
Endevor Web Service SSL/TLS RACF Keyring


Article ID: 240181


Updated On:

Products

Endevor Software Change Manager (SCM)

Issue/Introduction

The VS Code Endevor Explorer plug-in is used to connect to an Endevor WS Tomcat instance.

HTTPS was enabled in Endevor Web Service using a RACF keyring: a CA certificate was requested and added to the RACF keyring of the ID that the server runs under, and the following section of server.xml was uncommented and edited:

     <!-- Define a SSL HTTP/1.1 Connector on port 8443 using SAF keyring -->   
     <Connector port="8443" maxHttpHeaderSize="8192"                           
           maxThreads="150" minSpareThreads="25"                               
           enableLookups="false" disableUploadTimeout="true"                   
           SSLEnabled="true"                                                   
           algorithm="IbmX509"                                                 
           acceptCount="100" scheme="https" secure="true"                      
           clientAuth="false" sslProtocol="TLS"                                
           sslEnabledProtocols="+TLSv1.2,+TLSv1.1,+TLSv1"                      
           keystoreType="JCERACFKS"                                            
           keystoreFile="safkeyring://TOMCATPR/SSLRING"                        
           sslImplementationName="com.ca.sslsocket.CASSLImplementation" />     

A new Endevor profile was then set up in the Explorer, with self-signed certificates rejected. The connection to the server fails and keeps returning an HTTPS error.

 

Cause

A visual verification in the browser was tried: https://th84tcp.travp.net:8443/EndevorService/services/EndevorService?wsdl

It showed a mismatch between the name in the certificate and the Endevor Tomcat server hostname (a "connection not private" warning and the following message):

https://api-broadcom-ca-user.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=te8LaxUIsbG/Hg9d6SLSLg==

 

Environment

Release : 18.1

Component : Endevor Software Change Manager

Resolution

To get the SSL/TLS connection to work using a CA certificate:

The CN of the CA certificate should match the Tomcat server hostname.

Or

The SAN (Subject Alternative Name) in the CA certificate should match the Tomcat server hostname.

Or

Create a DNS alias (in this example, a DNS alias tomcath8.travp.net for th84tcp.travp.net).
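The three options above can be checked against a certificate before changing the keyring or DNS. The following is an added example, not part of the original article or Broadcom's code: it applies the RFC 6125 rule that SAN DNS names take precedence and the CN is a fallback only when the certificate has none, using the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The certificates are constructed, and that the keyring certificate was issued to tomcath8.travp.net is an assumption; individual clients may differ in whether they still accept a CN.

```python
# Added example (not Broadcom code). Input is the dict shape returned by
# ssl.SSLSocket.getpeercert(); the certificates below are constructed.

def cert_names(cert):
    """Return (SAN dNSName list, subject CN list), lower-cased."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return sans, cns

def name_matches(pattern, host):
    """Exact match, or '*' as the entire left-most label covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:      # refuse patterns as broad as '*.net'
        return p[1:] == h[1:]
    return p == h

def check_host(cert, host):
    """Return (ok, reason). CN is consulted only when no SAN dNSName exists."""
    sans, cns = cert_names(cert)
    names, source = (sans, "SAN") if sans else (cns, "CN")
    for name in names:
        if name_matches(name, host):
            return True, f"{host} matches {source} {name}"
    return False, f"{host} not covered by {source} {names}"

def subject(cn):
    """Build a getpeercert()-style subject holding only a commonName."""
    return ((("commonName", cn),),)

# Constructed certificates; assumption: the keyring certificate was issued to
# tomcath8.travp.net (the page gives that name only as the DNS alias).
CN_ONLY = {"subject": subject("tomcath8.travp.net")}
WITH_SAN = {"subject": subject("tomcath8.travp.net"),
            "subjectAltName": (("DNS", "tomcath8.travp.net"),
                               ("DNS", "th84tcp.travp.net"))}
SAN_WINS = {"subject": subject("th84tcp.travp.net"),
            "subjectAltName": (("DNS", "tomcath8.travp.net"),)}

if __name__ == "__main__":
    for label, cert, host in [
        ("reported failure", CN_ONLY, "th84tcp.travp.net"),
        ("DNS alias", CN_ONLY, "tomcath8.travp.net"),
        ("SAN added", WITH_SAN, "th84tcp.travp.net"),
        ("CN ignored when SAN present", SAN_WINS, "th84tcp.travp.net"),
    ]:
        print(f"{label:30} {check_host(cert, host)}")
```

The last case shows why putting the hostname in the CN alone does not help once the certificate also carries SAN DNS names that omit it.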

 

 

 

Additional Information

Configure Apache Tomcat to Use SSL with Keyrings