How to enable SSL for Visualizer in containerized environment?

Article ID: 192631

Products

CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager

Issue/Introduction

How to enable SSL for Visualizer in containerized environment?

Cause

Engineering clarified that Visualizer has a limitation in the current Docker architecture: VIZ always has to connect to the local Web Services server, but because we are using the Ingress, a request can also go to another Web Services server, and there is no easy way to control that.

This will be fixed in the new Visualizer, which will not use Web Services.

Environment

Release : 17.3

Component : SERVICE DESK MANAGER

Resolution

Follow steps in https://knowledge.broadcom.com/external/article?articleId=193629 to expose SDM SOAP Web Services to all pods first.

 

To enable HTTPS for CA Service Management Containers, perform the following steps:

1) Ensure that you have updated the containers.config file with the following changes. 
 SSL_REDIRECT=true
 SSL_CERTIFICATE_NAME="ssl-certificate"
 KEY_FILE="05 - ingress-nginx/certs/certificate.key"
 CERT_FILE="05 - ingress-nginx/certs/certificate.crt"

2) Update the containers_recommended.config file to have:
 INGRESS_PORT=31443

3) Determine your Ingress's EXTERNAL_HOST URL name and generate a self-signed certificate. Run the command below to generate the key and crt files (replace the ${KEY_FILE}, ${CERT_FILE} and ${EXTERNAL_HOST} items from
 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "${KEY_FILE}" -out "${CERT_FILE}" -subj "/CN=${EXTERNAL_HOST}/O=${EXTERNAL_HOST}"

 NOTE:
 To use a certificate from a trusted Certificate Authority, copy the files you received and name them as KEY_FILE and CERT_FILE.
 You may need to combine the intermediate crt file with the certificate for the domain: append the content of the intermediate certificate to the end of the domain certificate using the "cat" command.

4) Run the apply.sh script.

5) Delete the SDM BG pod so that the changes above are recognized:
 kubectl -n casm-docker delete pod sdmbg-XXXXX

6) Delete the SDM APP pods so that the changes above are recognized:
 kubectl -n casm-docker delete pod sdmapp-XXXX

7) To enable VIZ/REST etc., follow steps here: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/Docker-Containers/Deploy-CA-Service-Management-Kubernetes-Containers/Deploy-CA-Service-Desk-Manager-Docker-Containers.html
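
Before running apply.sh in step 4, the key and certificate from step 3 can be checked for the usual mistakes: a key that does not belong to the certificate, an intermediate concatenated ahead of the domain certificate, a host name mismatch, or a certificate close to expiry. The following is an added example, not part of the original article; the function names are hypothetical and only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: pre-flight checks for the ingress key/certificate pair.
# Function names are hypothetical; only standard openssl subcommands are used.

# True when the private key and the FIRST certificate in the file hold the
# same public key. openssl x509 reads only the first PEM block, so this also
# fails when an intermediate was placed ahead of the domain certificate.
cert_matches_key() {  # KEY_FILE CERT_FILE
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True when the certificate is valid for the given host name.
cert_covers_host() {  # CERT_FILE HOST
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# True when the certificate is still valid DAYS days from now.
cert_valid_for_days() {  # CERT_FILE DAYS
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all checks, reports every failure, returns non-zero if any failed.
preflight_ingress_cert() {  # KEY_FILE CERT_FILE EXTERNAL_HOST
  rc=0
  cert_matches_key "$1" "$2" ||
    { echo "FAIL: $2 does not start with the certificate for $1" >&2; rc=1; }
  cert_covers_host "$2" "$3" ||
    { echo "FAIL: $2 is not valid for host $3" >&2; rc=1; }
  cert_valid_for_days "$2" 30 ||
    { echo "FAIL: $2 expires within 30 days" >&2; rc=1; }
  return "$rc"
}

# Usage, with the values used in step 3:
#   preflight_ingress_cert "$KEY_FILE" "$CERT_FILE" "$EXTERNAL_HOST"
```

The host check passes for the certificate generated in step 3 because openssl falls back to the subject CN when the certificate carries no subjectAltName entries.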


Follow the steps below to enable SSL on Visualizer:

8) Once the sdmapp-XXXXX pod starts, perform the steps below on each APP server:
 kubectl -n casm-docker exec -it sdmapp-XXXXX bash

 mkdir -p /opt/CA/ServiceDeskManager/symlinks/bopcfg/www/CATALINA_BASE_VIZ/webapps/CMDBVisualizer/WEB-INF/classes/com/ca/cmdbvisualizer/config
 cd /opt/CAisd/bopcfg/www/CATALINA_BASE_VIZ/webapps/CMDBVisualizer/WEB-INF/classes/com/ca/cmdbvisualizer/config/
 cp cmdbvisualizerconfig.properties.tpl /opt/CA/ServiceDeskManager/symlinks/bopcfg/www/CATALINA_BASE_VIZ/webapps/CMDBVisualizer/WEB-INF/classes/com/ca/cmdbvisualizer/config

9) Edit the file in a text editor:
 vi /opt/CA/ServiceDeskManager/symlinks/bopcfg/www/CATALINA_BASE_VIZ/webapps/CMDBVisualizer/WEB-INF/classes/com/ca/cmdbvisualizer/config/cmdbvisualizerconfig.properties.tpl

 ## Add the new line below:

NX_WEB_CGI_URL=https://LoadBalancer_ingres_URL:31443/CAisd/pdmweb.exe

10) Save the file and exit the editor, then run:
 mkdir -p /opt/CAisd/symlinks/data/tagged
 cp /opt/CA/ServiceDeskManager/data/tagged/web_data.dat /opt/CAisd/symlinks/data/tagged

 #edit the file in a text editor now
 vi /opt/CAisd/symlinks/data/tagged/web_data.dat

11) Change the http references in that file to https.

12) Save the file.

13) Delete the app pod.

14) Delete the SDM APP pods so that the changes above are recognized:
 kubectl -n casm-docker delete pod sdmapp-XXXX

 


## On the pod
kubectl -n casm-docker exec -it sdmapp-0 bash
mkdir -p /opt/CA/ServiceDeskManager/symlinks/pdmconf

## On the main NFS share
1) Save the SSL cert chain as base64 files (your certificate plus the intermediate certificates), to be copied to the PVC of the app.
2) Copy those files manually to, for example:
 <>/nfsshare/casm-docker-nxroot-sdmapp-0-pvc-34d5769d-bd54-462b-b48e-c9ca97d11bcd/symlinks/pdmconf/foo.cer   foo2.cer   foo3.cer
3) Make sure those files are under 1010:1010 ownership:
 cd <>/nfsshare/casm-docker-nxroot-sdmapp-0-pvc-34d5769d-bd54-462b-b48e-c9ca97d11bcd/symlinks/pdmconf/
 chown -R 1010:1010 *

## Back on the pod
kubectl -n casm-docker exec -it sdmapp-0 bash
4) Copy the JVM's cacerts trust store:
 cp -p /usr/lib/jvm/adoptopenjdk-11-hotspot/lib/security/cacerts /opt/CA/ServiceDeskManager/symlinks/pdmconf/cacerts

5) Import each certificate file into that trust store:
 keytool -importcert -trustcacerts -keystore /opt/CAisd/symlinks/pdmconf/cacerts -storepass changeit -file /opt/CAisd/symlinks/pdmconf/foo.cer -alias foo.cer
 keytool -importcert -trustcacerts -keystore /opt/CAisd/symlinks/pdmconf/cacerts -storepass changeit -file /opt/CAisd/symlinks/pdmconf/foo2.cer -alias foo2.cer
 keytool -importcert -trustcacerts -keystore /opt/CAisd/symlinks/pdmconf/cacerts -storepass changeit -file /opt/CAisd/symlinks/pdmconf/foo3.cer -alias foo3.cer

6) Copy the NX.env template:
 cp /opt/CAisd/pdmconf/NX.env.tpl /opt/CAisd/symlinks/pdmconf

7) Check the current Java options:
 grep JAVA_OPTIONS /opt/CAisd/symlinks/pdmconf/NX.env.tpl
 The output looks like:
 @NX_JAVA_OPTIONS=-Djava.net.preferIPv4Stack=false -Xms64M -Xmx1024M
 @NX_JAVA_OPTIONS_REST=-Djava.net.preferIPv4Stack=false -Xms64M -Xmx512M -Djavax.servlet.request.encoding=UTF-8 -Djavax.servlet.response.encoding=UTF-8 -Dfile.encoding=UTF-8
 @NX_JAVA_OPTIONS_FS=-Djava.net.preferIPv4Stack=false -Xms64M -Xmx512M -Djavax.servlet.request.encoding=UTF-8 -Djavax.servlet.response.encoding=UTF-8 -Dfile.encoding=UTF-8
 @NX_JAVA_OPTIONS_VIZ=-Djava.net.preferIPv4Stack=false -Xms64M -Xmx1024M -Djava.util.PropertyResourceBundle.encoding=ISO-8859-1

8) Edit this file so that the options above look like:
@NX_JAVA_OPTIONS=-Djava.net.preferIPv4Stack=false -Xms64M -Xmx1024M -Djavax.net.ssl.trustStore=/opt/CAisd/symlinks/pdmconf/cacerts -Djavax.net.ssl.trustStorePassword=changeit
@NX_JAVA_OPTIONS_VIZ=-Djava.net.preferIPv4Stack=false -Xms64M -Xmx1024M -Djava.util.PropertyResourceBundle.encoding=ISO-8859-1 -Djavax.net.ssl.trustStore=/opt/CAisd/symlinks/pdmconf/cacerts -Djavax.net.ssl.trustStorePassword=changeit

# If you need the trust store on the other JAVA_OPTIONS entries too, add the same options to them

9) Save the file.


Delete the pod
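
Because the NX.env.tpl edit in step 8 has to be repeated on each APP server, it can be scripted so that a second run does not duplicate the options. The following is an added example, not part of the original article; add_truststore_opts is a hypothetical helper, and it uses the standard JSSE property names javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword with the path and password from this article.

```shell
#!/bin/sh
# Added example: append JSSE trust store options to selected entries of
# NX.env.tpl without duplicating them on a second run.
# add_truststore_opts is a hypothetical helper name.
TRUSTSTORE=/opt/CAisd/symlinks/pdmconf/cacerts  # trust store path from this article
STOREPASS=changeit                              # store password from this article

# add_truststore_opts FILE OPTION_NAME...
add_truststore_opts() {
  ato_file=$1; shift
  ato_tmp=$(mktemp) || return 1
  awk -v names="$*" -v ts="$TRUSTSTORE" -v pw="$STOREPASS" '
    BEGIN { n = split(names, want, " ") }
    {
      for (i = 1; i <= n; i++) {
        # Exact entry match: "@NAME=" at the start of the line, so
        # NX_JAVA_OPTIONS does not also hit NX_JAVA_OPTIONS_VIZ.
        # Entries that already name a trust store are left alone.
        if (index($0, "@" want[i] "=") == 1 &&
            index($0, "-Djavax.net.ssl.trustStore=") == 0) {
          $0 = $0 " -Djavax.net.ssl.trustStore=" ts
          $0 = $0 " -Djavax.net.ssl.trustStorePassword=" pw
        }
      }
      print
    }' "$ato_file" > "$ato_tmp" || { rm -f "$ato_tmp"; return 1; }
  # Keep a backup, then rewrite in place so ownership and mode are preserved.
  cp -p "$ato_file" "$ato_file.bak" && cat "$ato_tmp" > "$ato_file"
  ato_rc=$?
  rm -f "$ato_tmp"
  return "$ato_rc"
}

# Usage on the pod, for the two entries changed in step 8:
#   add_truststore_opts /opt/CAisd/symlinks/pdmconf/NX.env.tpl \
#     NX_JAVA_OPTIONS NX_JAVA_OPTIONS_VIZ
```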