Configuring a PAS for OpenEdge instance to use TLS involves updating the default Tomcat keystore file in your PAS for OpenEdge instance with the information from a TLS certificate obtained from a Certificate Authority (CA).
Note: You will need the password that you used when you ran PKIUTIL to create a public key certificate request file (MyCert.pk10 in the example procedure described in Obtain a certificate from a Certificate Authority).

To update a PAS for OpenEdge keystore, perform the following steps:

  1. Make a backup copy of the default Tomcat keystore file located in your PAS for OpenEdge instance-name/conf directory:
    proenv> cd C:\MyInstance\conf
    proenv> copy tomcat-keystore.p12 tomcat-keystore.p12.original
  2. In the instance-name/conf directory, use the sslc command to import the PEM file obtained from a certificate authority (CA) into the Tomcat keystore.
    Note: The sslc.exe executable is an OpenSSL (https://www.openssl.org/) command-line utility that is included in $CATALINA_HOME/bin.
    proenv> cd C:\MyInstance\conf
    proenv> sslc pkcs12 -export -in C:\Progress\OpenEdge\keys\V.pem -out tomcat-keystore.p12 -name mysslprivkey
    Note: When replacing the default server certificate, ensure the keystore entry for your key alias contains the complete chain: the server (leaf) certificate followed by all intermediate CA certificates. Avoid using uppercase letters in the name specified after the -name parameter. The sslc utility automatically converts the name to lowercase in the alias entry (Alias name: mysslprivkey) in the keystore. Using uppercase letters could cause a mismatch when you update the instance-name/conf/catalina.properties file. See Step 5.
  3. When prompted, enter the password you used when you created the keystore (i.e. the .pk1 file). See Obtain a certificate from a Certificate Authority.
  4. Use the sslc command to verify what is now in the Tomcat keystore:
    sslc pkcs12 -info -in ./tomcat-keystore.p12
  5. Update the instance-name/conf/catalina.properties file to specify the psc.as.https.keypass and psc.as.https.keyalias properties in the JSSE keystore section:
    # JSSE keystore used by server.xml for its server key & certificates
    psc.as.https.keypass=your_password
    psc.as.https.keyalias=mysslprivkey
    psc.as.https.storeType=PKCS12
    Important: The value for psc.as.https.keyalias must match the value generated by sslc, which is always expressed in lowercase letters.
  6. Restart the instance and test.
    You can restart the instance using the TCMAN stop and start actions. Once the instance has restarted, test the connection and authentication configurations from a browser.
    Note: You may need to import the CA certificate to the browser.
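
The alias match from step 5 and the chain requirement from step 2 can be checked against the step 4 output before you restart the instance. The Python script below is an added example, not part of the Progress documentation. It assumes that the text printed by sslc pkcs12 -info lists each alias on a friendlyName: line, as OpenSSL does, and its sample inputs are constructed.

```python
import re

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def keystore_summary(info_text):
    """Return (set of aliases, certificate count) from pkcs12 -info text."""
    aliases = re.findall(r"^[ \t]*friendlyName:[ \t]*(.+?)[ \t]*$", info_text, re.M)
    return set(aliases), info_text.count("-----BEGIN CERTIFICATE-----")

def check_keystore_config(props_text, info_text):
    """Return a list of problems; an empty list means every check passed."""
    props = parse_properties(props_text)
    aliases, certs = keystore_summary(info_text)
    alias = props.get("psc.as.https.keyalias", "")
    problems = []
    if alias != alias.lower():
        problems.append("keyalias has uppercase letters: %s" % alias)
    if alias not in aliases:
        problems.append("keyalias %r not in keystore %r" % (alias, sorted(aliases)))
    if props.get("psc.as.https.storeType") != "PKCS12":
        problems.append("psc.as.https.storeType is not PKCS12")
    if certs < 2:  # leaf only: intermediate CA certificates may be missing
        problems.append("only %d certificate(s) in keystore" % certs)
    return problems

# Constructed sample inputs (assumed shape, PEM bodies elided on purpose).
SAMPLE_PROPS = """# JSSE keystore used by server.xml
psc.as.https.keyalias=mysslprivkey
psc.as.https.storeType=PKCS12
"""
SAMPLE_INFO = """Bag Attributes
    friendlyName: mysslprivkey
subject=CN = server.example.test
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(check_keystore_config(SAMPLE_PROPS, SAMPLE_INFO) or "all checks passed")
```

To use it on a real instance, pass the contents of catalina.properties and the saved output of the step 4 command in place of the two sample strings.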