How to enable SSL on proxy UI


Article ID: 36079



Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


Summary: How to set up SSL for access to the Secure Proxy Server Administrative User Interface (Proxy UI)


The first step in getting proxy-engine/Tomcat to listen on an SSL port is to obtain a certificate and private key pair.

If the host name used to access the Proxy UI is identical to the one used to access the SPS server itself (e.g., and, which is usually the case), the Proxy UI can reuse the certificate and private key generated for the Apache front end (self-signed or otherwise). Otherwise a new certificate and private key are required; see steps 1-3 in the document on this page.


  1. Convert the certificate and private key into a .p12 object

    The first step is to convert the certificate (called server.crt here; the example command below uses server_x509.cer) and the private key (server.key) into a PKCS#12 (.p12) object. In the following example, ca.cer is the issuing certificate. You may not need the -CAfile option at all (for a self-signed certificate), or you may need to pass a .pem file containing every certificate in the trust chain as that parameter:

    ..\bin\openssl pkcs12 -export -in server_x509.cer -inkey server.key -out mycert.p12 -name tomcat -CAfile ca.cer -caname root -chain

    You will be asked for the password protecting server.key, if there is one, and for a password for the new mycert.p12 file.
  2. Create the Tomcat Java keystore from the .p12 object

    "c:\Program Files (x86)\Java\jdk1.6.0_31\bin\keytool" -importkeystore -srckeystore mycert.p12 -srcstoretype PKCS12 -destkeystore tomcat.keystore

    You will be prompted for the password to access mycert.p12 and for a new password for the created tomcat.keystore.

    Note: The tomcat.keystore file needs to be installed in the secure-proxy/SSL/keys directory.
  3. Update the server.conf file

    Edit the following parameters in server.conf:

    #To enable SSL for localapp uncomment next three parameters
  4. Store the tomcat.keystore decrypt password

    To open tomcat.keystore, proxy-engine needs the keystore password. We do not want to store it in the clear, so the following method writes the password to the SSL configuration properties file in encrypted form; code in proxy-engine decrypts it at startup and uses it to open the keystore.

    Change to the bin directory and run GenerateSSLConfig.bat with the -keystorepass option (replace "password" with the tomcat.keystore password chosen in step 2):

    cd \CA\proxy-engine\secure-proxy\bin
    GenerateSSLConfig.Bat -keystorepass password

    That generates output as follows:

    INFO: Successfully written SSL configuration properties file in: C:\CA\secure-proxy\Tomcat\properties\

  5. Restart the proxy-engine

    Restart the proxy-engine via the system services.

    Check that the SSL listener comes up:

    netstat -an | find "543"

    This should show a process in LISTENING state on port 543. Note that find matches the substring "543" anywhere in the line, so ports such as 5432 or a remote port 543 on an established connection will also appear; confirm that the Local Address column ends in :543 and the State column says LISTENING.

    Otherwise, look in server.log and the nohup log for clues as to what has occurred.

  6. Access the Proxy UI on the SSL port:

    You should be prompted to log in.
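The checks in steps 5 and 6 can be scripted. The following is an added example and is not code from the article or from the SPS product: it parses netstat output for a socket that is actually LISTENING on the SSL port (rather than any line containing the digits "543") and, optionally, completes a TLS handshake that verifies the served certificate against a PEM file you supply and checks that the host name you connect with matches the certificate, which is the reuse condition described at the top of this article. The host name sps.example.com, the cafile argument, the function names and the netstat sample are all assumptions made for this example; port 543 is the one the article uses.

```python
"""Verify that the proxy-engine SSL listener is up and serves the expected certificate.

Added example, not part of the original article. Port 543 is the article's
SSL port; the host name and the --cafile argument are placeholders.
"""
import re
import socket
import ssl
import subprocess
import sys

# Constructed sample of `netstat -an` output (Windows layout) used for offline
# testing. The 5432 and 10543 lines and the ESTABLISHED line with a *remote*
# port 543 are decoys: `find "543"` would print all of them.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:543            0.0.0.0:0              LISTENING
  TCP    [::]:543               [::]:0                 LISTENING
  TCP    0.0.0.0:5432           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:10543        0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49212         10.0.0.9:543           ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Matches a listening TCP socket on Windows ("TCP ... LISTENING") and on
# Linux netstat ("tcp  0  0 ... LISTEN", where two queue columns precede the
# local address). The local address may be IPv4 or bracketed IPv6.
LISTEN_RE = re.compile(
    r"^\s*(?:TCP|tcp6?)\s+(?:\d+\s+\d+\s+)?"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN(?:ING)?\s*$"
)


def listening_addresses(netstat_output, port):
    """Return the local addresses on which TCP `port` is in LISTENING state."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group("port")) == port:
            found.append(m.group("addr"))
    return found


def probe_tls(host, port, cafile, timeout=5.0):
    """Complete a TLS handshake with host:port.

    `cafile` is a PEM file holding the certificate imported in step 1 (for a
    self-signed certificate) or its issuing CA. The handshake fails with
    ssl.SSLCertVerificationError if the served certificate does not chain to
    it or if `host` is not in the certificate's subject/SAN, which is exactly
    the mismatch the article warns about when the Proxy UI and Apache host
    names differ. Returns the negotiated protocol and certificate details.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }


def main(argv):
    host = argv[1] if len(argv) > 1 else "sps.example.com"  # placeholder host
    port = int(argv[2]) if len(argv) > 2 else 543
    cafile = argv[3] if len(argv) > 3 else None  # PEM to verify against
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    addrs = listening_addresses(out, port)
    if not addrs:
        print(f"nothing LISTENING on TCP {port}; check server.log and the nohup log")
        return 1
    print(f"TCP {port} is LISTENING on: {', '.join(addrs)}")
    if cafile:
        info = probe_tls(host, port, cafile)
        print(f"TLS {info['protocol']} ok; subject={info['subject']} "
              f"expires={info['not_after']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_proxyui_ssl.py <hostname> 543 server.pem` on the SPS host after the restart in step 5. Without the third argument it only performs the netstat check; with it, a successful handshake means the listener is up, speaks TLS, serves a certificate that chains to the PEM you supplied, and carries the host name you will type into the browser in step 6.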


Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus