How to Enable Communications between Service Desk and ITPAM when ITPAM is SSL Enabled?
search cancel

How to Enable Communications between Service Desk and ITPAM when ITPAM is SSL Enabled?


Article ID: 9538


Updated On:


CA Service Management - Service Desk Manager CA Service Desk Manager CA Process Automation Base


Accessing ITPAM from Service Desk is done via the Administrator tab and under Service Desk->Change Order->Categories and then selecting a category such as One the Category, select the Workflow tab, select Edit and click on the ITPAM button.

Without enabling communication between Service Desk and SSL ITPAM, the following error is returned:

"There is a problem accessing CA IT PAM Workflow - please try again or contact the administrator. Details: ; nested exception is: Error constructing implementation (algorithm: Default, provider: SunJSSE, class:"


In the SDM Server's jstd.log, this message may also appear: Error constructing implementation (algorithm: Default, provider: SunJSSE, class:$DefaultSSLContext)



Service Desk Manager 14.1 and 17.x

All Supported version of IT Process Automation (ITPAM)


This error is caused because the trust between the Service Desk and ITPAM has not been created.


When ITPAM is configured for SSL, you must configure the primary and secondary Service Desk Manager servers to communicate with ITPAM.

To enable communications when ITPAM is SSL enabled, perform the following steps:

1.  Verify that you can access and use ITPAM via a web browser, without launching Service Desk Manager. Record the ITPAM URL and use it for reference when you configure the CA IT PAM Workflow options in Service Desk Manager Options Manager.

2.  Ensure both Service Desk servers and ITPAM servers alike are running the same release of Java Run time (JRE).  For further details on updating JRE on the Service Desk installation, please review the documentation link under "Additional Information"

3.  Log in to Service Desk Manager as an Administrator user and install or modify the CA IT PAM Workflow options in Options Manager. For each of the following options, use the syntax https://server:8443 instead of http://server:8080 for reaching the SSL enabled ITPAM application.

However, if the ITPAM installation uses another port instead of the 8443 SSL port, specify the appropriate port number.

    • caextwf_endpoint 
    • caextwf_processdisplay_url 
    • caextwf_worklist_url

Note: If the values do not match the actual ITPAM installation values, Service Desk Manager cannot communicate with ITPAM and a runtime error occurs.

Verify that the values match the actual ITPAM installation values because the ITPAM installer might have selected a different port instead of port 8443.

4.  On the ITPAM server, locate the KEYSTOREID entry in the following file:


5.  Copy the KEYSTOREID for potential use later on.

6.  On the ITPAM server, issue the following keytool command as one line on the command line:

C:\Progra~1\ca\sc\jre\1.6.0_24\bin\keytool.exe -keystore C:\Progra~1\ITPAM\server\c2o\.config\c2okeystore -export -alias ITPAM -file itpam.cer

Default: ITPAM
Note: In earlier versions of ITPAM, the default was c2o-j

The keytool utility prompts you for a password.

7.  Type the ITPAM certificate password that was given to you by your certificate authority.

The keytool utility uses the final parameter (-file itpam.cer) to create a file named itpam.cer. The itapm.cer file contains the necessary certificate information for communication with Service Desk Manager.

8.  Move the itpam.cer file to one of the following locations on the Service Desk Manager server (NX_ROOT is the install directory for Service Desk Manager):

  • (Windows) %NX_ROOT%\bin 
  • (UNIX) $NX_ROOT/bin

9.  It is recommended to backup the existing NX.KEYSTORE file located in the NX_ROOT\pdmconf directory on the SDM Server(s)

10.  Check the NX_ROOT\bin folder on the Service Desk server(s) for any existing ITPAM certificates since you cannot have multiple aliases with the same name.  You can use the following command to list any certificates already present in the Keystore:

pdm_perl %NX_ROOT%\bin\ -list

If any old ITPAM certificates exist, you will need to remove them by running the following command:

pdm_perl %NX_ROOT%\bin\ -delete <ITPAM Certificate Alias>

11.  Import the updated/new ITPAM certificate information into Service Desk Manager by entering the following command:

  • Windows - pdm_perl %NX_ROOT%\bin\ -import %NX_ROOT%\bin\itpam.cer
  • UNIX- pdm_perl $NX_ROOT/bin/ -import $NX_ROOT/bin itpam.cer

The script generates the keystore file in the following locations: 

  • Windows - %NX_ROOT%\pdmconf\nx.keystore 
  • UNIX - $NX_ROOT/pdmconf/nx.keystore 

12.  If your Service Desk Manager architecture includes secondary servers or is Advanced Availability, repeat steps #8-#11for each secondary or Application Servers in your environment.  You will also need to failover to your standby server and run the on your corresponding background/standby server as well. 

Note: Make sure that the NX_KEYSTORE_REF file is unique across each server.

13.  Restart the CA Service Desk Manager service.

Service Desk Manager can now communicate with the SSL enabled ITPAM application.

Additional Information

See also:

KB Article 269938:  Unable to access ITPAM workflow in ServiceDesk Manager with SSL enabled.


Previous versions of this document had alluded to using Service Desk version control to distribute the nx.keystore from the primary/background servers to the constituent secondary/application servers.  This is inadvisable as the NX_KEYSTORE_REF setting in the NX.env file may vary per secondary server depending on the content of the nx.keystore file.

The itpam.cer certificate file described above should be stored LOCALLY on the SDM Server.  Please do not rely on a network share to distribute the given certificate file across SDM Servers.

In some ITPAM configurations, you may also need to acquire additional certificate information.  To check:

  • Access PAM SSL URL via browser.  When you do, on the URL bar, there should be a lock icon, which you can right-click to view the certificate
  • If you see any additional certificates, you will also need to export these certs to file in BASE64 format to be imported to SDM, using the command  

pdm_perl -import <cer file>