Enable SSL for Security Provider

Enabling SSL is important for protecting user identity and the tokens used for authorization. Enabling SSL for Security Provider means the user must also enable SSL for any application that uses Security Provider for single sign-on (SSO).
IMPORTANT:
Skip to step 1 if the certificate was obtained from the IT department.
Perform the steps in the following example when the certificates were generated with the private-CA scripts:
Example:
Go to the certificates directory:
$ cd /opt/rockwell/fta-security/.fta-ca/certs
Copy the Java keystore file (.jks) containing the certificate and the truststore file (e.g. fta_truststore.jks) containing the root certificate from the CA to /opt/rockwell/fta-security/standalone/configuration. To generate test certificates, refer to “Generate CA Signed Certificates”.
$ cp host1.acme-int.com.jks /opt/rockwell/fta-security/standalone/configuration
$ cp fta_truststore.jks /opt/rockwell/fta-security/standalone/configuration
NOTE:
Depending on the folder where the keystore and truststore are located, the paths may vary. If the keystore and truststore are located in a folder other than the one shown above, the folder and path instructions for the machine may differ. The default directory is the .fta-ca directory under the user's home directory. This can be changed by editing the CERT_ROOT_DIRECTORY setting in openssl-env.sh.
  1. Edit the file /opt/rockwell/fta-security/standalone/configuration/standalone.xml and replace the following:
  • keystore path, for example: host1.acme-int.com.p12
  • alias name, for example: host1.acme-int.com
  • keystore-password, for example: Rockwell@1234
  • key-password, for example: Rockwell@1234
  • truststore path, for example: fta_truststore.jks
    IMPORTANT:
    Do not use the word “password” as a password for generating keys and certificates.
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
with the following:
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="host1.acme-int.com.p12" relative-to="jboss.server.config.dir" alias="host1.acme-int.com" keystore-password="Rockwell@1234" key-password="Rockwell@1234"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="fta_truststore.jks" relative-to="jboss.server.config.dir" keystore-password="Rockwell@1234"/>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
NOTE:
The example values above (keystore path, alias, passwords and truststore path) must be changed according to how the certificates are packaged. Also, ensure that the generate-self-signed-certificate-host attribute is removed from the keystore element in the standalone.xml file.
  2. Execute the following command to restart the Analytics Security Provider service:
    For CentOS and RHEL:
    $ sudo /bin/systemctl restart fta-security.service
    For SUSE:
    $ sudo systemctl restart fta-security.service
  3. Execute the following command to check the status of the Analytics Security Provider service:
    For CentOS and RHEL:
    $ sudo /bin/systemctl status fta-security.service
    For SUSE:
    $ sudo systemctl status fta-security.service
  4. Execute the following command to log out of the fta-security user:
    $ exit
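As an added check before restarting the service (example code written for this page, not part of the Rockwell documentation or the product), the following script parses a standalone.xml and reports the mistakes step 1 warns about: a leftover generate-self-signed-certificate-host attribute, the word "password" used as a password, and a missing truststore under authentication. The two sample XML strings are constructed from the blocks in step 1 with placeholder passwords; the namespace URI is illustrative.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip the XML namespace: "{urn:jboss:domain:4.0}keystore" -> "keystore".
    return tag.rsplit("}", 1)[-1]

def _find(elem, name):
    # Namespace-agnostic lookup of the first descendant with local name `name`.
    return None if elem is None else next((e for e in elem.iter() if _local(e.tag) == name), None)

def check_application_realm(xml_text, realm_name="ApplicationRealm"):
    """Return a list of findings for the named realm; an empty list means it passes."""
    realm = next((e for e in ET.fromstring(xml_text).iter()
                  if _local(e.tag) == "security-realm" and e.get("name") == realm_name), None)
    if realm is None:
        return [f"security-realm {realm_name!r} not found"]
    findings = []
    keystore = _find(_find(realm, "ssl"), "keystore")
    if keystore is None:
        findings.append("no <keystore> under <server-identities>/<ssl>")
    else:
        # The shipped default asks the server to mint a self-signed cert; the page says remove it.
        if "generate-self-signed-certificate-host" in keystore.attrib:
            findings.append("generate-self-signed-certificate-host must be removed from <keystore>")
        for attr in ("keystore-password", "key-password"):
            value = keystore.get(attr, "")
            if not value:
                findings.append(f"<keystore> is missing {attr}")
            elif value.lower() == "password":
                findings.append(f"<keystore> {attr} is the word 'password'")
    # The truststore holding the CA root certificate must sit under <authentication>.
    truststore = _find(_find(realm, "authentication"), "truststore")
    if truststore is None:
        findings.append("no <truststore> under <authentication>")
    elif truststore.get("keystore-password", "").lower() == "password":
        findings.append("<truststore> keystore-password is the word 'password'")
    return findings

# Constructed samples (namespace version illustrative): the realm as shipped, and after the edit.
DEFAULT_REALM = """<server xmlns="urn:jboss:domain:4.0"><management><security-realms>
<security-realm name="ApplicationRealm"><server-identities><ssl><keystore path="application.keystore"
 relative-to="jboss.server.config.dir" keystore-password="password" alias="server"
 key-password="password" generate-self-signed-certificate-host="localhost"/></ssl></server-identities>
<authentication><local default-user="$local" allowed-users="*" skip-group-loading="true"/>
</authentication></security-realm></security-realms></management></server>"""
HARDENED_REALM = """<server xmlns="urn:jboss:domain:4.0"><management><security-realms>
<security-realm name="ApplicationRealm"><server-identities><ssl><keystore path="host1.acme-int.com.p12"
 relative-to="jboss.server.config.dir" alias="host1.acme-int.com" keystore-password="CHANGE_ME"
 key-password="CHANGE_ME"/></ssl></server-identities><authentication><truststore path="fta_truststore.jks"
 relative-to="jboss.server.config.dir" keystore-password="CHANGE_ME"/></authentication></security-realm></security-realms></management></server>"""
```

Run it against the real file with check_application_realm(open(path).read()); the default block yields four findings and the edited block none.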