KBEC-00377 - Enabling HTTPS Secure Callbacks from an ISPW Server to the ElectricFlow Server for the EC-ISPW Plugin

This document describes how to copy the public key of a self-signed CA certificate from the ElectricFlow server and install it into a Compuware ISPW server so that ISPW can make secure HTTPS callbacks to the ElectricFlow server. The ElectricFlow server uses the EC-ISPW plugin to trigger ISPW operations by calling the REST interface of an ISPW server. Several of the available operations are asynchronous: the REST call returns as soon as the operation initiates successfully, and then the ISPW server makes a callback when the operation finishes.

By default, the ElectricFlow EC-ISPW plugin configures these web callbacks to call back to the setProperty REST interface of the ElectricFlow server. When a callback occurs, the ISPW server acts as a REST client to the ElectricFlow server, which means that it needs to supply credentials to log in to ElectricFlow. So that these credentials travel securely across an untrusted network, the ISPW-to-ElectricFlow web requests are made via HTTPS to port 8443 (by default) of the ElectricFlow server.

By default, the ElectricFlow server uses a self-signed certificate for HTTPS on port 8443. So that the ISPW server can open the HTTPS connection to this port, it must have the ElectricFlow server self-signed certificate’s public key installed as a trusted certificate authority.

Checking the ElectricFlow Server Certificate

For this procedure, you will need the password for your ElectricFlow keystore. The default password is abcdef.

1. Go to your ElectricFlow server’s configuration folder.

  • (Windows) By default, this folder is:

C:\ProgramData\Electric Cloud\ElectricCommander\conf

  • (UNIX) By default, this folder is:

/opt/electriccloud/electriccommander/conf

2. Query the contents of the Java keystore file by entering one of the following commands.

  • (Windows) Enter:

"C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -list -v -keystore keystore -keypass passkey

  • (UNIX) Enter:

/opt/electriccloud/electriccommander/jre/bin/keytool -list -v -keystore keystore -keypass passkey

3. Examine the output for lines similar to the following:

Alias name: jetty
Creation date: ??? ??, ????
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=???.??.??.??, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=???.??.??.??, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown

4. Confirm that the certificate chain length is 1 and that all entries on the Owner: and Issuer: lines match.

If either of these is not the case, then your ElectricFlow server is not configured in the standard way with a self-signed certificate. Instead, you must follow the certificate issuer chain to the public root certificate of your certificate authority and export or otherwise obtain it (unless it is a commercial certificate authority that is already trusted by the ISPW server).

5. Confirm that:

  • The CN value from the Owner: line (shown as ???.??.??.?? above) is a valid IP address, hostname, or fully-qualified domain name that the ISPW server can use to reach the ElectricFlow server.

    If this is not the case, you must either provide the ElectricFlow server with a new certificate (see http://docs.electric-cloud.com/eflow_doc/6_2/Install/Mobile/Advanced/Content/Install%20Guide/troubleshooting/5ecCertificates.htm) or modify your network setup to match the value.

  • The CN value from the Owner: line matches the ElectricFlow Administration server setting named Server IP address (which could be either an IP address, a hostname, or a fully-qualified domain name).

    If this is not the case, change the value of Server IP address to match. You can view or change this setting by opening the Automation Platform at https://<ElectricFlow_server>/commander and clicking Administration > Server > Settings.
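
The checks in steps 3 to 5 can be scripted against a saved copy of the keytool listing (the output of step 2 redirected to a file). The following is an added example, not ElectricFlow or Compuware code; the function names, the sample listing, and the host name ef.example.test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Automates steps 3-5 on saved keytool output.

# Constructed sample listing; ef.example.test is a placeholder host name.
sample_listing() {
cat <<'EOF'
Alias name: jetty
Creation date: Oct 10, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ef.example.test, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=ef.example.test, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
EOF
}

# jetty_field NAME < listing: value of the first "NAME: ..." line in the jetty entry.
jetty_field() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                       # tolerate listings saved on Windows
        /^Alias name: / { in_entry = ($0 == "Alias name: jetty") }
        in_entry && index($0, want ": ") == 1 {
            print substr($0, length(want) + 3); exit
        }'
}

# check_listing FILE EXPECTED_HOST
# Prints one line per failed check. Returns 0 if all pass, 1 if any fail,
# 2 if the listing has no jetty entry.
check_listing() {
    len=$(jetty_field "Certificate chain length" < "$1")
    owner=$(jetty_field "Owner" < "$1")
    issuer=$(jetty_field "Issuer" < "$1")
    cn=$(printf '%s\n' "$owner" | sed -n 's/^CN=\([^,]*\).*/\1/p')
    rc=0
    [ -n "$owner" ] || { echo "no jetty entry found"; return 2; }
    [ "$len" = "1" ] || { echo "chain length is '$len', expected 1"; rc=1; }
    [ "$owner" = "$issuer" ] || { echo "Owner and Issuer differ: not self-signed"; rc=1; }
    [ "$cn" = "$2" ] || { echo "CN '$cn' is not the name ISPW will call: '$2'"; rc=1; }
    return $rc
}

# Demo on the constructed sample.
demo=$(mktemp) && sample_listing > "$demo"
check_listing "$demo" ef.example.test && echo "jetty certificate looks as expected"
rm -f "$demo"
```

Pass the name that the ISPW server will actually use for the callback as the second argument, so that a CN mismatch is caught before the certificate is exported.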

Exporting the ElectricFlow Server Certificate Public Key from the Keystore

For this procedure, you will need the password for your ElectricFlow keystore again.

1. Export the ElectricFlow server certificate by entering one of the following commands.

  • (Windows) Enter:

"C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -keystore keystore -keypass passkey -alias jetty -export -rfc -file electricflow.crt -v

  • (UNIX) Enter:

/opt/electriccloud/electriccommander/jre/bin/keytool -keystore keystore -keypass passkey -alias jetty -export -rfc -file electricflow.crt -v

2. Copy the electricflow.crt file to your ISPW server.

Setting up Compuware ISPW for Outbound HTTPS

Compuware's ISPW makes its web callbacks via Compuware Enterprise Services (CES). For outbound HTTPS traffic, CES uses the Java keystore determined by the $JAVA_HOME path. $JAVA_HOME is defined with the other environment variables on the STDENV DD statement of the Job Control Language (JCL). 

The keystore (cacerts) is in the $JAVA_HOME/lib/security directory, and the default password is changeit.

1. On the ISPW server, set your path so you can run the keytool commands by entering:

export PATH=$JAVA_HOME/bin:$PATH

2. Import the certificate public key that you copied from the ElectricFlow server by entering:

keytool -import -alias electricflow -file electricflow.crt -keystore cacerts -storepass changeit

For example, enter:

UVWXYZ0:/Z21F/usr/lpp/java/J8.0_64/lib/security: >keytool -import -alias electricflow -file electricflow.crt -keystore cacerts -storepass changeit

Output similar to the following appears: 

Owner: CN=123.45.67.89, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=123.45.67.89, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 2111e237
Valid from: 10/10/17 6:52 PM until: 10/8/27 6:52 PM
Certificate fingerprints:
         MD5: 55:7D:E6:1C:1F:91:8A:CB:99:A8:C3:76:94:66:BB:E4
         SHA1: 71:D9:F9:AE:41:59:36:81:88:89:95:E4:F2:26:61:16:AC:4B:23:2A
         SHA256: C1:97:4E:A4:9E:FD:43:9A:EA:01:05:D7:9A:4E:71:67:C8:CE:23:A0:BC:18:30:B1:70:CB:FB:44:04:2A:F8:FF
         Signature algorithm name: SHA256withRSA
         Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: f6 45 fe 47 f7 cc 9f e7 81 b9 ce 6c 37 c7 d9 db .E.G.......l7...
0010: 6b dd 9b 62                                        k..b
]
]
Trust this certificate? [no]: yes

3. When you are prompted whether to trust the certificate, reply with yes.

 
