Enabling SDM to ITPAM Communications When ITPAM is SSL Enabled

Products

CA Service Management - Service Desk Manager CA Service Desk Manager CA Process Automation Base

Issue/Introduction

Accessing ITPAM from Service Desk is done via the Administrator tab and under Service Desk->Change Order->Categories and then selecting a category such as Add.it.other. One the Category, select the Workflow tab, select Edit and click on the ITPAM button.

Without enabling communication between Service Desk and SSL ITPAM, the following error is returned:

"There is a problem accessing CA IT PAM Workflow - please try again or contact the administrator. Details: ; nested exception is: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)"

In the SDM Server's jstd.log, this message may also appear:

java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

Environment

Service Desk Manager 14.1 and 17.x and up

All Supported version of IT Process Automation (ITPAM)

Cause

This error is caused because the trust between the Service Desk and ITPAM has not been created.

Resolution

When ITPAM is configured for SSL, you must configure the primary and secondary Service Desk Manager servers to communicate with ITPAM.

To enable communications when ITPAM is SSL enabled, perform the following steps:

1. Verify that you can access and use ITPAM via a web browser, without launching Service Desk Manager. Record the ITPAM URL and use it for reference when you configure the CA IT PAM Workflow options in Service Desk Manager Options Manager.

2. Ensure both Service Desk servers and ITPAM servers alike are running the same release of Java Run time (JRE). For further details on updating JRE on the Service Desk installation, please review the documentation link under "Additional Information"

3. Log in to Service Desk Manager as an Administrator user and install or modify the CA IT PAM Workflow options in Options Manager. For each of the following options, use the syntax https://server:8443 instead of http://server:8080 for reaching the SSL enabled ITPAM application.

However, if the ITPAM installation uses another port instead of the 8443 SSL port, specify the appropriate port number.

- caextwf_endpoint
- caextwf_processdisplay_url
- caextwf_worklist_url

Note: If the values do not match the actual ITPAM installation values, Service Desk Manager cannot communicate with ITPAM and a runtime error occurs.

Verify that the values match the actual ITPAM installation values because the ITPAM installer might have selected a different port instead of port 8443.

4. On the ITPAM server, locate the KEYSTOREID entry in the following file:

ITPAM\server\c2o\.config\OasisConfig.properties

5. Copy the KEYSTOREID for potential use later on.

6. On the ITPAM server, issue the following keytool command as one line on the command line:

C:\Progra~1\ca\sc\jre\1.6.0_24\bin\keytool.exe -keystore C:\Progra~1\ITPAM\server\c2o\.config\c2okeystore -export -alias ITPAM -file itpam.cer

itpam.web.keystorealias=
Default: ITPAM
Note: In earlier versions of ITPAM, the default was c2o-j

The keytool utility prompts you for a password.

7. Type the ITPAM certificate password that was given to you by your certificate authority.

The keytool utility uses the final parameter (-file itpam.cer) to create a file named itpam.cer. The itapm.cer file contains the necessary certificate information for communication with Service Desk Manager.

8. Copy the itpam.cer file to one of the following locations on the Service Desk Manager Primary or Background server (NX_ROOT is the install directory for Service Desk Manager):

(Windows) %NX_ROOT%\bin
(UNIX) $NX_ROOT/bin

9. It is recommended to backup the existing NX.KEYSTORE file located in the NX_ROOT\pdmconf directory on the SDM Server(s)

10. Check the NX_ROOT\bin folder on the Service Desk server(s) for any existing ITPAM certificates since you cannot have multiple aliases with the same name. You can use the following command to list any certificates already present in the Keystore:

pdm_perl %NX_ROOT%\bin\pdm_keystore_mgr.pl -list

If any old ITPAM certificates exist, you will need to remove them by running the following command:

pdm_perl %NX_ROOT%\bin\pdm_keystore_mgr.pl -delete <ITPAM Certificate Alias>

11. Import the updated/new ITPAM certificate information into Service Desk Manager by entering the following command:

Windows - pdm_perl %NX_ROOT%\bin\pdm_keystore_mgr.pl -import %NX_ROOT%\bin\itpam.cer
UNIX- pdm_perl $NX_ROOT/bin/pdm_keystore_mgr.pl -import $NX_ROOT/bin itpam.cer

The pdm_keystore_mgr.pl script generates the keystore file in the following locations:

Windows - %NX_ROOT%\pdmconf\nx.keystore
UNIX - $NX_ROOT/pdmconf/nx.keystore

12. If your Service Desk Manager architecture includes secondary servers or is Advanced Availability, go over each app or secondary server and take a backup of the existing nx.keystore file present under NX_ROOT\pdmconf directory as well as the NX.env file. Backup these files away to a separate location. Copy in the nx.keystore from the Primary or BG Server to the secondary servers or App Servers (match the same folder location as "pdmconf" folder)

Note: Manually moving the nx.keystore across to each secondary servers or App Servers is necessary to allow the secondary servers or App Servers to be able to talk to the PAM Server.

13. Restart the CA Service Desk Manager service on the BG/Primary server, then restart services on the constituent app / secondary servers if applicable.

Service Desk Manager can now communicate with the SSL enabled ITPAM application.