Does GRLoader work with SSL?

Article ID: 55210

Products

CA Service Management - Service Desk Manager

CA Service Desk Manager

Issue/Introduction

How to use GRLoader when Service Desk Manager (SDM) is configured for SSL/HTTPS?

Environment

Service Desk Manager

GRLoader Utility

Resolution

To use GRLoader with SSL, follow the instructions below. Configuring Web Services to run on SSL is a prerequisite.

Configure SSL on Tomcat

1.  From the command line, change directories to the JRE install location (default directory: C:/Program Files (x86)/CA/SC/JRE/11.0.3) and enter the command:

  bin\keytool -genkey -alias tomcat -keyalg RSA

This generates a .keystore file.

2.  Answer the prompts appropriately. The default password is 'changeit'. If you wish to enter a password other than the default one, refer to Tomcat documentation for further configuration requirements.

Note: The .keystore file is created by default in the home directory of the logged-in user. You may specify a different location during .keystore file generation. Refer to Tomcat documentation for information on specifying a different .keystore file location.

3.  Edit the server.xml file located in NX_ROOT\bopcfg\www\CATALINA_BASE\conf

Uncomment the SSL section and add the location of the .keystore file generated in the previous steps.  For example:

  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             port="8443" minProcessors="5" maxProcessors="75"
             enableLookups="true" acceptCount="100" debug="0"
             scheme="https" secure="true"
             useURIValidationHack="false" disableUploadTimeout="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="false" protocol="TLS"
             keystoreFile="C:\Documents and Settings\user\.keystore" />
  </Connector>

4.  Recycle SDM Tomcat by running the following commands:

pdm_tomcat_nxd -c stop
pdm_tomcat_nxd -c start

5.  To access the SDM web interface with SSL, use https://<machinename>:8443/CAisd/pdmweb.exe. You can also derive the Web Services URL in a similar fashion.

Note: You may specify a port other than 8443 in the server.xml file. Refer to Tomcat documentation for further information.

You will be prompted to accept the certificate for this site. View and install the SSL certificate to access SDM.

Configuring GRLoader to connect to SSL Web Service (https server)

To enable GRLoader to work correctly, JAVA needs to be able to authenticate the certificate for the Web Services. This means that you will have to create a certificate, add it to the JAVA cacerts (trusted key store), then pass the URL of the HTTPS server to GRLoader.

Creating a certificate:

1.  From the command line, change directories to the JRE install location (default directory: C:/Program Files (x86)/CA/SC/JRE/11.0.3) and enter the command:

  bin\keytool -export -alias <insert alias here> -keystore <storename here> -rfc -file <insert .cer filename> -storepass <password here>

E.g.:

  bin\keytool -export -alias tomcat -keystore .keystore -rfc -file tomcat.cer -storepass changeit

2.  In order for GRLoader to be able to communicate with the HTTPS server, JAVA needs to be configured to use the certificate created in the previous step.

Update JAVA Trust Store:

1.  GRLoader uses this copy of java (defined as "NX_JRE_INSTALL_DIR" in NX.env):

  C:\Program Files (x86)\CA\SC\JRE\11.0.3

2.  You will need to run the command below on the cacerts (JAVA's trusted keystore) file in this directory:

  C:\Program Files (x86)\CA\SC\JRE\11.0.3\lib\security

This means that you will have to import the .cer (tomcat.cer) file you just created into the cacerts (JAVA's trusted keystore). From the command line, change directories to the JRE install location (default directory: C:\Program Files (x86)\CA\SC\JRE\11.0.3) and enter the command:

  bin\keytool -import -alias <insert alias here> -file <insert .cer filename> -keystore <storename here> -storepass <password here>

e.g.

  bin\keytool -import -alias tomcat -file tomcat.cer -keystore "C:\Program Files (x86)\CA\SC\JRE\11.0.3\lib\security\cacerts" -storepass <password here>

Note: For every machine you run GRLoader from, you will need to configure JAVA's trust store
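
Before running GRLoader, it is worth confirming that the entry imported into cacerts is the same certificate the SDM Tomcat connector presents. The PowerShell script below is an added example, not part of the original article or of the product's tooling; it calls only keytool, and the file name, alias and host:port values are assumptions taken from the article's examples.

```powershell
# Added example (not from the original article). Values marked "assumed" must
# be adjusted to your environment.
$jre     = 'C:\Program Files (x86)\CA\SC\JRE\11.0.3'  # NX_JRE_INSTALL_DIR per the article
$keytool = Join-Path $jre 'bin\keytool.exe'
$cacerts = Join-Path $jre 'lib\security\cacerts'
$cerFile = 'tomcat.cer'       # assumed: file exported in "Creating a certificate"
$alias   = 'tomcat'           # assumed: alias used in the article's examples
$server  = 'localhost:8443'   # assumed: host:port of the SDM HTTPS connector
$pass    = Read-Host 'cacerts password'   # prompt rather than hard-code

function Get-Sha256Fingerprint {
    param([string[]]$KeytoolOutput, [string]$Source)
    # keytool prints "SHA256: AA:BB:..." for -printcert and -list -v. The first
    # match is used; for -sslserver that is the first certificate the server sends.
    foreach ($line in $KeytoolOutput) {
        if ($line -match 'SHA-?256\)?:\s*((?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2})') {
            return $Matches[1].ToUpper()
        }
    }
    throw "No SHA-256 fingerprint found for $Source; check the keytool output."
}

# 1. The certificate file that was exported from the Tomcat keystore.
$fromFile = Get-Sha256Fingerprint (& $keytool -printcert -file $cerFile 2>&1) $cerFile
# 2. The certificate the running HTTPS connector presents (no trust check is done).
$fromServer = Get-Sha256Fingerprint (& $keytool -printcert -sslserver $server 2>&1) $server
# 3. The entry that was imported into the JRE trust store GRLoader uses.
$fromStore = Get-Sha256Fingerprint (& $keytool -list -v -alias $alias -keystore $cacerts -storepass $pass 2>&1) "alias '$alias'"

"File:        $fromFile"
"Server:      $fromServer"
"Trust store: $fromStore"

if ($fromFile -eq $fromServer -and $fromServer -eq $fromStore) {
    'OK: the trust store entry matches the certificate served by Tomcat.'
} else {
    Write-Error 'Fingerprint mismatch: do not rely on this trust store entry.'
    exit 1
}
```

A mismatch between the file and the server usually means the certificate was exported from a different keystore than the one named in server.xml; a mismatch with the trust store means the import went to a different JRE or alias.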

GRLoader arguments:

1.  To use GRLoader with HTTPS, you must point the -s flag at the HTTPS server (the scheme changes from HTTP to HTTPS and, by default, the port changes to 8443):

  grloader -u <username> -p <password> -s <https server url:port> -i <input xml>

e.g.

  grloader -u cmdbadmin -p password -s https://localhost:8443/ -i test.xml

Additional Information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/reference/ca-service-desk-manager-reference-commands/cmdb-technical-reference/general-resource-loader-grloader.html