Description:
This document outlines the procedure to set up CA Workflow 1.1.x to use a self-signed certificate for the Tomcat application server.
Solution:
This document assumes that you have already set up CA Service Desk using SSL on port 8443. Port 8444 is used in the examples in this document.
Important Note:
For a production server, you must have a certificate from a trusted Certificate Authority like VeriSign or Thawte. Your Trusted Certificate Authority should have information and documentation on importing the secure certificate into a secure Tomcat environment. This involves generating a Key Request, sending that Key Request to the Trusted Certificate Authority and then importing the returned certificate into your Tomcat installation.
In most cases, you create a self-signed test certificate using the steps below. Once SSL is working and configured properly, consult your Trusted Certificate Authority to replace the test certificate with a trusted one.
For more information on keytool and on importing certificates from a Certificate Authority, please see http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html. There is also information on the Apache Tomcat site at: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html.
Setup steps:
Generate a key pair and keystore with keytool:

keytool -genkey -alias cawftomcat -keyalg RSA

The command will create a .keystore file in your home directory. You can tell keytool where to create the file by using the -keystore parameter and specifying the file name and path.
A typical keytool session looks like this (replace the bracketed values with your own):

keytool -genkey -alias cawftomcat -keyalg RSA
Enter keystore password: changeit
What is your first and last name?
  [Unknown]: <Hostname of Server>
What is the name of your organizational unit?
  [Unknown]: <Your Department>
What is the name of your organization?
  [Unknown]: <Your Company>
What is the name of your City or Locality?
  [Unknown]: <Your City>
What is the name of your State or Province?
  [Unknown]: <Your 2 Letter State Code>
What is the two-letter country code for this unit?
  [Unknown]: <Your 2 Letter Country Code>
Is <CN=<Hostname of Server>, OU=<Your Department>, O=<Your Company>, L=<Your City>, ST=<Your 2 Letter State Code>, C=<Your 2 Letter Country Code>> correct?
  [no]: yes

Finally you will be asked for the key password. Use the same password that was used for the keystore: "changeit" unless otherwise specified.
Locate the SSL connector definition in the server.xml of the Tomcat instance used by CA Workflow:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

You will note that the Connector element itself is commented out by default, so you will need to remove the comment tags around it.
Change the port to 8444 and add the keystoreFile and keyPass attributes:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8444" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="<full path to keystore directory>/.keystore" keyPass="keystore password" />

If necessary, also add the keyAlias attribute. Note there is a space between the last attribute value and the close of the tag.
Locate the Environment element that defines the default process manager URL:

<Environment name="com.ca.workflow.defaultpmurl" override="true" type="java.lang.String" value="http://servername:8090/pm/"/>

Change the protocol to https and the port number from 8090 to 8444.
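The two configuration edits above (the uncommented connector on port 8444, and the defaultpmurl value switched to https and port 8444) are easy to get subtly wrong by hand. The following Python script is an added example, not part of this knowledge base article or of the CA Workflow product: it parses a constructed server.xml fragment modelled on the connector shown above and reports any of the article's SSL attributes that are missing or wrong, and it applies the scheme/port change to a constructed Environment element. The sample XML and the file layout it implies are assumptions for illustration only.

```python
"""Sanity checks for the Tomcat SSL connector and defaultpmurl edits.

Added example; not code from the CA article. The XML below is a constructed
sample that mirrors the connector and Environment fragments the article shows.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the connector after it has been uncommented and moved
# to port 8444 as the article instructs. The keystore path is a placeholder.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" />
    <Connector port="8444" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/path/to/keystore/.keystore" keyPass="changeit" />
  </Service>
</Server>
"""

# Constructed sample of the Environment element before the change.
SAMPLE_ENVIRONMENT = (
    '<Environment name="com.ca.workflow.defaultpmurl" override="true" '
    'type="java.lang.String" value="http://servername:8090/pm/"/>'
)


def check_ssl_connector(server_xml: str, port: str = "8444") -> list:
    """Return a list of problems with the Connector on `port`.

    An empty list means the connector exists and carries the attribute
    values the article's example uses (https scheme, secure, TLS, keystore).
    """
    root = ET.fromstring(server_xml.strip())
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return [f"no Connector element on port {port}"]
    conn = connectors[0]
    problems = []
    expected = {"scheme": "https", "secure": "true", "sslProtocol": "TLS"}
    for attr, value in expected.items():
        if conn.get(attr) != value:
            problems.append(f'{attr} should be "{value}", got {conn.get(attr)!r}')
    if not conn.get("keystoreFile"):
        problems.append("keystoreFile attribute is missing")
    if not conn.get("keyPass"):
        problems.append("keyPass attribute is missing")
    return problems


def rewrite_pm_url(value: str, new_port: int = 8444) -> str:
    """Apply the article's change to a defaultpmurl value:
    scheme http -> https and port 8090 -> new_port, everything else kept."""
    parts = urlsplit(value)
    if parts.scheme != "http" or parts.port != 8090:
        raise ValueError(f"unexpected defaultpmurl value: {value}")
    host = parts.netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", f"{host}:{new_port}", parts.path,
                       parts.query, parts.fragment))


def rewrite_environment(fragment: str) -> str:
    """Rewrite the value attribute of a single Environment element."""
    env = ET.fromstring(fragment)
    env.set("value", rewrite_pm_url(env.get("value")))
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    print("connector problems:", check_ssl_connector(SAMPLE_SERVER_XML))
    print(rewrite_environment(SAMPLE_ENVIRONMENT))
```

Run the checker against the real server.xml after editing it; a non-empty list means one of the attributes the article relies on is missing or still carries its commented-out default. Two points the script does not cover but a practitioner should: keyPass is stored in clear text in server.xml, so restrict read access to that file to the account Tomcat runs under, and the check does not verify that the keystoreFile path actually exists on disk.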
Stop the CA Workflow Tomcat and restart Tomcat:

pdm_tomcat_nxd -d STOP -t CAWF
pdm_tomcat_nxd -d START
pdm_tomcat_nxd -d START -t CAWF

Test the connection to the IDE; it should now work using the https protocol and port 8444. From within the IDE you must modify the USD Initializer actor: in the IDE, select the Actors tab on the left and expand the JavaScript directory.
Update the following two variables to reflect the new https URL and port 8444:

cawf_pm_location
cawf_wl_location

Important Note:
Restart Tomcat again:

pdm_tomcat_nxd -d STOP -t CAWF
pdm_tomcat_nxd -d START
pdm_tomcat_nxd -d START -t CAWF

At this point you should be able to access the CA Workflow Worklist and the CA Workflow IDE via https using port 8444.