SPS Proxy UI not accessible on port 8443


Article ID: 37197

Products

CA Risk Analytics
CA Secure Cloud SaaS - Arcot A-OK (WebFort)
CLOUDMINDER ADVANCED AUTHENTICATION
CA Secure Cloud SaaS - Advanced Authentication
CA Secure Cloud SaaS - Identity Management
CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

Issue

We have done the configurations for SPS ProxyUI as per the guideline given in the Secure Cloud 1.54 bookshelf. 

When we tried accessing the URL provided in the guide, we got a message that the URL was unreachable.

When trying to access the URL with port 8080 and using http, we were able to access the URL. 

 

We also checked the server.xml of the Tomcat webserver in the SPS server, and we found out that port 8443 was SSL enabled and all the requests going to 8080 port should be redirected to 8443.

At the same time it is revealed that there is no process listening on port 8443 (netstat -an | grep 8443 returns nothing).

 

Environment: 

CA Secure Cloud. All versions

 

Cause:

This may be due to a missing Tomcat keystore. If this is the case, the following message will be present in the nohup.out log of Tomcat on the SPS server:
 
Dec 01, 2015 11:20:47 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type JCEKS with path /opt/CA/secure-proxy/Tomcat/../SSL/keys/tomcat.keystore due to /opt/CA/secureproxy/Tomcat/../SSL/keys/tomcat.keystore (No such file or directory)
java.io.FileNotFoundException: /opt/CA/secure-proxy/Tomcat/../SSL/keys/tomcat.keystore (No such file or directory)
    at java.io.FileInputStream.open(Native Method)
 

Resolution: 

1. Run the following command:

 
   "$OPENSSL" pkcs12 -export -in "$SPS_HOME/SSL/certs/server.crt" -inkey "$SPS_HOME/SSL/keys/server.key" -out serverkey.p12 -name cmcert -passout "pass:$_cert_passwd"
 
   The command above uses the standard locations and file names. Yours may differ, so confirm what the files are called on your system, and which one is the private key and which one is the certificate for it.

   The p12 file can be given any name.

   $_cert_passwd corresponds to the _cert_password value, which can be found in the properties.sh file for the latest upgrade. If properties.sh was already sourced or run at the start of these steps, all the environment variables will be set and you do not need the actual values, but make sure the variables are set correctly.

   The command will also ask for a passphrase. In general this is NOT the _cert_passwd, but the password with which the private key was protected.

   As good practice, it is strongly advised to keep all certificates under the $SPS_HOME/SSL/certs directory and the keys under the $SPS_HOME/SSL/keys directory.

   The name given with -name, which step 2 passes to keytool as -alias, can also be anything. To keep things simple, assume it is cmcert as in the example.
 
2. Generate the keystore. In the directory that contains serverkey.p12, run the following:
 
   "$KEYTOOL" -importkeystore -deststorepass "$_cert_passwd" -destkeypass "$_cert_passwd" -destkeystore tomcat.keystore -srckeystore serverkey.p12 -srcstoretype PKCS12 -srcstorepass "$_cert_passwd" -alias cmcert
 
   As before, if serverkey.p12 has a different file name, use that name, and supply the actual values for _cert_passwd and the other variables if they have not been defined as environment variables.
 
3. Restart the SPS services.

4. After the restart, Tomcat should be listening on port 8443 as well as 8080, and the GUI should be accessible on port 8443.
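
Two checks that fit around this procedure, written as an added example and not taken from the article or the vendor: failed_keystores pulls the keystore path out of the nohup.out message shown under Cause, and cert_matches_key confirms that the certificate and private key chosen for step 1 belong together. The function names and the sample log are constructed here, and the openssl binary is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# Print each distinct keystore path that Tomcat reported it could not load.
# Reads the log file(s) given as arguments, or stdin when none are given.
failed_keystores() {
    sed -n 's/.*Failed to load keystore type [A-Za-z0-9]* with path \([^ ]*\) due to .*/\1/p' "$@" | sort -u
}

# Exit status 0: certificate and private key carry the same public key.
#             1: both files parse but do not belong together.
#             2: a file is unreadable or of the wrong type (e.g. key and cert swapped).
cert_matches_key() {  # $1 = certificate (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input modelled on the nohup.out message in this article.
sample_log() {
    cat <<'EOF'
Dec 01, 2015 11:20:47 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type JCEKS with path /opt/CA/secure-proxy/Tomcat/../SSL/keys/tomcat.keystore due to /opt/CA/secure-proxy/Tomcat/../SSL/keys/tomcat.keystore (No such file or directory)
EOF
}

# Report whether each keystore named in the log exists on this host.
sample_log | failed_keystores | while IFS= read -r ks; do
    if [ -f "$ks" ]; then echo "present: $ks"; else echo "MISSING: $ks"; fi
done
```

On the SPS server, point failed_keystores at Tomcat's nohup.out, and run cert_matches_key on the certificate and key files before step 1.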

Environment

Release: CLDIDM99000-1.5-Identity Manager SaaS-for Business Users
Component: