Enabling SSL on ALM 12.21?

Question ID: 106484
1
0

I am setting up a new ALM 12.2 server (patched to 12.21) and I am having issues setting up SSL. The guides for ALM 11.5/12.0 supply info configuring Jetty 8. ALM 12.2 runs Jetty 9.1.4 and the settings are different; specifically, there is a jetty-ssl.xml file to edit instead of the jetty.xml for SSL connections.

I have enabled the jetty-ssl.xml and jetty-https.xml files under the instruction of HP support and configured the keystore settings in jetty-ssl.xml. Both TCP 8080 (HTTP) and TCP 8443 (HTTPS) ports are listening after this change. HTTP pages are hosted OK. HTTPS inquiries return no data. I tried performing an SSL check with OpenSSL from another server and it reports an SSL/TLS negotiation failure; no negotiated protocols/ciphers/hashes/etc.

I have a case open with HP and have made zero progress in two weeks; HP support keeps sending me instructions for ALM 11.5 that are incompatible and requesting copies of my keystore, jetty.xml and wrapper log files.

Has anyone figured out how to enable SSL sites on ALM 12.21?

Posted by (Questions: 2, Answers: 1)
Asked on October 28, 2015 4:38 pm
241 views
Answers (2)
1
Private answer

I am attaching an amended document for use with 12.2x that may assist with the configurations.

It sounds as if you may have edited the correct xml files needed. I would suspect the issue may be with what certificates are inside the keystore that you are pointing to.

Are you using a CA signed certificate or a self-signed?

If you are using a CA signed certificate, I would recommend setting up a self-signed certificate to test that the other configurations are working.

Once the self-signed is working, import the CA certificates to see if that is the point of failure (could be anything from missing intermediate certs, wrong import order, or invalid cert provided by the CA). [link text][1]

[1]: /storage/temp/372-getting-alm-122x-and-125x-working-with-ssl.zip

Posted by (Questions: 3, Answers: 168)
Answered on October 29, 2015 9:37 pm
0
Private answer

Thanks for the help. :)

I have tried as the attached document directs, and I appear to be unable to get SSL working with even a self-signed cert. :(

keytool -list shows a single JKS/SUN server_cert in my keystore.
I placed the keystore (named server.keystore) into d:certs and updated my jetty-ssl.xml file to reflect the new location.

After I start the ALM service, both TCP 8080 and TCP 8443 are shown as listening with a netstat -an, but I cannot connect to 8443 with a web browser (trying IE, Chrome, Firefox).

I am starting to think I may have deeper issues with Jetty and/or SSL/TLS settings on this box (running on a Windows 2012 R2 server).

Posted by (Questions: 2, Answers: 1)
Answered on October 29, 2015 10:56 pm
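
Added example, not part of the original thread or of any HP/Jetty tooling: a small Python probe that separates "port is listening" from "TLS handshake completes", the two states the posts above describe for TCP 8443. The function names and the local stand-in listener are assumptions made for illustration; certificate verification is switched off only so a self-signed test certificate does not hide the handshake result.

```python
import socket
import ssl

def probe_tls(host, port, timeout=5.0):
    """Report whether the port accepts TCP and whether a TLS handshake completes."""
    result = {"tcp": False, "tls": False, "protocol": None, "cipher": None, "error": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp connect failed: {exc}"
        return result
    result["tcp"] = True
    # Diagnostic only: no verification, so a self-signed test certificate
    # still lets us see which protocol and cipher the server negotiates.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls"] = True
                result["protocol"] = tls.version()
                result["cipher"] = tls.cipher()[0]
        except (ssl.SSLError, OSError) as exc:  # alert, reset, EOF or timeout
            result["error"] = f"tls handshake failed: {exc}"
    return result

def verdict(r):
    if not r["tcp"]:
        return "port not reachable: service down or blocked"
    if not r["tls"]:
        return "port open but no TLS: check the SSL connector and keystore settings"
    return f"TLS ok: {r['protocol']} {r['cipher']}"

def demo():
    """Constructed stand-in: a socket that listens but never speaks TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        return probe_tls("127.0.0.1", srv.getsockname()[1], timeout=1.0)
    finally:
        srv.close()

if __name__ == "__main__":
    print(verdict(demo()))  # replace demo() with probe_tls("your-alm-host", 8443)
```

Run against the real server, a result with `tcp` true and `tls` false matches the symptom reported here and points at the connector or keystore rather than at the network path.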