Configure Custom SSL Certificates and Passwords for PAM/Wildfly
search cancel

Configure Custom SSL Certificates and Passwords for PAM/Wildfly

book

Article ID: 372639

calendar_today

Updated On:

Products

CA Process Automation Base Process Automation Manager

Issue/Introduction

This KB Article contains additional clarification to existing documentation to setup a 3rd party SSL certificate for use in PAM 4.4 (Wildfly implementation).  Please use this article as a supplement and annotation for the existing documentation.

Environment

Release:  4.4 or higher

CA Process Automation

Resolution

The following instructions assume that the PAM install location is "C:\Program Files\CA\PAM\"  

The files of interest, and their default locations are:

OasisConfig.properties:  Located in C:\Program Files\CA\PAM\wildfly\standalone\.config

standalone-full-ha.xml:  Located in C:\Program Files\CA\PAM\wildfly\standalone\configuration

customcert.jks:  This is the keystore that is housing the 3rd party SSL certficate.  File should be placed in C:\Program Files\CA\PAM\wildfly\standalone\.config. 
Note:  This file must be a jks based keystore.  Please see KB Article 372540 for reference

The above files should be backed up to a different location before performing modifications.

Initial setup

  1. Copy the custom certificate (customcert.jks) to the following PAM configuration folder:  C:\Program Files\CA\PAM\wildfly\standalone\.config

  2. Update the PAM\wildfly\standalone\OasisConfig.properties to mention the path of the Keystore, as follows:

    itpam.custom.web.keystorepath=C:/Program Files/CA/PAM/wildfly/standalone/.config/customcert.jks


  3. Setup the backend password for the customcert.jks keystore.  Depending on your requirements, there are two methods one may follow to update the backend keystore password for customcert.jks.  Please use only one of the two methods below, depending on your needs


Method 1:  Clear text method:  Suitable for testing purposes

Note:  The PasswordEncryption.bat utility located in C:\Program Files\CA\PAM\wildfly\standalone is NOT compatible for this approach.  There is no method available to encrypt the password using this approach.  We recommend utilising this approach to validate your custom keystore and password if Password Vault does not work.

Configure the keystore path and keystore-password for the custom certificate in file standalone-full-ha.xml.  Line to uncomment and adjust is:

<keystore path="${itpam.custom.web.keystorepath}" keystore-password="XXXX"/>


XXXX is the keystore password for customcert.jks 

 

Method 2:  Password Vault method:  Recommended for production implementations

For this method, it is essential to read through the instructions closely as there are a number of places where one can enter user defined values.  All user defined values are in brackets and highlighted; colour coding is also used to help denote where certain values are to be entered.  

 

  1. Create the vault.keystore keystore file as follows.  In an admin command prompt on the PAM Server, cd to the "C:\Program Files\CA\PAM\wildfly\standalone\.config\" location, then run:

    keytool -genseckey -alias [vaultalias] -storetype jceks -keyalg AES -keysize 128 -storepass [vault keystore password] -keypass [key password] -validity 730 -keystore vault.keystore


    The vault.keystore is a separate keystore from the keystore that contains the 3rd party SSL certificate, customcert.jks, and the two keystores should not be consolidated.

    The vault.keystore file should be written to "C:\Program Files\CA\PAM\wildfly\standalone\.config\".  

    Note:  in the above command, the "storepass" and "keypass" parameters are NOT the same thing.  Information about these two keytool parameters is available here.


  2. Store the customcert.jks keystore password in the vault, as follows.  cd to the C:\Program Files\CA\PAM\wildfly\bin location, then run

    vault.bat --keystore "C:\Program Files\CA\PAM\wildfly\standalone\.config\vault.keystore" --keystore-password [vault keystore password] --alias [vaultalias] --vault-block vb --attribute password --sec-attr XXXX --enc-dir "C:\Program Files\CA\PAM\wildfly\standalone\.config" --iteration 120 --salt [salt value]


    XXXX is the keystore password for customcert.jks.  Information on the "salt" value and what it signifies is available here.

    In the output, locate the entry for the "KEYSTORE_PASSWORD" tag past "For domain node:" which should read as "MASK-XXXX".  This value may vary.  For purposes of example, we will use "MASK-EXAMPLE"


  3. Define the vault configuration in the file after the tag </system-properties> in the standalone-full-ha.xml file:

    <vault>
    <vault-option name="KEYSTORE_URL" value="C:/Program Files/CA/PAM/wildfly/standalone/.config/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-EXAMPLE"/>
    <vault-option name="KEYSTORE_ALIAS" value="[vaultalias]"/>
    <vault-option name="SALT" value="[salt value]"/>
    <vault-option name="ITERATION_COUNT" value="120"/>
    <vault-option name="ENC_FILE_DIR" value="C:/Program Files/CA/PAM/wildfly/standalone/.config/"/>
    </vault>


  4. We can use the vault password (masked password) for the SSL certificate.  Configure the keystore path and keystore-password for the custom certificate in file standalone-full-ha.xml.  Line to uncomment and adjust is:

    <keystore path="${itpam.custom.web.keystorepath}" keystore-password="${VAULT::vb::password::1}"/>


    The above line is to be written to the standalone-full-ha.xml, replacing the existing line that is present exactly as shown here.

After configuring the keystore and keystore password per the above, recycle PAM Services, then test if the setup works.