Introduction:
This document describes how to set up SSL for CA Identity Governance 12.6 running on JBoss 5 or JBoss 6 EAP.
Instructions:
Note: This document describes the process using a self-signed certificate. If you want to use a certificate issued by a Microsoft CA, for example, see the Microsoft support website for how to request one. Keep in mind that a self-signed certificate is trusted by nothing by default: every browser and every Java process that connects to the server (including Identity Manager, see Additional Information) must import it explicitly.
Creating the self-signed certificate
1) Open a command prompt
2) Enter the following command (keytool.exe is located in %JAVA_HOME%\bin; "name" and "server.keystore" are example values)
keytool -genkey -alias name -keyalg RSA -keystore server.keystore
-alias
Defines the alias to use for adding an entry to the keystore.
-keyalg
Specifies the algorithm to use to generate the key pair.
keytool then prompts for the distinguished name fields and the keystore password.
3) For the “What is your first and last name?” question, type the FQDN of your CA Identity Governance server, exactly as users will enter it in the browser URL. This value becomes the certificate CN; a browser rejects the certificate if the CN does not match the host name in the URL.
4) In the sample a temp folder was created to hold the server.keystore file.
5) keytool creates server.keystore in that folder. Keep the keystore password; it goes into server.xml later.
6) Copy server.keystore to the JBoss folder that the HTTPS connector will reference. For the JBoss 5 layout used in the next section (keystoreFile="${jboss.server.home.dir}/conf/server.keystore") that is “<JBoss_Installation_folder>/server/eurekify/conf”; for JBoss 6 EAP it is “<JBoss_Installation_folder>/standalone/configuration”.
Add Your Digital Certificate to the Keystore
Now export the certificate from the keystore you just created on the CA Identity Governance server and import it into the JDK trust store (cacerts), so that Java processes on this server trust it.
Follow these steps:
1) Stop JBoss if it is running
2) Open a command prompt in the folder where you created server.keystore.
3) Export the certificate (the public part only; the private key stays in server.keystore) with the following command:
"%JAVA_HOME%\bin\keytool" -v -export -alias name -keystore server.keystore -storepass password -file example.cer
Use the alias and keystore password you chose when creating the keystore.
4) Import the certificate into the trust store (cacerts) of the JDK that runs JBoss:
"%JAVA_HOME%\bin\keytool" -v -import -alias name -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit -file example.cer
If you didn’t change the “cacerts” keystore password, it is “changeit” without quotes. Give the entry an explicit alias: without -alias keytool stores it as “mykey”, and a second import with that default alias fails. Import into the JDK that JBoss actually starts with; a second JDK on the machine has its own cacerts.
5) Copy the example.cer file to the JDK security folder, for example:
X:\Program Files\Java\jdk1.6.0_23\jre\lib\security
6) Add the certificate to the Windows local certificate store so that browsers on this machine trust it:
a. Locate and double-click the example.cer file.
A Certificate window opens.
b. On the General tab, click Install Certificate.
The Certificate Import Wizard opens.
c. Complete the prompts (a self-signed certificate is only trusted if you place it in the Trusted Root Certification Authorities store), click Finish, and click OK when the confirmation dialog opens.
Repeat step 6 on every client machine from which the console is used; a self-signed certificate is trusted nowhere until it has been imported.
You have added the digital certificate to the JDK trust store and to the Windows certificate store.
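The keytool steps from “Creating the self-signed certificate” and “Add Your Digital Certificate to the Keystore”, run non-interactively as one script. This is an added example and is not part of the CA article: the FQDN, the alias (the FQDN is reused as alias), the key size, the validity period and the password placeholders are assumptions, and the script is written for bash; the same keytool arguments work from a Windows command prompt with %JAVA_HOME% in place of $JAVA_HOME.

```shell
#!/usr/bin/env bash
# Added example, not from the CA article: generate the self-signed server
# certificate, export it and import it into the JDK trust store, without the
# interactive prompts. FQDN, passwords and file names are placeholders.
set -eu

# The CN must be the host name clients will use in the URL; refuse bare host
# names and localhost before generating anything.
check_fqdn() {
  case "$1" in
    ""|*" "*|localhost) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Distinguished name passed with -dname so keytool does not prompt for it.
dname_for() { printf 'CN=%s' "$1"; }

# JDK 6/7/8 keep cacerts under jre/lib/security, JDK 9+ under lib/security.
cacerts_path() {
  if [ -f "$1/jre/lib/security/cacerts" ]; then
    printf '%s' "$1/jre/lib/security/cacerts"
  else
    printf '%s' "$1/lib/security/cacerts"
  fi
}

# Generate the key pair, export the certificate, import it into the JDK trust
# store and list it back. One alias (the FQDN) is used throughout so the entry
# can be found and replaced later; without -alias keytool would use "mykey".
make_and_trust_cert() {
  fqdn=$1; keystore=$2; storepass=$3; truststore=$4; trustpass=$5
  check_fqdn "$fqdn" || { echo "not an FQDN: '$fqdn'" >&2; return 1; }
  kt="$JAVA_HOME/bin/keytool"
  # Older JDKs default to a 1024-bit RSA key; the default validity is 90 days.
  "$kt" -genkey -alias "$fqdn" -keyalg RSA -keysize 2048 -validity 730 \
        -dname "$(dname_for "$fqdn")" \
        -keystore "$keystore" -storepass "$storepass" -keypass "$storepass"
  "$kt" -export -alias "$fqdn" -keystore "$keystore" -storepass "$storepass" \
        -file "$fqdn.cer"
  "$kt" -import -noprompt -alias "$fqdn" -file "$fqdn.cer" \
        -keystore "$truststore" -storepass "$trustpass"
  # Read the entry back: if this fails, the import did not land in the file
  # that -Djavax.net.ssl.trustStore will point JBoss at.
  "$kt" -list -keystore "$truststore" -storepass "$trustpass" -alias "$fqdn"
}

# usage: JAVA_HOME=<jdk> ./make-ig-cert.sh <fqdn> [keystore-password]
if [ $# -ge 1 ] && [ -x "${JAVA_HOME:-}/bin/keytool" ]; then
  make_and_trust_cert "$1" server.keystore "${2:-password}" \
                      "$(cacerts_path "$JAVA_HOME")" changeit
else
  echo "usage: JAVA_HOME=<jdk> $0 <fqdn> [keystore-password]" >&2
fi
```

Run it with JAVA_HOME set to the JDK that JBoss starts with, then copy the resulting server.keystore to the JBoss conf folder as in step 6 above. On JDK 7 or later, also add -ext SAN=dns:<fqdn> to the -genkey command: current browsers ignore the CN and require the host name in the Subject Alternative Name extension.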
Activate SSL Communication in JBoss
To activate SSL communication in JBoss, disable the plain HTTP connector on port 8080 and add an HTTPS connector to server.xml that points at the keystore and its password.
Follow these steps:
1) Stop JBoss if it is running.
2) Locate server.xml in the following folder and open it for editing:
X:\...\eurekify-jboss\server\eurekify\deploy\jbossweb.sar\
3) Disable the plain HTTP connector on port 8080. Locate the following section and comment it out:
<!--
<Connector protocol="HTTP/1.1" URIEncoding="UTF-8" port="8080" address="${jboss.bind.address}"
connectionTimeout="20000" redirectPort="8443" />
-->
You have disabled default port 8080; nothing listens on it once JBoss is restarted, so the console is reachable over HTTPS only.
4) Edit the JBoss server.xml file to enable SSL and to include the certificate path and password.
a. Locate the following section:
<Connector protocol="AJP/1.3" port="8009" address="${jboss.bind.address}" redirectPort="8443" />
b. Directly below it, add the following connector:
<Connector protocol="HTTP/1.1" URIEncoding="UTF-8" SSLEnabled="true" maxThreads="150"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore" keystorePass="password" />
c. Replace password with the keystore password you gave keytool, and make sure keystoreFile points to where you copied server.keystore. clientAuth="false" means the server does not ask browsers for a client certificate. The keystore password is stored in clear text in server.xml, so restrict read access to the file to the account that runs JBoss.
5) Save and close the server.xml file
6) Locate run.conf.bat in the following folder and open it for editing:
X:\...\RCM\Server\eurekify-jboss\bin\
7) Edit run.conf.bat
a. Locate the following line
set "JAVA_OPTS=%JAVA_OPTS% -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000"
b. Directly below it, add the following lines:
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="X:\JDK-Path\jre\lib\security\cacerts"
Point trustStore at the cacerts file you imported the certificate into in the previous section (the same JDK that JBoss starts with), and use that file's password. Note that these options appear on the Java command line and are visible to anyone who can list processes on the server.
8) Save and close run.conf.bat
9) Start JBoss
You have activated SSL communication in JBoss. The console is now reached at https://<FQDN>:8443, where <FQDN> is the name you put in the certificate.
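A check to run from a client machine after step 9, as an added example that is not part of the CA article: it verifies that the HTTPS listener presents the certificate you exported (and no other), that its CN is the FQDN you typed into keytool, and that port 8080 no longer answers. It assumes openssl and curl are installed; host, port and file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the CA article: verify the JBoss HTTPS listener
# against the exported self-signed certificate. Requires openssl and curl.
set -eu

# Pull the CN out of an "openssl x509 -subject" line. Old releases print
# "subject= /CN=host", newer ones "subject=CN = host"; handle both.
subject_cn() {
  sed -n 's/.*CN *= *\([^,/ ]*\).*/\1/p' | head -n 1
}

# True when an s_client transcript contains "Verify return code: 0 (ok)",
# i.e. the server chain verified against the CA file we supplied.
verify_ok() { grep -q 'Verify return code: 0 (ok)'; }

# Connect with SNI, trust only example.cer (DER, as keytool -export writes it)
# and confirm the presented CN is the expected FQDN.
verify_listener() {
  fqdn=$1; port=$2; cer=$3
  pem=$(mktemp)
  openssl x509 -inform DER -in "$cer" -out "$pem"
  # s_client exits non-zero when the TCP connection fails; keep the output
  # either way so the error is reported below.
  transcript=$(openssl s_client -connect "$fqdn:$port" -servername "$fqdn" \
               -CAfile "$pem" </dev/null 2>&1 || true)
  rm -f "$pem"
  printf '%s\n' "$transcript" | verify_ok \
    || { echo "https://$fqdn:$port did not verify against $cer" >&2; return 1; }
  cn=$(printf '%s\n' "$transcript" | openssl x509 -noout -subject | subject_cn)
  [ "$cn" = "$fqdn" ] \
    || { echo "certificate CN '$cn' does not match '$fqdn'" >&2; return 1; }
  echo "https://$fqdn:$port presents CN=$cn and verifies against $cer"
}

# Plain HTTP must be refused once the 8080 connector is commented out.
http_port_closed() {
  fqdn=$1; port=$2
  if curl -s --max-time 5 -o /dev/null "http://$fqdn:$port/"; then
    echo "port $port still answers; the HTTP connector is not disabled" >&2
    return 1
  fi
  echo "port $port is closed"
}

# usage: ./check-ig-ssl.sh <fqdn> <https-port> <exported.cer>
if [ $# -eq 3 ]; then
  verify_listener "$1" "$2" "$3"
  http_port_closed "$1" 8080
else
  echo "usage: $0 <fqdn> <https-port> <exported.cer>" >&2
fi
```

A “Verify return code” other than 0 (ok) means the listener is not serving the certificate from server.keystore: the usual causes are a wrong keystoreFile path or keystorePass in server.xml, or a keystore that holds more than one key entry.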
Additional Information:
To integrate Identity Governance and Identity Manager with SSL on both sides, trust has to be established in both directions: Identity Governance must trust the Identity Manager certificate, and Identity Manager must trust the Identity Governance certificate.
1) Copy the .cer file exported in section “Add Your Digital Certificate to the Keystore”, step 3, to the Identity Manager machine, and copy the certificate exported on the Identity Manager server (identitymanager.cer in the example below) to the Identity Governance machine.
2) On each machine, import the other server's certificate into the cacerts of the JDK that runs JBoss there, using the same keytool command as in section “Add Your Digital Certificate to the Keystore”, step 4. On the Identity Governance server, for example:
"%JAVA_HOME%\bin\keytool" -v -import -alias identitymanager -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit -file identitymanager.cer
3) Restart the JBoss (IG) service so that the trust store is read again.
Note: Refer to the tech document “How to setup SSL in IdM 12.6.x (JBoss)” TEC1237693 for the Identity Manager side, that is, how to import the Identity Governance certificate into the Identity Manager trust store.