Endevor Web Service SSL/TLS RACF Keyring

Article ID: 240181

Updated On:

Products

Endevor

Issue/Introduction

Using the VS Code Endevor Explorer plug-in to connect to an Endevor Web Services (WS) Tomcat instance.

HTTPS was enabled using a RACF keyring in Endevor Web Service. A CA certificate was requested and added to the RACF keyring of the ID that the server runs under, and the following section of server.xml was uncommented and edited:

     <!-- Define a SSL HTTP/1.1 Connector on port 8443 using SAF keyring -->
     <!-- keystoreFile uses the form safkeyring://<owner ID>/<ring name>: the RACF ID the
          server runs under and the keyring that holds the server certificate -->
     <!-- TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only +TLSv1.2 unless a
          legacy client still requires the older protocols -->
     <Connector port="XXXX" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           SSLEnabled="true"
           algorithm="IbmX509"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="+TLSv1.2,+TLSv1.1,+TLSv1"
           keystoreType="JCERACFKS"
           keystoreFile="safkeyring://keyringowner/keyring"
           sslImplementationName="com.ca.sslsocket.CASSLImplementation" />

A new Endevor profile was then set up in the explorer, configured to reject self-signed certificates. The connection to the server fails and keeps returning an HTTPS error.

Environment

Release : 18.1

Component : Endevor Software Change Manager

Cause

Verified visually in a browser by opening: https://host:port/EndevorService/services/EndevorService?wsdl

There is a mismatch between the name in the certificate and the Endevor Tomcat server hostname (the browser showed a "connection is not private" warning with the following message):

"This server could not prove that it is xxxxxxxxxxx; its security certificate is from TOMCATH8.xxxxxxxxxxxxxx. This may be caused by a misconfiguration or an attacker intercepting your connection"

Resolution

To get the SSL/TLS connection to work with the CA-issued server certificate, one of the following must hold:

The CN (Common Name) of the certificate matches the Tomcat server hostname.

Or

A SAN (Subject Alternative Name) entry in the certificate matches the Tomcat server hostname.

Or

A DNS alias is created so that the hostname the client connects to is the name that appears in the certificate.

Note that current browsers (Chrome since version 58) ignore the CN entirely, and Node.js-based clients such as the VS Code extension consult the CN only when the certificate carries no SAN, so adding the hostname to the SAN is the reliable option.
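The following diagnostic is an added example, not code from the article or from Endevor: it fetches the Tomcat server certificate (verifying the chain but deliberately not the hostname, so a mismatched certificate can still be inspected) and then applies the SAN-first, CN-fallback check that clients perform, reporting why a hostname fails. The host, port and cafile values are assumptions; MISMATCHED_CERT is a constructed sample shaped like ssl.getpeercert() output.

```python
"""Check whether a server certificate's CN/SAN covers the hostname a client will use."""
import socket
import ssl


def cert_names(cert):
    """Return (commonName, [SAN dNSName ...]) from an ssl.getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for key, value in cert.get("subjectAltName", ()) if key == "DNS"]
    return cn, sans


def name_matches(pattern, hostname):
    """Case-insensitive exact match; a wildcard is honoured only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def check_hostname(cert, hostname):
    """Return (ok, reason). SAN entries decide when present; CN is only a legacy fallback."""
    cn, sans = cert_names(cert)
    if sans:
        if any(name_matches(san, hostname) for san in sans):
            return True, f"{hostname} is covered by SAN {sans}"
        return False, f"{hostname} is not in SAN {sans}; CN '{cn}' is ignored when SAN is present"
    if cn and name_matches(cn, hostname):
        return True, f"{hostname} matches CN '{cn}' (no SAN present; legacy CN match)"
    return False, f"{hostname} matches neither SAN (none) nor CN '{cn}'"


def fetch_cert(host, port, cafile):
    """Fetch the peer certificate, verifying the chain against cafile (assumed to be the PEM
    of the CA that signed the Tomcat certificate) but not the hostname, so the names can be read."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name check is done by check_hostname() to explain the failure
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample mirroring the article's failure: a certificate issued to the
# TOMCATH8 name while the client connects using a different hostname.
MISMATCHED_CERT = {"subject": ((("commonName", "TOMCATH8.example.com"),),), "subjectAltName": ()}

if __name__ == "__main__":
    print(check_hostname(MISMATCHED_CERT, "endevor.example.com"))
```

Replace MISMATCHED_CERT with fetch_cert("host", 8443, "ca.pem") to run the same check against a live Tomcat instance.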

Additional Information