This document explains how to use Certificate Authority (CA) signed certificates for the EEM portal.
Release: 12.6 and later
Component: CA EMBEDDED ENTITLEMENTS MANAGER
Infrastructure security standards require Trusted Certificate Authority signed certificates for all URLs, including the EEM web portal.
EEM iGateway uses the default igateway certificates (igatewayCert) installed during the installation.
Follow the instructions below to use the CA signed certificates (custom p12 certificates):
(Note: Contact the infrastructure security admin to get the CA signed certificates for the server in a p12 bundle.)
1. Copy the p12 certificate to the iTechnology directory (IGW_LOC).
*NIX:
cd $IGW_LOC
Default dir:
/opt/CA/SharedComponents/iTechnology
Windows:
cd %IGW_LOC%
Default dir:
C:\Program Files (x86)\CA\SC\iTechnology
2. Stop the CA iTechnology iGateway service.
*NIX:
cd $IGW_LOC
./S99igateway stop
Windows:
Open services.msc and stop the "CA iTechnology iGateway" service.
3. Edit the IGW_LOC/igateway.conf file and update the <Connector name="defaultport"> section.
Before the changes, the section would be similar to:
<Connector name="defaultport">
<port>5250</port>
<mustlisten>true</mustlisten>
<conntype/>
<conntimeout>120</conntimeout>
<peektimeout>30</peektimeout>
<maxconnections>1000</maxconnections>
<maxrequestbytes>10000000</maxrequestbytes>
<maxpiperequests>10</maxpiperequests>
<maxAcceptRate/>
<certType/>
<certURI/>
<certPW/>
<keyURI/>
<keyPW/>
<secureProtocol/>
<cipherlist/>
</Connector>
4. Set certType to p12
<certType>p12</certType>
5. Set certURI to the name of the certificate file (filename.p12)
<certURI>filename.p12</certURI>
6. Munge the certificate password using $IGW_LOC/ConfigTool.
Example *NIX:
cd /opt/CA/SharedComponents/iTechnology
./ConfigTool -munge -version 4.7.6.1 -comp igateway -conf igateway.conf -tag "TransportReceiver=HTTP;Connector=defaultport;certPW;" -passwd <password>
Example Windows:
ConfigTool.exe -munge -version 4.7.6.1 -comp igateway -conf igateway.conf -tag "TransportReceiver=HTTP;Connector=defaultport;certPW;" -passwd <password>
(Important: The version must match the version in the file $IGW_LOC/igateway.conf.)
Example:
igateway.conf file contains:
<iGatewayConfig>
<Version>4.7.5.2</Version>
Command to run:
./ConfigTool -munge -version 4.7.6.1 -comp igateway -conf igateway.conf -tag "TransportReceiver=HTTP;Connector=defaultport;certPW;" -passwd testpass
Operation Successful!!
Result in igateway.conf file:
<certPW>EgAdHA4=</certPW>
7. After the updates, the section looks like the following (with the appropriate p12 file name and munged password values):
<Connector name="defaultport">
<port>5250</port>
<mustlisten>true</mustlisten>
<conntype/>
<conntimeout>120</conntimeout>
<peektimeout>30</peektimeout>
<maxconnections>1000</maxconnections>
<maxrequestbytes>10000000</maxrequestbytes>
<maxpiperequests>10</maxpiperequests>
<maxAcceptRate/>
<certType>p12</certType>
<certURI>filename.p12</certURI>
<certPW>EgAdHA4=</certPW>
<keyURI/>
<keyPW/>
<secureProtocol/>
<cipherlist/>
</Connector>
8. Start the iTechnology service
igateway start
In some cases, you may need to run the ConfigTool password munge function first, so that the password is written to igateway.conf, before adding the new certificate information.
See also KB Article 46312 for how to implement ciphers for EEM and which ones are supported.
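A pre-start check for the edited connector, as an added example (not CA's own tooling): it reads igateway.conf, reports the <Version> value to pass to ConfigTool -version, and flags an unset certType, a certURI file missing from IGW_LOC, or an empty certPW. It assumes igateway.conf parses as XML; check_connector and the sample file are constructed for illustration, with the TransportReceiver nesting inferred from the -tag path used in step 6.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: only elements shown on this page; the TransportReceiver
# nesting is an assumption inferred from the ConfigTool -tag path.
SAMPLE_CONF = """<iGatewayConfig>
<Version>4.7.5.2</Version>
<TransportReceiver name="HTTP">
<Connector name="defaultport">
<port>5250</port>
<certType>p12</certType>
<certURI>filename.p12</certURI>
<certPW>EgAdHA4=</certPW>
</Connector>
</TransportReceiver>
</iGatewayConfig>"""


def check_connector(conf, igw_loc, name="defaultport"):
    """Return (version, problems) for the named Connector (hypothetical helper)."""
    root = ET.fromstring(conf)
    version = (root.findtext(".//Version") or "").strip()
    problems = [] if version else ["no <Version>; cannot match ConfigTool -version"]
    conn = root.find(f".//Connector[@name='{name}']")
    if conn is None:
        return version, problems + [f"Connector '{name}' not found"]

    def get(tag):
        return (conn.findtext(tag) or "").strip()

    if get("certType").lower() != "p12":
        problems.append("certType is not p12")
    uri = get("certURI")
    if not uri:
        problems.append("certURI is empty")
    elif not os.path.isfile(os.path.join(igw_loc, uri)):
        problems.append(f"{uri} not found in {igw_loc}")
    if not get("certPW"):
        problems.append("certPW is empty; run the ConfigTool -munge step")
    return version, problems


if __name__ == "__main__":
    igw_loc = os.environ.get("IGW_LOC", "/opt/CA/SharedComponents/iTechnology")
    path = os.path.join(igw_loc, "igateway.conf")
    conf = open(path, "rb").read() if os.path.isfile(path) else SAMPLE_CONF
    version, problems = check_connector(conf, igw_loc)
    print("Version for ConfigTool -version:", version)
    print("\n".join(problems) or "defaultport connector is complete")
```

Run it after step 7 and before starting the service; an empty problem list only means the connector fields are filled in, not that the p12 password is correct.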