Prepare certificates

  1. Obtain standard certificate(s) from your Certificate Authority (CA). Make sure that your OpenText Application Quality Management front-end server trusts this CA. Request the following from your certificate authority:

    • The certificate authority certificate. For Apache, the certificate must be in Base-64 format. For example, name the file TrustedCA.pem.
    • The server certificate issued to the reverse proxy server, either in an FQDN form or using a wildcard.

    • The software client certificate (for non-interactive users, when a smart card is not used).

  2. Place the server certificate files in your web server configuration directory. For IIS, you can work with PFX or PKCS12 certificates. For Apache, you need to split the PFX certificate into two PEM files, the public certificate (for example, WebServerPublicCert.pem) and the private key (for example, WebServerPrivateCert.pem).

    Note: If you receive certificates in different formats, you can use openssl to convert them. To install openssl, go to the openssl site.

    • To convert from CER, use: openssl x509 -in /<webserver-directory>/conf/cert.cer -outform pem -out cert.pem
    • To convert from PFX, do the following:

      • Export the public certificate by using: openssl pkcs12 -in /<webserver-directory>/conf/cert.pfx -clcerts -nokeys -out certPublic.pem
      • Export the private key by using: openssl pkcs12 -in /<webserver-directory>/conf/cert.pfx -nocerts -nodes -out certPrivate.pem
        The -nodes option writes the private key unencrypted, so restrict read access on certPrivate.pem to the web server account.
  3. Create an OpenText Application Quality Management user and make sure there is a physical smart card with a certificate containing the user credentials. The user login value must be embedded in an attribute in the certificate. When you run the Smart Card Authentication Configuration Wizard you select the specific attribute.

  4. If you are using a CRL server for the certificate revocation list check, and the CRL server resides outside of the OpenText Application Quality Management server network segment, ALM may require a proxy to access the CRL server. You must modify the <ALM installation folder>\wrapper\wrapper.conf file. Add the following:

    # *** IMPORTANT ***
    # If you enable any of the options below, you MUST change <n> to the next available 
    # consecutive number (based on the number of additional properties in the current file).
    # Otherwise, Java will not parse this properties file correctly!
    wrapper.java.additional.<n>=-Dhttp.proxySet=true
    wrapper.java.additional.<n+1>=-Dhttp.proxyHost=<the proxy host>
    wrapper.java.additional.<n+2>=-Dhttp.proxyPort=<the proxy port>
    wrapper.java.additional.<n+3>=-Dhttp.proxyUser=<the proxy user name>
    wrapper.java.additional.<n+4>=-Dhttp.proxyPassword=<the proxy password>
  5. Install the client certificate for the non-interactive user.
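
The PFX split from step 2, followed by a check that the exported certificate and private key belong together before they are placed in the Apache configuration directory. This is an added example, not part of the product documentation; the PFX_PASS variable, the function names and the throwaway self-signed certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example; PFX_PASS and every file name below are constructed for illustration.

# split_pfx PFX OUTDIR: write certPublic.pem and certPrivate.pem (password read from $PFX_PASS)
split_pfx() {
    # -clcerts -nokeys: leaf certificate only, no key material
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
        -out "$2/certPublic.pem" 2>/dev/null || return 1
    # -nodes leaves the key unencrypted, so create the file owner-only
    ( umask 077
      openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes \
          -out "$2/certPrivate.pem" 2>/dev/null ) || return 1
}

# pair_matches CERT KEY: succeed only when CERT carries the public half of KEY
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_sample_pfx DIR: constructed one-day self-signed certificate packed as DIR/cert.pfx
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=proxy.example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout env:PFX_PASS -out "$1/cert.pfx" 2>/dev/null
}

demo() {
    PFX_PASS=changeit; export PFX_PASS      # constructed sample password
    work=$(mktemp -d) || return 1
    make_sample_pfx "$work" && split_pfx "$work/cert.pfx" "$work" || return 1
    if pair_matches "$work/certPublic.pem" "$work/certPrivate.pem"; then
        echo "certificate and private key match"
    else
        echo "MISMATCH: do not deploy this pair" >&2
    fi
    rm -rf "$work"
}
demo
```

Passing the password through an environment variable (-passin env:) keeps it out of the process list, unlike pass: on the command line.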