SSL for 9.31 (596 Views)
Trusted Contributor
hpsmsupport
Posts: 289
Registered: ‎01-25-2011
Message 1 of 10 (596 Views)

SSL for 9.31

Hi Experts,

I am facing difficulties in implementing SSL for Service Manager 9.31 using the attached document.

I get stuck at 'Task 2: Set up the Service Manager server - 4. Import the signed certificate into the server keystore by running the command '

When I execute the below command as per the above point

keytool -import -trustcacerts -alias myserver -keystore ./servercert.keystore -file smserver_cert.pem

Error message:

ver -keystore ./servercert.keystore -file smserver_cert.pem
Enter keystore password:
Enter key password for <myserver>
keytool error: java.lang.Exception: Failed to establish chain from reply

JDK 1.7

Win32OpenSSL-1_0_1e

Your help will be greatly appreciated.

Thanks in advance,

Regards,

Madhan
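
Added example, not part of any post in this thread: keytool reports "Failed to establish chain from reply" when it cannot link the signed certificate to a CA certificate it already trusts (in the target keystore, or in cacerts when -trustcacerts is given). The script below runs that check, plus a key-match check, with openssl before the import; it builds throwaway CAs and a server certificate so it runs offline, and every file and subject name in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run before `keytool -import`
# of a CA reply. Assumes openssl on PATH; all names below are constructed.

# Succeeds only if the certificate in $2 verifies against the CA in $1.
reply_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if certificate $1 carries the public key of private key $2;
# keytool also rejects a reply whose key differs from the alias's key pair.
reply_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Build two throwaway CAs and a server certificate signed by the first one.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=smserver.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.pem" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) && make_demo_pki "$tmp" || return 1
    reply_chains_to_ca "$tmp/ca.pem" "$tmp/server.pem" &&
        echo "OK: reply chains to Demo Root CA (import ca.pem first, then the reply)"
    reply_chains_to_ca "$tmp/other.pem" "$tmp/server.pem" ||
        echo "FAIL: reply does not chain to Unrelated CA"
    reply_matches_key "$tmp/server.pem" "$tmp/server.key" &&
        echo "OK: reply matches the server private key"
    rm -rf "$tmp"
}
demo
```
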

 

Honored Contributor
DimitarPeychev
Posts: 290
Registered: ‎11-01-2011
Message 2 of 10 (589 Views)

Re: SSL for 9.31

Hi,

Most probably you have this issue:

http://support.openview.hp.com/selfsolve/document/KM1394675

So please try to delete the cacerts file from <JAVA_HOME>/lib/security folder and then execute tso_srv_svlt.bat file.  This will result in successful creation of the Service Manager (SM) server side SSL certificates.

I hope it is helpful

Best regards

Dimitar

HP Support
If you find that this or any post resolved your issue, please be sure
to mark it as an accepted solution.
Please also give kudo if you find it interesting :)
Trusted Contributor
hpsmsupport
Posts: 289
Registered: ‎01-25-2011
Message 3 of 10 (567 Views)

Re: SSL for 9.31

Thanks for your help Dimitar,

I replaced 'myserver' with FQDN then it got executed, but not able to achieve end result.

When I open http://localhost:8080/sm/ess.do, I am getting an error msg as contact your administrator.

As per the document I installed OpenSSL from below link but that application remains untouched since no steps are mentioned in the document.

http://www.slproweb.com/products/Win32OpenSSL.html

I am not sure if I am following the right path for configuring SSL.

Regards,

Madhan

Valued Contributor
tomkool007
Posts: 248
Registered: ‎01-19-2012
Message 4 of 10 (549 Views)

Re: SSL for 9.31

I always follow dirty guide steps

Please find the dirty guide check all the steps...

http://h30499.www3.hp.com/t5/HP-Service-Manager-Service/SSO-Dirty-Guide/m-p/4649194/highlight/true#M...

Best Regards,
Tom
HP Expert
viprom
Posts: 321
Registered: ‎11-09-2011
Message 5 of 10 (543 Views)

Re: SSL for 9.31

Hi Madhan,

Here is some more info about:

@ Certificates generation:

Download BTO_Cert_Gen_v1.0_2012-12-18.zip to deploy the BTO_Cert_Gen_v1.0 SSL
certificates generator to create all the necessary SSL certificates for the SM server, Eclipse and
Web client, Tomcat web app server, Apache web server, etc.

Use the documentation of the BTO_Cert_Gen_v1.0 certificates generator on how to generate
all the SSL certificates.

Run the certificates generator once for the SM server.

This will create a batch of certificates for all SM server components, in folder <FQDN_SMserverA>
(SM).

@ Certificates distribution:

Once the certificates have been created, they need to be distributed to their respective program
locations so that they can be used.

Copy the following files to the SM server ..\RUN folder:
- <FQDN_SMserverA> (SM)\cacerts,
- <FQDN_SMserverA> (SM)\<FQDN_SMserverA>_BTOSERVER_DSA/RSA.keystore,
- <FQDN_SMserverA> (SM)\trustedclients.keystore

Copy the following files to the SM Eclipse client ..\plugins\com.hp.ov.sm.client.common_9.3x.xxx
\certs folder (folder ..\certs needs to be created):
- <FQDN_SMserverA> (SM)\cacerts,
- <FQDN_SMserverA> (SM)\<FQDN_eclipseClientA>_BTOCLIENT_DSA/RSA.keystore,

Copy the following files to each deployed SM Web client instance's ..\WEB-INF folder:
- <FQDN_SMserverA> (SM)\cacerts,
- <FQDN_SMserverA> (SM)\<FQDN_webClientA>_BTOCLIENT_DSA/RSA.keystore,

Copy the following files to the TomcatA \conf\certs folder (folder ..\certs needs to be created):
- <FQDN_SMserverA> (SM)\<FQDN_SMserverA>_BTOSERVER_DSA/RSA.keystore,

Copy the following files to the ApacheA \conf\certs folder (folder ..\certs needs to be created):
- <FQDN_SMserverA> (SM)\<FQDN_SMserverA>_Apache_web_DSA/RSA.crt,
- <FQDN_SMserverA> (SM)\<FQDN_SMserverA>_Apache_web_DSA/RSA.key,

@ Certificates import:

Once all the certificates are in their proper place, the certificates need also to be imported into
the various appropriate Windows certificates stores so that the browsers on the SM server
and the client machines recognize the server addresses as trusted locations.

Import the following certificates into the following Windows stores:

SMserver

- Trusted Root Certification Authorities
- <FQDN_SMserverA> (SM)\mycacert_DSA/RSA.pem,

- Intermediate Certificates Authorities
- <FQDN_SMserverA> (SM)\<FQDN_SMserverA>_BTOservercert_DSA/RSA.pem,
- <FQDN_SMserverA> (SM)\<FQDN_SMserverA>_Apache_web_DSA/RSA.crt
 
@ SSL configuration:

Set the following values in the sm.ini in the ..\RUN folder to enable the server SSL configuration
part:

## SSL General parameters
#all ssl, ssl_ClientAuth and trustedsignon moved to the sm.cfg !!
## SSL Servlet parameters
keystoreFile:<FQDN_SMserver>_BTOSERVER_DSA/RSA.keystore,
keystorePass:serverkeystore
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients
truststoreFile:cacerts
truststorePass:changeit

@ LW-SSO configuration:

Set the following values in the lwssofmconf.xml in the ..\RUN folder to enable the server LW-SSO
configuration part:

LWSSO enableLWSSOFramework="true"
enableCookieCreation="true" cookieCreationType="LWSSO" />

<domain>DomainA</domain>

<crypto cipherType="symmetricBlockCipher" engineName="AES"
paddingModeName="CBC" keySize="256" encodingMode="Base64Url"
initString="BTOSecretPassString">
</crypto>
 
In addition, you may want to check the document below:
Enabling Service Manager Clients to Use a Shared Certificate for Trusted Sign-On
http://support.openview.hp.com/selfsolve/document/KM00352631

Hope this helps.

-----
If you find this or other posts helpful, please do not forget to click the Kudo Star or to mark it as a Solution if you are the owner of the thread. Thanks :)
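
Added example, not part of the post above and not HP tooling: the sm.ini fragment uses name:value lines, and the passwords shown in it are now published on a public forum (changeit is also the stock Java cacerts password). The script below, which assumes the keystores sit beside sm.ini in the RUN folder as the post describes, reports referenced keystore files that are missing and password parameters still set to those published values; the sample file names and the replacement password are constructed.

```shell
#!/bin/sh
# Added example (not from the post): audit the SSL parameters of an sm.ini.
# Print the value of parameter $2 in file $1 ("name:value" lines, "#" comments).
ini_value() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, ":"); if (i == 0) next
          name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
          if (name != k) next
          v = substr($0, i + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
          print v; exit }' "$1"
}

# Print findings for the sm.ini at $1; return 1 if there are any.
audit_sm_ini() {
    ini=$1; run_dir=$(dirname "$ini"); rc=0
    for key in keystoreFile ssl_trustedClientsJKS truststoreFile; do
        file=$(ini_value "$ini" "$key")
        if [ -z "$file" ]; then echo "MISSING  $key is not set"; rc=1
        elif [ ! -f "$run_dir/$file" ]; then
            echo "NOFILE   $key=$file not found in $run_dir"; rc=1
        fi
    done
    for key in keystorePass ssl_trustedClientsPwd truststorePass; do
        case $(ini_value "$ini" "$key") in
            "") echo "MISSING  $key is not set"; rc=1 ;;
            serverkeystore|trustedclients|changeit)
                echo "WEAKPASS $key is a password published in the thread"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample RUN folder: one keystore missing, two published passwords.
demo() {
    run=$(mktemp -d)
    touch "$run/smserver.example.test_BTOSERVER_RSA.keystore" "$run/cacerts"
    cat > "$run/sm.ini" <<'EOF'
keystoreFile:smserver.example.test_BTOSERVER_RSA.keystore
keystorePass:serverkeystore
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:constructed-sample-value
truststoreFile:cacerts
truststorePass:changeit
EOF
    audit_sm_ini "$run/sm.ini" && status=0 || status=1
    rm -rf "$run"; return $status
}
demo || echo "fix the findings above before enabling SSL"
```
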
Trusted Contributor
hpsmsupport
Posts: 289
Registered: ‎01-25-2011
Message 6 of 10 (497 Views)

Re: SSL for 9.31

Hi All,

Thanks for your help.

I am using Dirty Guide to configure SSO for SM, I succeeded in doing for Webclient now while doing for Web I am stuck at below point

http://h30499.www3.hp.com/hpeb/attachments/hpeb/itrc-695/43320/1/359137.txt

go to the \conf directory of the Tomcat installation folder, and open the jk2.properties file in a text editor. At the end of the file add the following line :

request.tomcatAuthentication=false,

I do not see jk2.properties file under conf folder for Tomcat 7

I am using

SM 9.32.0016

Built 9.32.0016

Apache Tomcat 7           64bit

Apache server 2.4         64bit

Windows Server 8            64bit

Please let me know as what to do next.

Thanks in advance,

Regards,

Madhan

 

Advisor
Chosavarapu
Posts: 28
Registered: ‎10-15-2008
Message 7 of 10 (491 Views)

Re: SSL for 9.31

Hello Madhan,

I faced the same issue sometime back when I used jdk7. I downgraded my jdk to jdk6 and was successful in configuring using the dirty guide.

So please check downgrading your jdk6.

I find rest of the steps you mentioned in your posts are same as I followed.

Regards,

Chosavarapu.

Trusted Contributor
hpsmsupport
Posts: 289
Registered: ‎01-25-2011
Message 8 of 10 (476 Views)

Re: SSL for 9.31

Hi Chosavarapu,

Thanks for your help,

HP has recommended to use JDK 7 and above for 9.32 so if I downgrade it to 6 then there would be performance issue.

After getting connected to SM windows client.

  5644(  3812) 09/16/2013 10:06:32 JRTE I SSL connection accepted

Below are the configuration setting which I have done in web server

1. Copy the cacerts and smclient.keystore files to the WEB-INF folder of the Service Manager Web Application Server.

2. In web.xml, below details are provided:

<init-param>
<param-name>serverHost</param-name>
<param-value>servername.domainname.com</param-value>
</init-param>
<init-param>
<param-name>ssl</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>keystore</param-name>
<param-value>enter path to smclient.keystore here</param-value>
</init-param>

Specify the password for the client's private keystore

<init-param>
<param-name> keystorePassword</param-name>
<param-value>enter keystore password here</param-value>
</init-param>
<context-param>
<param-name>isCustomAuthenticationUsed</param-name>
<param-value>false</param-value>
</context-param>

Getting below error:

HTTP Status 404 - /SMsso/index.do

--------------------------------------------------------------------------------

type Status report

message /SMsso/index.do

description The requested resource is not available.

I am not able to connect to 13080 port from windows client.

The requested resource is not available.

After this configuration, I should be able to open this page right?

Attaching sm.cfg and sm.ini file

Trusted Contributor
hpsmsupport
Posts: 289
Registered: ‎01-25-2011
Message 9 of 10 (461 Views)

Re: SSL for 9.31

Hi Experts,

Can you please help us on this please.

Regards,

Madhan

Trusted Contributor
hpsmsupport
Posts: 289
Registered: ‎01-25-2011
Message 10 of 10 (383 Views)

Re: SSL for 9.31

Hi Experts,

I managed to configure SSO on production but still facing problem when user logs into SM with SSO.

When user logs through SSO then menu and couple of things do not show up as mentioned in the logs but if I login with username & password to SM then everything is seen.

Below are the errors found in Apache logs

Tue Nov 05 18:04:22 2013] [notice] Server built: Dec 10 2008 00:10:06
[Tue Nov 05 18:04:22 2013] [notice] Parent: Created child process 3172
[Tue Nov 05 18:04:23 2013] [warn] Useless use of AllowOverride in line 489 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/httpd.conf.
[Tue Nov 05 18:04:23 2013] [warn] Useless use of AllowOverride in line 90 of E:/Program Files/Apache Software Foundation/Tomcat 7.0/conf/mod_jk.conf.
[Tue Nov 05 18:04:23 2013] [warn] Useless use of AllowOverride in line 105 of E:/Program Files/Apache Software Foundation/Tomcat 7.0/conf/mod_jk.conf.
[Tue Nov 05 18:04:24 2013] [warn] Useless use of AllowOverride in line 489 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/httpd.conf.
[Tue Nov 05 18:04:24 2013] [warn] Useless use of AllowOverride in line 90 of E:/Program Files/Apache Software Foundation/Tomcat 7.0/conf/mod_jk.conf.
[Tue Nov 05 18:04:24 2013] [warn] Useless use of AllowOverride in line 105 of E:/Program Files/Apache Software Foundation/Tomcat 7.0/conf/mod_jk.conf.
[Tue Nov 05 18:04:24 2013] [notice] Child 3172: Child process is running
[Tue Nov 05 18:04:24 2013] [notice] Child 3172: Acquired the start mutex.
[Tue Nov 05 18:04:24 2013] [notice] Child 3172: Starting 64 worker threads.
[Tue Nov 05 18:04:24 2013] [notice] Child 3172: Starting thread to listen on port 80.
[Tue Nov 05 18:05:57 2013] [error] [client 10.13.10.62] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/css/cwc, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
[Tue Nov 05 18:05:57 2013] [error] [client 10.13.10.62] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/css/cwc, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
[Tue Nov 05 18:06:02 2013] [error] [client 10.13.10.62] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/cwc/nav.menu, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
[Tue Nov 05 18:10:00 2013] [error] [client 10.13.10.62] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/css/cwc, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
[Tue Nov 05 18:10:00 2013] [error] [client 10.13.10.62] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/css/cwc, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
[Tue Nov 05 18:10:09 2013] [error] [client 10.13.10.62] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/cwc/nav.menu, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
[Tue Nov 05 18:12:24 2013] [error] [client 10.13.10.210] File does not exist: C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/favicon.ico
[Tue Nov 05 18:12:35 2013] [error] [client 10.13.10.210] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/css/cwc, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
[Tue Nov 05 18:12:35 2013] [error] [client 10.13.10.210] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/css/cwc, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
[Tue Nov 05 18:12:53 2013] [error] [client 10.13.10.210] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/cwc/nav.menu, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
[Tue Nov 05 18:16:34 2013] [error] [client 10.13.10.62] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/css/cwc, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
[Tue Nov 05 18:16:34 2013] [error] [client 10.13.10.62] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/css/cwc, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
[Tue Nov 05 18:16:43 2013] [error] [client 10.13.10.62] File does not exist: E:/Program Files/Apache Software Foundation/Tomcat 7.0/webapps/SM/cwc/nav.menu, referer: http://mumvikhhpsm.godrejinds.com/SM/ess.do
