file "C:\Users\Administrator\Desktop\Certificados\test\root.cer" -keystore "C:\Program Files\CA\Service Catalog\.keystore"
keytool -import -alias intermediate -file "C:\Users\Administrator\Desktop\Certificados\test\intermediate.cer" -keystore "C:\Program Files\CA\Service Catalog\.keystore"
keytool -import -alias last -file "C:\Users\Administrator\Desktop\Certificados\test\last.cer" -keystore "C:\Program Files\CA\Service Catalog\.keystore"
8. Run a list command to get the alias of the pfx entry:
keytool -list -v -keystore "C:\Program Files\CA\Service Catalog\.keystore" > list.txt
The alias should look similar to:
le-c337f214-5606-4b20-bcc1-2af15b2a4f53
9. Remove the self-signed entry from the keystore:
keytool -delete -alias <alias_value_from_step1> -keystore "C:\Program Files\CA\Service Catalog\.keystore"
10. Open %USM_HOME%\view\conf\server.xml and configure the following Connector:
<Connector port="8443" enableLookups="false" tomcatAuthentication="false" maxHttpHeaderSize="20480"
    maxThreads="400" minSpareThreads="25" maxSpareThreads="100" debug="0" connectionTimeout="15000"
    disableUploadTimeout="true" compression="on" compressionMinSize="2048"
    compressableMimeType="text/html,text/plain,text/xml,text/css,text/javascript,image/png,image/gif,image/jpeg,application/json"
    scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
    keystoreFile="C:/Program Files/CA/Service Catalog/.keystore" keyAlias="le-c337f214-5606-4b20-bcc1-2af15b2a4f53" keystorePass="password" URIEncoding="UTF-8"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
11. Start Catalog services.
When exporting third-party signed certificates, be sure to export them as a Base64-encoded ASCII single certificate or certificate chain.
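As an added check that is not part of the original article: the script below parses the list.txt written in step 8 (a constructed, abbreviated sample of keytool -list -v output is embedded) and confirms that the keyAlias used in server.xml is a PrivateKeyEntry carrying a CA chain and that the self-signed entry from step 1 has been deleted as step 9 requires. The subject names, the aliases and the function names are assumptions.

```python
import re

# Constructed, abbreviated `keytool -list -v` output (the list.txt of step 8);
# the self-signed entry from step 1 (alias_name) has not yet been deleted.
SAMPLE_LIST = """Alias name: le-c337f214-5606-4b20-bcc1-2af15b2a4f53
Entry type: PrivateKeyEntry
Certificate chain length: 3
Owner: CN=catalog.example.com, O=Example
Issuer: CN=Example Intermediate CA, O=Example

Alias name: alias_name
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=catalog.example.com, O=Example
Issuer: CN=catalog.example.com, O=Example

Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example"""

def _field(body, name):
    m = re.search(rf"^{name}: (.*)$", body, re.M)
    return m.group(1).strip() if m else ""

def parse_keytool_list(text):
    """Map each alias to entry type, chain length and the first cert's Owner/Issuer."""
    entries = {}
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias, _, body = block.partition("\n")
        entries[alias.strip()] = {
            "type": _field(body, "Entry type"),
            "chain": int(_field(body, "Certificate chain length") or 1),
            "owner": _field(body, "Owner"),    # first Owner/Issuer = entry's own cert
            "issuer": _field(body, "Issuer"),
        }
    return entries

def check_keystore(entries, key_alias):
    """Findings for the keystore that the server.xml keyAlias points at."""
    findings = []
    entry = entries.get(key_alias)
    if entry is None or entry["type"] != "PrivateKeyEntry":
        findings.append(f"keyAlias {key_alias!r} is not a PrivateKeyEntry in the keystore")
    elif entry["chain"] < 2:
        findings.append(f"{key_alias!r} carries no CA chain (chain length {entry['chain']})")
    for alias, e in entries.items():
        if e["type"] == "PrivateKeyEntry" and alias != key_alias and e["owner"] == e["issuer"]:
            findings.append(f"self-signed key {alias!r} still present; delete it (step 9)")
    return findings
```

Run it against the real list.txt by passing the file's contents to parse_keytool_list and the keyAlias from server.xml to check_keystore; an empty list of findings means the keystore matches the Connector configuration.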