Example: Enabling required SSL encryption and trusted clients

This example describes the following SSL configuration.

  • Requiring SSL encryption using the HPE Service Manager server's signed certificate
  • Requiring client authentication using the Service Manager client's signed certificate
  • Requiring trusted client authentication using a list of trusted client certificates

Note This example builds on information presented in the generating a server certificate and generating a client certificate examples.

  1. Generate a signed server certificate for the Service Manager server. See Example: Generating a server certificate with OpenSSL.
  2. Generate a signed client certificate for each Service Manager client. See Example: Generating a client certificate with OpenSSL.

    Note This step involves importing each Service Manager client's signed certificate into a trusted clients keystore (trustedclients.keystore) by using the keytool import command. To enable trusted sign-on, you must do so for each client certificate you want to be part of the list of trusted clients.

  3. Install the signed certificates and supporting keys on the Service Manager server. To do so, copy the following keystore files into the RUN folder of the Service Manager server.
    • servercert.keystore – This keystore file contains the Service Manager server's signed certificate and private key
    • cacerts – This keystore file contains the certificate and private key of the certificate authority that signed the server's certificate
    • trustedclients.keystore – This keystore contains the signed certificates of your Service Manager server's trusted clients
  4. Stop the Service Manager server.
  5. Open the Service Manager initialization file (sm.ini) with a text editor.
  6. Add the following parameters to require SSL encryption using the Service Manager server's signed certificate.
    • keystoreFile:servercert.keystore – Identifies the keystore file containing the Service Manager server's certificate and private key.
    • keystorePass:changeit – Identifies the password to the keystore file containing the Service Manager server's certificate and private key.
    • ssl:1 – Requires SSL encryption using the server's signed certificate.
    • ssl_reqClientAuth:2 – Requires Service Manager clients to present signed certificates to connect to the server and also to be on the list of trusted clients.
    • ssl_trustedClientsJKS:trustedclients.keystore – Identifies the keystore containing the signed certificates of trusted Service Manager clients.
    • ssl_trustedClientsPwd:ClientKeyPassword – Identifies the password to the keystore file containing the signed certificates of trusted Service Manager clients.
    • sslConnector:1 – Requires Service Manager clients to use an HTTPS port when communicating with the server.
    • truststoreFile:cacerts – Identifies the keystore file containing the certificate authority's certificate.
    • truststorePass:changeit – Identifies the password to the keystore file containing the certificate authority's certificate.
  7. Save the Service Manager initialization file.
  8. Restart the Service Manager server.
  9. Copy the following keystore files to the web tier's WEB-INF folder:
    • cacerts – This keystore file contains the certificate and private key of the certificate authority that signed the server's certificate
    • <clientcerts>.keystore – This keystore contains the signed certificate of your Service Manager web tier client
  10. Copy the following keystore files to each Windows client's <Windows client installation path>\plugins\com.hp.ov.sm.client.common_x.xx folder.
    • cacerts – This keystore file contains the certificate and private key of the certificate authority that signed the server's certificate
    • <clientcerts>.keystore – This keystore contains the signed certificate of each Windows client

      Note You should have created a separate <clientcerts>.keystore for each Windows client.

  11. Configure Service Manager web clients to validate the Service Manager server's signed certificate and present signed client certificates.
    1. Stop the web application server running the web tier, and then open the web configuration file (web.xml) in a text editor.
    2. Set cacerts to the keystore containing your server's certificate authority, for example /WEB-INF/cacerts. You copied this keystore from the JRE\lib\security folder of your Java Runtime Environment (JRE) or Java Development Kit (JDK) to the web tier's WEB-INF folder.
    3. Set keystore to the keystore containing your web tier's signed certificate, for example /WEB-INF/<clientcerts>.keystore. You created this keystore when you created the client certificate request.
    4. Set customize-folder to a folder on the web tier host in which your webtier.properties file is located. You created a webtier.properties file in the <Customize-Folder>/config directory when you set the keystore password.
    5. Set keystorePassword to the password required to access your web tier client keystore, for example ClientKeyPassword. You created this keystore password when you created the web tier client certificate request.

      Note The keystorePassword parameter has been removed from the web tier configuration file (web.xml) since Service Manager 9.34p2, and you should enter your web client keystore password in a webtier.properties file. For more information about how to set the keystorePassword parameter, see Encryption of client keystore passwords.

    6. Set ssl to true.
    7. Set serverHost to the fully qualified domain name of the Service Manager server. For example: myserver.mydomain.com.
  12. Configure Service Manager Windows clients to validate the Service Manager server's signed certificate and present signed client certificates. Do the following on each Windows client.
    1. Click Window > Preferences > Service Manager > Security.
    2. Set CA Certificates File to the cacerts keystore you copied to the <Windows client installation path>\plugins\com.hp.ov.sm.client.common_x.xx folder.
    3. Set Keystore File to the keystore containing your Windows client's signed certificate, for example <clientcerts>.keystore. You created this keystore when you created the Windows client certificate request.
    4. Set Keystore password to the password required to access the Windows client keystore. For example, ClientKeyPassword. You created this keystore password when you created the Windows client certificate request.
    5. Update your Windows client connections by selecting Use SSL Encryption on their Advanced tab.
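The server-side part of this procedure (steps 3 to 8) is easy to get subtly wrong: a parameter left at a value that does not enforce trusted clients, or a keystore named in sm.ini that was never copied into the RUN folder, both surface only as connection failures after the restart. The following pre-start check is an added example, not HPE code or a Service Manager tool. It parses the name:value lines of sm.ini, verifies the three enforcement parameters from step 6 (ssl:1, ssl_reqClientAuth:2, sslConnector:1), confirms that every keystore the file references is present in the RUN folder, and flags any keystore password still set to the Java default changeit, which the page uses as a sample value. The sm.ini fragment and the set of RUN-folder file names in the block are constructed; the hypothetical run_dir_files set stands in for a directory listing so the check runs offline.

```python
"""Pre-start check for the sm.ini SSL settings described in steps 3 to 8 (added example)."""

# Enforcement parameters from step 6 and the value this example requires
# for "required SSL + trusted clients".
REQUIRED_VALUES = {
    "ssl": "1",
    "ssl_reqClientAuth": "2",
    "sslConnector": "1",
}
# Parameters whose value names a keystore file that step 3 copies into RUN.
KEYSTORE_PARAMS = ("keystoreFile", "truststoreFile", "ssl_trustedClientsJKS")
# Password parameters, checked against the well-known Java default.
PASSWORD_PARAMS = ("keystorePass", "truststorePass", "ssl_trustedClientsPwd")


def parse_sm_ini(text):
    """Parse 'name:value' lines into a dict.

    Blank lines and '#' comments are skipped. Whitespace around the value is
    stripped, so a line such as 'ssl_trustedClientsJKS: x' still parses.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # bare parameter without a value; not relevant here
        params[name.strip()] = value.strip()
    return params


def check_ssl_settings(params, run_dir_files):
    """Return a list of findings; an empty list means the settings match the example.

    run_dir_files is the set of file names present in the server's RUN folder
    (hypothetical stand-in for a directory listing).
    """
    findings = []
    for name, expected in REQUIRED_VALUES.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"missing {name}:{expected}")
        elif actual != expected:
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    for name in KEYSTORE_PARAMS:
        path = params.get(name)
        if not path:
            findings.append(f"missing {name}")
        elif path not in run_dir_files:
            findings.append(f"{name} refers to {path!r}, which is not in the RUN folder")
    for name in PASSWORD_PARAMS:
        pwd = params.get(name)
        if not pwd:
            findings.append(f"missing {name}")
        elif pwd == "changeit":
            findings.append(f"{name} is the Java default 'changeit'; set a real password")
    return findings


# Constructed sm.ini fragment using the values from step 6 of this page.
SAMPLE_SM_INI = """\
# constructed sample, not a real sm.ini
keystoreFile:servercert.keystore
keystorePass:changeit
ssl:1
ssl_reqClientAuth:2
ssl_trustedClientsJKS: trustedclients.keystore
ssl_trustedClientsPwd:ClientKeyPassword
sslConnector:1
truststoreFile:cacerts
truststorePass:changeit
"""
# Constructed RUN-folder listing: trustedclients.keystore was not copied (step 3 missed).
SAMPLE_RUN_FILES = {"sm.ini", "servercert.keystore", "cacerts"}


def run_sample():
    """Run the check over the constructed sample; returns three findings."""
    return check_ssl_settings(parse_sm_ini(SAMPLE_SM_INI), SAMPLE_RUN_FILES)


if __name__ == "__main__":
    for finding in run_sample():
        print("-", finding)
```

Run it from the RUN folder after step 6 and before step 8, substituting an actual directory listing for the constructed run_dir_files set; an empty result means every keystore referenced by sm.ini is in place and the enforcement parameters match the example, so the restart in step 8 will not fail for a configuration reason.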