Cloud Gateway

Overview

IdentityIQ may need to manage remote applications that run on computers in a different IP zone and are therefore not directly reachable from IdentityIQ, for example in the following scenarios:

  • IdentityIQ deployed as a service in the cloud and the IT applications are in the data center.
  • IdentityIQ deployed as a service in the cloud and the IT applications are running in the cloud.
  • IdentityIQ deployed on premise in one data center and the IT applications are running in the cloud.
  • IdentityIQ deployed on premise in one data center and having to manage applications in another data center.

For the standard deployment to work in such scenarios, multiple ports must be opened at the perimeter so that IdentityIQ can communicate with these applications. In most cases this is not acceptable from a security standpoint.

The IdentityIQ Cloud Gateway addresses such scenarios. It must be installed on a computer in the same IP zone as the remote applications that IdentityIQ is to manage. IdentityIQ communicates with these applications through the IdentityIQ Cloud Gateway, so only one port needs to be open at the perimeter.

The main purpose of the IdentityIQ Cloud Gateway is to enable IdentityIQ to securely connect to and remotely manage applications located on a different IP zone than IdentityIQ.

Supported features

SailPoint IdentityIQ Cloud Gateway supports the following features for applications hosted on the Cloud Gateway:

  • Supports two-way SSL Authentication
    For more information, see Configuration for two-way SSL Authentication.
  • Account Management
    • Aggregation, Partitioning Aggregation, Delta Aggregation, Refresh Account, Pass Through Authentication
    • Create, Update, Delete
    • Enable, Disable, Unlock, Change Password
    • Add/ Remove Entitlement
  • Account Group Management
    • Aggregation, Delta Aggregation, Refresh Group
    • Create, Update, Delete

NOTE: Provisioning Integration Modules are not supported through Cloud Gateway.

Architecture diagram

The following IdentityIQ Cloud Gateway architecture diagram illustrates the core components of IdentityIQ Cloud Gateway.

Installing and Configuring IdentityIQ Cloud Gateway

This section describes the procedure for installing and configuring IdentityIQ Cloud Gateway.

Recommended Platforms

  • Operating Systems
    • Windows Server 2019, 2016, and 2012
    • Red Hat Enterprise Linux 8.0, 7.6, 7.4, 7.2 and 7.1
  • Application Servers:
    • Apache Tomcat version 9.0 and onwards
    • Apache Tomcat version 8.0
    • Apache Tomcat version 7.0 (Prepackaged with this product)
  • Java Platform: Sun, Oracle JRE for Java version 7 or 8 and OpenJDK 8 and 11
    • (For Windows) AdoptOpenJDK 8 and 11
    • (For Linux) RedHatOpenJDK 8 and 11

NOTE: Following the release of IdentityIQ version 8.1, Apache Tomcat version 9.x is prepackaged with the Cloud Gateway. However, the Windows service wrapper is not included. If required, download a build of Apache Tomcat version 9.x that includes the Windows service wrapper.

Installing IdentityIQ Cloud Gateway

The IdentityIQ Cloud Gateway must be installed on a computer with network connectivity to IdentityIQ and the applications that are to be managed by IdentityIQ. The IdentityIQ Cloud Gateway must be accessible from IdentityIQ through the configured communication port (Default: 8443).

Create an installation directory (cloudGatewayInstallationDir) on the computer where the IdentityIQ Cloud Gateway will run and extract the contents of the identityiq-CloudGateway-releaseVersion.zip file into it, where releaseVersion is the current version of the IdentityIQ Cloud Gateway.

NOTE: On Linux, execute permission must be granted for all the files in the following folders:

  • cloudGatewayInstallationDir/apache/tomcat/7.0.32/bin
  • cloudGatewayInstallationDir/apache/tomcat/7.0.32/webapps/CloudGateway/WEB-INF/bin

Start the IdentityIQ Cloud Gateway. For more information, see Starting the IdentityIQ Cloud Gateway.

NOTE: The default behavior of IdentityIQ Cloud Gateway is to use the self signed certificate and secret key shipped in the zip. For enhanced security, see Configuring IdentityIQ Cloud Gateway.

Starting the IdentityIQ Cloud Gateway

From the command prompt, navigate to cloudGatewayInstallationDir/apache/tomcat/7.0.32/bin and execute the following command:

  • (For Windows) startup.bat
  • (For Linux) ./startup.sh

Stopping the IdentityIQ Cloud Gateway

From the command prompt, navigate to cloudGatewayInstallationDir/apache/tomcat/7.0.32/bin and execute the following command:

  • (For Windows) shutdown.bat
  • (For Linux) ./shutdown.sh

Configuring IdentityIQ Cloud Gateway

This section describes the configuration procedure for IdentityIQ Cloud Gateway.

Stop the IdentityIQ Cloud Gateway before performing the configurations described in the following sections. For more information, see Stopping the IdentityIQ Cloud Gateway.

Apache Tomcat configuration

The Apache Tomcat server is embedded with the IdentityIQ Cloud Gateway. To configure the Apache Tomcat server, perform the procedures described in this section.

Mitigating log4j vulnerability (CVE-2021-44228)

NOTE: This step is applicable only for IdentityIQ Cloud Gateway version 8.0 and later. 

To prevent this vulnerability from being exploited, introduce a JVM system property to the Apache Tomcat server environment that is hosting IdentityIQ Cloud Gateway. Set the following property in catalina.sh or catalina.bat on the Cloud Gateway instance:

set CATALINA_OPTS=%CATALINA_OPTS% -Dlog4j2.formatMsgNoLookups=true

Setting up Https communication

The communication between the IdentityIQ Cloud Gateway and IdentityIQ is through HTTPS. A self signed Certificate is created in the keystore that is shipped along with the IdentityIQ Cloud Gateway. This self signed Certificate is used for setting up the HTTPS communication.

NOTE: Users are advised to replace the self signed certificate shipped with IdentityIQ Cloud Gateway with either a CA signed certificate or a self signed certificate that is created specifically for their environment.

  • Creating a new Self Signed Certificate: This section describes how to replace the self signed certificate shipped with IdentityIQ Cloud Gateway with a self signed certificate created specifically for the customer environment. The following command will create a new keystore and a self signed certificate:

keytool -keystore keystoreName -storetype jks -genkey -alias aliasName -keyalg RSA -keysize 2048

In the above command line the variables are as follows:

    • keystoreName is the name of the keystore the user wants to use
    • aliasName is the name of the certificate that is created while creating a new keystore

Enter the appropriate values when prompted for setting the keystore password and other details required for creating the keystore certificate.

NOTE: If the JRE's bin folder is not set in the PATH environment variable then you would need to prefix keytool with the path up to the bin folder.

  • Configuring Apache Tomcat to use the new Self Signed Certificate: Perform the following:
    1. Open the server.xml file present in the cloudGatewayInstallationDir/apache-tomcat-7.0.32/conf directory and locate keystoreFile and keystorePass.
    2. Replace the values of keystoreFile with the complete path of the newly created keystore and keystorePass with the password provided while creating the new keystore as described above (Creating a new Self Signed Certificate).

For instance, if we created a new keystore by the name cibkeystore.keystore and used the password 123456 then the server.xml configuration would be as follows:

keystoreFile="/keystore/cibkeystore.keystore" keystorePass="123456"

NOTE: If no new keystore has been created and the default keystore provided in the packaged Apache Tomcat is used, the full path of the keystore must still be provided on the Linux platform.

Changing the HTTPS Communication port

NOTE: Stop Apache Tomcat server before changing the Https communication port and start the Apache Tomcat server after changing the Https communication port.

By default the HTTPS communication port used is 8443. To change this port, perform the following:

  1. Open the server.xml file present in cloudGatewayInstallationDir/apache-tomcat-7.0.32/conf folder.
  2. Locate the https configuration by searching for 8443.
  3. Replace all 8443 with the port that should be used for HTTPS communication.

NOTE: Ensure that the port configured is free and is not used by any other application.

To identify if a port is currently being used, run the following command:

    • (For Windows): netstat -an | find "portNumber"
    • (For UNIX): netstat -an | grep "portNumber"

The port is free, if no value is returned.
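The check above is a substring match: find "8443" or grep "8443" also reports a listener on 18443 or 28443, so "no value returned" is the only result that can be trusted. The following Python script is an added example, not part of the SailPoint documentation or product. It parses netstat -an output (Linux or Windows layout) for an exact port match, and it rewrites the SSL Connector of a server.xml the way the two procedures above describe, carrying the old port into any redirectPort that referenced it. The server.xml and netstat output are constructed samples; the keystore path and password are the example values used above.

```python
"""Change the HTTPS port / keystore of a Cloud Gateway server.xml and check the port.

Added example, not SailPoint's code. Assumes the stock Tomcat server.xml layout
(one <Connector SSLEnabled="true"> plus an HTTP connector whose redirectPort
points at it); the server.xml and netstat output below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="keystore/mykeystore.keystore" keystorePass="trustno1"
               clientAuth="false" sslProtocol="TLS" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed netstat -an output; note the decoy 18443 listener and the
# ESTABLISHED line, both of which a plain `grep 8443` would also match.
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:18443         0.0.0.0:*               LISTEN
tcp6       0      0 :::8443                 :::*                    LISTEN
tcp        0      0 10.0.0.5:8443           10.0.0.9:51234          ESTABLISHED
"""

_ADDR_PORT = re.compile(r"^.+:(\d+)$")  # matches 0.0.0.0:22, :::8443, [::1]:8443


def listeners_on(netstat_output: str, port: int) -> list:
    """Local addresses bound to `port`, taken from netstat -an style output.

    Works for the Linux layout (proto recv-q send-q local foreign state) and the
    Windows layout (proto local foreign state): the first whitespace-separated
    field that ends in ':<digits>' is the local address. Only an exact port
    match counts, so 18443 is not reported when asking about 8443.
    """
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith(("tcp", "udp")):
            continue
        for field in fields[1:]:
            m = _ADDR_PORT.match(field)
            if m:
                if int(m.group(1)) == port:
                    found.append(field)
                break  # first address:port field is the local address
    return found


def port_in_use(netstat_output: str, port: int) -> bool:
    return bool(listeners_on(netstat_output, port))


def set_https_connector(xml_text: str, port=None, keystore_file=None,
                        keystore_pass=None) -> str:
    """Return server.xml text with the SSL connector updated.

    Every other connector whose redirectPort still names the old HTTPS port is
    rewritten too, which is what 'replace all 8443' in the guide amounts to.
    """
    root = ET.fromstring(xml_text)
    ssl = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if len(ssl) != 1:
        raise ValueError(f"expected exactly one SSLEnabled Connector, found {len(ssl)}")
    conn = ssl[0]
    if port is not None:
        old_port = conn.get("port")
        conn.set("port", str(port))
        for other in root.iter("Connector"):
            if other is not conn and other.get("redirectPort") == old_port:
                other.set("redirectPort", str(port))
    if keystore_file is not None:
        conn.set("keystoreFile", keystore_file)
    if keystore_pass is not None:
        conn.set("keystorePass", keystore_pass)
    return ET.tostring(root, encoding="unicode")


def https_connector_attrs(xml_text: str) -> dict:
    """Attributes of the SSL connector, for inspection."""
    root = ET.fromstring(xml_text)
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "").lower() == "true":
            return dict(c.attrib)
    return {}


if __name__ == "__main__":
    new_port = 4443
    print("port", new_port, "in use:", port_in_use(SAMPLE_NETSTAT, new_port))
    print(set_https_connector(SAMPLE_SERVER_XML, port=new_port,
                              keystore_file="/keystore/cibkeystore.keystore",
                              keystore_pass="123456"))
```

ElementTree discards comments and the XML declaration when it serializes, so for a production server.xml apply the attribute values it computes rather than overwriting the file with its output. keystorePass is stored in clear text in server.xml, so restrict the file's permissions to the account that runs Tomcat.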

Provisioning request for an attribute having backslash

To provision a distinguished name with a backslash to an application (like Active Directory) through the Cloud Gateway, set the following properties in catalina.sh or catalina.bat on the Cloud Gateway instance:

  • set CATALINA_OPTS=%CATALINA_OPTS% -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
  • set CATALINA_OPTS=%CATALINA_OPTS% -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

NOTE: If Apache Tomcat is installed as a service, then the above parameters must be set in Apache service using the Tomcat editor.
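An added example (not SailPoint's code) that audits the JVM system properties asked for in this section and in the log4j section above: it reads CATALINA_OPTS assignments from catalina.bat or catalina.sh style text and reports each property as ok, missing or wrong. The two script fragments are constructed; the catalina.sh assignment form is assumed, since the guide shows only the .bat syntax.

```python
"""Audit the JVM system properties this guide asks for on the Cloud Gateway Tomcat.

Added example, not SailPoint's code. It reads CATALINA_OPTS assignments from
catalina.bat / catalina.sh (or a setenv file), collects every -Dname=value, and
reports which of the properties named in the guide are present with the
expected value. The two script fragments are constructed samples; the
catalina.sh assignment form is assumed (the guide only shows the .bat syntax).
"""
import re

# Log4Shell mitigation (CVE-2021-44228): the one security-relevant property.
SECURITY_PROPS = {"log4j2.formatMsgNoLookups": "true"}

# Functional settings for provisioning DNs that contain a backslash. They
# loosen what the Tomcat connector accepts, so they are reported separately.
BACKSLASH_PROPS = {
    "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH": "true",
    "org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH": "true",
}

_ASSIGN = re.compile(r"^\s*(?:set\s+|export\s+)?CATALINA_OPTS\s*=(.*)$", re.IGNORECASE)
# -Dname=value, where value is either double-quoted or runs to whitespace/quote
_PROP = re.compile(r'-D([\w.]+)=(?:"([^"]*)"|([^\s"]*))')


def system_properties(script_text: str) -> dict:
    """Every -Dname=value found on CATALINA_OPTS lines; later lines win."""
    props = {}
    for line in script_text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        for name, quoted, bare in _PROP.findall(m.group(1)):
            props[name] = quoted if quoted else bare
    return props


def audit(script_text: str) -> dict:
    """Map each property of interest to 'ok', 'missing' or 'wrong:<value>'."""
    found = system_properties(script_text)
    report = {}
    for name, expected in {**SECURITY_PROPS, **BACKSLASH_PROPS}.items():
        if name not in found:
            report[name] = "missing"
        elif found[name].strip().lower() == expected:
            report[name] = "ok"
        else:
            report[name] = "wrong:" + found[name]
    return report


def log4j_mitigated(script_text: str) -> bool:
    return audit(script_text)["log4j2.formatMsgNoLookups"] == "ok"


# Constructed catalina.bat fragment, with the setting exactly as the guide shows it.
SAMPLE_BAT = """rem Cloud Gateway JVM options
set CATALINA_OPTS=%CATALINA_OPTS% -Dlog4j2.formatMsgNoLookups=true
set CATALINA_OPTS=%CATALINA_OPTS% -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
"""

# Constructed catalina.sh fragment (assumed POSIX form of the same setting),
# deliberately carrying the wrong value so the audit has something to flag.
SAMPLE_SH = """# Cloud Gateway JVM options
CATALINA_OPTS="$CATALINA_OPTS -Dlog4j2.formatMsgNoLookups=false -Dfile.encoding=UTF-8"
"""

if __name__ == "__main__":
    for label, text in (("catalina.bat", SAMPLE_BAT), ("catalina.sh", SAMPLE_SH)):
        print(label, audit(text))
```

-Dlog4j2.formatMsgNoLookups=true only disables message lookups; the follow-up advisory for CVE-2021-45046 documents configurations in which that was not sufficient, so treat the flag as an interim measure and rely on an upgraded log4j as the complete fix.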

IdentityIQ Cloud Gateway configuration

A secret key shipped with the IdentityIQ Cloud Gateway is used to encrypt all sensitive data processed by IdentityIQ Cloud Gateway. Users are advised to replace the secret key shipped with IdentityIQ Cloud Gateway with a secret key that is created for their environment.

Perform the following procedure to setup the encryption key:

  1. Creating the IdentityIQ Cloud Gateway Secret Key: The following command will create a new keystore and a secret key:
    keytool -keystore keystoreName -storetype jceks -genseckey -alias alias -keysize 128 -keyAlg AES
    where alias should be a number greater than 1.
    Enter the appropriate values when prompted for setting the keystore password and other details required for creating the keystore.
    For example, keytool -keystore cibkeystore.jck -storetype jceks -genseckey -alias 2 -keysize 128 -keyAlg AES

    NOTE: When asked to provide two passwords, enter the first password for keystore and the second for alias. The keystore and alias password must be the same. If different passwords are provided, the following error message appears:
    Given final block not properly padded
  2. Encrypt the Keystore password using the default secret key: The keystore password is required by IdentityIQ Cloud Gateway to access the secret key. To protect the password, encrypt the keystore password.
    Navigate to cloudGatewayInstallationDir/apache-tomcat-7.0.32/webapps/CloudGateway/WEB-INF/bin and execute the following command:
    cib encrypt keystorePassword
    The above command displays the encrypted value of the keystore password.
  3. Configuring IdentityIQ Cloud Gateway to use the new Secret Key: Edit the iiq.properties file present in cloudGatewayInstallationDir/apache/tomcat/7.0.32/webapps/CloudGateway/WEB‐INF/classes directory.
    Uncomment the following lines by deleting the # symbol:
    #keyStore.file=/example/path/filename
    #keyStore.password=/example/path/filename
    Replace the values of keyStore.file and keyStore.password with the full path of the IdentityIQ Cloud Gateway keystore (created in step 1 above) and the encrypted keystore password (created in step 2 above).

    NOTE: On the Windows platform, each backslash in the full file path of the keystore must be escaped with another backslash ('\\').
    For example, keyStore.file=E:\\identityiqCloudGateway\\keystore\\keyfilename.jck

  4. Encrypt the password that is used to authenticate each request that the IdentityIQ Cloud Gateway should process. This password should be encrypted using the newly created secret key referenced by its alias. Navigate to cloudGatewayInstallationDir/apache-tomcat-7.0.32/webapps/CloudGateway/WEB-INF/bin and execute the following command:
    cib encrypt RequestPassword alias
    where alias is the number specified when the secret key was created.
    The above command displays the encrypted value of the Request password.

    NOTE: Every request that is sent from IdentityIQ to the IdentityIQ Cloud Gateway is first authenticated. The request Username and request password to be used for this is defined in the iiq.properties file. The default values for the request username is cibadmin and request password is admin. Users are advised to change this. For more information, see the IdentityIQ Cloud Gateway Administrative operations.

  5. Replace the value of cib.password in iiq.properties file with the encrypted value obtained in step 4 above.
  6. If you want to change the Cloud Gateway administrator name, change the cib.username in iiq.properties file. By default, it is cibadmin. This request username and request password need to be specified while defining the CloudGateway Application in IdentityIQ.

NOTE: If the secret key is created after running the IdentityIQ Cloud Gateway Synchronization Task (as described in Run the IdentityIQ Cloud Gateway Synchronization task), then the IdentityIQ Cloud Gateway Synchronization Task must be run again after completing the above step 6.

Start the IdentityIQ Cloud Gateway. For more information, see Starting the IdentityIQ Cloud Gateway.
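The following Python script is an added example, not SailPoint's code. It applies steps 3 and 5 to the text of iiq.properties: it uncomments and sets keyStore.file and keyStore.password, sets cib.password, and doubles the backslashes of a Windows keystore path as the NOTE in step 3 requires. The properties fragment and the encrypted values are constructed placeholders; the real encrypted values come from cib encrypt.

```python
"""Rewrite iiq.properties to use a customer-created secret key.

Added example, not SailPoint's code. Performs steps 3 and 5 of the procedure on
the properties text: uncomments/sets keyStore.file and keyStore.password, sets
cib.password, and doubles the backslashes of a Windows keystore path. The
properties text and the encrypted values are constructed placeholders.
"""
import re

# Constructed fragment of a shipped iiq.properties (not the real file).
SAMPLE_IIQ_PROPERTIES = """# Request authentication used by IdentityIQ for every call to the gateway
cib.username=cibadmin
cib.password=SHIPPED_ENCRYPTED_VALUE
# Secret key used to encrypt sensitive data (uncomment to use your own keystore)
#keyStore.file=/example/path/filename
#keyStore.password=/example/path/filename
"""


def escape_properties_path(path: str) -> str:
    """Java's Properties loader treats a single backslash as an escape, so each
    backslash in a Windows path must be doubled; POSIX paths pass through."""
    return path.replace("\\", "\\\\")


def set_property(text: str, key: str, value: str) -> str:
    """Set key=value: replace an active line, else uncomment a '#key=' line,
    else append. Keys are case-sensitive, as in java.util.Properties."""
    active = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]")
    commented = re.compile(r"^\s*#\s*" + re.escape(key) + r"\s*[=:]")
    lines = text.splitlines()
    new_line = f"{key}={value}"
    for pattern in (active, commented):
        for i, line in enumerate(lines):
            if pattern.match(line):
                lines[i] = new_line
                return "\n".join(lines) + "\n"
    lines.append(new_line)
    return "\n".join(lines) + "\n"


def configure_keystore(text: str, keystore_path: str,
                       encrypted_keystore_password: str,
                       encrypted_request_password: str) -> str:
    """Step 3 (keystore location and encrypted keystore password) and step 5
    (encrypted request password) applied to the properties text."""
    text = set_property(text, "keyStore.file", escape_properties_path(keystore_path))
    text = set_property(text, "keyStore.password", encrypted_keystore_password)
    text = set_property(text, "cib.password", encrypted_request_password)
    return text


def load_properties(text: str) -> dict:
    """Minimal reader used to verify the round trip: comments, '=' or ':'
    separators and the doubled-backslash escape only (not the full
    java.util.Properties grammar: no unicode escapes or line continuations)."""
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", s)
        if m:
            props[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return props


if __name__ == "__main__":
    print(configure_keystore(SAMPLE_IIQ_PROPERTIES,
                             r"E:\identityiqCloudGateway\keystore\keyfilename.jck",
                             "ENC_KEYSTORE_PASSWORD_PLACEHOLDER",
                             "ENC_REQUEST_PASSWORD_PLACEHOLDER"))
```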

Upgrading IdentityIQ Cloud Gateway

  1. Stop Apache Tomcat Server.
  2. Take a backup of the lib and lib-connectors (if present) directories present in cloudGatewayInstallationDir/apache/tomcat/7.0.32/webapps/CloudGateway/WEB-INF/ directory.
  3. To mitigate the log4j vulnerability (CVE-2021-44228):

    NOTE: This step is applicable only for IdentityIQ Cloud Gateway 8.0 version and later. 

    To prevent this vulnerability from being exploited, introduce a JVM system property to the Apache Tomcat server environment that is hosting IdentityIQ Cloud Gateway. Set the following property in catalina.sh or catalina.bat on the Cloud Gateway instance:

    set CATALINA_OPTS=%CATALINA_OPTS% -Dlog4j2.formatMsgNoLookups=true

  4. Extract the contents of the identityiq-CloudGateway-releaseVersion.zip file, where releaseVersion is the current version of IdentityIQ Cloud Gateway.
  5. Replace the lib and lib-connectors directories with the new ones (extracted in the previous step) in the following respective directories:
    • (For lib): cloudGatewayInstallationDir/apache/tomcat/7.0.32/webapps/CloudGateway/WEB-INF/lib
    • (For lib-connectors): cloudGatewayInstallationDir/apache/tomcat/7.0.32/webapps/CloudGateway/WEB-INF/lib-connectors
  6. Start the Apache Tomcat Server.
  7. Run IdentityIQ Cloud Gateway Synchronization Task to synchronize all the application objects on upgraded Cloud Gateway.

Upgrade for Apache Tomcat version 9.0 and 8.0

The IdentityIQ Cloud Gateway enables IdentityIQ to securely connect to and remotely manage applications located on a different IP zone than IdentityIQ. The Cloud Gateway application shipped with IdentityIQ version 7.1 is bundled with Apache Tomcat version 7.0.32 which has some security vulnerabilities.

The following new versions of Apache Tomcat are supported:

  • Apache Tomcat version 9.0
  • Apache Tomcat version 8.0

When upgrading to the latest version of IdentityIQ, perform the following steps so that the IdentityIQ Cloud Gateway works with the newly supported Apache Tomcat versions 9.0 and 8.0:

  1. Unzip and extract the required new version of Apache Tomcat in a directory (for example, \tmp).
  2. Copy the CloudGateway directory from the previously installed version of IdentityIQ Cloud Gateway (the one with Apache Tomcat version 7.0.32), located in the pathOfCloudGateway\apache-tomcat64-7.0.32\webapps directory, and paste it into the following location:
    \tmp\apache-tomcat-x.x.xx\webapps
    In the above step, the variables are as follows:
    • tmp: Directory where the new version of Apache Tomcat is extracted
    • pathOfCloudGateway: Directory of the previous version of IdentityIQ Cloud Gateway with Apache Tomcat version 7.0.32
    • x.x.xx: New version of Apache Tomcat

  3. Copy the keystore directory from the previously installed version of IdentityIQ Cloud Gateway (that with Apache Tomcat version 7.0.32) from pathOfCloudGateway\apache-tomcat64-7.0.32\ directory and paste the directory to the following location:
    \tmp\apache-tomcat-x.x.xx\
  4. (Server configurations) To set up HTTPS communication, make the following change in the server.xml file located in the \tmp\apachex.x\apache-tomcat-x.x.xx\conf directory.
    1. In the Connector port configuration section, add the following entry:
      <Connector port="4443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
      keystoreFile="keystore/mykeystore.keystore" keystorePass="trustno1"
      clientAuth="false" sslProtocol="TLS" />
  5. The following library configuration is applicable only when upgrading from a version prior to 8.2, 8.1 Patch 1 or 8.0 Patch 3:
    (Library configurations) Perform the following steps to manually delete the StartupContextListener.class file from the identityiq.jar library located in the \tmp\apache-tomcat-x.x.xx\webapps\CloudGateway\WEB-INF\lib directory:
    1. Enter the following command:
      jar -xvf identityiq.jar
    2. Navigate to the sailpoint/web/ directory and delete the StartupContextListener.class file.
    3. Enter the following command to rebuild the jar:
      jar -cvf identityiq.jar *
    4. Restart the Apache Tomcat server.


Configuring IdentityIQ to use the IdentityIQ Cloud Gateway

Configuring IdentityIQ Cloud Gateway in IdentityIQ involves defining applications in IdentityIQ, one for the IdentityIQ Cloud Gateway itself and one for each of the target applications that will be managed by the IdentityIQ Cloud Gateway.

The IdentityIQ Cloud Gateway application must be configured as a proxy application for each of the target applications that must be managed through the IdentityIQ Cloud Gateway.

NOTE: The IdentityIQ and IdentityIQ Cloud Gateway versions must be the same. From versions 8.1.4 and 8.2.2 onward, the connector operation fails if there is a version mismatch. After upgrading the Cloud Gateway, restart the IdentityIQ server.

Perform the following steps to find the installed version of IdentityIQ Cloud Gateway:

  1. Navigate to the directory where IdentityIQ Cloud Gateway is installed.
  2. Find and extract the IdentityIQCloudGateway.jar file under the lib directory.
  3. In the MANIFEST.MF file the Implementation-Version: displays the installed version of the IdentityIQ Cloud Gateway.
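As an added example (not SailPoint's code), the following Python reads Implementation-Version from the jar manifest without extracting the jar to disk and compares it with the IdentityIQ version, which is the check the NOTE above calls for. The jar it builds is a constructed stand-in with only a manifest; on a real installation pass the path of IdentityIQCloudGateway.jar to check_gateway_jar.

```python
"""Read the installed Cloud Gateway version from IdentityIQCloudGateway.jar.

Added example, not SailPoint's code. Opens the jar as a zip, unfolds
META-INF/MANIFEST.MF (the jar spec wraps long lines with a leading space),
returns Implementation-Version, and compares it with the IdentityIQ version
the gateway must match. The jar built here is a constructed stand-in.
"""
import io
import re
import zipfile


def read_implementation_version(jar_bytes: bytes):
    """Implementation-Version from the jar manifest, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            return None
    # Continuation lines start with a single space; join them back first.
    unfolded = manifest.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip() == "Implementation-Version":
            return value.strip()
    return None


def version_tuple(version: str) -> tuple:
    """'8.1.4' -> (8, 1, 4); non-numeric parts (e.g. 'p2') are kept as strings.
    Assumes dotted versions; trailing zeros are not stripped."""
    return tuple(int(p) if p.isdigit() else p
                 for p in re.split(r"[.\-]", version.strip()))


def versions_match(iiq_version: str, gateway_version) -> bool:
    """The guide requires identical versions; a missing manifest entry fails."""
    if gateway_version is None:
        return False
    return version_tuple(iiq_version) == version_tuple(gateway_version)


def build_sample_jar(version: str) -> bytes:
    """Constructed jar with just a manifest, standing in for IdentityIQCloudGateway.jar."""
    buf = io.BytesIO()
    manifest = ("Manifest-Version: 1.0\n"
                "Implementation-Title: constructed sample, not the real jar\n"
                f"Implementation-Version: {version}\n\n")
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


def check_gateway_jar(jar_path: str, iiq_version: str) -> bool:
    """Real-world entry point: read the jar from disk and compare versions."""
    with open(jar_path, "rb") as f:
        return versions_match(iiq_version, read_implementation_version(f.read()))


if __name__ == "__main__":
    sample = build_sample_jar("8.2.1")
    found = read_implementation_version(sample)
    print("gateway version:", found, "matches IdentityIQ 8.2.1:", versions_match("8.2.1", found))
```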

Creating an IdentityIQ Cloud Gateway application

When creating an IdentityIQ Cloud Gateway application within IdentityIQ, the following information is required:

  • Application Type: The Application Type selected should be Cloud Gateway.
  • Cloud Gateway details: The following details of the IdentityIQ Cloud Gateway are required when defining the application:
    • IdentityIQ Cloud Gateway Host*: Hostname/IP of the computer where the IdentityIQ Cloud Gateway is installed.
    • IdentityIQ Cloud Gateway Port*: The port on which the IdentityIQ Cloud Gateway is listening.
    • Username*: User account used for authenticating to the IdentityIQ Cloud Gateway.
    • Password*: Request password for the user account specified in Username. For the username and password to be used for your instance, see IdentityIQ Cloud Gateway Administrative operations. The default value for username is cibadmin and for password is admin.
    • SSL Certificate (for IdentityIQ version 8.0): Administrators control the security between IdentityIQ and the Cloud Gateway by selecting the appropriate SSL Certificate option in the connector configuration:
      • Trust All: Select this option if the certificate configured on the Cloud Gateway's server is a self-signed certificate not issued for that machine (that is, the SailPoint packaged out-of-the-box SSL certificate).
      • CA-signed Certificate: Select this option if the certificate configured on the Cloud Gateway's server is CA signed.
      • Self-signed Certificate: Select this option if the administrator has configured a self-signed certificate for the target machine on which the Cloud Gateway's server is running.
    • Block Size: The number of records that can be fetched from the IdentityIQ Cloud Gateway during aggregation.
    • Timeout in seconds: The time in seconds that IdentityIQ waits for the IdentityIQ Cloud Gateway to respond to any request.

Click Test Connection to check if entered values are correct.

Create an application within IdentityIQ for the Target application

The information required to create an application for the Target system managed through the IdentityIQ Cloud Gateway is the same as that required to create an application that will be managed directly by IdentityIQ.

Additionally, set the IdentityIQ Cloud Gateway application name as the Proxy attribute of the target application.

Click Test Connection to check if the entered values are correct.

Run the IdentityIQ Cloud Gateway Synchronization task

To enable the IdentityIQ Cloud Gateway to manage a target application, information such as the Application definition and Rule definitions must be available on the IdentityIQ Cloud Gateway computer. Use the IdentityIQ Cloud Gateway Synchronization Task to synchronize this information from IdentityIQ to the IdentityIQ Cloud Gateway. The inputs required for running this task are:

  • IdentityIQ Cloud Gateway application name: The information is synchronized to the selected IdentityIQ Cloud Gateway.
  • Applications hosted on the IdentityIQ Cloud Gateway: The list of application definitions that are synchronized to the IdentityIQ Cloud Gateway.
  • Rules to be executed on the IdentityIQ Cloud Gateway: The list of Rule definitions that are synchronized to the IdentityIQ Cloud Gateway. For more information on the rules that must be executed on the IdentityIQ Cloud Gateway, see Rules to be executed on IdentityIQ Cloud Gateway.

The synchronization task must be executed whenever there is any change to the objects that must be synchronized to the IdentityIQ Cloud Gateway.

In the initial stages of configuring the applications to be managed by the IdentityIQ Cloud Gateway, the application object might be changed many times. This task must be executed every time the application is changed for these modifications to take effect. Instead, defining the following attribute on the IdentityIQ Cloud Gateway application will synchronize the application on clicking Test Connection of the modified application:

<entry key="activeAppSync" value="true" />

NOTE: When activeAppSync is set to true, only the application whose test Connection was clicked will be synchronized. Other Applications and Rules that are configured in the Synchronization task will not be synchronized via this mechanism.

Rules to be executed on IdentityIQ Cloud Gateway

When a target application is managed by IdentityIQ through an IdentityIQ Cloud Gateway, it is important to understand where the rules configured for the target application run.

  • Rules like the Correlation Rule, Creation Rule, and Manager Correlation Rule will continue to be executed on the IdentityIQ side. These rules need not be synchronized to the IdentityIQ Cloud Gateway.
  • The following rule types run on the IdentityIQ Cloud Gateway:
    • JDBCProvisioning
    • Pre-Iterate Rule
    • Post-Iterate Rule
    • Build Map Rule
    • Map to ResourceObject Rule

These Rules must be synchronized to the IdentityIQ Cloud Gateway using the Synchronization task. Additionally, all rules that are internally referenced by these Rules must be synchronized.

  • Customization Rules depending on how they are programmed would be required to run on the IdentityIQ, IdentityIQ Cloud Gateway, or both.

Customization Rules that refer to data on the target application must be synchronized to the IdentityIQ Cloud Gateway.

In addition to synchronizing the Customization Rule, the customizationRuleLocation configuration attribute must be set in the Application to control on which side of the bridge the customization rule runs. The customizationRuleLocation attribute has the following values:

    • null or local: customization rule runs only on the IdentityIQ Cloud Gateway side.
    • proxy: customization rule runs only on the IdentityIQ side
    • both: customization rule runs on both the IdentityIQ as well as the IdentityIQ Cloud Gateway side.

IdentityIQ Cloud Gateway Administrative Operations

NOTE: Stop the Apache Tomcat server before performing the following operations.

The Username and Password used to authenticate each request is configurable and is stored in the iiq.properties file located at cloudGatewayInstallationDir/apache-tomcat-7.0.32/webapps/CloudGateway/WEB-INF/classes directory.

  • Username: For changing the username, change the value of the cib.username property in the iiq.properties file.
  • Request Password: For changing the password, navigate to cloudGatewayInstallationDir/apache-tomcat-7.0.32/webapps/CloudGateway/WEB-INF/bin directory and execute the following command:
    cib encrypt RequestPassword alias

where alias should be either

The above command displays the encrypted value of the request password. Copy the displayed encrypted value and set it as the value of the cib.password property in the iiq.properties file.

NOTE: Start the Apache Tomcat server after making these changes.

Configuration for two-way SSL Authentication

Perform the following steps to generate Self Signed certificate for two-way SSL authentication:

  1. Modify the openssl.cnf file, for example as follows:

    [ req ]
    #default_bits = 2048
    #default_md = sha256
    #default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    attributes = req_attributes

    [ req_distinguished_name ]
    countryName = IN
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = MHA
    localityName = mumbai
    0.organizationName = SailPoint1
    organizationalUnitName = tomcat
    commonName = localhost
    commonName_max = 64
    emailAddress = iinamdar1@gmail.com
    emailAddress_max = 64

    [ req_attributes ]
    challengePassword = A challenge password
    challengePassword_min = 4
    challengePassword_max = 20

  2. On the Server (Cloud Gateway)
    1. Create your own root CA:
      openssl genrsa -des3 -out im-tomcat-root-ca.key 2048
      openssl req -new -x509 -days 36520 -key im-tomcat-root-ca.key -out im-tomcat-root-ca.crt -config openssl.cnf
      (openssl.cnf is the file name, with path, of the configuration file modified in step 1.)

    2. Create the Tomcat server's key pair:
      openssl genrsa -out tomcat-server.key 2048
      # Use common name = <IP address of the server>, department = SPCSR
      openssl req -new -sha256 -key tomcat-server.key -out tomcat-server.csr -config openssl.cnf
      (openssl.cnf is the file name, with path, of the configuration file.)
      openssl x509 -req -sha256 -days 36520 -in tomcat-server.csr -signkey tomcat-server.key -CA im-tomcat-root-ca.crt -CAkey im-tomcat-root-ca.key -CAcreateserial -out tomcat-server.crt
      openssl pkcs12 -export -name im-tomcat-server-cert -in tomcat-server.crt -out tomcat-server.p12 -inkey tomcat-server.key -CAfile im-tomcat-root-ca.crt -caname im-root -chain

      NOTE: If the error message "Error self signed certificate getting chain" is displayed after entering the above command, perform the following steps:
      1. Copy your private key and SSL certificate into a plain text file. The private key must come first, with the SSL certificate below it (keep that order).
      2. Run the following openssl command:
        openssl pkcs12 -export -name im-tomcat-server-cert -in <Your_filename>.txt -out <Your_filename>.p12
      3. You are prompted for a password. Enter your password and verify it at the next prompt.
        If no location is specified, the new PKCS12 file is created in the directory from which the openssl command was executed.

      Import the PKCS12 file and the root CA certificate into the server keystore:
        keytool -importkeystore -destkeystore tomcat-server.jks -srckeystore tomcat-server.p12 -srcstoretype pkcs12 -alias im-tomcat-server-cert
        keytool -import -alias im-root -keystore tomcat-server.jks -trustcacerts -file im-tomcat-root-ca.crt

    3. Create the client-side key pair:
      openssl genrsa -out tomcat-client.key 2048
      # Use common name = <machine hostname or IP>, department = TomcatCSR
      openssl req -new -sha256 -key tomcat-client.key -out tomcat-client.csr -config openssl.cnf
      (openssl.cnf is the file name, with path, of the configuration file.)
      openssl x509 -req -sha256 -days 36520 -in tomcat-client.csr -signkey tomcat-client.key -CA im-tomcat-root-ca.crt -CAkey im-tomcat-root-ca.key -CAcreateserial -out tomcat-client.crt
      openssl pkcs12 -export -name im-tomcat-client-cert -in tomcat-client.crt -out tomcat-client.p12 -inkey tomcat-client.key -CAfile im-tomcat-root-ca.crt -caname im-root -chain

      NOTE: If the error message "Error self signed certificate getting chain" is displayed after entering the above command, perform the following steps:
      1. Copy your private key and SSL certificate into a plain text file. The private key must come first, with the SSL certificate below it (keep that order).
      2. Run the following openssl command:
        openssl pkcs12 -export -name im-tomcat-server-cert -in <Your_filename>.txt -out <Your_filename>.p12
      3. You are prompted for a password. Enter your password and verify it at the next prompt.
        If no location is specified, the new PKCS12 file is created in the directory from which the openssl command was executed.

      NOTE: Run the following command once the client certificate has been generated; it imports the client certificate into the server truststore/keystore:
        keytool -importkeystore -alias im-tomcat-client-cert -srckeystore tomcat-client.p12 -srcstoretype PKCS12 -destkeystore tomcat-server.jks -deststoretype JKS

    4. Tomcat changes
      1. Add the following snippet to the server.xml of the Cloud Gateway server's Tomcat:
        <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        keystoreFile="/Users/imran.inamdar/work/CertificateSSL/CA/tomcat-server.jks" keystorePass="changeit"
        keyAlias="im-tomcat-server-cert" truststoreFile="/Users/imran.inamdar/work/CertificateSSL/CA/tomcat-server.jks" truststorePass="changeit"
        clientAuth="true" sslProtocol="TLS" />
      2. Open tomcat-client.crt and tomcat-client.key in a text editor and copy their contents into the Cloud Gateway Application configuration page under Client Certificate and Client Key respectively.
      3. Select the Enable Client Certificate Authentication check box.
        • Add the Client Certificate (by copying the contents of tomcat-client.crt)
        • Add the corresponding client private key (tomcat-client.key)
        By default, Cloud Gateway two-way SSL authentication is disabled.
      4. Users of self-signed certificates must add the server certificate to cacerts (on the IdentityIQ side) as follows:
        For example: keytool -import -alias im-tomcat-server-cert -keystore cacerts -trustcacerts -file tomcat-server.crt
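Two pre-flight checks for this configuration, as an added Python example that is not SailPoint's code: an audit of the Tomcat Connector (clientAuth must be "true", truststoreFile must name the keystore that received the client certificate, and keyAlias must be set because tomcat-server.jks now holds both the server and the client key entries), and a validator for the PEM text that goes into the Client Certificate and Client Key fields or into the concatenated file used in the pkcs12 workaround, which must have the private key on top. The Connector XML and the PEM blocks are constructed samples; the PEM payloads are not real keys or certificates.

```python
"""Pre-flight checks for the two-way SSL setup.

Added example, not SailPoint's code. Verifies (1) that the Connector requires
a client certificate and names the truststore holding it, and (2) that PEM
material is well-formed and in key-then-certificate order. The connector XML
and the PEM blocks are constructed samples (payloads are not real keys/certs).
"""
import base64
import re
import xml.etree.ElementTree as ET

SAMPLE_CONNECTOR_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  keystoreFile="/opt/cloudgateway/CA/tomcat-server.jks" keystorePass="changeit"
  keyAlias="im-tomcat-server-cert" truststoreFile="/opt/cloudgateway/CA/tomcat-server.jks" truststorePass="changeit"
  clientAuth="true" sslProtocol="TLS" />
</Service></Server>"""


def audit_mtls_connector(xml_text: str) -> list:
    """Findings for every SSLEnabled connector; an empty list means it looks right."""
    findings = []
    conns = [c for c in ET.fromstring(xml_text).iter("Connector")
             if c.get("SSLEnabled", "").lower() == "true"]
    if not conns:
        return ["no SSLEnabled Connector found"]
    for c in conns:
        where = f"Connector port={c.get('port')}"
        if c.get("clientAuth", "false").lower() != "true":
            findings.append(f'{where}: clientAuth is not "true", so clients are not required to present a certificate')
        if not c.get("truststoreFile"):
            findings.append(f"{where}: no truststoreFile, so the client certificate imported into tomcat-server.jks is not what Tomcat consults")
        if not c.get("keyAlias"):
            findings.append(f"{where}: no keyAlias; tomcat-server.jks also holds the client key entry, so Tomcat may serve the wrong certificate")
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            findings.append(f'{where}: scheme="https" secure="true" expected')
    return findings


_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text: str) -> list:
    """(label, DER length) for each PEM block; raises ValueError on bad base64."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", m.group(2))
        der = base64.b64decode(body, validate=True)  # ValueError if not base64
        blocks.append((m.group(1), len(der)))
    return blocks


def check_pkcs12_input(text: str) -> list:
    """The workaround file must hold the private key first and the certificate after it."""
    labels = [label for label, _ in pem_blocks(text)]
    if not labels:
        return ["no PEM blocks found"]
    findings = []
    if not labels[0].endswith("PRIVATE KEY"):
        findings.append(f"first block is '{labels[0]}', expected the private key on top")
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block after the key")
    return findings


def _pem(label: str, payload: bytes) -> str:
    """Wrap constructed bytes as a PEM block (sample only, not real key material)."""
    b64 = base64.b64encode(payload).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


# Constructed samples: correct order (key on top) and the reversed order.
SAMPLE_KEY_THEN_CERT = _pem("RSA PRIVATE KEY", b"constructed-key-bytes") + _pem("CERTIFICATE", b"constructed-cert-bytes")
SAMPLE_CERT_THEN_KEY = _pem("CERTIFICATE", b"constructed-cert-bytes") + _pem("RSA PRIVATE KEY", b"constructed-key-bytes")

if __name__ == "__main__":
    print("connector findings:", audit_mtls_connector(SAMPLE_CONNECTOR_XML))
    print("key-then-cert:", check_pkcs12_input(SAMPLE_KEY_THEN_CERT))
    print("cert-then-key:", check_pkcs12_input(SAMPLE_CERT_THEN_KEY))
```

The validator checks structure only (markers, base64, order); it does not verify that the key matches the certificate or that the chain is complete, which the openssl pkcs12 -chain step above already enforces.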

Troubleshooting 

1 - Error message appears when using two-way SSL Authentication

The following error message is observed while using two-way SSL Authentication:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution: Add the server certificate in java truststore (for example, cacerts).

For example, keytool -import -alias im-tomcat-server-cert -keystore cacerts -trustcacerts -file tomcat-server.crt


Version history: revision 22 of 22, last update Oct 03, 2022 02:46 PM