We have imported custom certificate in PAM however after starting PAM the agents are showing as inactive.

Article Id: 33625
Status: Published
Updated On: 14-02-2018 08:19
Legacy Id: TEC1444749
Products:
CA IT PROCESS AUTOMATION MANAGER , CA Process Automation Base
Issue/Introduction:

Question:
After importing custom certificate in PAM, the agents status changed to inactive.
What is the correct procedure to install custom certificates?

Answer: 
Use following steps to import the certificate.

1. Stop PAM Service

2. To generate new keystore Open command prompt and navigate to '.JDK\bin' directory then execute following command.
  
   Keytool -genkey -alias <<aliasname>> -keyalg RSA -keystore <<keystorename>>

   The above command will prompt for a password to secure the c2okeystore. This password will be required in a later stage therefore lease keep a note of it.

3. Import the certificate in keystore using below command
    keytool - import - alias myalias - file certfile - keystore  "path_and_file_specification_for_keystore".

4. Copy the new keystore to <<PAM_INSTALLATION_DIRECTORY>>/server/c2o/.config/
    Don t delete the existing “c2okeystore” from <<PAM_INSTALLATION_DIRECTORY>>\server\c2o\.config

5. Go to <<PAM_INSTALLATION_DIRECTORY>>\server\c2o


6. Run the command
   PasswordEncryption.bat NEW_KEYSTORE_PASSWORD >password.txt


7. Edit and update the <<PAM_INSTALLATION_DIRECTORY>>\server\c2o\.config\OasisConfig.properties with the following entries

   itpam.custom.web.keystorepath=<pam_dir>/server/c2o/.config/newcustomkeystore.jks
   itpam.custom.web.keystore.password=<encrypted_password_of_custom_Cert>
   itpam.custom.web.keystorealias=newaliasname

8. Backup current '.\PAM\server\c2o\deploy\jbossweb.sar\server.xml file OUTSIDE of PAM install directory.

Note: Don't backup the file in same folder.
               
9. Edit the Connector element to use non-default properties (example below has the word custom keyword added to out of the box properties)
   <Connector protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
    port="${tomcat.secure.port}" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${itpam.custom.web.keystorepath}"
    keyAlias="${itpam.custom.web.keystorealias}"
    keystorePass="${itpam.custom.web.keystore.password}"
    sslProtocol = "${SSL_PROTOCOL}" algorithm = "${X509_ALGORITHM}"ciphers="${jboss.ssl. ciphers}" useBodyEncodingForURI="true"   

     maxPostSize="12582912"/>

10. Save the file and Start PAM service

 

Environment:

Release: ITPASA99000-4.3-Process Automation-Add On License for-CA Server Automation
Component: