How to enable SSL on OneClick and WebApp with self-signed certificate


Article ID: 200602


Products

CA Spectrum

Issue/Introduction

This article provides a step-by-step walkthrough for setting up SSL (Secure Sockets Layer) on the Spectrum OneClick web server and OneClick WebApp.

Environment

Release : 20.2

Component : Spectrum OneClick

Resolution

Follow the steps outlined in this section of the Spectrum guide to generate a private self-signed certificate:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-2/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/configure-oneclick-for-secure-sockets-layer.html

1. Open a bash shell (bash -login) on the Spectrum OneClick web server machine.

2. Navigate to the $SPECROOT/Java/bin/ directory.

3. Run the following command to add the tomcatssl alias to the cacerts keystore file:

$ ./keytool.exe -genkey -alias tomcatssl -keyalg RSA -keystore c:/win32app/Spectrum/custom/keystore/cacerts

OR

$ ./keytool.exe -genkey -alias tomcatssl -keyalg RSA -keystore ../../custom/keystore/cacerts

4. The default password is "changeit" without quotes.

5. In the "What is your first and last name?" field supply the OneClick FQDN (Fully Qualified Domain Name).

6. Supply the other information similar to the screenshot below:

 

Follow the steps outlined in this section of the Spectrum guide to configure the Secure Socket on the OneClick Web Server Host:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-2/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/configure-oneclick-for-secure-sockets-layer.html

7. Shut down the OneClick web server.

cd $SPECROOT/tomcat/bin/

./stopTomcat.sh

8. Open the $SPECROOT/tomcat/conf/server.xml file in your preferred text editor. (Take a backup before modifying it)

9. Locate the following section in the server.xml file and uncomment it, then replace the <SPECROOT> variable in the value of the keystoreFile attribute with the fully qualified path to the directory where DX Spectrum is installed.

  • Remove "<!--" from the line preceding <Connector.

  • Remove "-->" from the end of the section (after </Connector>).

  • Windows
    C:/win32app/Spectrum/custom/keystore/cacerts

  • UNIX
    /usr/Spectrum/custom/keystore/cacerts

10. Save and close the server.xml file.

11. Start the OneClick web server.

cd $SPECROOT/tomcat/bin/

./startTomcat.sh

12. Enter the following URL in the browser:

https://<OneClick_hostname>:<port>/spectrum
https://<OneClick_hostname>:443/spectrum

Then click on "Continue to this website (not recommended)."

 

Follow these steps to install the private self-signed certificate:

13. Click on the Certificate error.

14. Click on View certificates.

15. Click on Install Certificate.

16. Select Local Machine and click on Next button.

17. Select "Place all certificates in the following store" and click on Browse button.

18. Select "Trusted Root Certification Authorities" and click on the OK button.

19. Click on the Next button.

20. Click on the Finish button.

21. Click on the OK button.

22. Click on the OK button.

23. Close the browser, and launch it again.

Enter the following URL in the browser:

https://<OneClick_hostname>:<port>/spectrum
https://<OneClick_hostname>:443/spectrum

There is no certificate error.

Click on the OneClick WebApp.

24. A new tab will open with the following error message:

 

Follow the steps outlined in this section of the Spectrum guide to configure SSL support for OneClick WebApp:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-2/managing-client-applications/oneclick-webapp-beta.html

25. Open the $SPECROOT/tomcat/conf/server.xml file, copy the HTTPS connector section, and paste it into the $SPECROOT/webtomcat/conf/server.xml file, using a different port so that it does not conflict with the standard OneClick Tomcat SSL port.

Copy rows 11 to 37 of the $SPECROOT/tomcat/conf/server.xml file.

Paste them at row 146 of the $SPECROOT/webtomcat/conf/server.xml file. The copied section should be between the </Engine> and </Service> tags.
Change the port number from 443 to 7443. Avoid using port 9443, as this port should already be in use.

26. Save and close the server.xml file.

27. Stop/Start the SpectrumWebTomcat service.

28. Launch the OneClick WebApp again. This time it should open successfully.
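Before restarting either Tomcat, the edited server.xml can be checked for the two mistakes that steps 9 and 25 make possible: a leftover <SPECROOT> placeholder and a WebApp port clash. This is an added example, not Spectrum tooling or part of the original article; the function names and the sample connector are constructed for illustration.

```shell
# Added example: lint the HTTPS connector of a server.xml read from stdin.
# Usage: check_https_connector [webapp] < $SPECROOT/webtomcat/conf/server.xml

# Print stdin with XML comments removed and lines joined, so a connector
# that is still inside <!-- ... --> is not counted as active.
active_xml() {
  awk '{ s = $0; o = ""
         while (s != "") {
           if (c) {
             i = index(s, "-->"); if (!i) break
             s = substr(s, i + 3); c = 0
           } else {
             i = index(s, "<!--"); if (!i) { o = o s; break }
             o = o substr(s, 1, i - 1); s = substr(s, i + 4); c = 1
           }
         }
         printf "%s ", o }'
}

check_https_connector() {
  local xml tag port rc=0
  xml="$(active_xml)"
  tag="$(printf '%s\n' "$xml" | grep -o '<Connector[^>]*keystoreFile[^>]*' | head -n 1)"
  if [ -z "$tag" ]; then echo "FAIL no uncommented Connector with keystoreFile"; return 1; fi
  case "$tag" in *'<SPECROOT'*) echo "FAIL keystoreFile still contains <SPECROOT>"; rc=1 ;; esac
  port="$(printf '%s\n' "$tag" | sed -n 's/.*[[:space:]]port="\([0-9]*\)".*/\1/p')"
  echo "INFO HTTPS connector port: ${port:-not found}"
  if [ "$1" = "webapp" ]; then      # webtomcat copy: apply the step 25 port rules
    case "$port" in
      443)  echo "FAIL 443 conflicts with the standard OneClick Tomcat SSL port"; rc=1 ;;
      9443) echo "FAIL 9443 should already be in use"; rc=1 ;;
    esac
  fi
  return "$rc"
}

# Constructed sample: connector pasted into webtomcat but not yet edited.
sample_xml() { cat <<'EOF'
<Service name="Catalina">
  <!-- <Connector port="9443" keystoreFile="/old/cacerts" /> -->
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="<SPECROOT>/custom/keystore/cacerts">
  </Connector>
</Service>
EOF
}

sample_xml | check_https_connector webapp || echo "fix the findings above first"
```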

 

 

Additional Information

What logs and configuration files to review:

  • $SPECROOT/webtomcat/bin/logs/webswing.log
  • $SPECROOT/webtomcat/logs/catalina.out (Linux) or stdout.log (Windows)
  • $SPECROOT/webtomcat/conf/server.xml
  • $SPECROOT/tomcat/logs/catalina.out (Linux) or stdout.log (Windows)
  • $SPECROOT/tomcat/conf/server.xml

 

How to check the certificate installed on the browser:

 

How to list the tomcatssl alias in the cacerts file:

$ ./keytool.exe -v -list -keystore ../../custom/keystore/cacerts -alias tomcatssl
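The listing output can be checked mechanically for the properties the setup depends on: the entry holds a private key, and its CN is the OneClick FQDN entered in step 5. This is an added example, not part of the original article; the function names, the host name oneclick.example.com and the sample listing are constructed for illustration.

```shell
# Added example: sanity-check the tomcatssl entry from keytool's listing.
# Usage (host name is a placeholder):
#   ./keytool.exe -v -list -keystore ../../custom/keystore/cacerts \
#       -alias tomcatssl | check_tomcatssl oneclick.example.com

kt_field() { sed -n "s/^$1: *//p" | head -n 1; }   # value of a "Name: value" line
lower()    { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

check_tomcatssl() {
  local fqdn="$1" out type owner issuer cn expires rc=0
  out="$(tr -d '\r')"                  # keytool.exe output may carry CRLF
  type="$(printf '%s\n' "$out" | kt_field 'Entry type')"
  owner="$(printf '%s\n' "$out" | kt_field 'Owner')"
  issuer="$(printf '%s\n' "$out" | kt_field 'Issuer')"
  cn="$(printf '%s\n' "$owner" | sed -n 's/^CN=\([^,]*\).*/\1/p')"
  expires="$(printf '%s\n' "$out" | sed -n 's/^Valid from: .* until: *//p' | head -n 1)"

  # Tomcat can only serve TLS from an entry that holds the private key.
  if [ "$type" = "PrivateKeyEntry" ]; then echo "OK   entry type: $type"
  else echo "FAIL entry type: ${type:-not found} (need PrivateKeyEntry)"; rc=1; fi
  # Step 5: the "first and last name" answer becomes the CN and must be the FQDN.
  if [ -n "$cn" ] && [ "$(lower "$cn")" = "$(lower "$fqdn")" ]; then echo "OK   CN: $cn"
  else echo "FAIL CN: '${cn}' does not match $fqdn"; rc=1; fi
  # Self-signed means the issuer is the same name as the owner.
  if [ -n "$owner" ] && [ "$owner" = "$issuer" ]; then echo "OK   self-signed"
  elif [ -n "$owner" ]; then echo "INFO issuer differs from owner: not self-signed"; fi
  # keytool issues a 90-day certificate unless -validity was given.
  echo "INFO valid until: ${expires:-unknown}"
  return "$rc"
}

# Constructed sample in keytool's listing format, so the check runs offline.
sample_listing() { cat <<'EOF'
Alias name: tomcatssl
Creation date: Jan 5, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=oneclick.example.com, OU=NetOps, O=Example Corp, L=Plano, ST=TX, C=US
Issuer: CN=oneclick.example.com, OU=NetOps, O=Example Corp, L=Plano, ST=TX, C=US
Serial number: 5ff43a10
Valid from: Tue Jan 05 10:00:00 UTC 2021 until: Mon Apr 05 10:00:00 UTC 2021
EOF
}

sample_listing | check_tomcatssl oneclick.example.com
```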

 

How to delete the tomcatssl alias in the cacerts file:

$ ./keytool.exe -delete -alias tomcatssl -keystore ../../custom/keystore/cacerts

 

How to recover the original cacerts file if it gets corrupted:

1. Rename the cacerts file under $SPECROOT\custom\keystore to cacerts.orig.
2. Copy the cacerts file from $SPECROOT\Java\jre\lib\security to $SPECROOT\custom\keystore.
3. Rerun the keytool command.

 

If the cacerts file has only one entry, follow the KB article below to recover the original cacerts file and then add the tomcatssl alias.

https://knowledge.broadcom.com/external/article?articleId=129913

Ensure the OOB cacerts ($SPECROOT/Java/jre/lib/security/cacerts) file is not empty.

 

How to remove the certificate from the browser:

 

 
