The following error appears when trying to attach files to a ticket in CA Service Desk Manager using IIS with SSL:
"Unable to connect make sure servlet server is correct and Tomcat is up and running."
The SSL certificates used by IIS and Tomcat are different.
The SSL certificate in IIS and Tomcat must be the same.
Follow the steps below to export the certificate from IIS and configure it in Tomcat:
1. Export the certificate from IIS
IIS 7, 8 and 8.5
- On the Start menu click Run and then type 'mmc'
- Click File > Add/Remove Snap-in
- Click Certificates > Add
- Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
- Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
- Right-click the certificate you want to back up and select All Tasks > Export.
- Choose Yes, export the private key and include all certificates in certificate path if possible.
- Warning: Do not select the delete private key option.
- Leave the default settings and then enter your password if required.
- Choose to save the file and then click Finish. You should receive an "export successful" message. The .pfx file is now saved to the location you selected.
- Open IIS Management Console
- Go to Start –> Administrative Tools –> Internet Information Services (IIS) Manager
- Navigate to the site which contains the SSL certificate you want to export
- Right-click the site and choose Properties
- Go to the Directory Security Tab and press the Server Certificate button
- Click ‘next’ on the welcome screen
- Select the option ‘Export the current certificate to a .pfx file’
- Select a name and location and click next
- Type in the password for the file and keep it safe
- Click OK
- Close out of the wizard.
2. Configure TOMCAT to use the exported SSL certificate:
Make a copy of the file NXROOT\bopcfg\www\CATALINA_BASE\conf\server.xml and then open the file using a text editor.
Locate the following line:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
Change it as follows:
NOTE: Be sure to remove the <!-- and --> tags that currently comment out the HTTPS/SSL connector for Tomcat, and set the appropriate path and password for the SSL certificate.
<Connector SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" clientAuth="false" keystoreFile="C:\keystore\sdm.pfx" keystorePass="YOURPASSWORD" keystoreType="PKCS12" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
keystoreFile="C:\keystore\sdm.pfx" - should match the location of the exported IIS SSL certificate
keystorePass="YOURPASSWORD" - the password set for the exported SSL certificate
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" - this attribute prevents the error described in TEC1197111.
keystoreType="PKCS12" - this allows Tomcat to read the SSL certificate exported from IIS, which is a PKCS#12 (.pfx) file.
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" - this attribute prevents a vulnerability described in TEC1250834.
3. Repeat the same steps on all CA SDM application/secondary servers.
4. Restart CA SDM services
5. Configure CA SDM to use the SSL server URL via ADMINISTRATION TAB->SYSTEM->SERVERS
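Before restarting services, the Connector edited in step 2 can be checked for the mistakes this procedure invites. The script below is an added example, not part of the CA documentation: the function name lint_connector and the sample Connector are constructed for illustration. It goes slightly beyond the page by also reporting protocol versions that RFC 7568 and RFC 8996 deprecate.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# RFC 7568 deprecates SSLv3; RFC 8996 deprecates TLS 1.0 and TLS 1.1.
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: a Connector with a wrapped cipher name, a keystoreType
# that does not match the .pfx file, and the placeholder password left in.
SAMPLE = r'''<Server><Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
 secure="true" clientAuth="false" sslProtocol="TLS" keystoreType="JKS"
 keystoreFile="C:\keystore\sdm.pfx" keystorePass="YOURPASSWORD"
 ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WI TH_AES_128_CBC_SHA256"
 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
</Service></Server>'''


def lint_connector(server_xml):
    """Return findings for each SSLEnabled Connector in server.xml text."""
    findings, seen = [], 0
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        seen += 1
        port = conn.get("port", "?")
        # Cipher suite names never contain whitespace; a space inside one
        # means the name was mangled and cannot match a real suite.
        for suite in conn.get("ciphers", "").split(","):
            if any(ch.isspace() for ch in suite.strip()):
                findings.append(f"port {port}: mangled cipher name {suite.strip()!r}")
        # A .pfx/.p12 export needs keystoreType=PKCS12 (Tomcat's documented default is JKS).
        store = conn.get("keystoreFile", "")
        ktype = conn.get("keystoreType", "JKS")
        is_p12 = PureWindowsPath(store).suffix.lower() in (".pfx", ".p12")
        if is_p12 and ktype.upper() != "PKCS12":
            findings.append(f"port {port}: {store} is PKCS#12 but keystoreType is {ktype}")
        if conn.get("keystorePass") in (None, "", "YOURPASSWORD"):
            findings.append(f"port {port}: keystorePass missing or still the placeholder")
        protos = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")}
        old = sorted(protos & DEPRECATED)
        if old:
            findings.append(f"port {port}: deprecated protocols enabled: {', '.join(old)}")
    if not seen:  # XML comments are skipped by the parser
        findings.append("no SSLEnabled Connector found (still inside <!-- -->?)")
    return findings


if __name__ == "__main__":
    for finding in lint_connector(SAMPLE):
        print(finding)
```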
How to configure SDM with SSL when using IIS with SSL?