IBM FileNet P8, Version 5.2.1

Configuring SSL for Process Task Manager and Case Analyzer

You can use SSL to encrypt the communication between Process Task Manager and Case Analyzer.

Case Analyzer is part of Content Platform Engine and is deployed on the same JVM. To enable encryption of the communication between Case Analyzer and Process Task Manager, you can generate a new certificate for Case Analyzer. Alternatively, you can have Case Analyzer use the existing SSL certificate that Content Platform Engine uses. Whether your certificate is new or existing, you need to export it. The certificate for Case Analyzer can be self-signed or it can be imported as a third-party certificate from a certification authority (CA). You do not need to generate both types of certificates.

To configure SSL for Process Task Manager and Case Analyzer:

  1. If you want Case Analyzer to use the existing certificate that Content Platform Engine uses, skip this step. If you want to generate a new certificate for Case Analyzer on the Content Platform Engine server, complete this step, depending on your application server type:
    Table 1. Steps to generate a new certificate for Case Analyzer on the Content Platform Engine server
    Application server type        | Complete the steps in this topic
    WebSphere® Application Server  | Configuring an SSL server on WebSphere
    WebLogic Server                | Creating the keystore on WebLogic
    JBoss Application Server       | Creating the keystore on JBoss
  2. Export the new or existing certificate from the Content Platform Engine server by completing the following substeps, depending on your application server type:
    • WebSphere Application Server
      1. On the Content Platform Engine server, log on to the WebSphere administrative console.
      2. Navigate to Security > SSL certificates and key management.
      3. Navigate to the signer certificates page, depending on your WebSphere edition or environment:
        Table 2. Navigation to the signer certificates page
        Edition or environment | Navigation
        Base or stand-alone    | Key stores and certificates > NodeDefaultTrustStore > Signer certificates
        Network Deployment     | Key stores and certificates > CellDefaultTrustStore > Signer certificates
      4. Select either the existing certificate or the new certificate that you generated on the Content Platform Engine server and click Extract.
      5. In the File Name field, type the file name and path to the new or existing certificate that you are exporting (for example, /opt/IBM/cpeKeystore/CPESelfSignedCert.p12 or /opt/IBM/cpeKeystore/CPE3rdPartyCert.p12).
      6. In the Data Type field, select Base64-encoded ASCII data.
      7. Click OK to create and save your certificate file.
    • WebLogic Server
      1. Complete the steps in one of the following topics, depending on the type of certificate you want to export:
    • JBoss Application Server
      1. Complete the steps in one of the following topics, depending on the type of certificate you want to export:
  3. Import the exported certificate into a Java trust keystore that Process Task Manager can use. The keystore can be the default one that the JDK for Process Task Manager uses, or you can create a new keystore. To create a new keystore, issue the keytool command on the Content Platform Engine server, where the captm tool runs. captm is the tool for starting Process Task Manager for Case Analyzer and runs as a stand-alone Java client. For example, to create a new keystore for a self-signed certificate, issue the following command (with a carriage return only at the end of the command line):
    keytool -genkey -alias CAPTM
    -keypass changeit -keystore CAPTMselfsignedServerStore.jks
    -storepass changeit -validity 3650
    -dname "CN=Host1,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"
  4. Create a new truststore by issuing the JDK keytool command to import the Content Platform Engine certificate that you saved in step 2d. For example, to create a new truststore for a self-signed certificate, issue the following command (with a carriage return only at the end of the command line):
    keytool -import -file "CPESelfSignedCert.p12" -alias CPE
    -keystore CAPTMselfsignedServerStore.jks -storepass changeit
  5. Complete the following substeps to determine the JRE that Process Task Manager for Case Analyzer uses and to add two JVM arguments to your captm.bat (Windows) or captm.sh (non-Windows) file:
    1. Open the captm.bat (Windows) or captm.sh (non-Windows) file in a text editor.
    2. Add the JVM -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword arguments to the file, as in the following example:
      $JAVA_HOME/bin/java -cp
      /opt/IBM/FileNet/ContentEngine/lib/catoolsResources.jar:
      /opt/IBM/FileNet/ContentEngine/lib/catools.jar:
      /opt/IBM/FileNet/ContentEngine/lib/pe.jar:
      /opt/IBM/FileNet/ContentEngine/lib/peresources.jar:
      /opt/IBM/FileNet/ContentEngine/lib/petools.jar:
      /opt/IBM/FileNet/ContentEngine/lib/pe3pt.jar:
      /opt/IBM/FileNet/ContentEngine/lib/Jace.jar 
      -Djavax.net.ssl.trustStore=path_to_your_keystore_file
      -Djavax.net.ssl.trustStorePassword=password_of_your_keystore
      -DJPEINSTALL_DIR=$JPEINSTALL_DIR -DJPEDATA_DIR=$JPEDATA_DIR
      -Djava.security.auth.login.config=$JPEINSTALL_DIR/config/jaas.conf.WSI
      -Dfilenet.wcmapiconfig=$JPEINSTALL_DIR/config/WcmApiConfig.properties
      -DTaskManager.Properties=$JPEINSTALL_DIR/taskman.properties
      -Dcom.sun.management.jmxremote
      -DPELogLevel=TRACE filenet.vw.apps.taskman.VWTaskApplication $1 $2 $3 $4
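
A check for the launcher edited in step 5, as an added example that is not part of the IBM documentation: it confirms that both trust store arguments use the exact, case-sensitive `-D<name>=<value>` form with no space after `=`, and that the trust store file is readable. `check_captm_truststore` is a hypothetical helper name, and the launcher path is whatever captm.sh file you edited.

```shell
#!/bin/sh
# Added example: lint a captm.sh-style launcher for the two trust store arguments.
# check_captm_truststore is a hypothetical helper name, not an IBM tool.
# Prints one finding per line; returns 0 if the arguments are usable, 1 if not,
# 2 if the launcher cannot be read.
check_captm_truststore() {
    launcher=$1
    status=0
    if [ ! -r "$launcher" ]; then
        echo "ERROR: cannot read $launcher"
        return 2
    fi
    for prop in javax.net.ssl.trustStore javax.net.ssl.trustStorePassword; do
        # The JVM only honours the exact, case-sensitive form -D<name>=<value>.
        value=$(sed -n "s/.*-D${prop}=\([^[:space:]]*\).*/\1/p" "$launcher" | head -n 1)
        if ! grep -q -- "-D${prop}=" "$launcher"; then
            # Distinguish a mistyped argument (-d..., -Javax...) from a missing one.
            if grep -Eiq -- "${prop#j}([^[:alpha:]]|\$)" "$launcher"; then
                echo "FAIL: ${prop} is present but not written as -D${prop}=<value>"
            else
                echo "FAIL: -D${prop} is missing"
            fi
            status=1
        elif [ -z "$value" ]; then
            echo "FAIL: -D${prop}= has no value (whitespace after '='?)"
            status=1
        elif [ "$prop" = javax.net.ssl.trustStore ] && [ ! -r "$value" ]; then
            echo "FAIL: trust store file '$value' is not readable"
            status=1
        fi
    done
    # The launcher holds the trust store password in clear text.
    if [ -n "$(find "$launcher" -perm -004 2>/dev/null)" ]; then
        echo "WARN: $launcher is world-readable and contains the trust store password"
    fi
    return $status
}

# Stand-alone use: sh this_script.sh /path/to/captm.sh
if [ "$#" -gt 0 ]; then
    check_captm_truststore "$1"
fi
```

Because the password is passed as a JVM argument, it is also visible in the process listing while Process Task Manager runs, so restrict interactive access to that host.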


Last updated: October 2015

© Copyright IBM Corporation 2015.