Enable HTTPS with Certificates Stored in an External Security Manager

You can manually configure CA CSM to use HTTPS instead of HTTP for user access, with the digital certificates stored in an external security manager such as CA Top Secret for z/OS, CA ACF2 for z/OS, or IBM RACF.

Follow these steps:

  1. Generate a digital certificate for Apache Tomcat, and attach it to a SAF key ring using the appropriate procedure for your external security manager.

    We recommend that you generate the certificate using the RSA algorithm. The recommended certificate alias is tomcat.

  2. Configure Apache Tomcat:
    1. Stop the Apache Tomcat server.
    2. Go to tomcat/conf and open the server.xml file.
    3. Uncomment or replace the part with the SSL connector, as follows:
      <!-- Define an SSL HTTP/1.1 Connector on port 30308 -->
         <Connector port="30308" maxHttpHeaderSize="8192"
                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                enableLookups="false" disableUploadTimeout="true"
                SSLEnabled="true"
                algorithm="IbmX509"
                acceptCount="100" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS" 
                sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
                keystoreType="JCERACFKS"
                keystoreFile="safkeyring://KEY_RING_OWNER/KEY_RING_NAME"
                sslImplementationName="com.ca.sslsocket.CASSLImplementation" />
      
    4. Change the port parameter to fit your needs.
    5. Change the keystoreFile parameter so that it describes the SAF key ring containing the certificate:
      1. Replace KEY_RING_OWNER with the ID of the user that will run the Apache Tomcat server. The user must have READ authority for that key ring.
      2. Replace KEY_RING_NAME with the name of the key ring.

      Example: keystoreFile="safkeyring://MSMSERV/CSMKEYRING"

    6. If your site uses the IBM Integrated Cryptographic Services Facility (ICSF) to manage digital certificates in the external security manager, change the keystoreType parameter to a value of JCECCARACFKS.
    7. If you want to force Apache Tomcat to always use HTTPS for incoming connections, configure HTTPS to override HTTP.
  3. Start the Apache Tomcat server.

    Note: When the Apache Tomcat server is starting up, the following message may appear in the output:

    WARNING: configured file: ./path/safkeyring://KEY_RING_OWNER/KEY_RING_NAME. does not exist.
    

    You can ignore this message.

  4. Enable your browser to use TLS encryption, and restart the browser.
  5. Access the HTTPS URL.

    Note: When you access the HTTPS URL from your browser for the first time, you may be prompted to confirm that you trust the certificate.

  6. Click Yes to add this certificate to your trusted certificates.

Note: For more information, see the documentation for the Apache Tomcat 7.0 Servlet/JSP Container.
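
The following check is an added example, not part of the CA CSM documentation or product. It parses a server.xml and verifies the HTTPS connector settings from the procedure above (scheme and secure, keystoreType, and a safkeyring:// URL with the placeholders replaced), and it also reports enabled protocol versions that RFC 7568 and RFC 8996 deprecate. The function names, the second connector on port 30309, and the inline sample are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAF_TYPES = {"JCERACFKS", "JCECCARACFKS"}        # keystoreType values named on this page
PLACEHOLDERS = {"KEY_RING_OWNER", "KEY_RING_NAME"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}           # deprecated by RFC 7568 / RFC 8996
RING_URL = re.compile(r"^safkeyring://([^/\s]+)/([^/\s]+)$")

def audit_connector(attrs):
    """Return findings for one HTTPS <Connector>; an empty list means it passed."""
    findings = []
    if attrs.get("scheme") != "https" or attrs.get("secure") != "true":
        findings.append("scheme/secure must be https/true")
    if attrs.get("keystoreType") not in SAF_TYPES:
        findings.append("keystoreType is not a SAF key ring type")
    m = RING_URL.match(attrs.get("keystoreFile", ""))
    if not m:
        findings.append("keystoreFile is not safkeyring://OWNER/RING")
    elif PLACEHOLDERS & set(m.groups()):
        findings.append("keystoreFile still contains a placeholder")
    enabled = {p.strip() for p in attrs.get("sslEnabledProtocols", "").split(",")}
    for proto in sorted(enabled & LEGACY):
        findings.append("legacy protocol enabled: " + proto)
    return findings

def audit_server_xml(xml_text):
    """Map port -> findings for every Connector with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c.attrib)
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"}

# Constructed sample: the page's connector with its placeholders left in
# (port 30308) and an edited copy (port 30309, hypothetical) that uses the
# page's example key ring and only TLSv1.2.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="30308" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreType="JCERACFKS"
             keystoreFile="safkeyring://KEY_RING_OWNER/KEY_RING_NAME" />
  <Connector port="30309" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.2" keystoreType="JCECCARACFKS"
             keystoreFile="safkeyring://MSMSERV/CSMKEYRING" />
</Service></Server>"""

if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE).items():
        print(port, findings or "OK")
```

To check a real installation, pass the contents of tomcat/conf/server.xml to audit_server_xml instead of SAMPLE.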