Administration Guide

Configuring a PAS for OpenEdge instance for SSL/TLS

Essentially, configuring a PAS for OpenEdge instance for SSL/TLS involves updating the default Tomcat keystore file in your PAS for OpenEdge instance with the information from an SSL/TLS certificate obtained from a Certificate Authority (CA).
Note: You will need the password that you used when you ran PKIUTIL to create a public key certificate request file (MyCert.pk10 in the example procedure described in the Obtaining a certificate from a Certificate Authority topic).
To update a PAS for OpenEdge keystore:
1. Make a backup copy of the default Tomcat keystore file located in your PAS for OpenEdge instance's /conf directory.
For example:
proenv> cd C:\MyInstance\conf
proenv> copy tomcat-keystore.p12 tomcat-keystore.p12.original
2. From the instance's /conf directory, use the sslc command to export the information from the PEM file to the Tomcat keystore.
Note: The sslc.exe executable is an OpenSSL (https://www.openssl.org/) command-line utility that is included in OpenEdge_install_dir/bin.
For example:
proenv> cd C:\MyInstance\conf
proenv> sslc pkcs12 -export -in C:\Progress\OpenEdge\keys\V.pem -out tomcat-keystore.p12 -name mysslprivkey
Avoid using upper-case letters in the name specified after the -name parameter. The sslc command automatically converts the name to lower-case in the alias entry (Alias name: mysslprivkey) in the keystore. Using upper-case letters could cause a mismatch when you update the /conf/catalina.properties file. See Step 5 below.
3. When prompted, enter the password you used when you created the keystore (i.e. the .pk1 file). See Obtaining a certificate from a Certificate Authority.
4. Use the sslc command to verify what is now in the Tomcat keystore.
For example:
sslc pkcs12 -info -in ./tomcat-keystore.p12
5. Edit the instance's /conf/catalina.properties file to set the psc.as.https.keypass and psc.as.https.keyalias properties in the JSSE keystore section.
For example:
# JSSE keystore used by server.xml for its server key & certificates
psc.as.https.keypass=your_password
psc.as.https.keyalias=mysslprivkey
psc.as.https.storeType=PKCS12
Important: The value for psc.as.https.keyalias must match the value generated by sslc, which is always expressed in lower-case letters.
6. Restart the instance and test.
You can restart the instance using the TCMAN stop and start actions. Once the instance has restarted, test the connection and authentication configurations from a browser.
Note: You may need to import the CA certificate to the browser.
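The alias mismatch that Steps 2 and 5 warn about can be caught before the restart in Step 6. The following check is an added example, not part of the Progress documentation or tooling: it compares psc.as.https.keyalias in catalina.properties against the friendlyName entries reported by sslc pkcs12 -info. The function names and both sample inputs are constructed for illustration, and the properties parser is a simplified one that assumes plain key=value lines.

```python
import re

# Constructed sample: catalina.properties with a mixed-case alias (the mismatch case).
SAMPLE_PROPERTIES = """\
# JSSE keystore used by server.xml for its server key & certificates
psc.as.https.keypass=your_password
psc.as.https.keyalias=MySSLPrivKey
psc.as.https.storeType=PKCS12
"""
# Constructed sample: the attribute lines of interest from "sslc pkcs12 -info" output.
SAMPLE_PKCS12_INFO = """\
Bag Attributes
    friendlyName: mysslprivkey
    localKeyID: 01 02 03 04
"""
REQUIRED = ("psc.as.https.keypass", "psc.as.https.keyalias", "psc.as.https.storeType")

def parse_properties(text):
    """Simplified parser: key=value lines only, '#' or '!' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def keystore_aliases(pkcs12_info):
    """Collect every friendlyName (alias) reported for the keystore."""
    return {a.strip() for a in re.findall(r"^\s*friendlyName:\s*(.+)$", pkcs12_info, re.M)}

def check_keystore_config(properties_text, pkcs12_info):
    """Return a list of problems; the keypass value is never echoed."""
    props = parse_properties(properties_text)
    problems = [f"missing or empty: {k}" for k in REQUIRED if not props.get(k)]
    alias = props.get("psc.as.https.keyalias", "")
    aliases = keystore_aliases(pkcs12_info)
    if alias and alias not in aliases:
        if alias.lower() in aliases:
            problems.append(f"keyalias '{alias}' differs only in case from keystore alias '{alias.lower()}'")
        else:
            problems.append(f"keyalias '{alias}' not found in keystore (has: {sorted(aliases)})")
    store_type = props.get("psc.as.https.storeType", "")
    if store_type and store_type.upper() != "PKCS12":
        problems.append(f"storeType is '{store_type}', expected PKCS12")
    return problems

if __name__ == "__main__":
    for problem in check_keystore_config(SAMPLE_PROPERTIES, SAMPLE_PKCS12_INFO):
        print("FAIL:", problem)
```

If you save the Step 4 output to a file to feed this check, add OpenSSL's -nokeys option to the pkcs12 -info command so the private key is not written out with it.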