Enabling SDM to ITPAM Communications When ITPAM is SSL Enabled

Article ID: 9538


Updated On:

Products

CA Service Management - Service Desk Manager
CA Service Desk Manager
CA Process Automation Base

Issue/Introduction

ITPAM is accessed from Service Desk through the Administrator tab, under Service Desk -> Change Order -> Categories, by selecting a category such as Add.it.other. On the category, select the Workflow tab, click Edit and then click the ITPAM button.

Until trust between Service Desk and the SSL-enabled ITPAM has been established, the following error is returned:

"There is a problem accessing CA IT PAM Workflow - please try again or contact the administrator. Details: ; nested exception is: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)"

 

In the SDM Server's jstd.log, this message may also appear:

java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

There may also be a message from SDM logging that says:

ItpamWorkflow 355 Error accessing ITPAM Service at: PKIX path building failed. sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Environment

Service Desk Manager 14.1, 17.x and later

All supported versions of IT Process Automation (ITPAM)

Cause

The SDM server does not trust the certificate presented by the SSL-enabled ITPAM server: the ITPAM certificate has not been imported into SDM's keystore (NX_ROOT\pdmconf\nx.keystore), so the Java client cannot build a certification path to it. That is what the "PKIX path building failed" message reports.

Resolution

When ITPAM is configured for SSL, you must configure the primary and secondary Service Desk Manager servers to communicate with ITPAM.

To enable communications when ITPAM is SSL enabled, perform the following steps:

1.  Verify that you can access and use ITPAM via a web browser, without launching Service Desk Manager. Record the ITPAM URL and use it for reference when you configure the CA IT PAM Workflow options in Service Desk Manager Options Manager.

2.  Ensure that the Service Desk servers and the ITPAM servers run the same release of the Java Runtime Environment (JRE). For details on updating the JRE on the Service Desk installation, see the documentation link under "Additional Information".

3.  Log in to Service Desk Manager as an Administrator user and install or modify the CA IT PAM Workflow options in Options Manager. For each of the following options, use https://server:8443 (the SSL port) instead of http://server:8080 to reach the SSL-enabled ITPAM application. If your ITPAM installation uses a port other than 8443 for SSL, specify that port instead.

    • caextwf_endpoint 
    • caextwf_processdisplay_url 
    • caextwf_worklist_url

Note: Verify that the values match the actual ITPAM installation, because the ITPAM installer might have selected a port other than 8443. If the values do not match, Service Desk Manager cannot communicate with ITPAM and a runtime error occurs.

4.  On the ITPAM server, locate the KEYSTOREID entry in the following file:

PAM 4.3 and older releases:  <ITPAM install dir>\server\c2o\.config\OasisConfig.properties
PAM 4.4:  <ITPAM install dir>\wildfly\standalone\.config\OasisConfig.properties

5.  Copy the KEYSTOREID value; it is the password of the ITPAM keystore and is needed in step 7, so treat it as a secret. It is a long string in the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.

You will also need the keystore alias. Search for the line "itpam.web.keystorealias" to locate this value. By default it is ITPAM.

Note: In earlier versions of ITPAM, the default alias value was c2o-j.

6.  On the ITPAM server, issue the following keytool command as one line on the command line:

<JRE INSTALL DIRECTORY>\bin\keytool.exe -keystore <KEYSTORE LOCATION>\c2okeystore -export -alias <KEYSTORE ALIAS> -file itpam.cer

The above locations for JRE install directory, keystore file location, and keystore alias will vary depending on your environment. 

This is an example command that may work for PAM 4.3 and older:

C:\Progra~1\ca\sc\jre\1.6.0_24\bin\keytool.exe -keystore C:\Progra~1\ITPAM\server\c2o\.config\c2okeystore -export -alias ITPAM -file itpam.cer

For PAM 4.4 and later:

"C:\Program Files\Java\jre-1.8\bin\keytool.exe" -keystore "C:\Program Files\CA\PAM\wildfly\standalone\.config\c2okeystore" -export -alias ITPAM -file itpam.cer

7.  The keytool utility prompts for the keystore password. Enter the KEYSTOREID value recorded in step 5.

The final parameter (-file itpam.cer) tells keytool to write the exported certificate to a file named itpam.cer (in binary DER form, keytool's default). The itpam.cer file contains the certificate that Service Desk Manager must trust in order to communicate with ITPAM.

8.  Copy the itpam.cer file to one of the following locations on the Service Desk Manager Primary or Background server (NX_ROOT is the install directory for Service Desk Manager):

  • (Windows) %NX_ROOT%\bin 
  • (UNIX) $NX_ROOT/bin

9.  Back up the existing nx.keystore file, located in the NX_ROOT\pdmconf directory on the SDM server(s), before changing it.

10.  Check the keystore on the Service Desk server(s) for any ITPAM certificate that was imported earlier, because two entries cannot share the same alias. List the certificates already present in the keystore with:

pdm_perl %NX_ROOT%\bin\pdm_keystore_mgr.pl -list

If an old ITPAM certificate exists, remove it before importing the new one:

pdm_perl %NX_ROOT%\bin\pdm_keystore_mgr.pl -delete <ITPAM Certificate Alias>

11.  Import the new ITPAM certificate into Service Desk Manager by entering the following command:

  • Windows - pdm_perl %NX_ROOT%\bin\pdm_keystore_mgr.pl -import %NX_ROOT%\bin\itpam.cer
  • UNIX - pdm_perl $NX_ROOT/bin/pdm_keystore_mgr.pl -import $NX_ROOT/bin/itpam.cer

The pdm_keystore_mgr.pl script generates the keystore file in the following locations: 

  • Windows - %NX_ROOT%\pdmconf\nx.keystore 
  • UNIX - $NX_ROOT/pdmconf/nx.keystore 

12.  If your Service Desk Manager architecture includes secondary servers, or is an Advanced Availability deployment with application servers, then on each secondary or application server back up the existing nx.keystore file under NX_ROOT\pdmconf, together with the NX.env file, to a separate location. Then copy the nx.keystore from the primary or background server into the same pdmconf folder on every secondary or application server.

Note:  The nx.keystore must be copied manually to each secondary or application server; otherwise those servers cannot talk to the PAM server.

13.  Restart the CA Service Desk Manager service on the BG/Primary server, then restart services on the constituent app / secondary servers if applicable.

Service Desk Manager can now communicate with the SSL enabled ITPAM application.

Additional Information

See also:

KB Article 269938:  Unable to access ITPAM workflow in ServiceDesk Manager with SSL enabled.

KB Article 103456: problems with SSL connection for SDM connecting to Maileater, PAM, or Catalog (similar maintenance instructions for nx.keystore)

Addendum

The NX.env variable NX_KEYSTORE_REF is generated on the background or primary server. It is an encrypted internal password used to read nx.keystore, so a copied nx.keystore is only usable by a server whose NX_KEYSTORE_REF matches. Whenever the application or secondary servers are recycled, they should obtain the NX_KEYSTORE_REF entry from the background or primary server along with the nx.keystore.

The itpam.cer certificate file described above should be stored LOCALLY on the SDM Server.  

In some ITPAM configurations, the certificate presented on the PAM SSL URL is not the only one SDM needs to trust, and the certificates above it in the chain must be imported as well. To check:

  • Open the PAM SSL URL in a browser. Click (or right-click, depending on the browser) the lock icon in the address bar to view the certificate and its certification path.
  • If the path shows additional certificates (intermediate or root CA certificates above the server certificate), export each of them to a file in Base64-encoded X.509 format and import each one into SDM with:

pdm_perl pdm_keystore_mgr.pl -import <cer file>
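The checks behind steps 3 to 7 of the resolution and the chain check in this addendum, as an added example that is not part of the KB article or of CA's tooling: a Python pre-flight script that reads KEYSTOREID and the keystore alias from OasisConfig.properties, verifies that the three caextwf_* options are https URLs naming the same ITPAM host and port, builds the keytool export command, converts the exported itpam.cer to PEM, and then performs a TLS handshake against ITPAM trusting only that certificate, which reproduces outside SDM the same trust decision that produces the "PKIX path building failed" error. Assumptions: OasisConfig.properties is a plain Java .properties file; itpam.cer is DER (keytool's default) or PEM; the host itpam.example.com, the sample KEYSTOREID, the dummy.url entry and the script name itpam_ssl_check.py are constructed for illustration; keytool's -storepass:env option is used in place of the interactive password prompt of step 7.

```python
# Added example, not CA/Broadcom code. Assumptions the article does not make: OasisConfig.properties
# is a plain Java .properties file, itpam.cer is DER (keytool default) or PEM, and every
# host, URL, path and KEYSTOREID value in the sample data below is constructed.
import re
import socket
import ssl
import sys
from urllib.parse import urlsplit

CAEXTWF_OPTIONS = ("caextwf_endpoint", "caextwf_processdisplay_url", "caextwf_worklist_url")
KEYSTOREID_RE = re.compile(r"^[0-9A-Za-z]{8}(-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12}$")  # shape only

def _split_kv(line):
    """Split at the first unescaped '=', ':' or blank; drop backslash escapes."""
    key, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == "\\" and i + 1 < n:
            key.append(line[i + 1]); i += 2; continue
        if c in "=: \t":
            break
        key.append(c); i += 1
    rest = line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return "".join(key), re.sub(r"\\(.)", r"\1", rest)

def parse_java_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, backslash continuations, escapes."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes a pending continuation
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing '\': continues
            pending = line[:-1]
            continue
        key, value = _split_kv(line)
        props[key] = value
    return props

def read_itpam_keystore_settings(properties_text):
    """Steps 4-5: return (KEYSTOREID, keystore alias) from OasisConfig.properties."""
    props = parse_java_properties(properties_text)
    keystore_id = props.get("KEYSTOREID", "")
    if not KEYSTOREID_RE.match(keystore_id):
        raise ValueError("KEYSTOREID missing or not in XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX form")
    return keystore_id, props.get("itpam.web.keystorealias", "ITPAM")  # ITPAM: article default

def check_caextwf_urls(options):
    """Step 3: every caextwf_* option must be https:// and name the same ITPAM host:port."""
    targets = set()
    for name in CAEXTWF_OPTIONS:
        u = urlsplit(options.get(name) or "")
        if u.scheme != "https" or not u.hostname:
            raise ValueError(f"{name} must be https://host:port/... for SSL-enabled ITPAM, got {options.get(name)!r}")
        targets.add((u.hostname, u.port or 443))
    if len(targets) != 1:
        raise ValueError(f"caextwf_* options disagree on the ITPAM host/port: {sorted(targets)}")
    return targets.pop()

def keytool_export_cmd(keytool, keystore, alias, out_file="itpam.cer"):
    """Step 6 as argv; -storepass:env reads the KEYSTOREID from that variable (no prompt, no history)."""
    return [keytool, "-keystore", keystore, "-export", "-alias", alias,
            "-file", out_file, "-storepass:env", "KEYSTOREID"]

def to_pem(cert_bytes):
    """keytool -export writes DER unless -rfc is given; ssl needs PEM for cafile."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        return cert_bytes.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(cert_bytes)

def probe_trust(host, port, pem_path, timeout=10):
    """TLS handshake trusting only the exported ITPAM certificate(s): the question
    SDM's Java PKIX validator asks. Returns (trusted, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=pem_path)
    # Java trusts a server cert that is itself in the truststore; OpenSSL needs PARTIAL_CHAIN (3.10+)
    ctx.verify_flags |= getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"trusted ({tls.version()})"
    except ssl.SSLCertVerificationError as e:  # what SDM logs as "PKIX path building failed"
        return False, f"untrusted: {e.verify_message}; import the missing certificate(s) as well"
    except OSError as e:  # other TLS errors and plain connection failures
        return False, f"handshake/connection failed: {e}"

SAMPLE_OASIS_CONFIG = """\
# constructed sample, not real ITPAM data: the two keys the article says to look up
# plus a dummy entry that uses the escaping found in .properties files
KEYSTOREID=0f3a9c2e-1b4d-4e6f-8a7b-9c0d1e2f3a4b
itpam.web.keystorealias=ITPAM
dummy.url=https\\://itpam.example.com\\:8443/itpam
"""
SAMPLE_OPTIONS = dict.fromkeys(CAEXTWF_OPTIONS, "https://itpam.example.com:8443/itpam")

if __name__ == "__main__" and len(sys.argv) == 3:  # itpam_ssl_check.py itpam.cer https://itpam-host:8443
    host, port = check_caextwf_urls(dict.fromkeys(CAEXTWF_OPTIONS, sys.argv[2]))
    with open(sys.argv[1], "rb") as der, open(sys.argv[1] + ".pem", "w") as pem:
        pem.write(to_pem(der.read()))
    print(*probe_trust(host, port, sys.argv[1] + ".pem"))
```

Run it from the SDM server as python itpam_ssl_check.py itpam.cer https://itpam-host:8443 after step 7; a "trusted" result means the exported certificate is enough for the PKIX check, while an "untrusted" result with an issuer-related message (typically OpenSSL's "unable to get local issuer certificate") means the certificate ITPAM actually serves is not the one exported or is issued by a CA whose certificate is missing, which is the situation the addendum above describes. The parsing and URL functions run offline, so they can be exercised without access to ITPAM.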