This document describes how to copy the public key of a self-signed CA certificate from the ElectricFlow server and install it into a Compuware ISPW server so that ISPW can make secure HTPPS callbacks to the ElectricFlow server. The ElectricFlow server uses the EC-ISPW plugin to trigger ISPW operations by calling the REST interface of an ISPW server. Several of the available operations are asynchronous: The REST call returns as soon as the operation initiates successfully, and then the ISPW server makes a callback when the operation finishes.
By default, the ElectricFlow EC-ISPW plugin configures these web callbacks to call back to the
setProperty REST interface of the ElectricFlow server. When a callback occurs, the ISPW server acts as a REST client to the ElectricFlow server, which means that it needs to supply credentials to log in to ElectricFlow. So that these credentials travel securely across an untrusted network, the ISPW-to-ElectricFlow web requests are made via HTTPS to port 8443 (by default) of the ElectricFlow server.
By default, the ElectricFlow server uses a self-signed certificate for HTTPS on port 8443. So that the ISPW server can open the HTTPS connection to this port, it must have the ElectricFlow server self-signed certificate’s public key installed as a trusted certificate authority.
For this procedure, you will need the password for your ElectricFlow keystore. The default password is
Go to your ElectricFlow server’s configuration folder.
(Windows) By default, this folder is:
(UNIX) By default, this folder is:
Query the contents of the Java keystore file by entering one of the following commands.
"C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -list -v -keystore keystore -keypass passkey
/opt/electriccloud/electriccommander/jre/bin/keytool -list -v -keystore keystore -keypass passkey
Examine the output for lines similar to the following:
Alias name: jetty Creation date: ??? ??, ???? Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate: Owner: CN=???.??.??.??, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Issuer: CN=???.??.??.??, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
- Confirm that the certificate chain length is 1 and that all entries on the
If both are not the case, then your ElectricFlow server is not configured in the standard way with a self-signed certificate. Instead, you must follow the certificate issuer chain to the public root certificate of your certificate authority and export or otherwise obtain it (unless it is a commercial certificate authority that is already trusted by the ISPW server).
CNvalue from the
Owner:line (shown as ???.??.??.?? above) is a valid IP address, hostname, or fully-qualified domain name that the ISPW server can use to reach the ElectricFlow server.
If this is not the case, you must either provide the ElectricFlow server with a new certificate (see http://docs.electric-cloud.com/eflow_doc/6_2/Install/Mobile/Advanced/Content/Install%20Guide/troubleshooting/5ecCertificates.htm) or modify your network setup to match the value.
CNvalue from the
Owner:line matches the ElectricFlow Administration server setting named Server IP address (which could be either an IP address, a hostname, or a fully-qualified domain name).
If this is not the case, change the value of Server IP address to match. You can view or change this setting by opening the Automating Platform at https:///commander and clicking Administration > Server > Settings.
For this procedure, you will need the password for your ElectricFlow keystore again.
Export the ElectricFlow server certificate by entering one of the following commands.
"C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -keystore keystore -keypass passkey -alias jetty -export -rfc -file electricflow.crt -v
/opt/electriccloud/electriccommander/jre/bin/keytool -keystore keystore -keypass passkey -alias jetty -export -rfc -file electricflow.crt –v
electricflow.crtfile to your ISPW server.
Compuware’s ISPW makes its web callbacks via Compuware Enterprise Services (CES). For outbound HTTPS traffic, CES uses the Java keystore determined by the
$JAVA_HOME is defined with the other environment variables on the
STDENV DD statement of the Job Control Language (JCL).
The keystore (cacerts) is in the
$JAVA_HOME/lib/security directory, and the default password is
- On the ISPW server, set your path so you can run the
keytoolcommands by entering:
- Import the certificate public key that you copied from the ElectricFlow server by entering:
keytool -import -alias electricflow -file electricflow.crt -keystore cacerts -storepass changeit
For example, enter:
UVWXYZ0:/Z21F/usr/lpp/java/J8.0_64/lib/security: >keytool -import -alias electricflow -file electricflow.crt -keystore cacerts -storepass changeit
Output similar to the following appears:
Owner: CN=220.127.116.11, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Issuer: CN=18.104.22.168, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown Serial number: 2111e237 Valid from: 10/10/17 6:52 PM until: 10/8/27 6:52 PM Certificate fingerprints: MD5: 55:7D:E6:1C:1F:91:8A:CB:99:A8:C3:76:94:66:BB:E4 SHA1: 71:D9:F9:AE:41:59:36:81:88:89:95:E4:F2:26:61:16:AC:4B:23:2A SHA256: C1:97:4E:A4:9E:FD:43:9A:EA:01:05:D7:9A:4E:71:67:C8:CE:23:A0:BC:18:30:B1:70:CB:FB:44:04:2A:F8:FF Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 22.214.171.124 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: f6 45 fe 47 f7 cc 9f e7 81 b9 ce 6c 37 c7 d9 db .E.G.......l7... 0010: 6b dd 9b 62 k..b ] ] Trust this certificate? [no]: yes
- When you are prompted whether to trust the certificate, reply with