Configuring SSL for Process Task Manager and Case Analyzer

Content

Case Analyzer is part of Content Platform Engine and is deployed on the same JVM. To enable encryption of the communication between Case Analyzer and Process Task Manager, you can generate a new certificate for Case Analyzer. Alternatively, you can have Case Analyzer use the existing SSL certificate that Content Platform Engine uses. Whether your certificate is new or existing, you need to export it.

The certificate for Case Analyzer can be self-signed or it can be imported as a third-party certificate from a certification authority (CA). You do not need to generate both types of certificates.

To configure SSL for Process Task Manager and Case Analyzer:

1. If you want Case Analyzer to use the existing certificate that Content Platform Engine uses, skip this step. If you want to generate a new certificate for Case Analyzer on the Content Platform Engine server, complete this step, depending on your application server type and product environment:

   • WebSphere Application Server

     Environment	Topic
     IBM FileNet P8 Platform	Configuring an SSL server on WebSphere
     IBM Content Foundation	Configuring an SSL server on WebSphere

   • WebLogic Server

     Environment	Topic
     IBM FileNet P8 Platform	Creating the keystore on WebLogic
     IBM Content Foundation	Creating the keystore on WebLogic

   • JBoss Application Server

     Environment	Topic
     IBM FileNet P8 Platform	Creating the keystore on JBoss
     IBM Content Foundation	Creating the keystore on JBoss

2. Export the new or existing certificate from the Content Platform Engine server by completing the following substeps, depending on your application server type and product environment:

• WebSphere Application Server

1. On the Content Platform Engine server, log on to the WebSphere administrative console.

2. Navigate to Security > SSL certificates and key management.

3. Navigate to the signer certificates page, depending on your WebSphere edition or environment:

   Edition or environment	Navigation
   Base or stand-alone	Key stores and certificates > NodeDefaultTrustStore > Signer certificates
   Network Deployment	Key stores and certificates > CellDefaultTrustStore > Signer certificates

4. Select either the existing certificate or the new certificate that you generated on the Content Platform Engine server and click Extract.

5. In the File Name field, type the file name and path to the new or existing certificate that you are exporting (for example, /opt/IBM/cpeKeystore/CPESelfSignedCert.p12 or /opt/IBM/cpeKeystore/CPE3rdPartyCert.p12).

6. In the Data Type field, select Base64-encoded ASCII data.

7. Click OK to create and save your certificate file.

• WebLogic Server

  Environment	Topic
  IBM FileNet P8 Platform	Obtaining a self-signed server certificate Obtaining a certificate from a certificate authority
  IBM Content Foundation	Obtaining a self-signed server certificate Obtaining a certificate from a certificate authority

• JBoss Application Server

  Environment	Topic
  IBM FileNet P8 Platform	Obtaining a self-signed server certificate Obtaining a certificate from a certificate authority
  IBM Content Foundation	Obtaining a self-signed server certificate Obtaining a certificate from a certificate authority

3. Import the exported certificate into a Java trust keystore that Process Task Manager can use. The keystore can be the default one that the JDK for Process Task Manager uses; or you can create a new keystore.

   To create a new keystore, issue the keytool command on the Content Platform Engine server, where the captm tool runs. captm> is the tool for starting Process Task Manager for Case Analyzer and runs as a stand-alone Java client.

   For example, to create a new keystore for a self-signed certificate, issue the following command (with a carriage return only at the end of the command line):

   keytool -genkey -alias CAPTM
   -keypass changeit -keystore CAPTMselfsignedServerStore.jks
   -storepass changeit -validity 3650
   -dname "CN=Host1,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"
   

4. Create a new truststore by issuing the JDK keytool command to import the Content Platform Engine certificate that you saved in step 2d.

   For example, to create a new truststore for a self-signed certificate, issue the following command (with a carriage return only at the end of the command line):

   keytool -import -file "CPESelfSignedCert.p12" -alias CPE
   -keystore CAPTMselfsignedServerStore.jks -storepass changeit
   

5. Complete the following substeps to determine the JRE that Process Task Manager for Case Analyzer uses and to add two JVM arguments to your captm.bat (Windows) or captm.sh (non-Windows) file:

   1. Open the captm.bat (Windows) or captm.sh (non-Windows) file in a text editor.

   2. Add the JVM -djavax.net.ssl.trustStore and -Javax.net.ssl.trustStorePassword arguments to the file as in the following example:

      $JAVA_HOME/bin/java -cp
      /opt/IBM/FileNet/ContentEngine/lib/catoolsResources.jar:/opt/IBM/FileNet/ContentEngine/lib/catools.jar:
      /opt/IBM/FileNet/ContentEngine/lib/pe.jar:/opt/IBM/FileNet/ContentEngine/lib/peresources.jar:
      /opt/IBM/FileNet/ContentEngine/lib/petools.jar:/opt/IBM/FileNet/ContentEngine/lib/pe3pt.jar:
      /opt/IBM/FileNet/ContentEngine/lib/Jace.jar 
      -Djavax.net.ssl.trustStore= path_to_your_keystore_file 
      -Djavax.net.ssl.trustStorePassword= password_of_your_keystore
      -DJPEINSTALL_DIR=$JPEINSTALL_DIR -DJPEDATA_DIR=$JPEDATA_DIR
      -Djava.security.auth.login.config=$JPEINSTALL_DIR/config/jaas.conf.WSI
      -Dfilenet.wcmapiconfig=$JPEINSTALL_DIR/config/WcmApiConfig.properties
      -DTaskManager.Properties=$JPEINSTALL_DIR/taskman.properties
      -Dcom.sun.management.jmxremote
      -DPELogLevel=TRACE filenet.vw.apps.taskman.VWTaskApplication $1 $2 $3 $4