(Optional) Configure two-way SSL between SMSP and Service Manager

If your Service Manager Server is configured to require client certificate validation, you need to configure two-way SSL between the Service Manager Server and Service Manager Service Portal.

Note Third-party or corporate CA-signed certificates should be used in production systems; however, self-signed certificates generated by Service Portal can be used in non-production systems.

Prerequisites

The two-way SSL configuration steps in this section are based on the assumption that the following prerequisites are met.

Service Manager

Two-way SSL is set up in Service Manager:

  • Signed certificates and supporting keys are installed in the Service Manager Server's RUN directory:

    • server.keystore – This keystore file contains the Service Manager server's signed certificate and private key
    • cacerts – This keystore file contains the certificate of the certificate authority that signed the server's certificate
    • trustedclients.keystore – This keystore contains the signed certificates of your Service Manager server's trusted clients
  • The sm.ini file in the Service Manager Server's RUN directory contains the following settings:

    ssl:1
    ssl_reqClientAuth:2
    keystoreFile:<server.keystore>
    keystorePass:<password of server.keystore>
    ssl_trustedClientsJKS:<trustedclients.keystore>
    ssl_trustedClientsPwd:<password of trustedclients.keystore>
    truststoreFile:cacerts
    truststorePass:<password of cacerts, which is changeit by default>
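The following POSIX shell script is an added example (not part of the Service Manager documentation) that checks an sm.ini for the settings listed above before you start the Service Portal side of the configuration. It assumes the key:value syntax shown in the list; the sample files it writes are constructed for demonstration and are not real Service Manager configurations.

```shell
#!/bin/sh
# Added example: verify that an sm.ini carries the two-way SSL settings
# required for client certificate validation. Not Micro Focus code.

# sm_ini_get FILE KEY -> prints the value of KEY (text after the first colon),
# empty when the key is absent. Commented lines and Windows line endings are ignored.
sm_ini_get() {
    tr -d '\r' < "$1" | grep -v '^[[:space:]]*#' \
        | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# check_two_way_ssl FILE -> returns 0 when every required key is present and
# ssl/ssl_reqClientAuth carry the values the prerequisites call for; otherwise
# prints each problem and returns 1.
check_two_way_ssl() {
    ini="$1"
    rc=0
    for key in keystoreFile keystorePass ssl_trustedClientsJKS \
               ssl_trustedClientsPwd truststoreFile truststorePass; do
        if [ -z "$(sm_ini_get "$ini" "$key")" ]; then
            echo "missing setting: $key"
            rc=1
        fi
    done
    [ "$(sm_ini_get "$ini" ssl)" = "1" ] \
        || { echo "ssl must be 1 (SSL is not enabled)"; rc=1; }
    [ "$(sm_ini_get "$ini" ssl_reqClientAuth)" = "2" ] \
        || { echo "ssl_reqClientAuth must be 2 (client certificates are not required)"; rc=1; }
    # The page notes that cacerts ships with the password changeit; flag it but do not fail.
    [ "$(sm_ini_get "$ini" truststorePass)" != "changeit" ] \
        || echo "warning: truststorePass is the default value changeit"
    return $rc
}

# write_samples DIR -> writes two constructed sm.ini files used to demonstrate the check
write_samples() {
    dir="${1:-/tmp}"
    cat > "$dir/sm_good.ini" <<'EOF'
ssl:1
ssl_reqClientAuth:2
keystoreFile:server.keystore
keystorePass:serverpass
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:clientspass
truststoreFile:cacerts
truststorePass:changeit
EOF
    cat > "$dir/sm_bad.ini" <<'EOF'
# constructed: ssl_reqClientAuth is not 2 and the trusted clients keystore is not configured
ssl:1
ssl_reqClientAuth:1
keystoreFile:server.keystore
keystorePass:serverpass
truststoreFile:cacerts
truststorePass:changeit
EOF
}

# Usage: sh check_sm_ini.sh "/opt/Micro Focus/ServiceManager9.xx/Server/RUN/sm.ini"
[ $# -eq 0 ] || check_two_way_ssl "$1"
```

Run it against the live sm.ini before restarting the Service Manager Server; a missing ssl_trustedClientsJKS or an ssl_reqClientAuth other than 2 is the usual reason the Diagnostics tab later reports a connection problem.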

Service Manager Service Portal

You have replaced the Service Manager Service Portal generated SSL certificates with third-party or corporate CA-signed certificates, including a keystore with a private key to be used for the client validation (this keystore is /opt/hp/propel/security/propel_host.pfx by default). For details, see Replace the Service Manager Service Portal generated SSL certificates.

Important In a non-production system, you can use the default Service Manager Service Portal keystore (propel_host.pfx). For a production system, do not change the file name (propel_host.pfx) when replacing this default keystore with your own one.

Configure two-way SSL for Service Manager

To configure two-way SSL for Service Manager, perform the following steps:

Tip If your Service Manager Server and Service Manager Service Portal use the same certificate authority (CA), you only need to perform step 2 below.

  1. Import the Service Portal host’s CA-signed certificate into the Service Manager Server's keystore. The general steps to do this are:

    1. Copy the Service Portal host’s /opt/hp/propel/security/CA.crt file to a temporary directory (<temporary_directory>) on the Service Manager host.
    2. On the Service Manager system, import the CA-signed certificate:

      # keytool -importcert -file <temporary_directory>/CA.crt -alias Propel_CA -trustcacerts -keystore <SUPPLIER-KEYSTORE-PATH>/cacerts

      Where SUPPLIER-KEYSTORE-PATH is the location of the cacerts file on the Service Manager system.

      The default cacerts file locations of Service Manager are:

      • SM on Windows:
        C:\Program Files (x86)\Micro Focus\Service Manager 9.xx\Server\RUN\cacerts
      • SM on Linux:
        /opt/Micro Focus/ServiceManager9.xx/Server/RUN
    3. On the Service Manager system, restart the Service Manager Server service.

  2. Import the Service Portal host’s certificate (/opt/hp/propel/security/propel_host.crt) into the Service Manager Server's trusted clients keystore.

    keytool -keystore <trustedclients.keystore> -importcert -alias somePropelHostAlias -file propel_host.crt
  3. Import Service Manager’s CA certificate into the Service Portal host’s truststore. The general steps to do this are:

    1. Obtain Service Manager's CA certificate, and then copy it to the Service Portal host’s /tmp directory. For an example of obtaining a Service Manager CA certificate, see SSL tips. In the following step, the CA certificate of Service Manager is referred to as SMCA.crt.
    2. On the Service Portal host, import the CA-signed certificate of Service Manager:

      # keytool -importcert -file /tmp/SMCA.crt -alias Supplier_CA -trustcacerts -keystore /opt/hp/propel/security/propel.truststore

      Tip The default password for the Service Portal truststore is "propel2014".

  4. Enable Service Manager Service Portal to send the client certificate.

    1. In the sx.properties file in the /opt/hp/propel/sx/WEB-INF directory, make sure that the skipCertificateValidation property is set to false (this is the default value).

    2. Update the jetty-ssl.xml file.

      Note If you are using the default keystore (propel_host.pfx), ignore this step.

      In the /opt/hp/propel/jetty-sx/etc/jetty-ssl.xml file, set the javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType properties (by replacing the default values) as follows:

      <Call name="setProperty">
          <Arg>javax.net.ssl.keyStore</Arg>
          <Arg>/opt/hp/propel/security/propel_host.pfx</Arg>
      </Call>
      <Call name="setProperty">
          <Arg>javax.net.ssl.keyStorePassword</Arg>
          <Arg>${STORE_PASSWORD}</Arg>
      </Call>
      <Call name="setProperty">
          <Arg>javax.net.ssl.keyStoreType</Arg>
          <Arg>${STORE_TYPE}</Arg>
      </Call>

      In the above code:

      • ${STORE_PASSWORD} is the password of your own propel_host.pfx keystore.
      • ${STORE_TYPE} is the certificate type of the keystore: either jks or pkcs12.
  5. On the Service Portal host, restart the Service Exchange (SX) services:

    # systemctl restart jetty-sx

  6. Launch the Suppliers application in Service Portal, view the Service Manager supplier details, and then click the Diagnostics tab. The status should indicate there are no connection issues.
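Steps 1.2 and 3.2 above both copy a CA certificate through a temporary directory and import it with -trustcacerts, which makes the receiving side trust that CA for every client or server it signs. The following POSIX shell script is an added example (not part of the Service Manager or Service Portal documentation) that wraps those keytool calls so that the import only proceeds after the certificate's SHA-256 fingerprint matches one obtained out of band, and then confirms the alias is present in the keystore. The KEYTOOL variable, the function names and the placeholder paths, aliases and fingerprint are assumptions for illustration.

```shell
#!/bin/sh
# Added example: fingerprint-checked CA import into a keytool keystore.
# Not Micro Focus code; wraps the keytool commands from steps 1.2 and 3.2.

KEYTOOL="${KEYTOOL:-keytool}"   # assumption: override to select a specific JDK's keytool

# normalize_fp FP -> fingerprint in upper case without colons, so that
# "aa:bb:cc" and "AABBCC" compare equal
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# cert_sha256 CERT_FILE -> the SHA-256 fingerprint keytool prints for the certificate
cert_sha256() {
    "$KEYTOOL" -printcert -file "$1" \
        | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# import_trusted_ca CERT_FILE ALIAS KEYSTORE STOREPASS EXPECTED_FP
# Refuses to import when the file's fingerprint differs from the one obtained
# out of band (for example read on the host that issued the CA), so a
# certificate swapped in the temporary directory is never trusted.
import_trusted_ca() {
    cert="$1"; alias="$2"; store="$3"; storepass="$4"; expected="$5"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    actual="$(cert_sha256 "$cert")"
    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
        echo "fingerprint mismatch for $cert: got '$actual', expected '$expected'" >&2
        return 1
    fi
    # -noprompt suppresses keytool's "Trust this certificate?" question; that is
    # acceptable only because the fingerprint was verified above.
    "$KEYTOOL" -importcert -noprompt -trustcacerts -file "$cert" -alias "$alias" \
        -keystore "$store" -storepass "$storepass" || return 1
    # keytool -list exits non-zero when the alias is absent, so this confirms the import
    "$KEYTOOL" -list -keystore "$store" -storepass "$storepass" -alias "$alias" >/dev/null
}

# Example invocation for step 1.2 on the Service Manager host (placeholder values):
#   import_trusted_ca /tmp/CA.crt Propel_CA \
#       "/opt/Micro Focus/ServiceManager9.xx/Server/RUN/cacerts" changeit \
#       "<SHA-256 fingerprint read on the Service Portal host>"
# and for step 3.2 on the Service Portal host:
#   import_trusted_ca /tmp/SMCA.crt Supplier_CA \
#       /opt/hp/propel/security/propel.truststore propel2014 \
#       "<SHA-256 fingerprint read on the Service Manager host>"
```

The fingerprint to compare against comes from running keytool -printcert on the host that owns the CA file, not from the copy in the temporary directory; the script only automates the comparison and the import that follows it.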

SSL tips

If you do not have a copy of the Service Manager CA certificate as a file, you can export it manually from the Service Manager truststore. The following is an example of exporting the CA certificate from the truststore of Service Manager.

Export the CA certificate from the truststore of Service Manager

Use the following command on the Service Manager system to export an SSL certificate from the truststore of Service Manager:

# keytool -exportcert -file <CERT-OUTPUT-FILE> -keystore <SUPPLIER-KEYSTORE-PATH>/cacerts -alias <SUPPLIER-ALIAS>

Where:

  • CERT-OUTPUT-FILE is the output file that will contain the exported certificate.
  • SUPPLIER-KEYSTORE-PATH is the location of the cacerts file on the Service Manager system.
  • SUPPLIER-ALIAS is the alias used in the truststore of Service Manager to identify the certificate of Service Manager.

Tip Next, you need to configure shopping, ticketing, Knowledge Management (KM), and hot news so that users can order catalog items, submit support requests, perform KM searches, and so on. For details, see Configure shopping, ticketing, Knowledge Management, hot news, Change approval, and search.