This KB article provides additional clarification of the existing documentation for setting up a 3rd-party SSL certificate in CA Process Automation (PAM) 4.4 (WildFly implementation). Use it as a supplement to, and annotation of, the existing documentation.
Release: 4.4 or higher
CA Process Automation
The following instructions assume that the PAM install location is "C:\Program Files\CA\PAM\"
The files of interest, and their default locations are:
OasisConfig.properties: located in C:\Program Files\CA\PAM\wildfly\standalone\.config
standalone-full-ha.xml: located in C:\Program Files\CA\PAM\wildfly\standalone\configuration
customcert.jks: the keystore holding the 3rd-party SSL certificate together with its private key and certificate chain. Place this file in C:\Program Files\CA\PAM\wildfly\standalone\.config.
Note: This file must be a JKS keystore. See KB Article 372540 for reference.
Back up all of the above files to a different location before making any modifications.
In OasisConfig.properties, point PAM at the custom keystore. Use forward slashes in the path, as shown; a backslash would have to be escaped in a Java properties file:
itpam.custom.web.keystorepath=C:/Program Files/CA/PAM/wildfly/standalone/.config/customcert.jks
The first approach keeps the keystore password in clear text in standalone-full-ha.xml.
Note: The PasswordEncryption.bat utility located in C:\Program Files\CA\PAM\wildfly\standalone is NOT compatible with this approach; with this approach there is no way to encrypt the keystore password, so it remains in the configuration file in clear text. We recommend using this approach to confirm that your custom keystore and its password work if the Password Vault approach does not.
Configure the keystore path and keystore-password for the custom certificate in standalone-full-ha.xml. The line to uncomment and adjust is:
<keystore path="${itpam.custom.web.keystorepath}" keystore-password="XXXX"/>
where XXXX is the keystore password of customcert.jks.
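The following PowerShell script is an added example for this article, not a CA utility. It automates the clear-text approach end to end: it backs up the three files named above, checks that customcert.jks really is a JKS keystore (by its magic bytes, since keytool's compatibility mode would also open a PKCS12 file), confirms with keytool that the supplied password opens it and that it contains a private-key entry, writes itpam.custom.web.keystorepath into OasisConfig.properties, and rewrites the keystore line in standalone-full-ha.xml with the XML-escaped password. It assumes the default install path, keytool.exe on the PATH, and that the keystore line appears exactly once in the XML, either as shown above or wrapped in a single-line <!-- --> comment; the parameter names are the script's own.

```powershell
# Added example for this KB article (not CA's own tooling): validate customcert.jks and
# wire it into PAM for the clear-text password approach. Assumes the default install path,
# keytool.exe on PATH, and a single (possibly commented-out) keystore line in the XML.
param(
    [string]$PamHome = 'C:\Program Files\CA\PAM',
    [string]$KeystoreFile = 'customcert.jks',
    [Parameter(Mandatory = $true)][string]$KeystorePassword,   # XXXX in the KB
    [string]$Keytool = 'keytool.exe'
)

$configDir  = Join-Path $PamHome 'wildfly\standalone\.config'
$props      = Join-Path $configDir 'OasisConfig.properties'
$standalone = Join-Path $PamHome 'wildfly\standalone\configuration\standalone-full-ha.xml'
$keystore   = Join-Path $configDir $KeystoreFile
$latin1     = [System.Text.Encoding]::GetEncoding('ISO-8859-1')   # Java .properties encoding

# 1. Timestamped backups outside the live directories (the KB requires backups first).
$backupDir = Join-Path $env:TEMP ('pam-ssl-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -ErrorAction Stop | Out-Null
foreach ($f in @($props, $standalone, $keystore)) {
    Copy-Item -Path $f -Destination $backupDir -ErrorAction Stop
}
Write-Host "Backups written to $backupDir"

# 2a. The KB requires a JKS keystore. A PKCS12 file would still load through keytool's
#     JKS/PKCS12 compatibility mode, so check the on-disk format: JKS begins with FE ED FE ED.
$magic = [System.IO.File]::ReadAllBytes($keystore)[0..3]
if ($magic[0] -ne 0xFE -or $magic[1] -ne 0xED -or $magic[2] -ne 0xFE -or $magic[3] -ne 0xED) {
    $hex = ($magic | ForEach-Object { $_.ToString('X2') }) -join ' '
    throw "'$keystore' is not a JKS keystore (magic bytes $hex); convert it first, see KB 372540."
}

# 2b. keytool exits non-zero and prints the reason on stdout if the password is wrong.
#     A server certificate must be a PrivateKeyEntry (key + chain), not a bare trustedCertEntry.
$listing = & $Keytool -list -v -keystore $keystore -storepass $KeystorePassword -storetype JKS 2>$null
if ($LASTEXITCODE -ne 0) {
    throw "keytool could not open '$keystore' with the supplied password: $listing"
}
if (-not ($listing | Select-String -Quiet -SimpleMatch 'Entry type: PrivateKeyEntry')) {
    throw "'$keystore' has no PrivateKeyEntry; import the private key with its certificate chain."
}
$listing | Select-String 'Alias name:|Entry type:|Valid from:' | ForEach-Object { $_.Line.Trim() }

# 3. itpam.custom.web.keystorepath in OasisConfig.properties, forward slashes as in the KB.
#    Replace an existing (uncommented) setting, otherwise append one.
$propLine = 'itpam.custom.web.keystorepath=' + $keystore.Replace('\', '/')
$lines = [System.IO.File]::ReadAllLines($props, $latin1)
$found = $false
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^\s*itpam\.custom\.web\.keystorepath\s*=') { $lines[$i] = $propLine; $found = $true }
}
if (-not $found) { $lines += $propLine }
[System.IO.File]::WriteAllLines($props, $lines, $latin1)

# 4. Uncomment/rewrite the keystore element with the real password. The password is
#    XML-escaped (& < > " ') and any $ doubled so the .NET replacement string takes it literally.
$xml = [System.IO.File]::ReadAllText($standalone)
$pattern = '(?:<!--\s*)?(<keystore\s+path="\$\{itpam\.custom\.web\.keystorepath\}"\s+keystore-password=")[^"]*("\s*/>)(?:\s*-->)?'
$pwXml = [System.Security.SecurityElement]::Escape($KeystorePassword).Replace('$', '$$')
$hits = [regex]::Matches($xml, $pattern).Count
if ($hits -ne 1) {
    throw "Expected exactly one keystore line for itpam.custom.web.keystorepath in $standalone, found $hits; edit it by hand."
}
$xml = [regex]::Replace($xml, $pattern, ('${1}' + $pwXml + '${2}'))
[System.IO.File]::WriteAllText($standalone, $xml, [System.Text.UTF8Encoding]::new($false))
Write-Host "Done. Restart the PAM services, then open the PAM HTTPS URL and inspect the served certificate."
```

Run it from an elevated PowerShell, for example .\Set-PamCustomCert.ps1 -KeystorePassword '...'. The password then sits in the shell history, in the process command line and in standalone-full-ha.xml in clear text, which is exactly the exposure the Password Vault approach is meant to remove.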
The second approach stores the keystore password in the WildFly Password Vault. Read the following instructions closely, as user-defined values are entered in several places. User-defined values are shown in square brackets, for example [vaultalias]; each bracketed value must be entered identically everywhere it appears.
First, create the vault keystore, a JCEKS keystore containing an AES secret key. Run the command from C:\Program Files\CA\PAM\wildfly\standalone\.config, since it writes vault.keystore to the current directory. The vault opens the secret key with the keystore password, so use the same value for [key password] as for [vault keystore password]:
keytool -genseckey -alias [vaultalias] -storetype jceks -keyalg AES -keysize 128 -storepass [vault keystore password] -keypass [key password] -validity 730 -keystore vault.keystore
Then store the customcert.jks password (XXXX) in the vault with vault.bat (in the WildFly bin directory). The [salt value] must be exactly 8 characters. Note the vault block (vb) and attribute (password) names; they are referenced from standalone-full-ha.xml later:
vault.bat --keystore "C:\Program Files\CA\PAM\wildfly\standalone\.config\vault.keystore" --keystore-password [vault keystore password] --alias [vaultalias] --vault-block vb --attribute password --sec-attr XXXX --enc-dir "C:\Program Files\CA\PAM\wildfly\standalone\.config" --iteration 120 --salt [salt value]
vault.bat prints the configuration to add. Add the following <vault> element to standalone-full-ha.xml as a direct child of <server>, before the <management> element, using the values vault.bat reported. The KEYSTORE_PASSWORD value is the masked password printed by vault.bat (MASK- followed by the masked string; MASK-EXAMPLE below is a placeholder), not the clear-text vault keystore password:
<vault>
<vault-option name="KEYSTORE_URL" value="C:/Program Files/CA/PAM/wildfly/standalone/.config/vault.keystore"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-EXAMPLE"/>
<vault-option name="KEYSTORE_ALIAS" value="[vaultalias]"/>
<vault-option name="SALT" value="[salt value]"/>
<vault-option name="ITERATION_COUNT" value="120"/>
<vault-option name="ENC_FILE_DIR" value="C:/Program Files/CA/PAM/wildfly/standalone/.config/"/>
</vault>
Finally, point the keystore line (the same line that is uncommented in the first approach) at the vaulted attribute. vb and password are the --vault-block and --attribute values used above; use the reference exactly as vault.bat printed it:
<keystore path="${itpam.custom.web.keystorepath}" keystore-password="${VAULT::vb::password::1}"/>
After configuring the keystore and keystore password as described above, restart the PAM services, then test the setup by opening the PAM HTTPS URL and checking that the certificate presented is the 3rd-party certificate.
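The following PowerShell script is an added example for this article, not CA's or WildFly's own tooling. It drives the Password Vault approach end to end: it creates vault.keystore with keytool, masks the customcert.jks password with vault.bat, harvests the masked keystore password and the VAULT:: reference from the tool's output, inserts the <vault> element before <management> in standalone-full-ha.xml, and rewrites the keystore line to use the vaulted attribute. It assumes the default install path, keytool.exe on the PATH, vault.bat under the PAM WildFly bin directory, that vault.bat prints the masked password as MASK-... and the reference as VAULT::<block>::<attribute>::<n> (the WildFly vault tool's output format), and that no <vault> element exists yet; the parameter names are the script's own.

```powershell
# Added example for this KB article (not CA's or WildFly's own code): run the vault steps
# end to end and wire the result into standalone-full-ha.xml. Assumes the default install
# path, keytool.exe on PATH, vault.bat in <PAM>\wildfly\bin and the vault tool's usual output.
param(
    [string]$PamHome = 'C:\Program Files\CA\PAM',
    [Parameter(Mandatory = $true)][string]$VaultKeystorePassword,   # [vault keystore password]
    [Parameter(Mandatory = $true)][string]$CustomKeystorePassword,  # XXXX: password of customcert.jks
    [string]$VaultAlias = 'vault',                                   # [vaultalias]
    [string]$Salt = (-join ((65..90 + 97..122) | Get-Random -Count 8 | ForEach-Object { [char]$_ })),
    [int]$Iteration = 120
)

# The vault derives its masking key with an 8-byte salt; the tool rejects any other length.
if ($Salt.Length -ne 8) { throw "Salt must be exactly 8 characters, got '$Salt'." }

$configDir     = Join-Path $PamHome 'wildfly\standalone\.config'
$vaultKeystore = Join-Path $configDir 'vault.keystore'
$vaultBat      = Join-Path $PamHome 'wildfly\bin\vault.bat'
$standalone    = Join-Path $PamHome 'wildfly\standalone\configuration\standalone-full-ha.xml'

# 1. Vault keystore: JCEKS holding an AES-128 secret key (the KB's keytool -genseckey command).
#    The vault opens the key with the keystore password, so -keypass gets the same value;
#    -validity is omitted because a secret-key entry carries no certificate that could expire.
if (-not (Test-Path $vaultKeystore)) {
    $out = & keytool -genseckey -alias $VaultAlias -storetype jceks -keyalg AES -keysize 128 `
        -storepass $VaultKeystorePassword -keypass $VaultKeystorePassword -keystore $vaultKeystore 2>$null
    if ($LASTEXITCODE -ne 0) { throw "keytool -genseckey failed: $out" }
}

# 2. Mask the customcert.jks password into the vault (writes VAULT.dat into --enc-dir) and
#    pick the two values the XML needs out of the tool's output. Passwords containing cmd.exe
#    metacharacters (& | ^ %) would need extra quoting before being handed to a .bat file.
$vaultOut = & $vaultBat --keystore $vaultKeystore --keystore-password $VaultKeystorePassword `
    --alias $VaultAlias --vault-block vb --attribute password --sec-attr $CustomKeystorePassword `
    --enc-dir $configDir --iteration $Iteration --salt $Salt 2>&1 | ForEach-Object { "$_" }
$joined = $vaultOut -join "`n"
$mask = [regex]::Match($joined, 'MASK-[^"\s]+').Value
$ref  = [regex]::Match($joined, 'VAULT::\w+::\w+::\d+').Value
if (-not $mask -or -not $ref) { throw "vault.bat did not print MASK-... and VAULT::... values:`n$joined" }

# 3. The <vault> element, built from those values (forward-slash paths, as in the KB).
$vaultXml = @"
    <vault>
        <vault-option name="KEYSTORE_URL" value="$($vaultKeystore.Replace('\', '/'))"/>
        <vault-option name="KEYSTORE_PASSWORD" value="$mask"/>
        <vault-option name="KEYSTORE_ALIAS" value="$VaultAlias"/>
        <vault-option name="SALT" value="$Salt"/>
        <vault-option name="ITERATION_COUNT" value="$Iteration"/>
        <vault-option name="ENC_FILE_DIR" value="$($configDir.Replace('\', '/'))/"/>
    </vault>
"@

# 4. Insert it before <management> (its position in the WildFly schema) and switch the
#    keystore line from a clear-text password to the vaulted attribute.
Copy-Item $standalone "$standalone.bak" -ErrorAction Stop
$xml = [System.IO.File]::ReadAllText($standalone)
if ($xml.Contains('<vault>')) { throw "$standalone already has a <vault> element; merge by hand." }
$mgmt = $xml.IndexOf('<management>')
if ($mgmt -lt 0) { throw "No <management> element found in $standalone." }
$lineStart = $xml.LastIndexOf("`n", $mgmt) + 1          # insert at the start of that line
$xml = $xml.Insert($lineStart, $vaultXml + "`n")

# The reference is spliced in by string surgery rather than a regex replacement string, so the
# ${...} syntax is never mistaken for a .NET group reference.
$ksPattern = '(?:<!--\s*)?(<keystore\s+path="\$\{itpam\.custom\.web\.keystorepath\}"\s+keystore-password=")[^"]*("\s*/>)(?:\s*-->)?'
$m = [regex]::Matches($xml, $ksPattern)
if ($m.Count -ne 1) { throw "Expected one itpam.custom.web.keystorepath keystore line, found $($m.Count); edit by hand." }
$newLine = $m[0].Groups[1].Value + '${' + $ref + '}' + $m[0].Groups[2].Value
$xml = $xml.Substring(0, $m[0].Index) + $newLine + $xml.Substring($m[0].Index + $m[0].Length)
[System.IO.File]::WriteAllText($standalone, $xml, [System.Text.UTF8Encoding]::new($false))
Write-Host ('keystore-password now reads ' + '${' + $ref + '}' + '. Restart the PAM services to test.')
```

After a successful run, VAULT.dat in the .config directory and vault.keystore are what protect the certificate password, so restrict both to the PAM service account and include them in backups. The clear-text passwords were still passed on the command line, so clear the PowerShell history afterwards; if the service fails to start after the change, compare the SALT and ITERATION_COUNT in the XML with the values given to vault.bat, since a mismatch is the usual reason the masked password cannot be unmasked.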