Skip to main content
Language Selector

  1. Other Languages

    (machine translation)

Planview Customer Success Center

SSL Certificate Installation

  1. Last updated
  2. Save as PDF
You are viewing content for Planview Hub version .

This page is not applicable to Planview Hub Cloud.

 

SSL Certificate Installation 

The Planview Hub application is available via HTTPS on port 8443. A default SSL certificate is provided for testing purposes and should be replaced after installation.

Replacing the default SSL certificate used by Planview Hub involves the following:

  1. Preparing a Java keystore file with all keys and certificates
    1. The Hub and Keycloak SSL configuration require a JKS format keystore.
      1. If your corporate CA provides a JKS keystore file, you can skip to the Configure Hub to use the keystore section and follow the steps using the JKS keystore file from your CA.
      2. If your CA requires you to provide a CSR and returns a certificate response to you, use the following steps to generate your own keystore file and CSR:
        1. Create a Java keystore file and generate a new key pair
        2. Generate a certificate request file
        3. Submit the file to a Certificate Authority (CA) and obtain the certificate and CA certificate trust chain
        4. Import the certificates to the keystore file
  2. Configuring Hub to use the keystore (i.e., new key and certificate)

The SSL certificate should contain DNS names where the Hub server is accessible. The user's browser will verify that the name in the address bar matches the names listed in the certificate. Certificate Authority may be your internal corporate service, or you may use a public CA (e.g., Comodo, Let’s Encrypt). If you are planning to use a certificate from a public CA, your Planview Hub instance must have a publicly recognizable DNS name that is owned by your organization.

Running Portecle for SSL certificate installation

To run Portecle for SSL certificate installation, see the instructions below:

  1. Download and unzip Portecle.
  2. Open the command prompt.
    1. For Windows, navigate to C:\Program Files\Tasktop\jre\bin\
    2. For Linux, navigate to <tasktop-install>/jre/bin/
  3. Run the following command (changing /path/to/portecle/ to the location where you unzipped Portecle): 
    1. java -jar /path/to/portecle/portecle.jar

Prepare a Java keystore file with all the keys and certificates 

To replace Hub's default SSL certificate using Portecle, follow the instructions below:

Tip: Details on accessing Portecle can be found in the section above.

  1. Create a key pair and keystore:

    1. Start Portecle and click New Keystore in the toolbar and select JKS as the keystore type. 

      1. undefined

    2. Click Generate Key Pair in the toolbar. You can leave the default settings for 2118 bit RSA key, or choose different settings if required by your company’s security policy. 

      1. undefined

    3. In the Generate Certificate pop-up, enter the Fully Qualified Domain Name (FQDN) of your Hub server in the Common Name (CN) field and enter other fields as needed.

      1. In the Subject Alternative DNS Name field, enter the alternative domain name of the server, if one exists. Your certificate should include all DNS names that your users may use to connect to Hub. For internal corporate CA you can also use “short” names (i.e., tasktop, in addition to tasktop.acme.corp). In CA, these additional DNS names are called Subject Alternative Names, or SAN. You can specify one SAN at this point, and can usually add more names later when submitting your request to the CA.

        1. undefined

    4. Enter tomcat as alias. 

      1. undefined

    5. Create a new password for the key pair.

      1. Tip: You will need this password later when configuring Tomcat.

      2. undefined

    6. You will see your newly created key pair in the list.

      1. undefined

    7. Click Save Keystore in the toolbar to save the newly created keystore file. Here, use the same password that you entered for the key pair earlier.

      1. undefined

  2. To generate a certificate request file (also known as Certificate Signing Request or CSR), right click on the tasktop key and select Generate Certification Request and save it to a file.

    1. undefined

  3. Submit your CSR to a CA to obtain a Certificate.

    Note: For some CAs you will need to provide the list of all DNS names for your Hub server separately as they will ignore the SAN values in the certificate request. See your CA's documentation for more information.

  4. Import the certificates to the keystore file.

    1. If your CA provided a separate file with the CA certificate or trust chain, import it by selecting Import Trusted Certificate in the toolbar. If your CA provided only one file in response to your CSR, skip to 4b.

    2. Import the server certificate by right clicking on the tasktop key, selecting Import CA Reply and choosing the server certificate file received from the CA.

