(Optional) Configure SSL for a Service Manager supplier

If HTTPS is used for communications between Service Manager Service Portal and a Service Manager supplier, SSL must be configured.

Note: Third-party or corporate CA-signed certificates should be used in production systems; however, self-signed certificates generated by Service Manager Service Portal can be used in non-production systems.

To configure SSL, perform the following steps:

  1. Import the Service Manager Service Portal host’s CA-signed certificate into the Service Manager Server's keystore. The general steps to do this are:

    1. Copy the Service Manager Service Portal host’s /opt/hp/propel/security/CA.crt file to the supplier’s /tmp directory.
    2. On the supplier's system, import the CA-signed certificate:

      # keytool -importcert -file /tmp/CA.crt -alias Propel_CA -trustcacerts \
        -keystore <SUPPLIER-KEYSTORE-PATH>/cacerts

      Where SUPPLIER-KEYSTORE-PATH is the location of the cacerts file on the supplier's system.

      The default cacerts file locations of Service Manager are:

      • HPE SM on Windows:
        C:\Program Files (x86)\HPE\Service Manager9.xx\Server\RUN\cacerts
      • HPE SM on Linux:
        /opt/HPE/ServiceManager9.xx/Server/RUN
    3. On the Service Manager system, restart the Service Manager Server service.

  2. Import the supplier’s CA certificate into the Service Manager Service Portal host’s truststore. The general steps to do this are:

    1. Obtain the supplier's CA certificate, and then copy it to the Service Manager Service Portal host’s /tmp directory. For examples of obtaining a supplier's certificate, see SSL tips. In the following step, the supplier’s CA certificate is in a CA.crt file.
    2. On the Service Manager Service Portal host, import the supplier's CA-signed certificate:

      # keytool -importcert -file /tmp/CA.crt -alias Supplier_CA -trustcacerts \
        -keystore /opt/hp/propel/security/propel.truststore

      Tip: The default password is "propel2014" for the Service Manager Service Portal truststore.

  3. On the Service Manager Service Portal host, restart the HPE Service Exchange (HPE SX) services:

    # systemctl restart jetty-sx

  4. Launch the Suppliers application in Service Manager Service Portal, view the supplier details, and then click the Diagnostics tab. The status should indicate there are no connection issues.

SSL tips

If you do not have an SSL certificate from the supplier's system, you can manually create a certificate. The following are examples of creating a supplier's SSL certificate:

Export the SSL certificate from the supplier's truststore

Use the following command on the supplier's system to export an SSL certificate from the supplier's truststore:

# keytool -exportcert -file <CERT-OUTPUT-FILE> \
  -keystore <SUPPLIER-KEYSTORE-PATH>/cacerts -alias <SUPPLIER-ALIAS>

Where:

  • CERT-OUTPUT-FILE is the output file that will contain the exported certificate.
  • SUPPLIER-KEYSTORE-PATH is the location of the cacerts file on the supplier's system.
  • SUPPLIER-ALIAS is the alias used in the supplier's truststore to identify the supplier's certificate.

Create supplier's host certificate

Use the following procedure to create a supplier's host certificate:

  1. On the Service Manager Service Portal VM, execute the following command:

    # openssl s_client -connect <SUPPLIER-HOST>:<PORT> < /dev/null > supplier.crt

  2. Edit the supplier.crt file and retain only the lines beginning with
    "-----BEGIN CERTIFICATE-----" and ending with
    "-----END CERTIFICATE-----", deleting all other lines.

You can verify that the supplier's host certificate is valid with the following command:

# keytool -printcert -file supplier.crt

The output of the keytool command should identify the certificate owner and issuer.
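
Step 2 of the procedure above can be scripted instead of hand-edited, with a fingerprint check before the certificate is imported into the truststore. This is an added example, not part of the original documentation: the function names and the script name extract_cert.sh are hypothetical, and the embedded s_client output is constructed with a placeholder body rather than a real certificate.

```shell
#!/bin/sh
# Added example, not part of the original procedure.

# Constructed stand-in for saved `openssl s_client` output; the base64 body
# is a placeholder, not a real certificate.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = supplier.example.com
   i:CN = Example CA
---
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
subject=CN = supplier.example.com
---
EOF
}

# extract_host_cert FILE
# Print the first complete PEM certificate block in FILE (the server's own
# certificate in s_client output). Returns non-zero if no complete block
# exists, so a truncated capture is never written out as a certificate.
extract_host_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ && !found { buf = ""; inside = 1 }
        inside { buf = buf $0 "\n" }
        inside && /^-----END CERTIFICATE-----/ { printf "%s", buf; inside = 0; found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# cert_summary PEMFILE
# Show owner, issuer, validity and SHA-256 fingerprint for comparison with
# the values reported by the supplier's administrator.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Usage: sh extract_cert.sh <s_client-output> <pem-output>
if [ "$#" -eq 2 ]; then
    extract_host_cert "$1" > "$2" || { echo "no certificate in $1" >&2; exit 1; }
    cert_summary "$2"
fi
```

Because s_client accepts whatever certificate the remote host presents, compare the printed fingerprint with one obtained from the supplier's administrator before running keytool -importcert.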

Tip: Once the SSL configuration is complete, you are ready to add your Service Manager system as a supplier of Service Manager Service Portal. For details, see Add Service Manager as a supplier.