Project and Portfolio Management Practitioners Forum

Secure Web Logoff Issue

EngPlan
Super Contributor.

Secure Web Logoff Issue

I have configured PPM to be able to log on securely through a Citrix NetScaler load balancer. When I log on to PPM, I get a Common Access Card (CAC) challenge (this is a government system) and am prompted for my PIN. After PIN entry, I am taken to the logon page where I am able to log in using my user name and password. I can then navigate around PPM and open Work Bench without any issues. Unfortunately, when I go to log off of PPM, I am taken to an Internet Explorer webpage that says "Internet Explorer cannot display the webpage".

 

I contacted HP Support and opened a ticket. Their response is to set up PPM in accordance with page 109 of the installation manual - "Configuring Secure Web Logon (Optional)". This is where I am getting hung up. The first step is to import the SSL certificate, but the manual does not give any explicit directions for doing this. I am running PPM on a RHEL 5.0 Enterprise platform under PPM version 9.11 with SP1. Can anyone tell me the correct method for importing my certificate so that I can move forward?

6 REPLIES
dirkf
Acclaimed Contributor.

Re: Secure Web Logoff Issue

Hi Engplan,

 

Here is a procedure on how to import your certificate.

 

1. Stop the PPM server.

 

2. Before starting the import, you have to locate the JRE in your path. You can list the current certificates contained within a keystore using the keytool -list command. The initial password for the cacerts keystore is changeit. For example:

 

C:\java\jdk1.6.0_07\jre\bin>keytool -list -keystore ..\lib\security\cacerts

Enter keystore password: changeit

 

You will then see something like this:

 

Keystore type: jks

Keystore provider: SUN

Your keystore contains 11 entries:

engweb, Wed Apr 11 16:22:49 EDT 2001, trustedCertEntry,

Certificate fingerprint (MD5): 8C:24:DA:52:7A:4A:16:4B:8E:FB:67:44:C9:D2:E4:16

thawtepersonalfreemailca, Fri Feb 12 15:12:16 EST 1999, trustedCertEntry,

Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9

thawtepersonalbasicca, Fri Feb 12 15:11:01 EST 1999, trustedCertEntry,

Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41

verisignclass3ca, Mon Jun 29 13:05:51 EDT 1998, trustedCertEntry,

Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D

thawteserverca, Fri Feb 12 15:14:33 EST 1999, trustedCertEntry,

Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D

thawtepersonalpremiumca, Fri Feb 12 15:13:21 EST 1999, trustedCertEntry,

Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D

verisignclass4ca, Mon Jun 29 13:06:57 EDT 1998, trustedCertEntry,

Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10

verisignclass1ca, Mon Jun 29 13:06:17 EDT 1998, trustedCertEntry,

Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20

verisignserverca, Mon Jun 29 13:07:34 EDT 1998, trustedCertEntry,

Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93

thawtepremiumserverca, Fri Feb 12 15:15:26 EST 1999, trustedCertEntry,

Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A

verisignclass2ca, Mon Jun 29 13:06:39 EDT 1998, trustedCertEntry,

Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

 

3. Now you have to add the previously installed certificate to this keystore. To add it, begin by exporting your CA root certificate as a DER-encoded binary file and save it as C:\root.cer. (You can view the installed certificates under Tools -> 'Internet Options' -> Content -> Certificates. Once you open the certificates, locate the one you just installed under 'Trusted Root Certification Authorities'. Select the right one and click on 'Export'. You can now save it (DER encoded binary) under your C: drive.)

 

4. Then use the keytool -import command to import the file into your cacerts keystore.

 

For example:

C:\java\jdk1.6.0_07\jre\bin>keytool -import -alias myprivateroot -keystore ..\lib\security\cacerts -file c:\root.cer

Enter keystore password: changeit

Owner: CN=Division name, OU=Department, O=Your Company, L=Anytown,

ST=NC, C=US,

EmailAddress=you@company.com

Issuer: CN=Division name, OU=Department, O=Your Company, L=Anytown,

ST=NC, C=US,

EmailAddress=you@company.com

Serial number: 79805d77eecfadb147e84f8cc2a22106

Valid from: Wed Sep 19 14:15:10 EDT 2001 until: Mon Sep 19 14:23:20 EDT 2101

Certificate fingerprints:

MD5: B6:30:03:DC:6D:73:57:9B:F4:EE:13:16:C7:68:85:09

SHA1: B5:C3:BB:CA:34:DF:54:85:2A:E9:B2:05:E0:F7:84:1E:6E:E3:E7:68

Trust this certificate? [no]: yes

Certificate was added to keystore

 

5. Now run keytool -list again to verify that your private root certificate was added:

C:\java\jdk1.6.0_07\jre\bin>keytool -list -keystore ..\lib\security\cacerts

 

You will now see a list of all the certificates including the one you just added.

This confirms that your private root certificate has been added to the server cacerts keystore as a trusted certificate authority.

 

Hope this helps.

 

Best regards,

Dirk

EngPlan
Super Contributor.

Re: Secure Web Logoff Issue

Unfortunately I am working on a Linux server and cannot locate the path for the keystore.....

Utkarsh_Mishra
Acclaimed Contributor.

Re: Secure Web Logoff Issue

Hi Engplan,

 

You need to generate the SSL certificates, it can be done as....

 

  1. Create Private key - openssl genrsa -des3 -out itgov.key
  2. Using the above private key, generate CSR file - openssl req -new -key itgov.key -out itgov.csr
  3. Now finally generate SSL cert key - openssl x509 -req -days 365 -in itgov.csr -signkey itgov.key -out itgov.crt

 

Once this itgov.crt (SSL certificate) is created, you need to import it into the Java cacerts keystore using the command below. (But first identify the Java home; in the example below I am using mine.)

 

/opt/java6/jre/bin/keytool -import -file /home/itgadmin/SSLCerts/itgov.crt -alias itgov -keystore /opt/java6/jre/lib/security/cacerts

 

After this, Bounce the server (Host machine).

 

 

 

 

 

 

Cheers..
Utkarsh Mishra

-- Remember to give Kudos to answers! (click the KUDOS star)
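For the Linux case raised in this thread, an added example (not part of the original posts, and not PPM's own tooling) that locates the cacerts keystore under a Java home and imports a PEM certificate only after its SHA-256 fingerprint matches a value obtained out of band. The function names, the `--import` switch and the `.bak` backup name are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Paths, alias and the expected fingerprint are supplied by the
# operator; nothing here is taken from PPM's own scripts.

# find_cacerts <java_home>: print the trust store path for JDK or JRE layouts.
find_cacerts() {
    for rel in jre/lib/security/cacerts lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

# java_home_from_path: resolve symlinks (e.g. /usr/bin/java) to the real Java home.
java_home_from_path() {
    bin=$(command -v java) || return 1
    bin=$(readlink -f "$bin") || return 1
    dirname "$(dirname "$bin")"
}

# normalize_fp <text>: reduce "SHA256 Fingerprint=ab:cd" or "AB CD" to "ABCD".
normalize_fp() {
    printf '%s' "${1##*=}" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# import_verified <cert.pem> <alias> <expected_sha256> <keystore>
# Imports only if the certificate matches a fingerprint obtained out of band.
import_verified() {
    actual=$(openssl x509 -noout -fingerprint -sha256 -in "$1") || return 1
    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$3")" ]; then
        echo "fingerprint mismatch for $1, not importing" >&2
        return 1
    fi
    cp -p "$4" "$4.bak" || return 1          # keep a copy of the original store
    # keytool prompts for the store password, keeping it off the command line.
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" -keystore "$4"
}

# Usage: sh import-ca.sh --import <cert.pem> <alias> <expected_sha256>
if [ "${1:-}" = "--import" ]; then
    store=$(find_cacerts "${JAVA_HOME:-$(java_home_from_path)}") || {
        echo "cacerts not found; set JAVA_HOME" >&2; exit 1; }
    import_verified "$2" "$3" "$4" "$store"
fi
```

Because `-noprompt` skips keytool's "Trust this certificate?" question, the fingerprint comparison is the trust decision here; run `keytool -list -keystore <path>` afterwards to confirm the alias is present.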
EngPlan
Super Contributor.

Re: Secure Web Logoff Issue

Thanks Utkarsh.  I did finally manage to generate and import the certificates using this method.  My only other question is, Do I need to have a self-signed certificate in the keystore, in order for the other imported certs to work?  It seems that everyone has suggested I add a self signed cert.

Utkarsh_Mishra
Acclaimed Contributor.

Re: Secure Web Logoff Issue

Yes, along with this there are 3 more certificates that you need to add/import.

 

These include:

 

  1. Certificates signed by verisign
  2. privateca certificate
  3. publicca certificate

I hope to get this you need to contact your security support team.

Cheers..
Utkarsh Mishra

EngPlan
Super Contributor.
Solution

Re: Secure Web Logoff Issue

It turns out that this issue is the result of configuration issues with the server.xsl configuration file.  After two months of back and forth with HP Support, the issue was resolved when the configuration file was changed to include:

 

<xsl:attribute name="scheme">https</xsl:attribute>
<xsl:attribute name="proxyName">xxxxxxxx</xsl:attribute>
<!-- assuming users connect to the proxy over port 443 -->
<xsl:attribute name="proxyPort">443</xsl:attribute>
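
An added check, not part of the original thread, for confirming a change like the one above: it inspects the `Location` header of a redirect captured through the load balancer and reports whether it stays on the public HTTPS origin. It assumes the three attributes behave like Tomcat-style connector settings (the scheme, host name and port the server reports for itself when building absolute URLs) and that the logoff failure was such a redirect; the host names, port 8080 and `/logon` path in the samples are constructed.

```shell
#!/bin/sh
# Added example: classify the redirect a backend emits behind a TLS-offloading proxy.

# location_of: print the Location header value from raw response headers on stdin.
location_of() {
    tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# classify_redirect <location> <public_host> <public_port>
# Prints one of: ok | relative | wrong-scheme | wrong-host | wrong-port
classify_redirect() {
    loc=$1; host=$2; port=$3
    case $loc in
        https://*) rest=${loc#https://}; default=443 ;;
        http://*)  echo wrong-scheme; return 1 ;;   # redirect left TLS
        *)         echo relative; return 0 ;;       # relative redirects keep the origin
    esac
    authority=${rest%%/*}
    case $authority in
        *:*) h=${authority%%:*}; p=${authority##*:} ;;
        *)   h=$authority; p=$default ;;
    esac
    [ "$h" = "$host" ] || { echo wrong-host; return 1; }
    [ "$p" = "$port" ] || { echo wrong-port; return 1; }
    echo ok
}

# Constructed samples: a redirect built from the backend's own scheme/host/port,
# and one built from the proxy's public name and port.
sample_before() {
    printf 'HTTP/1.1 302 Found\r\nLocation: http://ppm-app01.internal.example:8080/logon\r\n\r\n'
}
sample_after() {
    printf 'HTTP/1.1 302 Found\r\nLocation: https://ppm.example.com/logon\r\n\r\n'
}

for s in sample_before sample_after; do
    printf '%s: %s\n' "$s" "$(classify_redirect "$($s | location_of)" ppm.example.com 443)"
done
```

Against a live system, the same functions can be fed the output of `curl -sI` for the URL that the logoff link requests.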