Accessing SM over HTTPS

Hi Experts,


Currently I am accessing SM using the URL http://<host-name>:8080/sm/


I have a requirement to change it to HTTPS, like https://<host-name>:8080/sm/


Can anyone please tell me how to achieve this requirement?


Thanks in Advance.

  • Hi,

    For this you have to deploy SSL on the web server of SM.
    It is easy, but you have to buy a certificate signed by an authorized company like VeriSign, GeoTrust, etc. to make it trustworthy. Otherwise https will be struck out in the browser.

    Check the online help server and the forum; you will find numerous threads with detailed descriptions of the same.

  • Hi,


    I found the related thread, which is below.


    Can anyone please tell me how to create the keystore? (Please explain point 1, "Creating a Keystore file using Java".)



    To configure a secure connection between web browsers – used by end users – and HP Service Manager web tier on the web server “Apache Tomcat” using https protocol you can do the following steps in a simple way:

    1. Creating a Keystore file using Java:

     Open cmd and go to the bin folder of your JVM – you can get the path from the Tomcat configure wizard as follows:
    o Run the following command
    § keytool -genkey -alias tomcat -keyalg RSA
    § Enter a password for the keystore file – here it is "password"
    § Optionally, you can enter the following fields for org unit, org, City, State, Country Code then yes before finally entering the same password again.

    o Now a keystore file should be created on your user home directory. On Windows in this example, it will be on: “C:\Users\username\.keystore”

    2. Configure Apache Tomcat web server to connect using secure protocol https – Apache 7 is used in this example:

    o Open “server.xml” file from this path “C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\conf”.
    o Go to this part in the file:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />

    o Uncomment this part and modify it to be as follows:
    <Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
    disableUploadTimeout="true" enableLookups="false" maxThreads="25"
    port="8443" keystoreFile="C:\Users\username\.keystore" keystorePass="password"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS" />
    o Note that you should change the keystore path and password
    o Save the file and exit

    3. Configure SM web tier to connect using https protocol

    o Open “web.xml” file from this path “C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\webapps\hpsm\WEB-INF”.
    o Search for “securelogin” parameter and change it from false to true.

    And now finally you can access HP Service Manager through https protocol in secure way using the following path yourSMAppServer:8443/.../
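
Added example (not part of the original posts or of HP's documentation): a small Python check that reads a Tomcat server.xml and reports where the connector from the steps above was left at its example values, or where plain HTTP is still served next to the new HTTPS port. The sample file, the issue labels and the function name audit_connectors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Tomcat's stock HTTP connector plus the HTTPS connector
# as posted above (example keystore path and password left in place).
SAMPLE_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
      disableUploadTimeout="true" enableLookups="false" maxThreads="25"
      port="8443" keystoreFile="C:\Users\username\.keystore" keystorePass="password"
      protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
      secure="true" sslProtocol="TLS" />
  </Service>
</Server>"""

# "changeit" is the password Tomcat assumes when keystorePass is omitted.
PLACEHOLDER_PASSWORDS = {"", "password", "changeit"}


def audit_connectors(server_xml):
    """Return (port, issue) pairs for each <Connector> in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # AJP is not browser-facing; out of scope for this check
        if conn.get("SSLEnabled", "false").lower() != "true":
            # Users can still reach the login page without TLS on this port.
            findings.append((port, "plain-http-still-enabled"))
            continue
        if conn.get("keystorePass", "changeit") in PLACEHOLDER_PASSWORDS:
            findings.append((port, "placeholder-keystore-password"))
        if "\\users\\username\\" in conn.get("keystoreFile", "").lower():
            findings.append((port, "example-keystore-path"))
        if not conn.get("sslEnabledProtocols"):
            # sslProtocol="TLS" alone does not pin which TLS versions are offered.
            findings.append((port, "tls-versions-left-to-jvm-default"))
    return findings


if __name__ == "__main__":
    for port, issue in audit_connectors(SAMPLE_SERVER_XML):
        print(f"connector {port}: {issue}")
```

To check a real installation, pass the contents of conf\server.xml to audit_connectors() instead of the sample string.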


  • Hi,


    Use the steps below; this will only enable SSL for web users, not between SM and the web tier.

    Download the OpenSSL utility; this folder contains the necessary files for the same, no need to install.



    From one of the KM docs,

    As an example, the following describes how to create signed server and client certificates using the OpenSSL toolkit as a private certificate authority. This example also uses the keytool utility available with the Sun Microsystems™ standard Java Development Kit (version 1.4 or later).


    • You must have the following software installed on a machine (on which you will create signed certificates for the Service Manager server and clients):

    o OpenSSL: can be downloaded from

    o JDK 1.4 or later: Can be downloaded from

    • You need to add the bin folders of your JDK and OpenSSL to the PATH environment variable definition of the machine, so that you do not need to change directories to the bin folders before running openssl or keytool commands:

    o OpenSSL bin folder: <InstallDir>\OpenSSL-Win32\bin

    o JDK bin folder: <InstallDir>\Java\jdk1.x.x_xx\bin



    • The following procedures will prompt you to enter several passwords multiple times. Using the same password over and over is not best practice in production, however if you are performing the procedures for test purposes, you are recommended to enter the same password at each prompt to avoid any confusion about which password you are being asked for. Also be aware that nothing displays on the screen when you are entering pass phrases.

    • Whenever asked to confirm whether to trust the current certificate, type y and press ENTER (the default response is no). If you just press ENTER, the certificate will not be trusted and you will have to start over.


    Task 1: Create a root CA

    Note: The following steps use the JDK bin folder as the working directory, in which you will create the certificates and keystore files. If you wish, you can create your own working directory and run the commands from there.

    1. Open the operating system’s command prompt, and change directory to the JDK bin folder.

    2. Create the private key for your private certificate authority by running the command:

    openssl genrsa -des3 -out cakey.pem 2048

    When prompted, enter a pass phrase you want to use to protect your certificate authority's private key file (cakey.pem). For example, CAKeyPassword. You must use the same password phrase each time you sign a certificate request with your private certificate authority. You will be asked to enter this pass phrase later many times again.

    3. Export the public key as the self-signed root CA certificate by running the command:

    openssl req -new -key cakey.pem -x509 -days 1095 -out mycacert.pem

    a. When prompted, enter the pass phrase you selected for cakey.pem.



    b. Enter other required information. When asked for a Common Name, enter the fully-qualified domain name of the machine on which you are creating the root CA.

    4. Import your private certificate authority's certificate into the Java cacerts file that you will publish to the rest of your network. It is very important that the cacerts file in the <JAVA_HOME>\lib\security folder is updated to include the root CA information.

    a. Make a backup copy of the cacerts file in the <JAVA_HOME>\lib\security\ folder, and copy this file to the <JDK_home>\bin folder.

    b. Run the following command:

    keytool -import -keystore ./cacerts -trustcacerts -file mycacert.pem -storepass changeit

    When prompted, type: y to trust the root CA’s certificate.

    The root CA certificate is added to the Java cacerts file.

    c. Copy the updated Java cacerts file to the <JAVA_HOME>\lib\security\ folder.


    Task 2: Set up the Service Manager web tier

    This task is to configure the web tier to connect to the Service Manager server using the Service Manager trusted sign-on protocol.

    The following steps assume that your Service Manager web tier is deployed on Tomcat.

    1. Stop the web application server running the Service Manager web tier.

    2. Go to the <JDK_home>\bin folder, copy the CA keystore file cacerts and web tier client keystore file clientcerts.keystore to the webapps\<Service Manager web tier>\WEB-INF folder of the Tomcat installation.

    3. Edit <Tomcat>\webapps\<Service Manager web tier>\WEB-INF\web.xml.

    a. Configure the Service Manager web tier to use the client certificate you have just created.

    You have to specify three parameters as shown below:

    • the location of the CA keystore file created previously

    • the location of the web tier client keystore just created

    • the password for the web tier client keystore

    <!-- Specify the CA certificate store to use in encrypted communication -->


    <!-- If this value is empty, the JDK's default jre/lib/security/cacerts file is used -->

    <!-- If this is a relative path, it will be relative to the web application's deploy directory but still needs a leading slash -->




    <!-- Specify the client's private keystore to use in encrypted communication. This is necessary for client authentication when using single sign-on, but not for a standard SSL connection. -->

    <!-- If this is a relative path, it will be relative to the web application's deploy directory but still needs a leading slash -->







    <!-- Specify the password for the client's private keystore -->



    <param-value><client keystore password></param-value>


    b. Make sure the server FQDN name is placed instead of ‘localhost’.

    <!-- Specify the HP Service Manager server host and port location -->



    <param-value><Service Manager server host name (FQDN)></param-value>


    c. Make sure ssl is set to true.

    <!-- Control the encryption of network communication between the application server and the HP Service Manager server -->





    d. For using trusted sign on, set the value of the isCustomAuthenticationUsed parameter to false, in order for Service Manager to send the current user name in the HTTP header. If set to false without trusted sign-on, web client users will not be able to log in to the system.





    e. Enable drill from BAC to Service Manager.

    Set the following in case an error message (cracking attempt) comes up while drilling to Service Manager from the EMS monitor.





    4. Restart Tomcat.

    When the configuration is complete and the Tomcat container has been restarted, the Service Manager web tier is enabled to use trusted sign-on when communicating with the Service Manager server.

    Note: If you start a web browser from your desktop and start the web client, it will still display the log-in panel.



  • The SSL certificate for our web tier server has expired and needs to be renewed, as the tool has stopped working from the web browser. Can someone guide me on how to renew it?

  • Ciao Rahul,
    I suggest you contact your middleware team. You need to generate new ones (probably your company has a procedure for that) and the procedure to deploy them is not related to SM itself... it's handled by your web server: Apache, IIS or any other you are using. Moreover, I think an auto-generated vs. expired certificate makes no difference; it's usually possible to keep accessing the tool after accepting the security warning the browser gives you.