How do I configure Inbound Notifications via HTTPS?
Article ID: 54198
Updated On: 10-09-2023
Products
CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite
Issue/Introduction
This techdoc shows how to configure Inbound Notifications via HTTPS using JBoss, WebSphere or WebLogic application servers. This functionality is available with CA Identity Manager r12 CR6 and later.
Environment
Release: Component: IDMGR
Resolution
JBoss Specific Instructions
The steps are compatible with JBoss 4.2.3. There could be minor differences in other versions. The Java keytool is used to create the certificate, but other certificates can be used in a similar manner if you wish.
Creating the Self-Signed Certificate:
Go to a command line and type the following (Requires JDK):
keytool -genkey -alias tomcat -keyalg RSA
Provide password
When prompted for the first and last name, enter the host name of the server
The remaining fields can contain any value
Moving the Keystore:
Copy C:\Documents and Settings\User\.keystore to C:\jboss-4.2.3\server\default\conf
Change the .keystore file name to: "chap8.keystore"
Update the Configuration File:
Shut down JBoss server
Edit the file "server.xml" located in: c:\jboss-4.2.3\server\default\deploy\jboss-web.deployer as follows:
Locate this section:
<!-- SSL/TLS Connector configuration using the admin devl guide keystore
Uncomment the entire block
Add the keystore name and password. The result should look like this:
Start the JBoss server. It should now listen on the HTTPS port as well. To validate, try browsing to: https://<server_name>:8443
Go to the section "Configure the Provisioning Server Side for SSL Inbound Notification"
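The JBoss steps above, as an added example that is not part of this techdoc: the same keytool command run non-interactively with the CN set to the host name (as the techdoc requires), a check that the keystore really carries that CN, and the connector block to leave uncommented in server.xml. The host name, the JBoss path and the password are placeholders; the connector attribute names are assumed to be those of the SSL connector that ships commented out in JBoss 4.2.x, so compare them with your own server.xml.

```shell
#!/bin/sh
# Added example, not part of the CA techdoc. Placeholders: host name, JBoss
# path, keystore password.
set -eu

# Same keytool command as the techdoc, with every prompt answered on the
# command line. $1 = keystore path, $2 = password, $3 = host name (becomes CN).
create_keystore() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$3, OU=IdM, O=Example, C=US" \
        -keystore "$1" -storepass "$2" -keypass "$2"
}

# keytool -list -v prints "Owner: CN=<host>, ..." for the alias; succeed only
# when the CN is exactly the host name the Provisioning Server will connect to.
keystore_cn_matches_host() {
    keytool -list -v -alias tomcat -keystore "$1" -storepass "$2" \
        | grep -q "^Owner: CN=$3,"
}

# The connector block for server.xml. Attribute names assumed from the JBoss
# 4.2.x template (verify against your file); keystorePass ($1) must be the
# password given to keytool.
connector_snippet() {
    cat <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="\${jboss.server.home.dir}/conf/chap8.keystore"
           keystorePass="$1" />
EOF
}

# Usage: sh this_script.sh run   (paths and values below are placeholders)
if [ "${1:-}" = "run" ]; then
    JBOSS_HOME="${JBOSS_HOME:-/opt/jboss-4.2.3}"
    KS="$JBOSS_HOME/server/default/conf/chap8.keystore"
    PASS="${KEYSTORE_PASS:-changeit}"
    HOST="${HOST_NAME:-idm.example.test}"
    create_keystore "$KS" "$PASS" "$HOST"
    keystore_cn_matches_host "$KS" "$PASS" "$HOST"
    connector_snippet "$PASS"
fi
```

The CN check is worth keeping in a build script: if the certificate's CN is not the host name the Provisioning Server dials, the HTTPS callback fails even though the browser test in the step above appears to work.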
WebLogic Specific Instructions
The steps are compatible with WebLogic 9.2.x. There could be minor differences in other versions.
Weblogic provides a demo trusted CA certificate and keystore which can be used for testing purposes only and should not be used in a production environment. This demo certificate is used here for example purposes only. If you want to use a custom certificate refer to the BEA documentation.
Enable https access in the server on port 7002:
Start weblogic domain
Open the weblogic administrative console
Go to Environments -> Servers -> AdminServer (admin)
In the Configuration -> General tab, enable SSL by checking the "SSL listen port enabled" check box. Make sure the server listens on port 7002 (see below):
Go to the section "Configure the Provisioning Server Side for SSL Inbound Notification"
WebSphere Specific Instructions
The steps are compatible with WebSphere 6.1.0.x. There could be minor differences in other versions. In the steps described below, the default certificate provided by WebSphere is used for testing purposes only and should not be used in a production environment. If you want to use a custom certificate, refer to the IBM WebSphere documentation.
Go to the WebSphere management console. From the left menu select Security -> SSL certificate and key management -> SSL configurations -> NodeDefaultSSLSettings
Click the "Get certificate aliases" button. This puts the value "default" in the two empty fields, as seen in the image below:
Save the changes and re-start WebSphere
When the server starts up you should see the following message in the SystemOut.log:
SSLComponentI I CWPKI0003I: SSL service is starting
SSLComponentI I CWPKI0004I: SSL service started successfully
Go to the section "Configure the Provisioning Server Side for SSL Inbound Notification"
Configure the Provisioning Server Side for SSL Inbound Notification
With the HTTPS URL of the application server open in the browser, click the padlock icon at the lower right corner to open the certificate.
Note: In IE 7 there is no padlock icon. Instead, there is a red "shield" sign next to the address bar. Click on it, and select "view certificate".
Go to the Certificate Path tab. If there is only a root certificate, skip to step f.
Select the Root certificate and click View Certificate.
Install the certificate
Open the certificate and go to the Details tab
Click "Copy to File"
Save the certificate in a DER encoded binary (.CER) format
Converting the Certificate to PEM format using OpenSSL (this step can be skipped if you are using JBoss; perform it only if you get SSL errors in the Provisioning Server log):
Copy the OpenSSL tool to the Provisioning Server machine or any other computer where you have the CER certificate saved.
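The conversion step above does not show the OpenSSL command, so here is an added example (not part of this techdoc) that converts the DER-encoded .CER exported from the browser into PEM and, before the Trusted CA Bundle is pointed at a file, checks which of the two formats the file actually is. The file names are placeholders; the DER detection relies on a DER certificate starting with the ASN.1 SEQUENCE tag 0x30.

```shell
#!/bin/sh
# Added example, not part of the CA techdoc. File names are placeholders.
set -eu

# Report "PEM", "DER" or "unknown" for a certificate file. PEM carries the
# BEGIN CERTIFICATE armor; a DER certificate starts with the SEQUENCE tag 0x30.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo unknown
    fi
}

# OpenSSL conversion: -inform DER reads the .CER; the default output is PEM.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Produce a PEM copy of $1 at $2, converting only when the input is DER, and
# fail if the result is still not PEM (the error the techdoc mentions is
# usually a DER file handed to a setting that expects PEM).
ensure_pem() {
    case "$(cert_format "$1")" in
        PEM) cp "$1" "$2" ;;
        DER) der_to_pem "$1" "$2" ;;
        *)   echo "not a certificate: $1" >&2; return 1 ;;
    esac
    [ "$(cert_format "$2")" = "PEM" ]
}

# Usage (placeholder names): ensure_pem exported_root.cer trusted_ca.pem
```

Run cert_format on the file named in Trusted CA Bundle after the change; if it prints DER on a platform that needs PEM, that is the mismatch to fix rather than the certificate itself.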
Configuring notification in the Provisioning Server:
Go to System -> Domain Configuration->Identity Manager Server -> Enable Notification
Change the Value to Yes. See below:
Configure the Trusted CA Bundle in the Provisioning Server:
Go to System -> Domain Configuration -> Identity Manager Server -> Trusted CA Bundle
In the Value provide the location of the CER or PEM file created in step 1.i or 2.b.
Restart the Provisioning Server Service
Inbound Validation:
Make sure Provisioning Inbound is properly configured.
Create a Global User in the Provisioning Server
Make sure the user is created in IM
Check the ProvisioningServer\logs\etanotify<date>-<time>.log file. This file should contain an entry for each test that looks something like the following (note the entry shown in bold):
=====================================
20090615:163943:TID=001320:D: Sending Payload...
20090615:163943:TID=001320:D: URL(https://<example>.forward.inc:8443/idm/ETACALLBACK/?env=forward): No need to encrypt the payload
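To make the inbound validation above repeatable, here is an added example (not part of this techdoc) that reads an etanotify log, counts the "Sending Payload" entries and confirms that every callback URL it finds uses https. The sample log written by write_sample_log is constructed from the entry format shown above; the host name and port in it are placeholders.

```shell
#!/bin/sh
# Added example, not part of the CA techdoc. Sample log lines are constructed
# from the entry format in the techdoc; host and port are placeholders.
set -eu

# Write a constructed sample log (one successful notification) to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
=====================================
20090615:163943:TID=001320:D: Sending Payload...
20090615:163943:TID=001320:D: URL(https://idm.example.test:8443/idm/ETACALLBACK/?env=forward): No need to encrypt the payload
EOF
}

# Number of notifications the Provisioning Server attempted to send.
count_payloads() {
    grep -c 'Sending Payload' "$1" || true
}

# Callback URL of each notification: the text inside "URL(...)".
callback_urls() {
    sed -n 's/.*URL(\([^)]*\)).*/\1/p' "$1"
}

# Succeed only if at least one payload was sent and no callback URL used
# plain http (which would mean the HTTPS configuration was not picked up).
validate_log() {
    n=$(count_payloads "$1")
    [ "$n" -gt 0 ] || { echo "no notifications sent: $1" >&2; return 1; }
    if callback_urls "$1" | grep -v '^https://' | grep -q .; then
        echo "non-HTTPS callback URL in $1" >&2
        return 1
    fi
    return 0
}

# Usage: validate_log "ProvisioningServer/logs/etanotify<date>-<time>.log"
```

After creating the test Global User, run validate_log against the newest etanotify log; zero payloads means notification is still disabled or inbound is misconfigured, while an http:// URL means the callback is not using the HTTPS port set up earlier.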