How-To: Use private signed SSL certificates with CA Workload Control Center

Article ID: 39758

Products

CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
CA Workload Automation Agent

Issue/Introduction

Introduction: 

This document describes how to use private (internally signed) certificates with WCC.

Note:
Commercial Certificate Authorities (CA) like Verisign and Comodo no longer issue signed certificates for internal networks. Therefore, a prerequisite to using this procedure is to have an internal CA set up. Clients (e.g. web browsers) should have the root and any intermediate certificates imported into their certificate store.

Environment:

CA Workload Control Center 11.3.5, 11.3.6, 11.4 SP1, 11.4 SP2, and 11.4 SP3

Instructions:

This scenario walks you through the process of requesting and using a privately signed certificate from a trusted certificate authority.

1. Log in to the WCC host as the WCC software owner (e.g. wcc)

2. Set the Java environment

    On UNIX:
    JAVA_HOME=$CA_WCC_INSTALL_LOCATION/jre; export JAVA_HOME
    PATH=$JAVA_HOME/bin:$PATH; export PATH
 
    On Windows:
    set JAVA_HOME=%CA_WCC_INSTALL_LOCATION%\jre
    set PATH=%JAVA_HOME%\bin;%PATH%

3. Change directory to the keystore location
   
    On UNIX:
    cd $CA_WCC_INSTALL_LOCATION/data/config
  

    On Windows:
    cd %CA_WCC_INSTALL_LOCATION%\data\config

4. Copy the existing .keystore file to a backup location.
    Example:
   
    On UNIX:
    cp .keystore /var/tmp/

    On Windows:
    copy .keystore %TEMP%

5. Delete the existing key in the keystore

    keytool -delete -alias tomcat -keystore .keystore -storepass changeit

6. Create a new key:
   
    keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<hostname>" -validity <days>
   
    where:
    <hostname> is the WCC hostname
    <days> is the expiration period of the certificate in days (e.g. 5475 = 15 years)

7. Create the certificate signing request (CSR)
   
    keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -file wcc.cert.req.csr

8. Have the certificate request signed by your internal CA

    The internal CA will need to return the following in PEM format:
    a. root certificate
    b. any/all intermediate certificate(s)
    c. the private (signed) certificate generated from the CSR

9. Import the root certificate. Enter ‘yes’ to trust the certificate.

    keytool -importcert -alias RootCA -file <ca.cert.pem> -keystore .keystore -storepass changeit
   
    <ca.cert.pem> is the root certificate received from the internal CA.
   
10. (Optional) Import any/all intermediate certificate(s)
   
    keytool -importcert -alias IntermediateCA -file <intermediate.cert.pem> -keystore .keystore -storepass changeit

    <intermediate.cert.pem> is the intermediate certificate received from the internal CA.
   
11. Import the private (signed) certificate

    keytool -importcert -trustcacerts -file <wcc.cert.pem> -alias tomcat -keystore .keystore -storepass changeit

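    <wcc.cert.pem> is the signed certificate received from the internal CA. The private key itself never leaves the keystore; only the CSR from step 7 is sent to the CA.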
   
12. Restart WCC services

    On UNIX:
    unisrvcntr restart CA-wcc-services
   
    On Windows:
    Restart the CA-wcc-services service from Microsoft Windows Services Console.

IMPORTANT: Ensure that the root certificate and any intermediate certificates are imported into client (e.g. web browsers) certificate stores.   
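
A check worth running after step 11 and before the restart in step 12, shown as an added example that is not part of the original article: it parses `keytool -list -v` output and confirms the CA reply was attached to the `tomcat` key entry rather than left self-signed or imported under another alias as a trusted certificate. The function name `check_key_entry` and the sample keystore listings (hostnames, CA names) are constructed for illustration.

```shell
#!/bin/sh
# Real use, from the keystore directory in step 3:
#   keytool -list -v -keystore .keystore -storepass changeit | check_key_entry tomcat

check_key_entry() {   # $1 = alias (lowercase), stdin = `keytool -list -v` output
    awk -v want="$1" '
        /^Alias name: /               { cur = tolower(substr($0, 13)); cert = 0 }
        cur != want                   { next }   # ignore every other entry
        /^Entry type: /               { type = $3 }
        /^Certificate chain length: / { len = $4 }
        /^Certificate\[/              { cert++ }
        /^Owner: /  && cert <= 1      { owner  = substr($0, 8) }   # leaf subject
        /^Issuer: / && cert <= 1      { issuer = substr($0, 9) }   # leaf issuer
        END {
            if (type != "PrivateKeyEntry") {
                print "FAIL: " want " is " (type ? type : "missing"); exit 1
            }
            if (len + 0 < 2 || owner == issuer) {
                print "FAIL: " want " is still self-signed, CA reply not installed"; exit 1
            }
            print "OK: " want " chain length " len ", issued by " issuer
        }'
}

# Constructed listings, trimmed to the fields the function reads.
sample_signed() { cat <<'EOF'
Alias name: rootca
Entry type: trustedCertEntry

Owner: CN=Example Internal Root CA
Issuer: CN=Example Internal Root CA

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=wcc.example.internal
Issuer: CN=Example Internal Root CA
Certificate[2]:
Owner: CN=Example Internal Root CA
Issuer: CN=Example Internal Root CA
EOF
}
sample_unsigned() { cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wcc.example.internal
Issuer: CN=wcc.example.internal
EOF
}

sample_signed   | check_key_entry tomcat
sample_unsigned | check_key_entry tomcat || echo "(keystore state after step 6, before the reply is imported)"
```

keytool stores aliases in lowercase, so `RootCA` from step 9 is listed as `rootca`; pass the alias to the function in lowercase.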

Additional Information:

CA Workload Control Center: Change the SSL Mode

Environment

Release: ATSYHA99000-11.3.6-Workload Automation AE-High Availability Option