Configure RCM JBoss to only use secure communication methods

Article ID: 50046

Products

CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

Description:

By default, RCM Server is installed allowing insecure (plain HTTP) communication over port 8080.

This document shows the steps required to set up RCM Server so that it only uses secure communication over HTTPS.

Solution:

Follow these steps to allow JBoss to communicate only over HTTPS (port 8443):

  1. Prerequisites:

    SSL Encryption
    Make sure that SSL encryption has been implemented according to the directions in the RCM installation guide, Chapter 3, section "SSL, Authentication and Certificates" (for example: keytool -genkey -alias name -keyalg RSA -keystore server.keystore).

    URL
    Make sure all URL references specify port 8443. (One exception: you may want to leave "tms.workflow.url" at port 8080 until the certificate has been imported into the JVM keystore in step 2, since it will not work until after that step.)

    Property Settings:

    <Please see attached file for image>

    Figure 1

    Common Properties:

    <Please see attached file for image>

    Figure 2

    Server.xml

    Make sure the server.xml file is pointing to the keystore file you plan to use:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="YOUR_PASS" />

    Validate

    Test the portal on port 8443 to make sure everything is functional before going any further.

    Otherwise, if something does not work after the remaining changes, you cannot be certain that those changes caused the problem.

    As you click around the portal, make sure the URL always uses https:

    https://<JBOSS_FQDN>:8443/eurekify/portal/

  2. Install the certificate into the JVM Keystore

    Export the certificate from the browser:

    <Please see attached file for image>

    Figure 3

    <Please see attached file for image>

    Figure 4

    Select "Copy to file..."

    <Please see attached file for image>

    Figure 5

    Use the DER encoded binary X.509 format.

    <Please see attached file for image>

    Figure 6

    Import the certificate into the JVM keystore (cacerts), for example:

    keytool -import -alias rcmkey -keystore "D:\Program Files\Java\jdk1.5.0_22\jre\lib\security\cacerts" -file "D:\w1pvap179_der_x509.cer"

    A sample session:

    C:\Program Files\Java\jdk1.5.0_16\bin>keytool -import -alias RCMSP3 -keystore "C:\Program Files\Java\jdk1.5.0_16\jre\lib\security\cacerts" -file E:\rcmsp3.cer

    Enter keystore password:
    Owner: CN=RCMSP3, OU=Support, O=CA, L=London, ST=England, C=GB
    Issuer: CN=RCMSP3, OU=Support, O=CA, L=London, ST=England, C=GB
    Serial number: 4dff710b
    Valid from: Mon Jun 20 17:10:51 BST 2011 until: Sun Sep 18 17:10:51 BST 2011

    Certificate fingerprints:
    MD5: 37:99:99:2A:FC:E1:42:22:7E:36:03:C5:1E:06:6B:83
    SHA1: FD:75:04:03:E4:15:38:85:3C:3D:6D:32:82:0D:B6:CD:B4:6B:85:98
    Trust this certificate? [no]: yes
    Certificate was added to keystore

    When completed, restart JBoss.

  3. Update Workpoint to use port 8443

    In the Workpoint DB Administrator menu, select "Update Workpoint Processes" to use 8443 and https.

    Click "Update"

    <Please see attached file for image>

    Figure 7

    It will take about a minute to reload the workpoint processes.

    <Please see attached file for image>

    Figure 8

    At the bottom of the screen, look for the message:

    <Please see attached file for image>

    Figure 9

    "Update Host and Port in Workpoint Processes" to use 8443 and https.

    <Please see attached file for image>

    Figure 10

    Open Workpoint Designer to Validate:

    <Please see attached file for image>

    Figure 11

    Open any script

    <Please see attached file for image>

    Figure 12

    You should see that the https URL on port 8443 is being used in the processes.

    Run the Workpoint checkup:

    <Please see attached file for image>

    Figure 13

    Make sure the URL now uses https.

    <Please see attached file for image>

    Figure 14

    <Please see attached file for image>

    Figure 15

    <Please see attached file for image>

    Figure 16

    Test the portal:

    • Create a Campaign

    • Create a new role using the Role Management menu

  4. Turn off port 8080

    Stop JBoss

    Edit the server.xml file:
    ..\CA\RCM\Server\eurekify-jboss\server\eurekify\deploy\jbossweb.deployer\server.xml

    Comment out the section defining port 8080

    Restart JBoss

    Repeat the portal testing

    Verify that the only ports JBoss is listening on are 8009 (AJP) and 8443 (HTTPS), by checking eurekify.log for lines like:

    INFO [org.apache.coyote.http11.Http11Protocol] Initializing Coyote HTTP/1.1 on http-8443
    INFO [org.apache.coyote.ajp.AjpProtocol] Initializing Coyote AJP/1.3 on ajp-0.0.0.0-8009
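    As an added check of the end state of steps 1 to 4 (example code written for this article, not part of the CA documentation or the RCM product), the following Python script confirms that no Connector on port 8080 is still active in server.xml, that the 8443 Connector carries the HTTPS attributes shown above, and that the eurekify.log startup lines report only 8009 and 8443. The server.xml fragment and log lines are constructed samples, and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not a real RCM file): the 8080 Connector
# has been commented out as in step 4, so the XML parser never sees it and
# only the HTTPS (8443) and AJP (8009) Connectors remain active.
SAMPLE_SERVER_XML = """<Server><Service name="jboss.web">
  <!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" /> -->
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS"
             keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
             keystorePass="YOUR_PASS" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

# Constructed log lines in the format the article quotes from eurekify.log.
SAMPLE_LOG = """INFO [org.apache.coyote.http11.Http11Protocol] Initializing Coyote HTTP/1.1 on http-8443
INFO [org.apache.coyote.ajp.AjpProtocol] Initializing Coyote AJP/1.3 on ajp-0.0.0.0-8009"""

# Attributes every remaining HTTP Connector must carry to be an HTTPS one.
REQUIRED_TLS_ATTRS = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}


def check_connectors(server_xml):
    """Return a list of problems; an empty list means no Connector is left
    on 8080 and every active HTTP Connector is configured for HTTPS."""
    problems = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        if port == "8080":
            problems.append("Connector on port 8080 is still active")
        if conn.get("protocol", "").startswith("AJP"):
            continue  # AJP on 8009 is expected to stay (step 4)
        for attr, value in REQUIRED_TLS_ATTRS.items():
            if conn.get(attr) != value:
                problems.append(f"port {port}: {attr} should be {value!r}")
        if not conn.get("keystoreFile"):
            problems.append(f"port {port}: keystoreFile is not set")
    return problems


def listening_ports(log_text):
    """Ports Coyote reports initialising ('on http-8443', 'ajp-0.0.0.0-8009')."""
    found = re.findall(r"Initializing Coyote .*-\s?(\d+)\s*$", log_text, re.M)
    return sorted(int(p) for p in found)


def hardened(server_xml, log_text):
    """True only when the config is clean and JBoss listens on 8009 and 8443 alone."""
    return not check_connectors(server_xml) and listening_ports(log_text) == [8009, 8443]
```

    Run it against the real server.xml and the startup section of eurekify.log after step 4; any entry in the returned problem list, or an extra port in the listening list, means step 4 is not complete.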

NOTE:
If Client Tools are installed on a different server than the main RCM/GM Server, the relevant certificates (server and root CA) must be imported on the Client Tools machine in order to be able to connect securely.

<Please see attached file for image>

Figure 17

Environment

Release: CAIDMB99000-12.6-Identity Manager-B to B
