Replacing Wildfly Certificate on the vApp.

Article ID: 210939

Products

CA Identity Suite

Issue/Introduction

The CA Identity Manager product documentation provides the following guidance on "Enabling the HTTPS listener in standalone.xml" (see below), but the config account does not appear to have the permissions to edit the "standalone.xml" file.

 

Documentation Extract


The following blocks are required in each application standalone.xml configuration file in order for the HTTPS listener to be enabled (utilizing the certificate):

<https-listener name="https" socket-binding="https" security-realm="WebSslRealm"/>

<security-realm name="WebSslRealm">
    <server-identities>
        <ssl>
            <keystore path="/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv" .../>
        </ssl>
    </server-identities>
</security-realm>

 
Note 1:

To enable TLSv1.2 and limited cipher suites, ensure that the file

/opt/CA/VirtualAppliance/custom/<Wildfly-Service>/https-listener-hardening

contains the uncommented line "true". If it does, the WildFly HTTPS listener hardening will be enabled on the next service startup. The hardening can be disabled by removing (or commenting out) the line "true" and restarting the service.



# This file controls the list of enabled protocols and cipher suites for the HTTPS listener of wildfly

# If this file includes value "true" on a single uncommented line - TLSv1.2 is used and cipher suites are limited.

# Otherwise - the wildfly defaults are used (TLSv1.0, TLSv1.1 and TLSv1.2 and all cipher suites).

# Uncomment the following line to enable TLSv1.2 and limited cipher suites

# true

 

Note 2:
In Identity Portal, the session cookie is set to HttpOnly by default. You can additionally mark it Secure by inserting the value "true" in /opt/CA/VirtualAppliance/custom/IdentityPortal/secure-cookie and then restarting Identity Portal.
 



https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/virtual-appliance/administering-virtual-appliance.html#concept.dita_484b93c7f06198e8b27adcc2537229358eb17777_WildflyHTTPSListenerandSSLCertificates


Environment

Release : 14.3 CP2

Component : IdentityMinder(Identity Manager)

Resolution

The standalone configuration files used by the vApp cannot be edited, as the "config" user account does not have permission to modify them. However, the configuration file actually used by the vApp is "ca-standalone-ful-ha.xml", which already includes the required block (see extract below).

 

<security-realm name="WebSslRealm">
    <server-identities>
        <ssl protocol="TLSv1.2">
            <keystore path="/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv" keystore-password="changeit"/>
        </ssl>
    </server-identities>
</security-realm>

 

Because the realm references the keystore at that fixed path with the keystore password shown above, a replacement certificate has to be placed into that keystore (protected with the same password) rather than by editing the realm definition. The HTTPS listener itself is therefore already enabled; the only remaining step is to harden it (TLSv1.2 only, restricted cipher suites) by ensuring that the "/opt/CA/VirtualAppliance/custom/<Wildfly-Service>/https-listener-hardening" file contains the uncommented line "true" (see below), which in 14.3 should be the default.


# This file controls the list of enabled protocols and cipher suites for the HTTPS listener of wildfly

# If this file includes value "true" on a single uncommented line - TLSv1.2 is used and cipher suites are limited.

# Otherwise - the wildfly defaults are used (TLSv1.0, TLSv1.1 and TLSv1.2 and all cipher suites).

# Uncomment the following line to enable TLSv1.2 and limited cipher suites

true
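The hardening file and the Identity Portal secure-cookie file both follow the same convention: the feature is on only when the file holds the value "true" on a single uncommented line. The following shell script is an added example (not from the Broadcom article or the vApp itself) that checks a flag file against exactly that rule, so a commented "# true" or a file with stray extra values is reported as not enabled. It runs against constructed sample files; on the vApp you would point it at the real paths. The verify_tls_versions helper, hostname and port arguments are assumptions for an external check after the service restart, and whether openssl reports "rejected" for TLSv1.0/1.1 also depends on the client-side OpenSSL build still supporting those protocols.

```shell
#!/bin/sh
# Added example: check vApp "flag files" such as
#   /opt/CA/VirtualAppliance/custom/<Wildfly-Service>/https-listener-hardening
#   /opt/CA/VirtualAppliance/custom/IdentityPortal/secure-cookie
# using the rule from the file header: exactly one uncommented line, value "true".

# flag_enabled FILE -> exit 0 if the feature is enabled, 1 otherwise
flag_enabled() {
    file="$1"
    [ -r "$file" ] || return 1
    # strip comments (anything after '#'), trim whitespace, drop empty lines;
    # '|| true' keeps grep's "no match" from failing the assignment under set -e
    values=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" \
             | grep -v '^$' || true)
    # only a single remaining line reading exactly "true" counts as enabled
    [ "$values" = "true" ]
}

# verify_tls_versions HOST PORT -> probe which protocol versions the listener
# accepts after the restart (assumed helper; needs network access, not run here)
verify_tls_versions() {
    host="$1"; port="$2"
    for v in tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$host:$port" "-$v" </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: rejected (or unsupported by this openssl client)"
        fi
    done
}

# Demo on constructed files standing in for the real vApp paths
demo_dir=$(mktemp -d)
printf '# Uncomment the following line to enable TLSv1.2 and limited cipher suites\n# true\n' \
    > "$demo_dir/https-listener-hardening"
printf 'true\n' > "$demo_dir/secure-cookie"
for f in https-listener-hardening secure-cookie; do
    if flag_enabled "$demo_dir/$f"; then
        echo "$f: enabled"
    else
        echo "$f: NOT enabled (add an uncommented line 'true' and restart the service)"
    fi
done
rm -rf "$demo_dir"
```

Run it as the config user with the real paths; a file that exists but still carries only the commented "# true" from the template is reported as not enabled, which is the case the original question describes. After restarting the WildFly service, verify_tls_versions against the listener confirms that only TLSv1.2 is accepted.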