• At least one officer is required for TLS communication and signing.

• This information is needed for the vRealize Orchestrator (vRO)*:

  • Filename of the p12 file containing the vRO.

  • If the vRO is stored on a smart card or an HSM:

    • the Common Name of the vRO is required

    • Personal Desktop Client or the PKCS11 driver of the HSM must be installed

• The CA certificate of the CM server TLS certificate is needed to create the trust store on the servlet machine.

• Create the appropriate certificate- and token procedures in CM see Administration tasks in Certificate Manager.

*The vRO signs the certificate requests from CM WS to CM and sets up the TLS connection.

1. Install Java.

2. Make sure that the policy files for strong encryption (US_export_policy.jar and local_policy.jar) are installed under the jre used by Tomcat, in the lib/security folder.

3. Install the web server (Apache Tomcat) and set JAVA_HOME.

4. If the vRO is stored on a smart card, install Personal Desktop Client (if not already installed with CM-SDK).

5. Install the war file:

   1. Copy the file cmws.war, located in <client_root>/web/cmws to the webapps folder of Tomcat.

6. Start Tomcat and the war file will create the folder cmws.

7. Next step: Configure the files cmws.properties and cmsdk.properties, located in cmws/WEB-INF/config.

In the file cmws.properties on the web server, do the following settings:

1. Set the token procedure to the appropriate token procedure in CM. You can also chose this procedure by sending the name of the procedure, included as a string-argument, in the enrollment request.

2. To configure the vRO for TLS communication, set the filename of the vRO p12 file in OfficerFile or the Common Name of the vRO in OfficerAttributes.

3. Point out the file pin.crt to be used when encrypting pins before sending them to CM.

4. Set the hostname of the CM server.

5. Configure parameters for error logging.

In the file cmsdk.properties on the web server, do the following settings:

1. Set the parameter ssl.rootfilename to contain the path of the trust store folder that contains the trusted CA certificates. A CA certificate can be copied to a file in the AWB.

2. If these optional values shall be used, add them to the cmsdk.properties file:

   1. cm.ssl.proxyport, the TLS proxy port (optional)

   2. cm.ssl.proxyuser, the TLS proxy user (optional)

   3. cm.ssl.proxypassword, the TLS proxy password (optional)

   4. cm.ssl.servernameindication, the host name of the CM server to contact in cases where the host of the CM server also hosts other TLS servers on the same IP and TLS port. It may also apply if the CM SDK application (CMWS) must connect to the CM server via a proxy or a load balancer (optional).

If revocation password is to be used when revoking a certificate, then this has to be configured in the file cm.conf under section Custom certificate attributes. This is an example of how it might be configured: