
Configure ALM Application Server to support SSL/TLS


This post was written by Paul Adrian Utiu, from the PCLR CPE Team, and Eyal Rosner, System Architect, Performance Center R&D.

Securing access to an ALM Application Server (Jetty): Example

This procedure describes how to configure secure access to an ALM application server (Jetty) using a certificate signed by a Certificate Authority (CA). It is a best practice to avoid using self-signed certificates in production, and instead use certificates signed by trusted Certificate Authorities.

Below is a step-by-step guide on how to achieve this.

Applies to Product Version: ALM 11.5x, 12.x

OS: Windows, Linux 

Basic Steps:

  1. Create a server certificate in Java keystore format.
  2. Change the Jetty configuration to use this keystore.
  3. Test the secure connection works (you can login to ALM using the https protocol).
  4. Obfuscate passwords in Jetty (recommended).
  5. Close any non-secure connections or redirect http to https.

 

Step 1: Create a server certificate using a Certificate Authority (CA)

Jetty expects the server certificate to be in Java keystore (JKS) format.

Option 1: Convert a PKCS#12 certificate provided by your Certificate Authority

  1. Request a server certificate from your CA, issued to the fully qualified domain name of your server (<myserver.mydomain>).
  2. Export the private key protected with a password of at least six characters (<mypass>). You will need this password in the following steps.
  3. Convert the certificate from PFX/PKCS#12 to JKS format:

        keytool.exe -importkeystore -srckeystore <mycertificate> -destkeystore <mykeystore> -srcstoretype PKCS12

        Note: When prompted for a password, enter your password <mypass> each time.

  4. Import the CA root certificate into the keystore just created, as in the following example.

     - Download the CA root (and any intermediate CA) certificate in BASE-64 format (<cacert>).

     - Import the CA root (and any intermediate CA) certificate into the keystore:

        keytool -import -trustcacerts -keystore <mykeystore> -storepass <mypass> -alias <rootCA> -file <root CA certificate>

        keytool -import -trustcacerts -keystore <mykeystore> -storepass <mypass> -alias <IntermediateCA> -file <Intermediate CA certificate>

  5. Verify that the keystore contains at least two entries: Trusted Cert Entry and Private Key Entry.

           keytool -list -keystore <mykeystore>

You now have a server certificate in <mykeystore>. Both the keystore and the private key are password protected with <mypass>. You can use a different password for the private key and the keystore (in this example we are using the same password).

 

Option 2: Manually create a keystore in JKS format

Some Certificate Authorities will sign a certificate request file that you produce yourself (e.g. using the keytool command).

  1. Generate a keystore with a private key.

        keytool -genkeypair -validity 1065 -keysize 2048 -keyalg rsa -sigalg SHA256withRSA -keystore <mykeystore> -storepass <mypass> -alias <myserver.mydomain>

 

        c:\Program Files\\ALM\ALM\java\bin>keytool -genkeypair -validity 1065 -keysize 2048 -keyalg rsa -sigalg SHA256withRSA -keystore keystore -storepass mercury -alias almserver
        What is your first and last name?
          [Unknown]:  alm.domain.com
        What is the name of your organizational unit?
          [Unknown]:  OUName
        What is the name of your organization?
          [Unknown]:  OName
        What is the name of your City or Locality?
          [Unknown]:  CityName
        What is the name of your State or Province?
          [Unknown]:  StateName
        What is the two-letter country code for this unit?
          [Unknown]:  CountryCode
        Is CN=alm.domain.com, OU=OuName, O=OName, L= CityName, ST= StateName, C=CountryCode correct?
          [no]:  yes

        Enter key password for <almserver>
                (RETURN if same as keystore password):
        Re-enter new password:

        c:\Program Files\\ALM\ALM\java\bin>keytool -list -keystore keystore
        Enter keystore password:

        Keystore type: JKS
        Keystore provider: SUN

        Your keystore contains 1 entry

        almserver, May 20, 2016, PrivateKeyEntry,
        Certificate fingerprint (SHA1): DD:A2:40:84:18:86:61:91:F2:36:41:52:60:54:00:37:24:A4:C5:D7

 

Note: As of today, the recommended signature hash is SHA-256 and the recommended key size is 2048 bits.

 

 2. Generate a server certificate request to have it signed by your Certificate Authority.

             keytool -keystore <mykeystore> -storepass <mypass> -alias <myserver.mydomain> -certreq -file CERTREQFILE.csr 

        c:\Program Files\\ALM\ALM\java\bin>keytool -keystore keystore -storepass mercury -alias almserver -certreq -file CERTREQFILE.csr

                               

 3. Send the certificate request (CSR) to the CA to have it signed.

 4. Once the certificate has been signed, download the <signed server certificate> from your Certificate Authority. 

 5. Obtain the root authority certificate (and any intermediate authority certificates, if applicable). 

a. Double-click on the signed certificate.

b. Go to Certification Path.

c. Select Root CA.

d. Click on View Certificate.

e. Go to Details tab.

f. Click on Copy to File.

g. Repeat the above steps for any intermediate CA in the chain.

 

 6. Import the authority certificate(s) obtained in the previous step (the root certificate and any intermediate authority certificates, if applicable) into the keystore created in step 1 of this procedure.

keytool -import -trustcacerts -keystore <mykeystore> -storepass <mypass> -alias <rootCA> -file <root CA certificate>

keytool -import -trustcacerts -keystore <mykeystore> -storepass <mypass> -alias <IntermediateCA> -file <Intermediate CA certificate>

keytool -import -trustcacerts -keystore <mykeystore> -storepass <mypass> -alias <IssuingCA> -file <Issuing CA certificate>

 

NOTE: If you have not done this for each CA certificate (root and all intermediate), you will see the following error during the next step of importing the signed server certificate:

keytool error: java.lang.Exception: Failed to establish chain from reply

  

        c:\Program Files\\ALM\ALM\java\bin>keytool -import -trustcacerts -keystore keystore -storepass mercury -alias rootCA -file rootCA.cer

        Owner: CN=CA, DC=security, DC=domain, DC=com
        Issuer: CN=CA, DC=security, DC=domain, DC=com
        Serial number: 1a4cdd86c675dfa146222023c11a8a67
        Valid from: Thu May 19 16:16:13 BST 2016 until: Tue May 19 16:26:12 BST 2026
        Certificate fingerprints:
                 MD5:  F9:D9:2E:10:00:09:C1:9B:8F:2E:4B:F4:B9:1E:98:0B
                 SHA1: D4:E2:4B:0E:E4:C6:E9:46:E6:74:50:50:08:8E:E9:C8:11:BC:6A:14
                 SHA256: 1E:E4:B3:0B:67:65:01:CF:6A:E1:11:4A:DC:D6:06:75:30:8A:1F:B6:ED:88:9F:94:5F:09:BD:7A:73:DA:AC:BF
                 Signature algorithm name: SHA256withRSA
                 Version: 3

        Extensions:

        #1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
        0000: 1E 04 00 43 00 41                                  ...C.A

        #2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
        0000: 02 01 00                                           ...

        #3: ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]

        #4: ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          DigitalSignature
          Key_CertSign
          Crl_Sign
        ]

        #5: ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 94 B3 1B F2 37 44 64 D0   71 9D 78 7C E1 FD 97 3B  ....7Dd.q.x....;
        0010: BE E1 30 9E                                        ..0.
        ]
        ]

        Trust this certificate? [no]:  yes
        Certificate was added to keystore

           

               

Import any intermediate and issuing authority certificates if applicable. Here are the extra commands if the CA provided the certificates “IntermediateCA” and “IssuingCA”:

        c:\Program Files\\ALM\ALM\java\bin>keytool -import -trustcacerts -keystore keystore -storepass mercury -alias IntermediateCA -file IntermediateCA.cer

        c:\Program Files\\ALM\ALM\java\bin>keytool -import -trustcacerts -keystore keystore -storepass mercury -alias IssuingCA -file IssuingCA.cer

                               

 7. Import the signed certificate into your keystore under the same alias that was used when creating the private key.

keytool -import -v -alias <myserver.mydomain> -file <signed server certificate> -keystore <mykeystore> -keypass <mypass> -storepass <mypass>

 

NOTE: You should see “Certificate reply was installed in keystore”. The keystore file will now be significantly larger.

 

        c:\Program Files\\ALM\ALM\java\bin>keytool -import -trustcacerts -keystore keystore -storepass mercury -alias almserver -file SignedServerCertificate.cer
        Certificate reply was installed in keystore

 

                               

8. Verify that the keystore contains at least two entries: Trusted Cert Entry and Private Key Entry. There might be additional entries if there are more CAs in the certificate chain.

keytool -list -keystore <mykeystore>

 

Trusted Cert Entry (root CA)

Trusted Cert Entry (Intermediate CA)

Trusted Cert Entry (Issuing CA)

Private key Entry

 

                               

        c:\Program Files\\ALM\ALM\java\bin>keytool -list -keystore keystore
        Enter keystore password:

        Keystore type: JKS
        Keystore provider: SUN

        Your keystore contains 2 entries

        rootca, May 20, 2016, trustedCertEntry,
        Certificate fingerprint (SHA1): D4:E2:4B:0E:E4:C6:E9:46:E6:74:50:50:08:8E:E9:C7:11:BC:6B:14
        almserver, May 20, 2016, PrivateKeyEntry,
        Certificate fingerprint (SHA1): 9D:4D:31:3C:72:1F:BF:0C:05:55:05:10:41:FB:21:4E:33:5B:4B:CF

                               

 

9. Look at the details of the PrivateKeyEntry. Issuer and Owner must now be different: the Issuer should be your Certificate Authority (Issuing CA). If you see the same name for the Issuer and the Owner, your certificate is still self-signed and you need to review the steps above for getting the certificate signed properly.

keytool -list -v -alias <myserver.mydomain> -keystore <mykeystore>

  

Step 2: Change the Jetty configuration 

  1. Navigate to the <ALM Deployment Folder>\server\conf directory and make a backup of the jetty-ssl.xml file and the keystore file located in this directory.
  2. Copy your keystore file to this directory and rename it keystore.
  3. Open the jetty-ssl.xml file, search for "password", and change every password to your private key and keystore passwords accordingly.
  4. Save jetty-ssl.xml.
  5. Edit start.ini and uncomment these lines:

        jetty-ssl.xml
        jetty-https.xml (only for ALM 12.20 and later)

6. Save start.ini and restart the ALM service.

7. Check the wrapper.log for errors related to the keystore. If it works, you should see:

        INFO   | jvm 1    | 2016/05/20 10:25:52.040 | 2016-05-20 10:25:51.991:INFO:oejs.ServerConnector:WrapperSimpleAppMain: Started ServerConnector@535042d7{SSL-http/1.1}{0.0.0.0:8443}
        INFO   | jvm 1    | 2016/05/20 10:25:52.040 | 2016-05-20 10:25:51.992:INFO:oejs.Server:WrapperSimpleAppMain: Started @90570ms
        INFO   | jvm 1    | 2016/05/20 10:25:52.040 | Server is ready! (Boot time 88 seconds)

                                   

Step 3: Test the secure connection works 

Verify that you can log in to ALM over the https protocol.
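A quick way to run this test from a client machine, and to apply the Owner-versus-Issuer check from step 9 of Option 2 to what the server actually presents, is the following added Python example. It is not part of the original post and not ALM or Jetty code; it uses only the Python standard library. The host name alm.domain.com, the port 8443 (the port the wrapper.log line in Step 2 reports) and the two sample certificate dictionaries are constructed for illustration.

```python
"""Added example: check the HTTPS endpoint of an ALM (Jetty) server the way a client sees it.

check_cert() applies the procedure's own acceptance criteria to a certificate in the
dictionary format returned by ssl.SSLSocket.getpeercert(); probe() fetches that
dictionary from a live server. Only the standard library is used.
"""
import socket
import ssl
import time


def rdn_to_dict(rdn_sequence):
    """Flatten the nested tuples getpeercert() uses for 'subject' and 'issuer'."""
    flat = {}
    for rdn in rdn_sequence:
        for attr_type, value in rdn:
            flat[attr_type] = value
    return flat


def is_self_signed(cert):
    """Step 9 of Option 2: Owner (subject) and Issuer must differ once the CA reply is installed."""
    return rdn_to_dict(cert["subject"]) == rdn_to_dict(cert["issuer"])


def names_in_cert(cert):
    """DNS names the certificate is valid for: subjectAltName entries plus the subject CN."""
    names = {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    common_name = rdn_to_dict(cert["subject"]).get("commonName")
    if common_name:
        names.add(common_name.lower())
    return names


def check_cert(cert, hostname, now=None):
    """Return a list of problems; an empty list means the certificate satisfies the procedure."""
    now = time.time() if now is None else now
    problems = []
    if is_self_signed(cert):
        problems.append("issuer equals owner: the certificate is still self-signed")
    if hostname.lower() not in names_in_cert(cert):
        problems.append("certificate is not issued to " + hostname)
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate has expired")
    return problems


def probe(hostname, port=8443, timeout=5.0):
    """Connect with the system trust store, as a browser would, and return (tls_version, problems)."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.version(), check_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        # The chain did not validate against this machine's trust store: typically an
        # intermediate missing from the keystore, or a CA this client does not trust.
        return None, ["chain not trusted by this client: " + str(exc.verify_message)]


# Constructed sample data (not taken from a real server), in getpeercert() format.
SAMPLE_NOW = ssl.cert_time_to_seconds("May 20 10:00:00 2016 GMT")
SAMPLE_SIGNED_CERT = {
    "subject": ((("commonName", "alm.domain.com"),),),
    "issuer": ((("commonName", "CA"),), (("domainComponent", "security"),)),
    "subjectAltName": (("DNS", "alm.domain.com"),),
    "notAfter": "May 19 16:26:12 2026 GMT",
}
SAMPLE_SELF_SIGNED_CERT = {
    "subject": ((("commonName", "alm.domain.com"),),),
    "issuer": ((("commonName", "alm.domain.com"),),),
    "notAfter": "Apr 19 10:00:00 2019 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "alm.domain.com"  # assumed host name
    version, problems = probe(host)
    print("TLS version:", version)
    print("problems:", problems or "none")
```

Run it as `python check_alm_tls.py <myserver.mydomain>` from a workstation that trusts your CA. A `chain not trusted` result with a certificate that looks fine in keytool usually means an intermediate CA certificate was not imported into the keystore in step 6, so Jetty cannot send the full chain.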

 

Step 4: Obfuscate passwords in Jetty (recommended)

If you use different passwords for the keystore and the private key, repeat this step for each password and replace each one accordingly.

 

  1. For ALM/QC versions earlier than ALM 12.20:

- Run the following command:

        <JAVA_HOME>\java -cp "<DEPLOYMENT_HOME>\server\lib\*" org.eclipse.jetty.http.security.Password <password>

  2. For ALM versions starting with ALM 12.20:

     - Determine the version of Jetty that you are using:

       a. Locate the <DEPLOYMENT_HOME>\server\lib\jetty-util-<your-jetty-version>.jar file.

       b. <your-jetty-version> is the version of Jetty you are using.

     - Run the following commands (Windows command prompt; in a Linux shell, export JETTY_VERSION and reference it as $JETTY_VERSION):

        set JETTY_VERSION=<your-jetty-version>
        <JAVA_HOME>\java -cp <DEPLOYMENT_HOME>\server\lib\jetty-util-%JETTY_VERSION%.jar org.eclipse.jetty.util.security.Password <password>

     For example, run the following command:

        "C:\Program Files\\ALM\ALM\java\jre\bin\java.exe" -cp C:\ProgramData\\ALM\server\lib\jetty-util-9.1.4.v20140401.jar org.eclipse.jetty.util.security.Password changeit

3. Replace the plain-text password in the jetty-ssl.xml file with the obfuscated value, including its OBF: prefix.

4. Restart the ALM service. 

        c:\Program Files\\ALM\ALM\java\bin>"C:\Program Files\\ALM\ALM\java\jre\bin\java.exe" -cp C:\ProgramData\\ALM\server\lib\jetty-util-9.1.4.v20140401.jar org.eclipse.jetty.util.security.Password mercury

        2016-05-20 10:07:22.850:INFO::main: Logging initialized @369ms
        mercury
        OBF:1ylv1vn61yt81san1yte1vnw1ymj
        MD5:abe10f7e5afbbb3a79ce619739541149
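The OBF value above is obfuscation, not encryption: Jetty's own Password class turns it back into the plain password, so it only hides the password from a casual glance at jetty-ssl.xml, and the keystore, the configuration file and the wrapper log still need to be protected by file permissions. The following is an added Python re-implementation of Jetty's OBF scheme, written for this page (it is not Jetty's code and not part of the original post); it reproduces the OBF:1ylv1vn61yt81san1yte1vnw1ymj value shown above for mercury and reverses it. The MD5 line mirrors what the tool prints and is a plain unsalted digest.

```python
"""Added example: Jetty's OBF password obfuscation, re-implemented in Python for illustration.

Each byte of the password is combined with its mirror byte from the other end of the
string and written as a zero-padded base-36 number, so the result is reversible by anyone
who can read jetty-ssl.xml. This is a re-implementation for this page, not Jetty's code.
"""
import hashlib

OBF_PREFIX = "OBF:"
BASE36_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def to_base36(number):
    """Lower-case base-36 rendering, matching Java's Integer.toString(n, 36)."""
    if number == 0:
        return "0"
    digits = []
    while number:
        number, remainder = divmod(number, 36)
        digits.append(BASE36_DIGITS[remainder])
    return "".join(reversed(digits))


def obfuscate(password):
    """Return the OBF:... form Jetty's Password tool prints for a plain-text password."""
    data = password.encode("utf-8")
    length = len(data)
    chunks = [OBF_PREFIX]
    for index, b1 in enumerate(data):
        b2 = data[length - 1 - index]  # the byte mirrored from the other end
        if b1 >= 0x80 or b2 >= 0x80:
            # Non-ASCII bytes (negative as Java bytes): 'U' marker + base-36 of b1*256+b2.
            chunks.append("U" + to_base36(b1 * 256 + b2).zfill(4))
        else:
            high = 127 + b1 + b2
            low = 127 + b1 - b2
            chunks.append(to_base36(high * 256 + low).zfill(4))
    return "".join(chunks)


def deobfuscate(value):
    """Recover the plain-text password from an OBF:... string (with or without the prefix)."""
    if value.startswith(OBF_PREFIX):
        value = value[len(OBF_PREFIX):]
    data = bytearray()
    position = 0
    while position < len(value):
        if value[position] == "U":
            number = int(value[position + 1:position + 5], 36)
            data.append((number >> 8) & 0xFF)  # the high byte is the original b1
            position += 5
        else:
            number = int(value[position:position + 4], 36)
            high, low = divmod(number, 256)
            # high + low == 254 + 2*b1, so this isolates the original byte.
            data.append((high + low - 254) // 2)
            position += 4
    return data.decode("utf-8")


def password_report(password):
    """The three lines Jetty's Password tool prints: plain text, OBF form, and an unsalted MD5."""
    return {
        "plain": password,
        "obf": obfuscate(password),
        "md5": "MD5:" + hashlib.md5(password.encode("utf-8")).hexdigest(),
    }


if __name__ == "__main__":
    report = password_report("mercury")  # the password used in the post's example
    for line in report.values():
        print(line)
    print("recovered:", deobfuscate(report["obf"]))
```

Because the transformation is reversible, treat an OBF: value in jetty-ssl.xml with the same care as the plain password: restrict read access to the service account, and keep the file out of tickets, screenshots and version control.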

                                               

Step 5: Close any non-secure connections or redirect http to https 

To close non-secure connections, comment out the “addConnector” section for port 8080 in jetty.xml.

 

Hope you have found this blog beneficial, see additional related blogs:

How to configure Performance Center Server to support SSL

How to configure Performance Center Host to support SSL

 

Interested in more information about LoadRunner, Performance Center or StormRunner? Visit the LoadRunner, Performance Center or StormRunner forums to find information, submit questions and collaborate with peers.

 

For more information about Performance Center, visit the Performance Center Help Center.

 

 
