The Java Communication Process (JCP) is a communication process implemented in Java. It hosts services such as the AE REST web services.
JCP can serve these connections over HTTP or HTTPS.
Please note that the steps below are for Unix/Linux; Windows should not be much different (use keytool.exe rather than keytool). Commands to be run are shown on their own lines, followed by the prompts they produce.
Setting up the Rest service for ssl on the AutomationEngine:
(Reference: https://curl.haxx.se/docs/sslcerts.html)
Please note: the keytool command is found in the bin directory of the Java installation.
1.) Initializing the jetty keystore and prepping the certificate
sudo /usr/lib/jvm/jre-1.8.0_oracle/bin/keytool -keystore ./httpsRESTKeyFile -alias jetty -genkey -keyalg RSA -sigalg SHA256withRSA
Example of the key extract
/usr/bin/openssl pkcs12 -in ./wildcard_company_local.pfx -nocerts -out ./wildcard_company_local.key
Enter Import Password: <This should be the password provided for your certificate>
MAC verified OK
Enter PEM pass phrase: <For simplicity, use the password you used for your key store>
Verifying - Enter PEM pass phrase: <For simplicity, use the password you used for your key store>
Example of the crt extract
/usr/bin/openssl pkcs12 -in ./wildcard_company_local.pfx -clcerts -nokeys -out ./wildcard_company_local.crt
Enter Import Password: <This should be the password provided for your certificate>
MAC verified OK
Creating the pkcs12 cert
cd /home/srv-uc4/wild_card_cert
/usr/bin/openssl pkcs12 -inkey ./wildcard_company_local.key -in ./wildcard_company_local.crt -export -out ./wildcard_company_local.pkcs12
Enter pass phrase for ./wildcard_company_local.key: <Keep the same as your key store password>
Enter Export Password: <Keep the same as your key store password>
Verifying - Enter Export Password: <Keep the same as your key store password>
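The key extract, crt extract and PKCS#12 repackaging above run interactively. The script below is an added example, not part of the original article, that performs the same three openssl steps non-interactively (passwords passed with -passin/-passout instead of prompts) and then checks that the certificate and private key in the resulting bundle actually belong together, which is the mistake most likely to surface later as a keystore that Jetty refuses to load. It assumes openssl is on the PATH; the input .pfx is constructed from a throwaway self-signed certificate so the script runs offline, and the file names and passwords are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): scripted version of the
# openssl extract/repackage steps, plus a cert/key consistency check.
# Assumptions: openssl on PATH; the .pfx is CONSTRUCTED below as a stand-in
# for the certificate file you received; passwords are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
IMPORT_PW="${IMPORT_PW:-pfx-import-password}"   # password supplied with the .pfx
STORE_PW="${STORE_PW:-keystore-password}"       # same as the Jetty keystore password

# Build a constructed sample .pfx (stand-in for wildcard_company_local.pfx).
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=*.company.local" \
    -keyout "$WORKDIR/sample.key" -out "$WORKDIR/sample.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORKDIR/sample.key" -in "$WORKDIR/sample.crt" \
    -out "$WORKDIR/wildcard_company_local.pfx" -passout "pass:$IMPORT_PW"
}

# The three steps from the article: key extract, crt extract, repackage.
convert_pfx() {
  pfx="$1"
  # key extract: private key written PEM-encrypted under the keystore password
  openssl pkcs12 -in "$pfx" -nocerts -out "$WORKDIR/wildcard_company_local.key" \
    -passin "pass:$IMPORT_PW" -passout "pass:$STORE_PW"
  # crt extract: only the client (leaf) certificate, no keys
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$WORKDIR/wildcard_company_local.crt" \
    -passin "pass:$IMPORT_PW"
  # repackage as PKCS#12 with the keystore password as export password
  openssl pkcs12 -export -inkey "$WORKDIR/wildcard_company_local.key" \
    -in "$WORKDIR/wildcard_company_local.crt" \
    -out "$WORKDIR/wildcard_company_local.pkcs12" \
    -passin "pass:$STORE_PW" -passout "pass:$STORE_PW"
}

# Returns 0 when the certificate and the private key in the bundle share
# the same public key (compared via SHA-256 of the PEM public key).
verify_bundle() {
  bundle="$1"
  cert_pub=$(openssl pkcs12 -in "$bundle" -clcerts -nokeys -passin "pass:$STORE_PW" 2>/dev/null \
    | openssl x509 -pubkey -noout | openssl sha256)
  key_pub=$(openssl pkcs12 -in "$bundle" -nocerts -nodes -passin "pass:$STORE_PW" 2>/dev/null \
    | openssl pkey -pubout | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

make_sample_pfx
convert_pfx "$WORKDIR/wildcard_company_local.pfx"
if verify_bundle "$WORKDIR/wildcard_company_local.pkcs12"; then
  echo "bundle OK: $WORKDIR/wildcard_company_local.pkcs12"
else
  echo "certificate and key do not match" >&2
  exit 1
fi
```

To use it with a real certificate, point convert_pfx at your .pfx and set IMPORT_PW and STORE_PW in the environment rather than on the command line, so the passwords do not end up in shell history or process listings.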
2.) Converting/migrating the Jetty keystore to pkcs12
cd /AutomationEngine/bin
sudo /usr/lib/jvm/jre-1.8.0_oracle/bin/keytool -importkeystore -srckeystore ./httpsRESTKeyFile -destkeystore ./httpsRESTKeyFile -deststoretype pkcs12
Enter source key store password: <Keep the same as your key store password>
Entry for alias jetty successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
3.) Importing the certificate into the Jetty keystore
sudo /usr/lib/jvm/jre-1.8.0_oracle/bin/keytool -importkeystore -destkeystore ./httpsRESTKeyFile -srckeystore /home/srv-uc4/wild_card_cert/wildcard_company_local.pkcs12 -srcstoretype PKCS12 -alias "1" -destalias "jetty"
Importing keystore /home/srv-uc4/wild_card_cert/wildcard_company_local.pkcs12 to ./httpsRESTKeyFile...
Enter destination keystore password: <enter keystore pwd>
Enter source keystore password: <enter keystore pwd>
Existing entry alias 1 exists, overwrite? [no]: yes
4.) Changing the password of the key entry so it matches the keystore password (only needed if you chose a different password in earlier steps)
sudo /usr/lib/jvm/jre-1.8.0_oracle/bin/keytool -keypasswd -alias "jetty" -new <default or new password> -keystore ./httpsRESTKeyFile
Enter keystore password: <This is the password you chose originally for your key store>
Enter key password for <jetty> <This should be whatever you chose instead of the key store as indicated in previous steps>
5.) List out the keystore contents to confirm
/usr/lib/jvm/jre-1.8.0_oracle/bin/keytool -list -v -keystore ./httpsRESTKeyFile
6.) Modify the ucsrv.ini
To enable SSL for the [REST] service and reference the key store and its password, set the following in the [REST] section:
host=<servername>.<company>.local
port=8088
sslEnabled=1
keystore=./httpsRESTKeyFile
keystorePassword=<encrypted password>
keyPassword=<encrypted password>
The keystore value may also be the full path to httpsRESTKeyFile. Both password values are the key store password you chose earlier, encrypted with the UCYBCRYP.exe tool.
Example:
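A misconfigured [REST] section fails quietly: with sslEnabled=0 the service simply stays on plain HTTP, and a password pasted in unencrypted still works but sits in clear text in ucsrv.ini. The script below is an added example, not part of the original article, that reads the [REST] section of a ucsrv.ini and reports those problems. It assumes that passwords encrypted with UCYBCRYP begin with the prefix "--10" (an assumption about the tool's output format); the two sample ini files it checks are constructed here and the encrypted values in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the [REST]
# section of ucsrv.ini for the SSL settings listed above.
# Assumption: UCYBCRYP-encrypted passwords start with "--10".
# The sample ini files are CONSTRUCTED here.
set -eu

# Print the non-comment lines of section $2 of ini file $1.
ini_section() {
  awk -v want="[$2]" '
    { gsub(/\r$/, "") }
    /^[ \t]*\[/ { p = ($0 == want); next }
    p && /^[ \t]*[^;#]/ { print }
  ' "$1"
}

# Print the value of key $3 in section $2 of file $1 (empty if absent).
ini_get() {
  ini_section "$1" "$2" | awk -F= -v k="$3" '
    { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
    key == k { v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
  '
}

# Print one finding per line; return 0 when the section passes, 1 otherwise.
check_rest_ssl() {
  ini="$1"; rc=0
  ssl=$(ini_get "$ini" REST sslEnabled)
  if [ "$ssl" != "1" ]; then
    echo "sslEnabled is '$ssl', expected 1 (REST service would stay on plain HTTP)"; rc=1
  fi
  if [ -z "$(ini_get "$ini" REST keystore)" ]; then
    echo "keystore is not set"; rc=1
  fi
  for name in keystorePassword keyPassword; do
    val=$(ini_get "$ini" REST "$name")
    case "$val" in
      "")     echo "$name is not set"; rc=1 ;;
      --10*)  ;;   # assumed UCYBCRYP prefix: looks encrypted
      *)      echo "$name does not look encrypted (run it through UCYBCRYP)"; rc=1 ;;
    esac
  done
  return $rc
}

# Write a constructed sample ini to $1; $2 is "good" or "weak".
write_sample() {
  if [ "$2" = good ]; then
    cat > "$1" <<'EOF'
[GLOBAL]
name=AUTOMIC
[REST]
host=ae01.company.local
port=8088
sslEnabled=1
keystore=./httpsRESTKeyFile
keystorePassword=--10PLACEHOLDER
keyPassword=--10PLACEHOLDER
EOF
  else
    cat > "$1" <<'EOF'
[REST]
host=ae01.company.local
port=8088
sslEnabled=0
keystore=./httpsRESTKeyFile
keystorePassword=changeit
EOF
  fi
}

dir=$(mktemp -d)
write_sample "$dir/good.ini" good
write_sample "$dir/weak.ini" weak
if check_rest_ssl "$dir/good.ini"; then echo "good.ini: OK"; fi
if ! check_rest_ssl "$dir/weak.ini"; then echo "weak.ini: see findings above"; fi
```

Run check_rest_ssl against the real /AutomationEngine/bin/ucsrv.ini after step 6 and again after any later edit; the weak sample deliberately reproduces the three findings (SSL off, plaintext keystorePassword, missing keyPassword).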
7.) Restart the JCP REST service (shown in the admin tab of the zero client with type "A")
8.) Import the keystore certificate into the keystore used by tomcat.
If Tomcat or the web server is installed on the same machine as the AE server, execute the command below.
sudo /usr/lib/jvm/jre-1.8.0_oracle/bin/java -jar ./ucsrvjp.jar -installcert <hostname>:8088
If Tomcat or the web server is NOT installed on the same machine as the AE server, import the keystore certificate into the keystore/cacerts of the Java used by Tomcat or the web server.
Example (Windows):
keytool -importcert -file C:\Automic\AutomationEngine\cert\btabpc.broadcom.net.crt -alias bta.bpc.broadcom.net -keystore "C:\Program Files\Java\jdk1.8.0_301\jre\lib\security\cacerts"
9.) List the contents of the keystore you just imported into, to confirm the certificate exists. (The alias depends on how you created your Jetty keystore and on the certificate you used.)
/usr/lib/jvm/java-1.8.0-oracle-1.8.0.151-1jpp.5.el7.x86_64/jre/bin/keytool -v -list -keystore /usr/lib/jvm/java-1.8.0-oracle-1.8.0.151-1jpp.5.el7.x86_64/jre/lib/security/cacerts -alias <hostname>-1
10.) Log out of AWI and log back in
Please note that any reference to Java in this article means the Java installation the processes are actually using.