      1. undefined

    3. To verify the certificate chain, click Tools and then click Keystore Report.

Configure Hub to use the keystore 

  1. Place your keystore file in a protected location that will not be wiped on Hub upgrade. We suggest using Hub's data directory (default C:\ProgramData\Tasktop, or the home directory of the user that Hub service is running as on Linux).
  2. Open the tasktop-hub.properties file and configure the following properties:
    1. server.ssl.key-store - Location where the keystore file exists
    2. server.ssl.key-store-password - Password of keystore file
    3. server.ssl.key-store-type - Type of keystore file (e.g., JKS, PKCS12)
  3. Restart Hub Service

To learn more about creating a tasktop-hub.properties file, please see here.

By default, the SSL configuration has been configured to disable known weak ciphers. As new security information becomes available, the list of enabled ciphers should be updated accordingly.

Configure Keycloak User Management to use and trust Hub's keystore

In Planview Hub version 20.4, both Tomcat and Keycloak share the same properties in the tasktop-hub.properties file as they share the same keystore file. See more details above.

To learn more about creating a tasktop-hub.properties file, please here.

 

SSL Certificate Installation 

The Planview Hub application is available via HTTPS on port 8443. A default SSL certificate is provided for testing purposes and should be replaced after installation.

Replacing the default SSL certificate used by Planview Hub involves the following:

  1. Preparing a Java keystore file with all keys and certificates
    1. The Hub and Keycloak SSL configuration require a JKS format keystore.
      1. If your corporate CA provides a JKS keystore file, you can skip to the Configure Hub to use the keystore section and follow the steps using the JKS keystore file from your CA.
      2. If your CA requires you to provide a CSR and returns a certificate response to you, use the following steps to generate your own keystore file and CSR:
        1. Create a Java keystore file and generate a new key pair
        2. Generate a certificate request file
        3. Submit the file to a Certificate Authority (CA) and obtain the certificate and CA certificate trust chain
        4. Import the certificates to the keystore file
  2. Configuring Hub to use the keystore (i.e., new key and certificate)

The SSL certificate should contain DNS names where the Hub server is accessible. The user's browser will verify that the name in the address bar matches the names listed in the certificate. Certificate Authority may be your internal corporate service, or you may use a public CA (e.g., Comodo, Let’s Encrypt). If you are planning to use a certificate from a public CA, your Planview Hub instance must have a publicly recognizable DNS name that is owned by your organization.

Running Portecle for SSL certificate installation

To run Portecle for SSL certificate installation, see the instructions below:

  1. Download and unzip Portecle.
  2. Open the command prompt.
    1. For Windows, navigate to C:\Program Files\Tasktop\jre\bin\
    2. For Linux, navigate to <tasktop-install>/jre/bin/
  3. Run the following command (changing /path/to/portecle/ to the location where you unzipped Portecle): 
    1. java -jar /path/to/portecle/portecle.jar

Prepare a Java keystore file with all the keys and certificates 

To replace Hub's default SSL certificate using Portecle, follow the instructions below:

Tip: Details on accessing Portecle can be found in the section above.

  1. Create a key pair and keystore:

    1. Start Portecle and click New Keystore in the toolbar and select JKS as the keystore type. 

      1. undefined

    2. Click Generate Key Pair in the toolbar. You can leave the default settings for 2118 bit RSA key, or choose different settings if required by your company’s security policy. 

      1. undefined

    3. In the Generate Certificate pop-up, enter the Fully Qualified Domain Name (FQDN) of your Hub server in the Common Name (CN) field and enter other fields as needed.

      1. In the Subject Alternative DNS Name field, enter the alternative domain name of the server, if one exists. Your certificate should include all DNS names that your users may use to connect to Hub. For internal corporate CA you can also use “short” names (i.e., tasktop, in addition to tasktop.acme.corp). In CA, these additional DNS names are called Subject Alternative Names, or SAN. You can specify one SAN at this point, and can usually add more names later when submitting your request to the CA.

        1. undefined

    4. Enter tomcat as alias. 

      1. undefined

    5. Create a new password for the key pair.

      1. Tip: You will need this password later when configuring Tomcat.

      2. undefined

    6. You will see your newly created key pair in the list.

      1. undefined

    7. Click Save Keystore in the toolbar to save the newly created keystore file. Here, use the same password that you entered for the key pair earlier.

      1. undefined

  2. To generate a certificate request file (also known as Certificate Signing Request or CSR), right click on the tasktop key and select Generate Certification Request and save it to a file.

    1. undefined

  3. Submit your CSR to a CA to obtain a Certificate.

    Note: For some CAs you will need to provide the list of all DNS names for your Hub server separately as they will ignore the SAN values in the certificate request. See your CA's documentation for more information.

