Alternative SSL Setup for CABI External


Article ID: 194874


Products

NIMSOFT PROBES DX Infrastructure Management

Issue/Introduction

The CABI/Jasperserver documentation describes a process for installing a certificate for HTTPS/SSL encryption on the CABI server:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/business-management/business-intelligence/6-4-2/administration/configuring-ssl.html

The documentation appears to assume that a signed certificate has already been obtained externally from a Certificate Authority and needs to be re-keyed for CABI (for example, by filling out a web-based form on a Certificate Authority's site with the relevant server information and then receiving a certificate in response).

However, in some cases it is necessary to generate a CSR (Certificate Signing Request) and then install the certificate issued in response to that request, rather than purchasing an external certificate through the above means. The official documentation does not describe the steps for this process and only mentions that you should "obtain a signed certificate."

In this KB article we will outline a process from start-to-finish for requesting a certificate via an internal security team or submitting a CSR directly to the signing authority.  This will avoid the need to re-key and re-package the certificate files and generally makes for an easier and more streamlined experience.

Environment

Release : 9.2.0

Component : UIM - CABI

Resolution

The steps below generate a new Java keystore containing a private key unique to the CABI installation, then generate a CSR from that key pair which is used to obtain a signed certificate matching the private key. Finally, the resulting certificate is imported into the keystore and CABI is configured to use it.

The following steps assume that you have downloaded and installed a recent version of Java JDK which contains the Java keytool.  This will be located in your (JAVA_HOME)/bin folder.  

Once you have keytool available, follow the steps and commands below, customized as necessary for your particular environment, filenames, etc. You will likely need to specify the full path to files, shown as X:\PATHTO\ in the commands below.

First, the following command generates a new keystore called cabikeystore.jks with a unique private key:

X:\PATHTO\keytool -genkey -keystore X:\PATHTO\cabikeystore.jks -alias cabi -keyalg RSA -keysize 2048 -validity 365


At this point you will be prompted for the key details, such as common name and so forth.

The only requirement here is that the common name should be the FQDN of the CABI server as it appears in DNS in your organization.

Other values such as organization, country, state, province, country code, etc. may be filled in according to your needs.

You will also be prompted to create a password -- keep this password, as it will be needed later, including to renew the certificate at a later date!

At this point the file cabikeystore.jks will be created (in the location you specified e.g. X:\PATHTO\).


The next step will be to generate the CSR (Certificate Signing Request) as follows:

X:\PATHTO\keytool -certreq -alias cabi -keystore X:\PATHTO\cabikeystore.jks -file X:\PATHTO\cabi.csr

You will be prompted to enter the keystore password from above.  Once you have done so the cabi.csr file gets created in the specified path.


At this point you must submit the CSR to your Signing Authority to request the certificate.  At this time, or when downloading the certificate later, you may be asked what type of certificate or what format you wish to acquire.  You should request a "Chained" certificate in PEM format.  Your Certificate Authority can answer any questions about how to obtain this.

Once you have obtained the certificate, which will be provided as a .CER or .CRT file, copy it to a location on the CABI server and import it to the keystore as a trusted chain as follows:

X:\PATHTO\keytool -import -trustcacerts -alias cabi -file X:\PATHTO\FILENAME.CRT -keystore X:\PATHTO\cabikeystore.jks

(Use FILENAME.CER instead if the certificate was provided as a .CER file.)

Example:

X:\PATHTO\keytool -import -trustcacerts -alias cabi -file X:\PATHTO\mychainedcert.cer -keystore X:\PATHTO\cabikeystore.jks

You will be asked if you want to trust the certificate - reply yes.  In some cases you may be asked if you want to overwrite the existing "cabi" alias - reply yes.

At this point you have successfully imported the chain into the keystore and the only remaining step is to configure CABI.
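
Before editing server.xml, the import can be confirmed from the output of keytool -list -v -alias cabi -keystore X:\PATHTO\cabikeystore.jks. The following Python check is an added example, not part of the original article; the two listings are constructed and abbreviated, and the host name cabi.example.internal and the CA name are made up.

```python
import re

# Constructed `keytool -list -v -alias cabi` listings; all names are made up.
AFTER_IMPORT = """Alias name: cabi
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=cabi.example.internal, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
"""
# Same alias straight after -genkey: one self-signed certificate, no CA reply yet.
BEFORE_IMPORT = """Alias name: cabi
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=cabi, O=Example Corp, C=US
Issuer: CN=cabi, O=Example Corp, C=US
"""

def check_entry(listing, fqdn):
    """Return problem codes for one alias listing; an empty list means it looks usable."""
    problems = []
    entry = re.search(r"^Entry type:\s*(\S+)", listing, re.M)
    if entry is None or entry.group(1) != "PrivateKeyEntry":
        # A trustedCertEntry has no private key, so Tomcat cannot serve TLS with it.
        problems.append("not-private-key-entry")
    owners = [o.strip() for o in re.findall(r"^Owner:(.+)$", listing, re.M)]
    issuers = [i.strip() for i in re.findall(r"^Issuer:(.+)$", listing, re.M)]
    if not owners or len(owners) != len(issuers):
        return problems + ["no-certificate"]
    chain = re.search(r"^Certificate chain length:\s*(\d+)", listing, re.M)
    if chain is None or int(chain.group(1)) < 2:
        problems.append("chain-too-short")      # CA certificates are missing
    if owners[0] == issuers[0]:
        problems.append("leaf-self-signed")     # still the -genkey placeholder
    cn = re.search(r"(?:^|,\s*)CN=([^,]+)", owners[0])
    if cn is None or cn.group(1).strip().lower() != fqdn.lower():
        problems.append("cn-mismatch")          # CN must be the server's FQDN
    return problems

if __name__ == "__main__":
    for name, text in (("after import", AFTER_IMPORT), ("before import", BEFORE_IMPORT)):
        print(name, check_entry(text, "cabi.example.internal") or "OK")
```

An empty result means the cabi alias still holds the private key and now carries the CA-issued chain; any code returned should be resolved before Tomcat is pointed at the keystore.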

Locate the Tomcat configuration file at C:\Program Files\CA\SharedComponents\CA Business Intelligence\apache-tomcat\conf\server.xml (or the correct jasper tomcat location on your machine).

Add the following connector element to support SSL (an https connection). Be sure to replace the keystore name and password with actual values.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="X:\PATHTO\cabikeystore.jks"
           keystorePass="keystorepassword" />

Restart the CABI Tomcat Service and HTTPS will now be enabled on port 8443.