How to enable SSL on proxy UI

Article ID: 36079

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Summary: How to set up SSL for access to the Secure Proxy Server Administrative User Interface (Proxy UI)

Instructions:

The first step in getting proxy-engine/tomcat to listen on an SSL port is to obtain a certificate and private key pair.

If the host name used to access the proxyui is identical to the one used to access the sps server itself (e.g. http://sps.example.com/ and http://sps.example.com:8080/proxyui), which is usually the case, then proxyui can use the certificate and private key already generated for the apache front end (self-signed or otherwise). Otherwise a new certificate and private key are required; see steps 1-3 in the document on this page.

 

  1. Convert the certificate & private key into a .p12 object

    The first step is to convert the certificate (we will say: server.crt; the example command below uses server_x509.cer) and private key (server.key) into a .p12 object. In the following example, ca.cer is the issuing certificate; you may not need that option (if the certificate is self-signed), or you may need a .pem file containing all the certificates in the trust chain as that parameter:

    ..\bin\openssl pkcs12 -export -in server_x509.cer -inkey server.key -out mycert.p12 -name tomcat -CAfile ca.cer -caname root -chain

    You will be asked for the password to server.key, if it has one, and for a password for the new mycert.p12 file.
  2. Create the tomcat java keystore from the  .p12 object.

    "c:\Program Files (x86)\Java\jdk1.6.0_31"\bin\keytool -importkeystore -srckeystore mycert.p12 -srcstoretype PKCS12 -destkeystore tomcat.keystore

    You will be prompted for the password to access mycert.p12, and for a new password for the created tomcat.keystore.

    Note: The tomcat.keystore file needs to be installed in the secure-proxy/SSL/keys directory.  
  3. Update the server.conf file
    Edit the following parameters in server.conf:

    #To enable SSL for localapp uncomment next three parameters
    local.https.port=543
    local.https.keyStoreFileName="tomcat.keystore"
  4. Storing the tomcat.keystore decrypt password
    To open tomcat.keystore, proxy-engine needs the keystore password. We do not want to store it in the clear, so the following method writes the (encrypted) password to the sslconfig.properties file; code in proxy-engine decrypts it at startup and uses it to unlock the keystore:
    Change to the bin directory and run GenerateSSLConfig.bat with the keystorepass option (replace "password" with the tomcat.keystore password chosen in step 2):
    cd \CA\proxy-engine\secure-proxy\bin
    GenerateSSLConfig.bat -keystorepass password
      
    That generates output as follows: 
    INFO: Successfully written SSL configuration properties file in: C:\CA\secure-proxy\Tomcat\properties\sslconfig.properties

  5. Restart the proxy-engine. 
    Restart the proxy-engine via the system services.
    Check that the SSL port has come up:
    netstat -an | find "543"

    This should show a process listening on port 543.
    Otherwise, look in server.log and the nohup log for clues as to what has occurred.
     
  6. Access the Proxy UI on the SSL port:
    https://www.example.com:543/proxyui/

    You should be prompted to log in.
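Added example, not part of the original article: POSIX shell helpers that perform the step 1 and step 2 conversion and verify the result before tomcat.keystore is copied into secure-proxy/SSL/keys. It assumes openssl is on the PATH; keytool is used only if found. File names and the "tomcat" alias follow the article; the passwords and paths are supplied as arguments.

```shell
#!/bin/sh
# Helpers around the openssl/keytool steps above. Run from a shell with
# openssl on the PATH (on Windows, e.g. Git Bash with ..\bin on the PATH).

# Return 0 only if the private key belongs to the certificate; a mismatched
# pair is the usual reason tomcat fails to start on the SSL port.
key_matches_cert() {      # $1 = cert (PEM), $2 = key (PEM)
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Step 1: bundle cert + key (+ optional issuing chain) into a PKCS#12 file
# with the alias "tomcat" that keytool will carry over.
# $1 cert, $2 key, $3 output .p12, $4 p12 password, $5 optional CA file
# Caveat: with OpenSSL 3.x add -legacy if an old JDK cannot read the file.
make_p12() {
    if [ -n "$5" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name tomcat \
            -passout "pass:$4" -CAfile "$5" -caname root -chain
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name tomcat \
            -passout "pass:$4"
    fi
}

# SHA-256 fingerprint of the original cert and of the one inside the .p12;
# the two must be identical, otherwise the wrong certificate was exported.
cert_fingerprint() {      # $1 = cert (PEM)
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
p12_cert_fingerprint() {  # $1 = .p12, $2 = its password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Step 2: import into the Java keystore and confirm that alias "tomcat" is a
# PrivateKeyEntry, i.e. both key and certificate landed in the store.
# Returns 2 (not an error) when keytool is not installed.
make_keystore() {  # $1 .p12, $2 p12 password, $3 keystore, $4 keystore password
    command -v keytool >/dev/null || { echo "keytool not found" >&2; return 2; }
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass "$2" -destkeystore "$3" -deststorepass "$4" -noprompt \
        >/dev/null || return 1
    keytool -list -keystore "$3" -storepass "$4" | grep -q '^tomcat,.*PrivateKeyEntry'
}
```

Run key_matches_cert first; if it fails there is no point continuing to the export, and the fingerprint comparison catches an export made from the wrong certificate file.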

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus