Configuring HTTPS on Clarity

Article ID: 9783

Products

Clarity PPM On Premise

Issue/Introduction

How do you enable Clarity to communicate via HTTPS?

Resolution

Note that these instructions are for a non-clustered Clarity setup. For a load-balanced architectural implementation, the way to enable SSL is very simple and is provided in the "Additional Information" section.

Step 1: Generate a Keystore

  1. Log in to the server that hosts Clarity
  2. Navigate to the directory in which you would like your private key to be placed. For example: "C:\clarity16"
  3. Run a command such as the following to generate a keystore:

    keytool -genkey -keystore C:\clarity16\keystore.jks -keyalg RSA -storepass changeit

    Note that "keystore.jks" is the name of the keystore and "changeit" is its password. Choose a stronger password when you run this command and do not forget it, because it is needed in later steps.
  4. You will be prompted for the server and organization details. Have this information at hand before you run the command in step 3. The Certification Authority can provide all the necessary details, so check with them if you cannot answer all the prompts on the first attempt. When prompted for "first and last name", enter the complete name of the server.
    Note that the server name should not include "http://" or "https://".

Step 2: Generate a certificate request

Run a command such as the following to generate a Certification Request:

keytool -certreq -keystore C:\clarity16\keystore.jks -keyalg RSA -file myRequest0.cer

Send this file to the Certification Authority to obtain a certificate for your server.

Step 3: Import Certificates into the keystore

  1. Make sure that you have these certificates ready before the start of import into the keystore:
    • Server certificate

    • Intermediate certificate

    • Root certificate

      (Check with the Certification Authority for Root and Intermediate certificates)

  2. Run a command such as the following to import the root certificate (replacing the keystore name, path, certificate name, etc.):

    keytool -import -keystore C:\clarity16\keystore.jks -keyalg RSA -file root.cer -trustcacerts -alias myroot

  3. To import an intermediate certificate:

    keytool -import -keystore C:\clarity16\keystore.jks -keyalg RSA -file intermediate.cer -trustcacerts -alias myintermediate

  4. Finally, import the server certificate:

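    keytool -import -keystore C:\clarity16\keystore.jks -keyalg RSA -file server.cer -trustcacerts -alias mykey

    Note that the alias here must be the alias of the key pair generated in Step 1 ("mykey" is the keytool default when no -alias was given), so that the certificate is attached to the private key rather than stored as a separate trusted certificate.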

Step 4: Make Changes in the CSA

  1. Navigate to the "Security" tab in the CSA

  2. Provide the fully qualified path of your keystore in the "SSL Keystore" field

  3. Provide and confirm the password for the keystore in the "SSL Password" and "Confirm Password" fields respectively

  4. Now navigate to the "Application" tab

  5. Change "SSL Handling" to "Support both HTTP and HTTPS without switching"

  6. Check the "HTTPS Enabled" field under section "Application Instance: app"

  7. Change "HTTPS Port" to a number allotted to the Clarity Application (this is organization-dependent). For example, the port number could be 8043

  8. Change "HTTPS Entry URL" to the exact server name that was provided during keystore generation (Step 1, item 3)

  9. Restart the Application Service

  10. Once you have verified that HTTPS is working by browsing to the application over HTTPS (use the right port number and URL; for example, the URL could be "https://servername.example.com:8043/"), change "SSL Handling" to "Support only HTTPS". Restart the Application Service again

How to Use Windows Certificate Manager to Export the Keystore?

  1. On the Windows machine, ask the administrator to export the certificate along with the private key.
  2. The password set for the private key should be the same as the password set for the ".pfx" file that is being exported.
  3. Change the extension of the exported file from ".pfx" to ".p12", as they are the same.
  4. Configure the resulting keystore in the NSA/CSA under the "Security" tab, along with the password.

Additional Information

  • In a Load-balanced setup, the certificate will have to be installed on the Load Balancer and not the Clarity Application Servers. Once that is done, change the "SSL Handling" to "SSL is used but processed externally", under the "Application" tab.
  • If you imported a certificate wrongly, and want to delete it, a command such as this can be used: "keytool -keystore c:\clarity16\keystore.jks -alias root -delete"
  • Another very useful command to list all the certificates in a keystore is: "keytool -keystore c:\clarity16\keystore.jks -list" and to turn verbose on, use "keytool -keystore c:\clarity16\keystore.jks -list -v"
  • Finally, the paths mentioned here are for a Windows operating system. Change them to follow Linux path conventions if the application runs on that operating system. Everything other than the paths remains the same.
  • KeyStore Explorer is a very useful tool for finding issues with a keystore and the imported certificates

Note: You may wish to take a look at our documentation too here: CSA: Security, Passwords, LDAP, SSL, SSO, XSS (On-Premise Only)

Note: In some environments, and with some certificate authorities, the SAN is mandatory in the CSR as per X509 standards. In that case, use the two commands below to generate the keystore and the CSR with the SAN extension:

* keytool -alias "hostname" -genkey -keystore C:\clarity16\keystore.jks -keyalg RSA -storepass changeit

* keytool -certreq -alias "hostname"  -keystore C:\clarity16\keystore.jks -keyalg RSA -file myRequest0.cer -ext "SAN=DNS:hostname"