How to Use private signed SSL certificates with CA Workload Control Center?

Article ID: 39758

Products

CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
CA Workload Automation Agent

Issue/Introduction

This document describes how to use private (internally signed) certificates with WCC.

Note:
Commercial Certificate Authorities (CAs) such as Verisign and Comodo no longer issue signed certificates for internal host names. A prerequisite for this procedure is therefore an internal CA that is already set up. Clients (e.g. web browsers) must have the root certificate and any intermediate certificates imported into their certificate store, or they will not trust the certificate that WCC presents.

 

Environment

CA Workload Control Center: all supported versions

Resolution

This scenario walks you through requesting a certificate signed by a trusted (internal) certificate authority and installing it in the WCC keystore.

1. Log in to the WCC host as the WCC software owner (e.g. wcc)

2. Set the Java environment

    On UNIX:
    JAVA_HOME=$CA_WCC_INSTALL_LOCATION/jre; export JAVA_HOME
    PATH=$JAVA_HOME/bin:$PATH; export PATH
 
    On Windows:
    set JAVA_HOME=%CA_WCC_INSTALL_LOCATION%\jre
    set PATH=%JAVA_HOME%\bin;%PATH%

3. Change directory to the keystore location
   
    On UNIX:
    cd $CA_WCC_INSTALL_LOCATION/data/config
  

    On Windows:
    cd %CA_WCC_INSTALL_LOCATION%\data\config

4. Copy the existing .keystore file to a backup location.
    Example:
   
    On UNIX:
    cp .keystore /var/tmp/

    On Windows:
    copy .keystore %TEMP%

5. Delete the existing key (the default self-signed entry, alias tomcat) from the keystore

    keytool -delete -alias tomcat -keystore .keystore -storepass changeit

6. Create a new key:
   
    keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<hostname>" -validity <days>
   
    where:
    <hostname> is the WCC host name
    <days> is the validity period of the certificate in days (e.g. 5475 = 15 years)

NOTE: The dname must contain the fully qualified host name that users will type in the WCC URL. If users reach WCC through a DNS alias (CNAME), add that alias as a Subject Alternative Name when creating the key, for example:

    -ext san=dns:<CNAME>

    Several names can be given as a comma-separated list, e.g. -ext san=dns:<CNAME1>,dns:<CNAME2>. A browser will reject the certificate if the name in the URL does not match either the CN or one of the SAN entries.

7. Create the certificate signing request (CSR)
   
    keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -file wcc.cert.req.csr

8. Have the certificate request signed by your internal CA

    The internal CA will need to return the following in PEM format:
    a. root certificate
    b. any/all intermediate certificate(s)
    c. the private (signed) certificate generated from the CSR

NOTE: Some certificate administrators require the CSR itself to carry the Subject Alternative Names. In that case add the same extension to the keytool -certreq command in step 7, for example:

    -ext san=dns:<CNAME>

9. Import the root certificate. Enter 'yes' when asked whether to trust the certificate.

    keytool -importcert -alias RootCA -file <ca.cert.pem> -keystore .keystore -storepass changeit
   
    <ca.cert.pem> is the root certificate received from the internal CA.
   
10. (Optional) Import any/all intermediate certificate(s)
   
    keytool -importcert -alias IntermediateCA -file <intermediate.cert.pem> -keystore .keystore -storepass changeit

    <intermediate.cert.pem> is the intermediate certificate received from the internal CA. Repeat this step with a distinct alias for each intermediate certificate in the chain.
   
11. Import the private (signed) certificate

    keytool -importcert -trustcacerts -file <wcc.cert.pem> -alias tomcat -keystore .keystore -storepass changeit

    <wcc.cert.pem> is the signed certificate, generated from the CSR, received from the internal CA. It must be imported under the same alias (tomcat) as the key created in step 6 so that it is attached to that key rather than stored as a separate trusted certificate.
   
12. Restart WCC services

    On UNIX:
    unisrvcntr restart CA-wcc-services
   
    On Windows:
    Restart the CA-wcc-services service from Microsoft Windows Services Console.

IMPORTANT: Ensure that the root certificate and any intermediate certificates are imported into the client (e.g. web browser) certificate stores. Before restarting, you can confirm that the signed certificate attached to the key by running keytool -list -v -alias tomcat on the keystore: the entry must be a PrivateKeyEntry whose certificate chain length is greater than 1.

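The keystore steps above (5 to 11), together with the chain check a practitioner should run before restarting WCC, wrapped in POSIX shell functions so that the procedure can be scripted and repeated. This is an added example and not part of the Broadcom article or of the WCC product. It assumes keytool from the WCC JRE is on PATH (step 2) and that the current directory is the keystore location (step 3); the KEYSTORE and STOREPASS defaults, the RootCA/IntermediateCA<n> alias names, and the file names passed as arguments are illustrative. -noprompt replaces the interactive 'yes' of step 9 for the CA certificates; the signed certificate import still uses -trustcacerts so keytool verifies it against the imported chain.

```shell
#!/bin/sh
# Added example, not the article's or the product's own code. Wraps steps 5-11
# of the procedure in functions and adds a post-check on the resulting chain.
# Assumptions (not from the article): keytool is on PATH, the working directory
# is the keystore directory, and the defaults below are replaced by real values.

KEYSTORE="${KEYSTORE:-.keystore}"
STOREPASS="${STOREPASS:-changeit}"

# Build the keytool SAN extension from the host name plus any number of DNS
# aliases, so every name a user may type in the browser is in the certificate.
# Usage: san_ext wcc.example.com scheduler.example.com  (constructed names)
san_ext() {
    out="san=dns:$1"
    shift
    for n in "$@"; do
        out="$out,dns:$n"
    done
    printf '%s' "$out"
}

# Steps 5-7: remove the default self-signed entry, create a 2048-bit RSA key
# under alias tomcat and write a CSR that carries the same SAN names.
# Usage: make_csr <hostname> <days> [alias ...]
make_csr() {
    host="$1"; days="$2"; shift 2
    san="$(san_ext "$host" "$@")"
    # The delete fails harmlessly if the alias is not present yet.
    keytool -delete -alias tomcat -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null || true
    # -genkeypair is the current name for -genkey used in the article.
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "cn=$host" -validity "$days" -ext "$san"
    keytool -certreq -alias tomcat -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -ext "$san" -file wcc.cert.req.csr
}

# Steps 9-11: import the root, then each intermediate under its own alias,
# then the signed certificate under the key's alias so it attaches to the key.
# Usage: import_chain <root.pem> <wcc.cert.pem> [intermediate.pem ...]
import_chain() {
    root="$1"; signed="$2"; shift 2
    keytool -importcert -noprompt -alias RootCA -file "$root" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    i=1
    for inter in "$@"; do
        keytool -importcert -noprompt -alias "IntermediateCA$i" -file "$inter" \
            -keystore "$KEYSTORE" -storepass "$STOREPASS"
        i=$((i + 1))
    done
    keytool -importcert -trustcacerts -alias tomcat -file "$signed" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Post-check: prints the certificate chain length of the tomcat entry.
# 1 means only the self-signed certificate is attached (the signed certificate
# did not import under the key's alias); after a successful import_chain the
# value is the number of certificates from leaf to root, i.e. greater than 1.
chain_length() {
    keytool -list -v -alias tomcat -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | sed -n 's/^Certificate chain length: *//p'
}
```

Run make_csr first, send wcc.cert.req.csr to the internal CA, then call import_chain with the files it returns and check that chain_length reports more than 1 before restarting the CA-wcc-services service.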

Additional Information

CA Workload Control Center: Change the SSL Mode