Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Service Manager9.52

Install > Install and set up Service Portal > Install and set up a single Service Portal instance > (Optional) Configure two-way SSL between Service Portal and Service Manager

(Optional) Configure two-way SSL between Service Portal and Service Manager

If your Service Manager Server is configured to require client certificate validation, you need to configure two-way SSL between the Service Manager Server and Service Portal.

Note Third-party or corporate CA-signed certificates should be used in production systems; however, self-signed certificates generated by Service Portal can be used in non-production systems.

Prerequisites

The two-way SSL configuration steps in this section are based on the assumption that the following prerequisites are met.

Service Manager

Two-way SSL is set up in Service Manager:

Signed certificates and supporting keys are installed in the Service Manager Server's RUN directory:
- server.keystore – This keystore file contains the Service Manager server's signed certificate and private key
- cacerts – This keystore file contains the certificate of the certificate authority that signed the server's certificate
- trustedclients.keystore – This keystore contains the signed certificates of your Service Manager server's trusted clients

The sm.ini file in the Service Manager Server's RUN directory contains the following settings:

ssl:1
ssl_reqClientAuth:2
keystoreFile:<server.keystore>
keystorePass:<password of server.keystore>
ssl_trustedClientsJKS:<trustedclients.keystore>
ssl_trustedClientsPwd:<password of trustedclients.keystore>
truststoreFile:cacerts
truststorePass:<password of cacerts, which is changeit by default>

Service Portal

You have replaced the Service Portal generated SSL certificates with third-party or corporate CA-signed certificates, including a keystore with a private key to be used for the client validation (this keystore is /opt/hp/propel/security/propel_host.pfx by default). For details, see Replace the Service Portal generated SSL certificates.

Important In a non-production system, you can use the default Service Portal keystore (propel_host.pfx). For a production system, do not change the file name (propel_host.pfx) when replacing this default keystore with your own one.

Configure two-way SSL for Service Manager

To configure two-way SSL for Service Manager, perform the following steps:

Tip If your Service Manager Server and Service Portal use the same certificate authority (CA), you only need to perform step 2 below.

Import the Service Portal host’s CA-signed certificate into the Service Manager Server's keystore. The general steps to do this are:
1. Copy the Service Portal host’s /opt/hp/propel/security/CA.crt file to a temporary directory (<temporary_directory>) on the Service Manager host.
2. On the Service Manager system, import the CA-signed certificate:
```
# keytool –importcert –file <temporary_directory>/CA.crt –alias Propel_CA –trustcacerts –keystore <SUPPLIER-KEYSTORE-PATH>/cacerts
```
  Where SUPPLIER-KEYSTORE-PATH is the location of the cacerts file on the Service Manager system.
  
  The default cacerts file locations of Service Manager are:
  - HPE SM on Windows:
    C:\Program Files (x86)\HPE\Service Manager 9.xx\Server\RUN\cacerts
  - HPE SM on Linux:
    /opt/HPE/ServiceManager9.xx/Server/RUN
3. On the Service Manager system, restart the Service Manager Server service.
Import the Service Portal host’s certificate (/opt/hp/propel/security/propel_host.crt ) into the Service Manager Server's trusted clients keystore.
```
keytool -keystore <trustedclients.keystore> -importcert -alias somePropelHostAlias -file propel_host.crt
```
Import Service Manager’s CA certificate into the Service Portal host’s truststore. The general steps to do this are:
1. Obtain Service Manager's CA certificate, and then copy it to the Service Portal host’s /tmp directory. For an example of obtaining a Service Manager CA certificate, see SSL tips. In the following step, the CA certificate of Service Manager is referred to as SMCA.crt.
2. On the Service Portal host, import the CA-signed certificate of Service Manager:
```
# keytool –importcert –file /tmp/SMCA.crt –alias Supplier_CA –trustcacerts –keystore /opt/hp/propel/security/propel.truststore
```
  Tip The default password for the Service Portal truststore is "propel2014".
Enable Service Portal to send the client certificate.
1. In the sx.properties file in the /opt/hp/propel/sx/WEB-INF directory, make sure that the skipCertificateValidation property is set to false (this is the default value).
2. Update the jetty-ssl.xml file.
  
  Note If you are using the default keystore (propel_host.pfx), ignore this step.
  
  In the /opt/hp/propel/jetty-sx/etc/jetty-ssl.xml file, set the javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType properties (by replacing the default values) as follows:
```
<Call name="setProperty">
    <Arg>javax.net.ssl.keyStore</Arg>
    <Arg>/opt/hp/propel/security/propel_host.pfx</Arg>
</Call>
<Call name="setProperty">
    <Arg>javax.net.ssl.keyStorePassword</Arg>
    <Arg>${STORE_PASSWORD}</Arg>
</Call>
<Call name="setProperty">
    <Arg>javax.net.ssl.keyStoreType</Arg>
    <Arg>${STORE_TYPE}</Arg>
</Call>
```
  In the above code:
  - ${STORE_PASSWORD} is the password of your own propel_host.pfx keystore.
  - ${STORE_TYPE} is the certificate type of the keystore: either jks or pkcs12.
On the Service Portal host, restart the HPE Service Exchange (HPE SX) services:

# systemctl restart jetty-sx
Launch the Suppliers application in Service Portal, view the Service Manager supplier details, and then click the Diagnostics tab. The status should indicate there are no connection issues.

SSL tips

If you do not have an SSL certificate from the Service Manager system, you can manually create a certificate. The following is an example of exporting the CA certificate for the truststore of Service Manager.

Export the CA certificate from the truststore of Service Manager

Use the following command on the Service Manager system to export an SSL certificate from the truststore of Service Manager:

# keytool -exportcert -file <CERT-OUTPUT-FILE> -keystore <SUPPLIER-KEYSTORE-PATH>/cacerts -alias <SUPPLIER-ALIAS>

Where:

CERT-OUTPUT-FILE is the output file that will contain the exported certificate.
SUPPLIER-KEYSTORE-PATH is the location of the cacerts file on the Service Manager system.
SUPPLIER-ALIAS is the alias used in the truststore of Service Manager to identify the certificate of Service Manager.

Tip Next, you need to configure shopping, ticketing, Knowledge Management (KM), and hot news so that users can order catalog items, submit support requests, perform KM searches, and so on. For details, see Configure shopping, ticketing, Knowledge Management, hot news, Change approval, and search.

Send Help Center feedback