How to enable CA PPM to communicate via HTTPS
Please note beforehand that these instructions are for a non-clustered CA PPM setup. For a load-balanced implementation, enabling SSL is much simpler; see the "Additional Information" section.
Generating a Keystore
1. Log in to the server that hosts CA PPM
2. Navigate to the directory in which you would like your private key to be placed. For example: "C:\ppm15101"
3. Run a command such as this to generate a keystore: "keytool -genkey -keystore C:\ppm15101\keystore.jks -keyalg RSA -storepass changeit"
a. Note that "keystore.jks" is the name of the keystore and "changeit" is its password. Use a stronger password when you run this command, and do not forget it: it is needed in later steps
4. Several prompts will ask you to fill in the server and organization details. Have this information handy before you run the command in step 3. The certification authority can provide all the necessary details, so check with them if you cannot answer all the prompts in the first go. When prompted for "first and last name", enter the complete (fully qualified) name of the server.
a. Note that the server name should not contain "http://" or "https://"
Generating a certificate request
5. Run a command such as this to generate a certificate request: "keytool -certreq -keystore C:\ppm15101\keystore.jks -keyalg RSA -file myRequest0.cer"
a. Send this file to the Certification Authority to obtain a certificate for your server
Importing Certificates into the keystore
6. Make sure that you have these certificates ready before you start importing into the keystore:
a. Server certificate
b. Intermediate certificate
c. Root certificate
(Check with the Certification Authority for Root and Intermediate certificates)
7. Run a command such as this one to import the root certificate (replacing the keystore name, path, certificate name and path etc.): "keytool -import -keystore C:\ppm15101\keystore.jks -keyalg RSA -file root.cer -trustcacerts -alias root"
8. To import the intermediate certificate: "keytool -import -keystore C:\ppm15101\keystore.jks -keyalg RSA -file intermediate.cer -trustcacerts -alias intermediate"
9. Finally, import the server certificate: "keytool -import -keystore C:\ppm15101\keystore.jks -keyalg RSA -file server.cer -trustcacerts -alias server"
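As an added check that is not part of the original article: after step 9, run "keytool -keystore C:\ppm15101\keystore.jks -list -v" and feed its output to the script below. It confirms that the single private-key entry (keytool's default alias "mykey" when step 3 is run without -alias, which is an assumption here) carries the full certificate chain rather than the self-signed certificate created in step 3, that the leaf CN matches the host you will enter as "HTTPS Entry URL", and that nothing in the chain expires within 30 days. The two listings, the host name and the dates are constructed samples.

```python
import re
from datetime import datetime, timedelta
# Constructed "keytool -list -v" output (only the lines read below) for a keystore built as in steps 3-9.
GOOD = """Alias name: mykey
Entry type: PrivateKeyEntry
Owner: CN=ppmserver.example.com, OU=PPM, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Valid from: Mon Jan 04 10:00:00 EST 2016 until: Wed Jan 03 10:00:00 EST 2018
Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Valid from: Fri Jan 02 10:00:00 EST 2015 until: Sat Jan 02 10:00:00 EST 2021
Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Valid from: Thu Jan 01 10:00:00 EST 2015 until: Tue Jan 01 10:00:00 EST 2030
"""
# Constructed listing where the CA reply went under a new alias: "mykey" still holds its 90-day self-signed cert.
BAD = """Alias name: mykey
Entry type: PrivateKeyEntry
Owner: CN=ppmserver.example.com, OU=PPM, O=Example Corp, C=US
Issuer: CN=ppmserver.example.com, OU=PPM, O=Example Corp, C=US
Valid from: Mon Jan 04 10:00:00 EST 2016 until: Sun Apr 03 10:00:00 EST 2016
"""
def parse_listing(text):
    """Map alias -> (entry type, [(owner DN, issuer DN, not-after datetime), ...])."""
    entries = {}
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias, body = block.split("\n", 1)
        etype = re.search(r"^Entry type: (\S+)", body, re.M).group(1)
        # "until: Wed Jan 03 10:00:00 EST 2018": the zone token is dropped because strptime's %Z is not portable
        untils = [datetime.strptime(d + " " + y, "%a %b %d %H:%M:%S %Y") for d, y in
                  re.findall(r"until: (\w{3} \w{3} \d\d \d\d:\d\d:\d\d) \w+ (\d{4})", body)]
        chain = list(zip(re.findall(r"^Owner: (.*)$", body, re.M),
                         re.findall(r"^Issuer: (.*)$", body, re.M), untils))
        entries[alias.strip()] = (etype, chain)
    return entries
def check_keystore(text, host, on_date, min_days=30):
    """Return the problems found as of on_date (YYYY-MM-DD); an empty list means the keystore is ready for the CSA."""
    keys = {a: c for a, (t, c) in parse_listing(text).items() if t == "PrivateKeyEntry"}
    if len(keys) != 1:
        return ["expected exactly one PrivateKeyEntry, found %d" % len(keys)]
    (alias, chain), problems = keys.popitem(), []
    leaf_owner, leaf_issuer, _ = chain[0]
    if len(chain) == 1 and leaf_owner == leaf_issuer:
        problems.append("'%s' still holds its self-signed certificate: import the CA reply under this alias" % alias)
    cn = re.search(r"CN=([^,]+)", leaf_owner)
    if not cn or cn.group(1).strip().lower() != host.lower():
        problems.append("leaf CN %r does not match the HTTPS Entry URL host %r" % (cn and cn.group(1), host))
    today = datetime.strptime(on_date, "%Y-%m-%d")
    problems += ["%s expires %s" % (o, u.date()) for o, _, u in chain if u - today < timedelta(days=min_days)]
    return problems
```

Run check_keystore(open("listing.txt").read(), "servername.organization.com", "2016-02-01") on the real listing; fix every reported problem before entering the keystore path in the CSA.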
Making Changes in the CSA
10. Navigate to the "Security" tab in the CSA
11. Provide the fully qualified path of your keystore in the "SSL Keystore" field
12. Provide and confirm the keystore password in the "SSL Password" and "Confirm Password" fields respectively
13. Now navigate to the "Application" tab
14. Change "SSL Handling" to "Support both HTTP and HTTPS without switching"
15. Check the "HTTPS Enabled" field under the "Application Instance: app" section
16. Change "HTTPS Port" to the number allotted to the CA PPM application (this is organization dependent). For example, the port number could be 8043
17. Change "HTTPS Entry URL" to the exact server name that was provided during keystore generation in step 3
18. Restart the Application service
19. Once you have verified that HTTPS is working by navigating to the site over HTTPS (use the right port number and URL; for example, "https://servername.organization.com:8043/"), change "SSL Handling" to "Support only HTTPS" and restart the Application service again
Additional Information
- In a load-balanced setup, the certificate has to be installed on the load balancer and not on the CA PPM application servers. Once that is done, change "SSL Handling" to "SSL is used but processed externally" under the "Application" tab.
- If you imported a certificate by mistake and want to delete it, a command such as this can be used: "keytool -keystore c:\ppm15101\keystore.jks -alias root -delete"
- Another very useful command lists all the certificates in a keystore: "keytool -keystore c:\ppm15101\keystore.jks -list"; to turn verbose output on, use "keytool -keystore c:\ppm15101\keystore.jks -list -v"
- Finally, the paths mentioned here are for a Windows operating system. Change them to the Linux path convention if the application runs on that operating system. Everything other than the paths remains the same.
Note: You may also wish to take a look at our documentation: Manage Security, SSL, LDAP, and SSO