Description:

This document outlines the procedure to setup CA Workflow 1.1.x to use a self signed certificate for the Tomcat application server.

Solution:

This document assumes that you have already set up CA Service Desk using SSL on port 8443. Port 8444 is used in the examples in this document.

Important Note:

For a production server, you must have a certificate from a trusted Certificate Authority like VeriSign or Thawte. Your Trusted Certificate Authority should have information and documentation on importing the secure certificate into a secure Tomcat environment. This involves generating a Key Request, sending that Key Request to the Trusted Certificate Authority and then importing the returned certificate into your Tomcat installation.

In most cases, you create a test certificate using the steps below for the purpose of testing. Once SSL is working and configured properly, consult your Trusted Certificate Authority to replace your test certificate with a trusted one.

For more information on keytool and on importing certificates from a Certificate Authority, please see http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html. There is also information on the Apache Tomcat site at: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html.

Setup steps:

1. Execute the following command from a command prompt (in the JDK/JRE bin directory) to create a self-signed certificate. This creates a self signed certificate that should only be used for testing purposes:

   >keytool -genkey -alias cawftomcat -keyalg RSA

   The command will create a .keystore file in your home directory. You can tell keytool where to create the file by using the -keystore parameter and specifying the file name and path.
   
   
2. After executing the command, you will be prompted for the keystore password. The default password used by keytool is "changeit". You will need to use the password you enter here in the server.xml configuration file in a later step.

   keytool -genkey -alias cawftomcat -keyalg RSAEnter keystore password: changeitWhat is your first and last name?[Unknown]: <Hostname of Server>What is the name of your organizational unit?[Unknown]: <Your Department>What is the name of your organization?[Unknown]: <Your Company>What is the name of your City or Locality?[Unknown]: <Your City>What is the name of your State or Province?[Unknown]: <Your 2 Letter State Code>What is the two-letter country code for this unit?[Unknown]: <Your 2 Letter Country Code>Is <CN=<Hostname of Server>, OU=<Your Department>, O=<Your Company>,L=<Your City>, ST=<Your 2 Letter State Code>, C=Your 2 Letter Country Code>> correct?[no]: yes

   Finally you will be asked for the key password. Use the same password that was used for the keystore; "changeit" unless otherwise specified.
   
   
3. Next, configure your tomcat server.xml file. For CA Workflow this is located under the $NX_ROOT\bopcfg\www\CATAINA_BASE_WF\conf directory. The standard version of the server.xml contains an example configuration that is commented out:

   <!-- Define a SSL HTTP/1.1 Connector on port 8443 --><!--<Connector port="8443" maxHttpHeaderSize="8192"maxThreads="150" minSpareThreads="25"maxSpareThreads="75"enableLookups="false" disableUploadTimeout="true"acceptCount="100" scheme="https" secure="true"clientAuth="false" sslProtocol="TLS" />-->

   You will note that the Connector element itself is commented out by default (highlighted), so you will need to remove the comment tags around it.
   
   Assuming port 8443 is in use by CA Service Desk, change the connector port to 8444, or any other free port for https access greater than 1024.
   
   There are two additional attribute values that need to be added. These are "keystoreFile" which is the full path to the keystore file defined in the first two steps, and "keystorePass" which is the password used for the keystore defined in the second step.
   
   The full path to the file includes the file name itself. The default name of the file is .keystore which must be included.
   
   Important Note:
   
   If you are using the same keystore file for multiple applications (such as Service Desk) you must also specify the attribute value "keyAlias". If this element is not present the first key read in the keystore will be used.
   
   Your server.xml file entry should end up looking something like:

   <!-- Define a SSL HTTP/1.1 Connector on port 8443 --><Connector port="8444" maxHttpHeaderSize="8192"maxThreads="150" minSpareThreads="25"maxSpareThreads="75"enableLookups="false" disableUploadTimeout="true"acceptCount="100" scheme="https" secure="true"clientAuth="false" sslProtocol="TLS"keystoreFile="<full path to keystore directory>/.keystore" keyPass="keystore password" />

   Again, if necessary add the keyAlias element. Note there is a space between the last character and the close of the tag.
   
   If you changed the port from 8443, you should also change the value specified for the redirectPort attribute on the non-SSL connector.
   
   
4. Next, modify the wl.xml and pm.xml files located in $NX_ROOT/bopcfg/www/CATALINA_BASE_WF/conf/Catalina/localhost. In both files there is a single entry as:

   <Environment name="com.ca.workflow.defaultpmurl" override="true" type="java.lang.String" value="http://servername:8090/pm/"/>

   Change the protocol to https and the port number from 8090 to 8444.
   
   
5. Fully Stop the Workflow Tomcat engine:
   
   Open the task manager and manually kill all javaw.exe processes
   Open a command line and run the following:

   pdm_tomcat_nxd -d STOP -t CAWF

6. Open $NX_ROOT/bopcfg/www/CATALINA_BASE_WF/ and delete the /work/ directory - delete it completely. Do not copy or save it as this will cause problems.
   
   
7. Open $NX_ROOT/bopcfg/www/CATALINA_BASE_WF/webapps and delete the two directories there pm and wl. Do not copy or save these as again this will cause problems.
   
   
8. Open a command line and run the following commands to restart Tomcat:

   pdm_tomcat_nxd -d STARTpdm_tomcat_nxd -d START -t CAWF

   Test the connection to the IDE, this should now work using the protocol https and the port 8444. From within the IDE you must modify the USD Initializer actor. In the IDE select the Actors tab on the left and expand the JavaScript directory.
   
   Select the USD Initializer actor and in the right frame double click on "Get Global Attributes" to open the operation. In the script area change the "WFTomcatPort" value from 8090 to 8444 and click OK.
   
   
9. Finally, change the entries within Service Desk in the Options Manager for CA Workflow. These are the:

   cawf_pm_locationcawf_wl_location

   Important Note:
   
   ONLY CHANGE THE ABOVE 2 ENTRIES! - Do not modify the pm_url or wl_url as this is the connection for the web services deployed by Service Desk.
   
   For a Service Desk installation where there are secondarys installed, you will need to log in to each server separately and make sure that the entries are modified correctly for each Service Desk Server.
   
   You can also manually verify this by opening the nx.env on each secondary server.
   
   Protocols need to be changed to https and ports changed from 8090 to 8444.
   
   
10. A recycle of the Service Desk services must be done, and again perform the following after Service Desk is up and running:
    
    Open the task manager and manually kill all javaw.exe processes
    Open a command line and run the following:

    pdm_tomcat_nxd -d STOP -t CAWFpdm_tomcat_nxd -d STARTpdm_tomcat_nxd -d START -t CAWF

    At this point you should now be able to access the CA Workflow Worklist and the CA Workflow IDE via https using port 8444.