I have configured PPM to be able to logon securely through a Citrix NetScaler load balancer. When I logon to PPM, I get a Common Access Card (CAC) challenge (this is a government system) and prompt for my PIN. After PIN entry, I am taken to the logon page where I am able to log in using my user name and password. I can then navigate around PPM and open Work Bench without any issues. Unfortunately, when I go to logoff of PPM, I am taken to an Internet Explorer webpage that says "Internet Explorer cannot display the webpage".
I contacted HP Support and opened a ticket. Thier response is to setup PPM in accordance with page 109 of the installation manual - "Configuring Secure Web Logon (Optional)". This is where I am getting hung up. The first step is to Import the SSL certificate, but the manual does not give any explicit directions for doing this. I am running PPM on a RHEL 5.0 Enterprise platform under PPM version 9.11 with SP1. Can anyone tell me the correct method for importing my certificate so that I can move forward?
Here is a procedure on how to import your certificate.
1. Stop the PPM server.
2. Before starting to import, you should have to locate the JRE in your path. You can list the current certificates contained within a keystore using they keytool -list command. The initial password for the cacerts keystore is changeit. For example:
3. Now you have to add the previously installed certificate to this keystore. To add, begin by exporting your CA Root certificate as a DER-encoded binary file and save it as C:\root.cer. (You can view the installed certificates under Tools->'Internet Options' ->Content->Certificates. Once you open the certificates, locate the one you just installed under 'Trusted Root Certification Authorities". Select the right one and click on 'export'. You can now save it (DER encoded binary) under your c: drive.
4. Then use the keytool -import command to import the file into your cacerts keystore.
For example:-alias myprivateroot -keystore ..\lib\security\cacerts -file c:\root.cer
Thanks Utkarsh. I did finally manage to generate and import the certificates using this method. My only other question is, Do I need to have a self-signed certificate in the keystore, in order for the other imported certs to work? It seems that everyone has suggested I add a self signed cert.
It turns out that this issue is the result of configuration issues with the server.xsl configuration file. After two months of back and forth with HP Support, the issue was resolved when the configuration file was changed to include:
<xsl:attribute name="scheme">https</xsl:attribute> <xsl:attribute name="proxyName">xxxxxxxx</xsl:attribute> <!-- assuming users connect to the proxy over port 443 --> <xsl:attribute name="proxyPort">443</xsl:attribute>