(Optional) Configure SSL for a Service Manager supplier

If your Service Manager Server is configured to require client certificate validation, you need to configure two-way SSL between the Service Manager Server and Service Manager Service Portal.

Note Third-party or corporate CA-signed certificates should be used in production systems; however, self-signed certificates generated by Service Manager Service Portal can be used in non-production systems.

Prerequisites

The two-way SSL configuration steps in this section are based on the assumption that the following prerequisites are met.

Service Manager

Two-way SSL is set up in Service Manager:

  • Signed certificates and supporting keys are installed in the Service Manager Server's RUN directory:

    • server.keystore – This keystore file contains the Service Manager server's signed certificate and private key
    • cacerts – This keystore file contains the certificate of the certificate authority that signed the server's certificate
    • trustedclients.keystore – This keystore contains the signed certificates of your Service Manager server's trusted clients
  • The sm.ini file in the Service Manager Server's RUN directory contains the following settings:

    ssl:1
    ssl_reqClientAuth:2
    keystoreFile:<server.keystore>
    keystorePass:<password of server.keystore>
    ssl_trustedClientsJKS:<trustedclients.keystore>
    ssl_trustedClientsPwd:<password of trustedclients.keystore>
    truststoreFile:cacerts
    truststorePass:<password of cacerts, which is changeit by default>

Service Manager Service Portal

You have replaced the Service Manager Service Portal generated SSL certificates with third-party or corporate CA-signed certificates, including a keystore with a private key to be used for the client validation (this keystore is /opt/hp/propel/security/propel_host.pfx by default). For details, see Replace the Service Manager Service Portal generated SSL certificates.

Important In a non-production system, you can use the default Service Manager Service Portal keystore (propel_host.pfx). For a production system, do not change the file name (propel_host.pfx) when replacing this default keystore with your own one.

Configure two-way SSL for the supplier

To configure two-way SSL for the Service Manager supplier, perform the following steps:

Tip If your Service Manager Server and Service Manager Service Portal use the same certificate authority (CA), you only need to perform step 2 below.

  1. Import the Service Manager Service Portal host’s CA-signed certificate into the Service Manager Server's keystore. The general steps to do this are:

    1. Copy the Service Manager Service Portal host’s /opt/hp/propel/security/CA.crt file to a temporary directory (<temporary_directory>) on the supplier host.
    2. On the Service Manager system, import the CA-signed certificate:

      # keytool -importcert -file <temporary_directory>/CA.crt -alias Propel_CA -trustcacerts -keystore <SUPPLIER-KEYSTORE-PATH>/cacerts

      Where SUPPLIER-KEYSTORE-PATH is the location of the cacerts file on the supplier's system.

      The default cacerts file locations of Service Manager are:

      • HPE SM on Windows:
        C:\Program Files (x86)\HPE\Service Manager 9.xx\Server\RUN\cacerts
      • HPE SM on Linux:
        /opt/HPE/ServiceManager9.xx/Server/RUN/cacerts
    3. On the Service Manager system, restart the Service Manager Server service.

  2. Import the Service Manager Service Portal host’s certificate (/opt/hp/propel/security/propel_host.crt) into the Service Manager Server's trusted clients keystore:

      # keytool -keystore <trustedclients.keystore> -importcert -alias somePropelHostAlias -file propel_host.crt
  3. Import the supplier’s CA certificate into the Service Manager Service Portal host’s truststore. The general steps to do this are:

    1. Obtain the supplier's CA certificate, and then copy it to the Service Manager Service Portal host’s /tmp directory. For an example of obtaining a supplier's CA certificate, see SSL tips. In the following step, the supplier’s CA certificate is referred to as SMCA.crt.
    2. On the Service Manager Service Portal host, import the supplier's CA-signed certificate:

      # keytool -importcert -file /tmp/SMCA.crt -alias Supplier_CA -trustcacerts -keystore /opt/hp/propel/security/propel.truststore

      Tip The default password for the Service Manager Service Portal truststore is "propel2014".

  4. Enable Service Manager Service Portal to send the client certificate.

    1. In the sx.properties file in the /opt/hp/propel/sx/WEB-INF directory, make sure that the skipCertificateValidation property is set to false (this is the default value).

    2. Update the jetty-ssl.xml file.

      Note If you are using the default keystore (propel_host.pfx), ignore this step.

      In the /opt/hp/propel/jetty-sx/etc/jetty-ssl.xml file, set the javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType properties (by replacing the default values) as follows:

      <Call name="setProperty">
          <Arg>javax.net.ssl.keyStore</Arg>
          <Arg>/opt/hp/propel/security/propel_host.pfx</Arg>
      </Call>
      <Call name="setProperty">
          <Arg>javax.net.ssl.keyStorePassword</Arg>
          <Arg>${STORE_PASSWORD}</Arg>
      </Call>
      <Call name="setProperty">
          <Arg>javax.net.ssl.keyStoreType</Arg>
          <Arg>${STORE_TYPE}</Arg>
      </Call>

      In the above code:

      • ${STORE_PASSWORD} is the password of your own propel_host.pfx keystore.
      • ${STORE_TYPE} is the type of the keystore: either jks or pkcs12.
  5. On the Service Manager Service Portal host, restart the HPE Service Exchange (HPE SX) services:

    # systemctl restart jetty-sx

  6. Launch the Suppliers application in Service Manager Service Portal, view the supplier details, and then click the Diagnostics tab. The status should indicate there are no connection issues.
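As an added check that is not part of this documentation, the following POSIX shell script verifies the Service Manager side of the setup: check_sm_ini() flags any sm.ini setting from the Prerequisites above that is missing or has the wrong value, and keystore_has_alias() wraps keytool -list so you can confirm that the imports in steps 1 and 2 took effect. The sm.ini it runs against is constructed, and the keystore paths, passwords and aliases are placeholders taken from this page.

```shell
#!/bin/sh
# Added example, not part of the HPE documentation: checks the Service Manager
# side of the two-way SSL setup. check_sm_ini() flags sm.ini settings from the
# Prerequisites that are missing or wrong; keystore_has_alias() wraps keytool to
# confirm the imports of steps 1 and 2. The sm.ini in demo() is constructed.

# Print each required sm.ini setting that is missing or wrong; return 1 if any.
check_sm_ini() {
    ini="$1"
    rc=0
    # key:expected pairs; an empty expected value only requires the key to be set
    for req in "ssl:1" "ssl_reqClientAuth:2" "keystoreFile:" "keystorePass:" \
               "ssl_trustedClientsJKS:" "ssl_trustedClientsPwd:" \
               "truststoreFile:" "truststorePass:"; do
        key="${req%%:*}"
        want="${req#*:}"
        # sm.ini lines are key:value; skip comments, keep the last occurrence,
        # and keep everything after the first colon (Windows paths contain one)
        have=$(grep -v '^#' "$ini" | grep "^${key}:" | tail -n 1 | cut -d: -f2- | tr -d '\r')
        if [ -z "$have" ]; then
            echo "MISSING $key"; rc=1
        elif [ -n "$want" ] && [ "$have" != "$want" ]; then
            echo "WRONG   $key=$have (expected $want)"; rc=1
        fi
    done
    return $rc
}

# Return 0 if keystore $1 (store password $2) contains alias $3; needs keytool.
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Stand-alone run against a constructed sm.ini that still has one-way SSL only.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
ssl:1
ssl_reqClientAuth:0
keystoreFile:server.keystore
keystorePass:changeit
truststoreFile:cacerts
truststorePass:changeit
EOF
    check_sm_ini "$tmp"   # prints WRONG ssl_reqClientAuth and two MISSING trusted-client keys
    rm -f "$tmp"
}

demo
```

On the Service Manager host, `keystore_has_alias <SUPPLIER-KEYSTORE-PATH>/cacerts changeit Propel_CA` and `keystore_has_alias <trustedclients.keystore> <password> somePropelHostAlias` should both succeed once steps 1 and 2 are done.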

SSL tips

If you do not have the supplier's CA certificate, you can export it manually from the supplier's truststore. The following is an example of exporting the CA certificate from the supplier's truststore.

Export the CA certificate from the supplier's truststore

Use the following command on the supplier's system to export an SSL certificate from the supplier's truststore:

# keytool -exportcert -file <CERT-OUTPUT-FILE> -keystore <SUPPLIER-KEYSTORE-PATH>/cacerts -alias <SUPPLIER-ALIAS>

Where:

  • CERT-OUTPUT-FILE is the output file that will contain the exported certificate.
  • SUPPLIER-KEYSTORE-PATH is the location of the cacerts file on the supplier's system.
  • SUPPLIER-ALIAS is the alias used in the supplier's truststore to identify the supplier's certificate.

Tip Once the SSL configuration is complete, you are ready to add your Service Manager system as a supplier in Service Manager Service Portal. For details, see Add Service Manager as a supplier.