Endevor Web Service SSL/TLS RACF Keyring

Article ID: 240181


Products

Endevor

Issue/Introduction

Using the VS Code Endevor Explorer plug-in to connect to an Endevor Web Services Tomcat instance.

Enabled HTTPS using a RACF keyring in Endevor Web Service. Requested a CA certificate and added it to the RACF keyring for the ID that the server runs under; also uncommented and edited this section of server.xml:

     <!-- Define an SSL HTTP/1.1 Connector on port 8443 using SAF keyring -->
     <Connector port="XXXX" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           SSLEnabled="true"
           algorithm="IbmX509"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="+TLSv1.2,+TLSv1.1,+TLSv1"
           keystoreType="JCERACFKS"
           keystoreFile="safkeyring://kryringowner/keyring"
           sslImplementationName="com.ca.sslsocket.CASSLImplementation" />

Then set up a new Endevor profile in the explorer, rejecting any self-signed certificates. Cannot connect to the server and keep getting an HTTPS error.

Environment

Release : 18.1

Component : Endevor Software Change Manager

Cause

Tried the visual verification in the browser: https://host:port/EndevorService/services/EndevorService?wsdl

Noticed that there is a mismatch between the name in the certificate and the Endevor Tomcat server hostname (got a "connection not private" warning and the following message):

"This server could not prove that it is xxxxxxxxxxx; its security certificate is from TOMCATH8.xxxxxxxxxxxxxx. This may be caused by a misconfiguration or an attacker intercepting your connection"

Resolution

To get the SSL/TLS connection to work with the certificate from the CA, one of the following must hold:

The CN (Common Name) of the certificate matches the Tomcat server hostname,

or

the SAN (Subject Alternative Name) in the certificate matches the Tomcat server hostname,

or

a DNS alias is created so that the hostname the client connects to matches the name in the certificate.
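As an added illustration (not part of the original article), the following Python script implements the hostname check that a TLS client such as the browser or the VS Code explorer applies to the server certificate, using the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns. The certificate values and hostnames are constructed placeholders; the script also covers the SAN-over-CN precedence and wildcard cases beyond the article's single CN mismatch.

```python
# Added example, not from the original article: the hostname check a TLS client
# (browser, VS Code extension) applies to the server certificate. Input uses the
# dictionary shape returned by Python's ssl.SSLSocket.getpeercert().

def _dns_names(peercert):
    """Names the client will accept: SAN dNSName entries if present,
    otherwise the subject CN (legacy fallback, used only when no SAN exists)."""
    sans = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []

def _name_matches(pattern, hostname):
    """Case-insensitive exact match; a leading '*.' matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = hostname.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == hostname

def hostname_matches(peercert, hostname):
    return any(_name_matches(n, hostname) for n in _dns_names(peercert))

def diagnose(peercert, hostname):
    """Human-readable verdict in the spirit of the browser warning in the article."""
    names = _dns_names(peercert)
    if hostname_matches(peercert, hostname):
        return f"OK: '{hostname}' is covered by {names}"
    return (f"MISMATCH: client asked for '{hostname}' but the certificate names are "
            f"{names}; reissue it with a matching SAN/CN or use a DNS alias that matches")

# Constructed sample reproducing the article's symptom: CN is TOMCATH8.example.com
# with no SAN, while the client connects to endevor.example.com.
MISMATCHED_CERT = {"subject": ((("commonName", "TOMCATH8.example.com"),),)}
# Constructed sample of a corrected certificate carrying both names in the SAN.
FIXED_CERT = {
    "subject": ((("commonName", "TOMCATH8.example.com"),),),
    "subjectAltName": (("DNS", "TOMCATH8.example.com"), ("DNS", "endevor.example.com")),
}

if __name__ == "__main__":
    print(diagnose(MISMATCHED_CERT, "endevor.example.com"))
    print(diagnose(FIXED_CERT, "endevor.example.com"))
```

To check a live endpoint, feed the output of ssl.SSLSocket.getpeercert() for the Tomcat port into diagnose() together with the hostname configured in the Endevor profile.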


Additional Information

Configure Apache Tomcat to Use SSL with Keyrings