Enable SSL for Security Provider

Enabling SSL is important for protecting user identities and the tokens used for authorization. Enabling SSL for Security Provider also means that you must enable SSL for every application that uses Security Provider for single sign-on (SSO).
IMPORTANT:
Skip to step 1 if you get a certificate from your IT department.
Perform the steps given in the following example to generate private-CA scripts:

Example:
Copy the P12 file with your certificate and the truststore file (e.g. fta_truststore.jks) with the root certificate from C:\Users\Administrator\.fta-ca\certs to FTASecurity\standalone\configuration. To generate a test certificate, refer to "Enable SSL for Security Provider".
cd C:\Users\Administrator\.fta-ca\certs
copy host1.acme-int.com.p12 FTASecurity\standalone\configuration
copy fta_truststore.jks FTASecurity\standalone\configuration
NOTE:
Depending on the folder where the keystore and truststore are located, the paths may vary. If the keystore and truststore are in a folder other than the one shown in the example, the folder/path instructions may differ for your machine. The default directory is the .fta-ca directory under the user's home directory. This can be changed by editing the CERT_ROOT_DIRECTORY setting in openssl-env.cmd.
  1. Edit the file FTASecurity\standalone\configuration\standalone.xml and replace the following security-realm definition, supplying your own values for:
     • keystore path, for example: host1.acme-int.com.p12
     • alias name, for example: host1.acme-int.com
     • keystore-password="<password for keystore>"
     • key-password="<password for key>"
     • truststore path, for example: fta_truststore.jks
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="<password>" alias="server" key-password="<password>" generate-self-signed-certificate-host="localhost"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
with the one like below:
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="host1.acme-int.com.p12" relative-to="jboss.server.config.dir" alias="host1.acme-int.com" keystore-password="Rockwell@1234" key-password="Rockwell@1234"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="fta_truststore.jks" relative-to="jboss.server.config.dir" keystore-password="Rockwell@1234"/>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
NOTE:
The values shown above (keystore path, alias, keystore and key passwords, and truststore path) will need to be changed according to how your certificates are packaged. Also, ensure that the generate-self-signed-certificate-host attribute is removed from the keystore element in the standalone.xml file; if it remains, the server keeps generating and serving a self-signed certificate instead of the one you installed.
  2. Restart the FTASecurity Service.
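Before restarting the service, it is worth checking that the edited security-realm really is in the intended state: the generate-self-signed-certificate-host attribute gone, a truststore present under authentication, and no default or empty passwords left behind. The following script is an added example and is not part of the Security Provider documentation or product; it parses a security-realm element with Python's standard XML library and reports any of those problems. The file names, passwords, and the urn:jboss:domain namespace in the two embedded sample realms are constructed for the example; the version in your standalone.xml may differ.

```python
"""Sanity-check an edited security-realm definition from standalone.xml.

Added example, not part of the Security Provider documentation.
Reports anything that would leave SSL in the 'before' state:
generate-self-signed-certificate-host still present, no truststore
under <authentication>, or a default/empty password.
"""
import xml.etree.ElementTree as ET

# Passwords treated as "not yet changed" (assumption: the stock WildFly
# realm ships with "password"; an empty value is never acceptable).
DEFAULT_PASSWORDS = ("", "password")


def _local(tag: str) -> str:
    """Strip the XML namespace; standalone.xml tags carry urn:jboss:domain:*."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, *path):
    """Namespace-agnostic descent, e.g. _find(realm, 'server-identities', 'ssl')."""
    for name in path:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return elem


def check_security_realm(xml_text: str, realm_name: str = "ApplicationRealm") -> list:
    """Return a list of findings; an empty list means the realm looks correctly edited."""
    root = ET.fromstring(xml_text)
    realm = next((e for e in root.iter()
                  if _local(e.tag) == "security-realm" and e.get("name") == realm_name), None)
    if realm is None:
        return [f"no security-realm named {realm_name!r} found"]

    keystore = _find(realm, "server-identities", "ssl", "keystore")
    if keystore is None:
        return ["no <keystore> under server-identities/ssl"]

    findings = []
    if "generate-self-signed-certificate-host" in keystore.attrib:
        findings.append("keystore still has generate-self-signed-certificate-host; "
                        "remove it or the self-signed certificate keeps being served")
    if not keystore.get("alias"):
        findings.append("keystore alias is missing")
    for attr in ("keystore-password", "key-password"):
        if keystore.get(attr, "") in DEFAULT_PASSWORDS:
            findings.append(f"keystore {attr} is empty or still the default")
    if keystore.get("path", "").endswith(".keystore"):
        findings.append("keystore path still points at the default application.keystore")

    truststore = _find(realm, "authentication", "truststore")
    if truststore is None:
        findings.append("no <truststore> under <authentication>")
    elif truststore.get("keystore-password", "") in DEFAULT_PASSWORDS:
        findings.append("truststore keystore-password is empty or still the default")
    return findings


# Constructed sample: the unedited realm as WildFly ships it (namespace version assumed).
BEFORE_REALM = """<security-realm xmlns="urn:jboss:domain:4.2" name="ApplicationRealm">
  <server-identities><ssl>
    <keystore path="application.keystore" relative-to="jboss.server.config.dir"
              keystore-password="password" alias="server" key-password="password"
              generate-self-signed-certificate-host="localhost"/>
  </ssl></server-identities>
  <authentication>
    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
  </authentication>
</security-realm>"""

# Constructed sample: the realm after the edit described in step 1 (values are made up).
AFTER_REALM = """<security-realm xmlns="urn:jboss:domain:4.2" name="ApplicationRealm">
  <server-identities><ssl>
    <keystore path="host1.example.p12" relative-to="jboss.server.config.dir"
              alias="host1.example" keystore-password="example-ks-pw" key-password="example-ks-pw"/>
  </ssl></server-identities>
  <authentication>
    <truststore path="fta_truststore.jks" relative-to="jboss.server.config.dir"
                keystore-password="example-ts-pw"/>
    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
  </authentication>
</security-realm>"""


if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE_REALM), ("after", AFTER_REALM)):
        print(label, check_security_realm(xml_text) or ["OK"])
```

To run it against a real file, read standalone.xml and pass its contents to check_security_realm; the namespace-stripping helper lets the search find the realm wherever it sits under the management element. The check deliberately treats a password equal to "password" as unchanged; extend DEFAULT_PASSWORDS with any other placeholder your environment uses.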