
Enable SSL connection from Service Manager to Operations Orchestration

Applies to User Roles:

System Administrator

The Service Manager to OO integration requires that Secure Sockets Layer (SSL) be enabled in the Operations Orchestration and Service Manager servers to ensure data security. Before using this integration, you must complete the following procedures:

  1. Configure SSL in Operations Orchestration.
  2. Configure SSL in Service Manager.

Note

  • The following procedures are provided as examples, assuming that you have not changed the security configurations of Operations Orchestration and Service Manager since they were installed. You may need to adjust the procedures depending on your specific security configurations in Operations Orchestration and Service Manager.
  • To perform the following procedures, you must have OpenSSL installed on your Operations Orchestration Central host. In addition, you must have a Java platform installed on the Operations Orchestration and Service Manager hosts.
  • In the following procedures, <OO_HOME> represents the Operations Orchestration home directory, and <SM_HOME> represents the Service Manager home directory.

Configure SSL in Operations Orchestration

To configure SSL in Operations Orchestration 9.x, perform the following tasks.

Task 1: Back up keystores in Operations Orchestration

Before you start configuring SSL in Operations Orchestration, make a backup copy of existing keystores (if any) in the following directories:

  • <OO_HOME>\Central\conf
  • <OO_HOME>\RAS\Java\Default\webapp\conf
  • <OO_HOME>\Scheduler\conf
  • <OO_HOME>\Studio\conf

Note If your Operations Orchestration system does not contain any keystores in these folders, skip this task.

Task 2: Configure SSL in Operations Orchestration Central

You can use any pair of public/private certificates based on your specific certificate requirements, security policies, and so on. This section provides an example of using OpenSSL and the standard Java keytool to generate a self-signed certificate.

To configure SSL in Operations Orchestration Central:

  1. Stop the RSCentral, RSScheduler and RSJRAS services.
  2. Generate a private/public key pair for Root Certificate Authority.

    1. Change to the following directory: <OO_HOME>\Central\conf.
    2. Run the following command to create the private key:

      openssl genrsa -des3 -out <RSA_private_key_file> 2048

      For example: openssl genrsa -des3 -out cakey.pem 2048

    3. When prompted, enter a password phrase you want to use to protect your authority's private key file (cakey.pem). For example, CAKeyPassword.

      Note Remember this password phrase. You will be asked to enter it again later when you use the Java keytool to generate a request (see step 3).

    4. Run the following command to create the public key:

      openssl req -new -key <RSA_private_key_file> -x509 -days 1095 -out mycacert.pem

      For example: openssl req -new -key cakey.pem -x509 -days 1095 -out mycacert.pem

    5. Enter other required information that will be incorporated into your certificate request.

      Note To create a unique .pem file, provide a unique Organization Name (for example, org1). When asked for a Common Name, enter the fully qualified domain name (FQDN) of the Operations Orchestration host.

  3. Use the Java keytool to generate a request.

    1. Run the following command:

      keytool -genkey -keyalg RSA -alias sm -keystore rc_keystore -storepass <store password for rc_keystore> -keypass <key password for rc_keystore> -dname "CN=<OO_server_FQDN>, OU=<Organization Unit>, O=<Organization>, L=<Location>, ST=<State or Province>,C=<Country>"

      For example: keytool -genkey -keyalg RSA -alias sm -keystore rc_keystore -storepass bran507025 -keypass bran507025 -dname "CN=<hostname.domainname>, OU=MyOrganizationUnit, O=MyCompany, L=MyCity, ST=MyState,C=MyCountry"

      Note The default value for both <store password for rc_keystore> and <key password for rc_keystore> is: bran507025.

      Note We recommend that the keyalg parameter use a value of RSA rather than the default of DSA. Doing so allows your TLS communications to use the stronger ECDHE cipher suites which are not vulnerable to Logjam attacks (CVE-2015-4000).

    2. Run the following command:

      keytool -certreq -keystore rc_keystore -alias sm -storepass <store password for rc_keystore> -file <CRS file>

      For example: keytool -certreq -keystore rc_keystore -alias sm -storepass bran507025 -file req.crs

    3. Run the following command:

      openssl x509 -req -days 1095 -in <CRS file> -CA mycacert.pem -CAkey <RSA_private_key_file> -CAcreateserial -out smcert.pem

      For example: openssl x509 -req -days 1095 -in req.crs -CA mycacert.pem -CAkey cakey.pem -CAcreateserial -out smcert.pem

    4. When prompted, type the password phrase you entered in step 2 to protect your authority's private key file (cakey.pem). For example, CAKeyPassword.
  4. Import the root CA and self-signed certificate to rc_keystore.

    1. Run the following command:

      keytool -import -v -alias rootca -keystore rc_keystore -storepass <store password for rc_keystore> -file mycacert.pem

      For example: keytool -import -v -alias rootca -keystore rc_keystore -storepass bran507025 -file mycacert.pem

      The command window displays the certificate information, such as Owner, Issuer, Serial number, Valid period, Certificate fingerprints, and Extensions.

    2. When you are prompted to confirm that this certificate should be trusted, type: y.

      The command window displays: "Certificate was added to keystore".

    3. Run the following command:

      keytool -import -v -alias sm -keystore rc_keystore -storepass <store password for rc_keystore> -file smcert.pem

      For example: keytool -import -v -alias sm -keystore rc_keystore -storepass bran507025 -file smcert.pem

      The command window displays: "Certificate reply was installed in keystore".
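
A check worth running on the certificate signed in step 3, before it is imported in step 4 (an added example, not part of the product documentation): it confirms that smcert.pem chains to mycacert.pem, that its subject CN is the Operations Orchestration FQDN, and that it is not about to expire. It assumes a POSIX shell with OpenSSL on the path; the function names, the oo.example.test host name and the throwaway sample certificates are constructed for illustration.

```bash
#!/bin/sh
# Added example, not product code.
# Usage: verify_oo_cert <root CA pem> <server cert pem> <OO FQDN> [min days left]
# Returns 0 = ok, 1 = chain broken, 2 = CN is not the FQDN, 3 = expires too soon.
verify_oo_cert() {
  local ca="$1" cert="$2" fqdn="$3" days="${4:-30}" subject
  # 1. smcert.pem must chain to mycacert.pem. Match on the output because old
  #    OpenSSL builds can exit 0 from "verify" even when validation fails.
  openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
    || { echo "FAIL: $cert is not signed by $ca"; return 1; }
  # 2. The subject CN must be the FQDN that Service Manager connects to.
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
            | sed -e 's/^subject= *//')
  case ",$subject," in
    *",CN=$fqdn,"*) ;;
    *) echo "FAIL: subject '$subject' has no CN=$fqdn"; return 2 ;;
  esac
  # 3. The certificate must stay valid for at least $days more days.
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null \
    || { echo "FAIL: $cert expires within $days days"; return 3; }
  echo "OK"
}

# Constructed sample data: a throwaway CA and server certificate in directory $1
# for FQDN $2, following steps 2 and 3 non-interactively. Keys are left
# unencrypted because they are disposable; openssl stands in for keytool here.
make_sample_pki() {
  local d="$1"
  openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null
  openssl req -new -key "$d/cakey.pem" -x509 -days 1095 \
    -subj "/O=org1/CN=Sample Root CA" -out "$d/mycacert.pem"
  openssl genrsa -out "$d/smkey.pem" 2048 2>/dev/null
  openssl req -new -key "$d/smkey.pem" -subj "/O=org1/CN=$2" -out "$d/req.crs"
  openssl x509 -req -days 1095 -in "$d/req.crs" -CA "$d/mycacert.pem" \
    -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/smcert.pem" 2>/dev/null
}

# Demo on constructed data: sh <this file> --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d) && make_sample_pki "$tmp" oo.example.test
  verify_oo_cert "$tmp/mycacert.pem" "$tmp/smcert.pem" oo.example.test
  rm -rf "$tmp"
fi
```

Against the real files, call verify_oo_cert mycacert.pem smcert.pem <OO_server_FQDN> from <OO_HOME>\Central\conf; any result other than OK means the request should be regenerated before the import.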

Task 3: Configure SSL in Operations Orchestration RAS

  1. Change to the following directory: <OO_HOME>\RAS\Java\Default\webapp\conf\.
  2. Copy the generated root CA mycacert.pem and self-signed certificate smcert.pem from <OO_HOME>\Central\conf to the current directory.
  3. Import the root CA mycacert.pem and self-signed certificate smcert.pem to ras_keystore.jks. See step 4 in Configure SSL in Operations Orchestration Central.

Task 4: Configure SSL in Operations Orchestration Scheduler

  1. Change to the following directory: <OO_HOME>\Scheduler\conf\.
  2. Copy the generated root CA mycacert.pem and self-signed certificate smcert.pem from <OO_HOME>\Central\conf to the current directory.
  3. Import the root CA mycacert.pem and self-signed certificate smcert.pem to rc_keystore. See step 4 in Configure SSL in Operations Orchestration Central.

Task 5: Start the Operations Orchestration services

Start the RSCentral, RSScheduler and RSJRAS services.

Task 6: Configure SSL in Operations Orchestration Studio

  1. Change to the following directory: <OO_HOME>\Studio\conf\.
  2. Copy the generated root CA mycacert.pem and self-signed certificate smcert.pem from <OO_HOME>\Central\conf to the current directory.
  3. Import the root CA mycacert.pem and self-signed certificate smcert.pem to rc_keystore. See step 4 in Configure SSL in Operations Orchestration Central.

To configure SSL in Operations Orchestration 10.x, perform the following tasks.

Task 1: Configure Central SSL Server Certificate with FQDN

You can generate a self-signed certificate using the Keytool utility.

  1. Stop Central and back up the original key.store file, located in <installation dir>/central/var/security/key.store.
  2. Open a command line in <installation dir>/central/var/security.
  3. Delete the existing server certificate from the Central key.store file, using the following command:

    keytool -delete -alias tomcat -keystore key.store -storepass changeit

  4. Generate a self-signed certificate, using the following command:

    keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -keystore <path/for/new/Keystore> -storepass changeit -storetype pkcs12 -dname "CN=<CENTRAL_FQDN>, OU=<ORGANIZATION_UNIT>, O=<ORGANIZATION>, L=<LOCALITY>, C=<COUNTRY>"

    Note If you do not enter a path for generating the new keystore, it is created in the folder where you entered the command, for example <installation dir>/central/var/security.

  5. Import the self-signed certificate to the Central key.store file, using the following command:

    keytool -v -importkeystore -srckeystore <new/path/created/Keystore> -srcstoretype PKCS12 -srcstorepass changeit -destkeystore key.store -deststoretype JKS -deststorepass changeit

  6. Start Central.

Task 2: Configure SSL on OO Central

  1. Stop the Micro Focus Operations Orchestration Central service.
  2. Search for the keytool.exe file installed on your machine and append its location to the Path variable in your system environment.
  3. Open a command line in <installation dir>/central/var/security.
  4. Run the following command:

    keytool.exe -export -alias tomcat -file "xxx\oo10-certificate.cer" -keystore "%OO_Home%\central\var\security\key.store" -storepass changeit

    Note Later, when configuring SSL in Service Manager, you will import oo10-certificate.cer into the Service Manager trust store file.

  5. Start the Micro Focus Operations Orchestration Central service.

Configure SSL in Service Manager

Once you have successfully configured SSL in Operations Orchestration, you are ready to configure SSL in Service Manager.

To configure SSL for Service Manager to connect to OO 9.x, perform the following steps.

  1. Create a trust store for Service Manager.

    1. Change to the following directory: <SM_HOME>/Server/RUN.
    2. Copy the generated mycacert.pem and smcert.pem from <OO_HOME>\Central\conf to <SM_HOME>/Server/RUN.
    3. Run the following command:

      keytool -import -v -alias rootca -keystore <keystore_file> -storepass <store password for keystore_file> -file mycacert.pem

      For example: keytool -import -v -alias rootca -keystore smtrust -storepass smoointabc123 -file mycacert.pem

      The command window displays the certificate information.

    4. When the command window prompts: "Trust this certificate?", type y.

      The command window displays: "Certificate was added to keystore".

    5. Run the following command:

      keytool -import -v -alias sm -keystore <keystore_file> -storepass <store password for keystore_file> -file smcert.pem

      For example: keytool -import -v -alias sm -keystore smtrust -storepass smoointabc123 -file smcert.pem

      Note In this example, the trust store file name is smtrust, and its store password is smoointabc123. You will add this information to sm.ini in the next step.

  2. Add the following lines to sm.ini:

    #
    # Certificates
    #
    truststoreFile:<keystore_file>
    truststorePass:<store password for keystore_file>

    For example:

    #
    # Certificates
    #
    truststoreFile:smtrust
    truststorePass:smoointabc123

  3. Restart the Service Manager server so that your configuration takes effect.

To configure SSL for Service Manager to connect to OO 10.x, perform the following steps.

  1. Stop the Service Manager Server service.
  2. Copy oo10-certificate.cer into a directory on the Service Manager server host.

    Note This is the certificate you created when configuring SSL in OO.

  3. Search for the keytool.exe file and append its location to the Path variable in the system environment.
  4. Open a CMD window under %SM_home%\Server\RUN.
  5. Import the OO certificate into the Service Manager trust store file, using the following command:

    keytool.exe -import -alias xxx -file "xxx\oo10-certificate.cer" -keystore smtrust -storepass smoointabc123

  6. Answer Y when prompted. The confirmation message "Certificate was added to keystore" appears.
  7. Verify smtrust was created under <SM_home>\Server\RUN.
  8. Append the following lines to the sm.ini file under the above location:

    # Certificates
    truststoreFile:smtrust
    truststorePass:smoointabc123
  9. Start the Service Manager Server service.
