How to enable SSL on ProxyUI in CA Access Gateway (SPS)

Article ID: 36079

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign-On SITEMINDER

Issue/Introduction


How to set up SSL access to the CA Access Gateway (SPS) Administrative User Interface (ProxyUI)?

Resolution


The first step in getting proxy-engine/tomcat to listen on an SSL port is to obtain a certificate and private key pair.

If the hostname used to access the ProxyUI is identical to the one used to access the SPS server itself,

eg:

http://sps.example.com/

and

http://sps.example.com:8080/proxyui

which is usually the case, then the ProxyUI can reuse the certificate and private key generated for the Apache front end (self-signed or otherwise).

Otherwise, a new certificate and private key pair is required; see steps 1-3 in the document on this page.

  1. Convert the certificate & private key into a .p12 object:

    The first step is to convert the certificate (server.crt, shown as server_x509.cer in the command below) and the private key (server.key) into a .p12 object.
    In the following example ca.cer is the issuing certificate; that option is not required for a self-signed certificate.
    Alternatively, a .pem file containing all the certificates in the trust chain can be passed as that parameter:

    c:\> ..\bin\openssl pkcs12 -export -in server_x509.cer -inkey server.key -out mycert.p12 -name tomcat -CAfile ca.cer -caname root -chain

    openssl prompts for the passphrase of server.key, if it has one, and for a password for the new mycert.p12 file.
  2. Create the tomcat java keystore from the .p12 object.

    c:\> c:\{home_java}\bin\keytool -importkeystore -srckeystore mycert.p12 -srcstoretype PKCS12 -destkeystore tomcat.keystore

    keytool prompts for the password of mycert.p12 and for a new password for the created tomcat.keystore.
    Note: The tomcat.keystore file needs to be installed in the secure-proxy/SSL/keys directory.
  3. Update the server.conf file:

    Edit the following parameters in server.conf:

    #To enable SSL for localapp uncomment next three parameters
    local.https.port=543
    local.https.keyStoreFileName="tomcat.keystore"

  4. Storing the tomcat.keystore decrypt password:

    proxy-engine needs the keystore password to open tomcat.keystore, but it must not be stored in the clear. The following method writes the password, encrypted, to the sslconfig.properties file; code in proxy-engine decrypts it at runtime and uses it to open the keystore:

    Change to the bin directory & run the GenerateSSLConfig.bat command with the -keystorepass option:

    c:\> cd \{home_SPS}\secure-proxy\bin
    c:\> GenerateSSLConfig.bat -keystorepass <password>

    That generates output as follows:
    INFO: Successfully written SSL configuration properties file in: C:\{home_sps}\Tomcat\properties\sslconfig.properties

  5. Restart the proxy-engine.

    Restart the proxy-engine via the system services.

    Check that SSL comes up:

    c:\> netstat -an | find "543"

    This should show a process listening on port 543.
    Otherwise, check server.log and the nohup log for clues as to what has occurred.

  6. Access the ProxyUI on the SSL port:

    https://sps.example.com:543/proxyui/

    A login prompt will appear.
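As an added post-change check (not part of the original article or of the CA product), the following Python script validates the two server.conf parameters from step 3, confirms the keystore from step 2 is present in the SSL/keys directory, and completes a verified TLS handshake with the new port, which tells more than the bare netstat check in step 5. The function names and the SAMPLE_CONF text are constructed for this example.

```python
import socket
import ssl

# Constructed sample of the two server.conf lines from step 3 (not a real file).
SAMPLE_CONF = """#To enable SSL for localapp uncomment next three parameters
local.https.port=543
local.https.keyStoreFileName="tomcat.keystore"
"""

def parse_server_conf(text):
    """Return the active key=value pairs from a server.conf body.
    Commented lines are skipped and surrounding quotes are stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def check_https_settings(conf_text, keys_dir_files):
    """Check that the step 3 parameters are active and that the keystore they
    name exists in secure-proxy/SSL/keys (pass os.listdir() of that directory).
    Returns a list of problems; an empty list means the settings look right."""
    problems = []
    s = parse_server_conf(conf_text)
    port = s.get("local.https.port")
    if port is None:
        problems.append("local.https.port is missing or still commented out")
    elif not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("local.https.port is not a valid port: " + port)
    name = s.get("local.https.keyStoreFileName")
    if not name:
        problems.append("local.https.keyStoreFileName is missing or still commented out")
    elif name not in keys_dir_files:
        problems.append(name + " not found in the SSL/keys directory")
    return problems

def check_tls_listener(host, port, cafile=None, timeout=5.0):
    """Complete a TLS handshake with the ProxyUI port, validating the chain and
    hostname, and return the subject CN of the certificate presented.
    cafile is the issuing CA certificate, or the self-signed server cert itself.
    Raises ssl.SSLError or OSError when the handshake or connection fails."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(x[0] for x in tls.getpeercert()["subject"])
            return subject.get("commonName")
```

Run check_https_settings() against the real server.conf and os.listdir() of secure-proxy/SSL/keys, then check_tls_listener("sps.example.com", 543, cafile="ca.cer") once proxy-engine has restarted; the CN returned should match the hostname used in step 6.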