Thursday, November 13, 2008

How to enable SSL for Agile Proxy server

Following the last post about Agile PLM - Web Proxy Server Installation, in this post I'll show how to enable SSL for Agile Proxy server to make Web access to Agile more secure.

Apply the SSL certificate

  1. Have a signed SSL certificate file (.pfx file) from a well-known Certificate Authority (such as VeriSign)
  2. Log in to the Agile Proxy server as an administrator user
  3. Navigate to: Start -> Administrative Tools -> Internet Information Services (IIS) Manager
  4. Right-click on Agile PLM Web Site -> Properties -> select the Directory Security tab
  5. Click on Server Certificate -> next
  6. Select Import a certificate from a .pfx file -> next
  7. Enter the path and file name of the certificate file (.pfx file) -> next
  8. Enter the password for the certificate -> next

Update the iFS_External File Manager

  1. Open the Agile Java Client
  2. Select 'Admin' Tab -> expand 'Server Settings' -> open 'Locations'
  3. Select the 'File Manager' tab -> double-click on the iFS_External file manager.
  4. Update the File Manager URL from http://... to https://...

Now you can log in to Agile through the Agile Proxy server via https://servername.domain/Agile/PLMServlet.

When you try to work with files (get a file or add a new one), you might encounter the following error:

"The preferred file server : https://servername.domain/Filemgr/AttachmentServlet for user : UserName is down. Please contact the system administrator."

You'll also see the following error in the OC4J~home~default~island~1 log (at [OASHome]/opmn/logs):

08/09/23 10:23:11 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
08/09/23 10:23:11     at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
08/09/23 10:23:11     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
08/09/23 10:23:11     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
08/09/23 10:23:11     at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
.....
.....

 

The reason for this error is that the root CA certificate is not installed on the OAS, so the JVM inside OAS does not trust the certificate presented by the proxy.

The solution is to import the Root CA certificate into the JDK embedded inside OAS:

  1. Open a web browser and access the Agile web client via https://...
  2. Double-click on the padlock in the lower right corner of the browser window
  3. Select Details and then select the "Copy to File" button

  4. Answer the prompts using the defaults and select a filename for the .cer file.
  5. Open a command window (Start -> Run -> cmd)
  6. Navigate to the [OASHome]\jdk\bin directory
  7. Type the following command:

    keytool -import -keystore [OASHome]\jdk\jre\lib\security\cacerts -file c:\temp\AgileProxy.cer
  8. When prompted for the Certificate store password, type changeit and then hit Enter
  9. When prompted to load the certificate, type yes and hit Enter
  10. Restart OAS
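
The import steps above can be wrapped with a few checks, shown here as an added example that is not part of the original post: back up cacerts, inspect the exported file before trusting it, import it under an explicit alias, and confirm the entry afterwards. The OAS_HOME value, the alias name agileproxy and the .bak file name are assumptions; the certificate path is the one used in step 7.

```bat
@echo off
rem Added example (not from the original post). OAS_HOME is a placeholder for
rem [OASHome]; the alias "agileproxy" and the .bak name are assumptions.
set OAS_HOME=C:\path\to\OASHome
set CACERTS=%OAS_HOME%\jdk\jre\lib\security\cacerts
set KEYTOOL=%OAS_HOME%\jdk\bin\keytool
set CERT=c:\temp\AgileProxy.cer
set ALIAS=agileproxy

rem 1. Keep a copy of the trust store so the change can be rolled back.
copy "%CACERTS%" "%CACERTS%.bak"
if errorlevel 1 goto failed

rem 2. Print owner, issuer, validity dates and fingerprints of the exported
rem    file. Compare the fingerprint with the one the browser shows for the
rem    certificate you meant to export. A root CA certificate is self-signed,
rem    so its Owner and Issuer lines are identical.
"%KEYTOOL%" -printcert -file "%CERT%"
if errorlevel 1 goto failed

rem 3. Import under an explicit alias. Without -alias, keytool stores the
rem    entry as "mykey", and a later import without -alias is rejected
rem    because that alias already exists.
"%KEYTOOL%" -import -alias %ALIAS% -keystore "%CACERTS%" -file "%CERT%"
if errorlevel 1 goto failed

rem 4. Confirm the entry is now in the store that the OAS JVM reads.
"%KEYTOOL%" -list -v -alias %ALIAS% -keystore "%CACERTS%"
if errorlevel 1 goto failed
goto :eof

:failed
echo A step failed. Restore "%CACERTS%.bak" if the trust store was modified.
exit /b 1
```

Every JVM started from this JDK trusts whatever is added to cacerts, which is why the fingerprint check in step 2 comes before the import.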

Related: Note 569235.1 - Unable to add or get file attachments because OAS cannot recognize SSL Cert loaded on Proxy server

You are welcome to leave a comment.

Aviad