  4. Import the certificates to the keystore file.

    1. If your CA provided a separate file with the CA certificate or trust chain, import it by selecting Import Trusted Certificate in the toolbar. If your CA provided only one file in response to your CSR, skip to 4b.

    2. Import the server certificate by right clicking on the tasktop key, selecting Import CA Reply and choosing the server certificate file received from the CA.

      1. undefined

    3. To verify the certificate chain, click Tools and then click Keystore Report.

Configure Hub to use the keystore 

  1. Place your keystore file in a protected location that will not be wiped on Hub upgrade. We suggest using Hub's data directory (default C:\ProgramData\Tasktop, or the home directory of the user that Hub service is running as on Linux).
  2. Open the tasktop-hub.properties file and configure the following properties:
    1. server.ssl.key-store - Location where the keystore file exists
    2. server.ssl.key-store-password - Password of keystore file
    3. server.ssl.key-store-type - Type of keystore file (e.g., JKS, PKCS12)
  3. Restart Hub Service

To learn more about creating a tasktop-hub.properties file, please see here.

By default, the SSL configuration has been configured to disable known weak ciphers. As new security information becomes available, the list of enabled ciphers should be updated accordingly.

Configure Keycloak User Management to use and trust Hub's keystore

In Planview Hub version 20.4, both Tomcat and Keycloak share the same properties in the tasktop-hub.properties file as they share the same keystore file. See more details above.

To learn more about creating a tasktop-hub.properties file, please here.

SSL Certificate Installation 

The Planview Hub application is available via HTTPS on port 8443. A default SSL certificate is provided for testing purposes and should be replaced after installation.

Replacing the default SSL certificate used by Planview Hub involves the following:

  1. Preparing a Java keystore file with all keys and certificates
    1. The Hub and Keycloak SSL configuration require a JKS format keystore.
      1. If your corporate CA provides a JKS keystore file, you can skip to the Configure Hub to use the keystore section and follow the steps using the JKS keystore file from your CA.
      2. If your CA requires you to provide a CSR and returns a certificate response to you, use the following steps to generate your own keystore file and CSR:
        1. Create a Java keystore file and generate a new key pair
        2. Generate a certificate request file
        3. Submit the file to a Certificate Authority (CA) and obtain the certificate and CA certificate trust chain
        4. Import the certificates to the keystore file
  2. Configuring Hub to use the keystore (i.e., new key and certificate)

The SSL certificate should contain DNS names where the Hub server is accessible. The user's browser will verify that the name in the address bar matches the names listed in the certificate. Certificate Authority may be your internal corporate service, or you may use a public CA (e.g., Comodo, Let’s Encrypt). If you are planning to use a certificate from a public CA, your Planview Hub instance must have a publicly recognizable DNS name that is owned by your organization.

Running Portecle for SSL certificate installation

To run Portecle for SSL certificate installation, see the instructions below:

  1. Download and unzip Portecle.
  2. Open the command prompt.
    1. For Windows, navigate to C:\Program Files\Tasktop\jre\bin\
    2. For Linux, navigate to <tasktop-install>/jre/bin/
  3. Run the following command (changing /path/to/portecle/ to the location where you unzipped Portecle): 
    1. java -jar /path/to/portecle/portecle.jar

Prepare a Java keystore file with all the keys and certificates 

To replace Hub's default SSL certificate using Portecle, follow the instructions below:

Tip: Details on accessing Portecle can be found in the section above.

  1. Create a key pair and keystore:

    1. Start Portecle and click New Keystore in the toolbar and select JKS as the keystore type. 

      1. undefined

    2. Click Generate Key Pair in the toolbar. You can leave the default settings for 2118 bit RSA key, or choose different settings if required by your company’s security policy. 

      1. undefined

    3. In the Generate Certificate pop-up, enter the Fully Qualified Domain Name (FQDN) of your Hub server in the Common Name (CN) field and enter other fields as needed.

      1. In the Subject Alternative DNS Name field, enter the alternative domain name of the server, if one exists. Your certificate should include all DNS names that your users may use to connect to Hub. For internal corporate CA you can also use “short” names (i.e., tasktop, in addition to tasktop.acme.corp). In CA, these additional DNS names are called Subject Alternative Names, or SAN. You can specify one SAN at this point, and can usually add more names later when submitting your request to the CA.

        1. undefined

    4. Enter tomcat as alias. 

      1. undefined

    5. Create a new password for the key pair.

      1. Tip: You will need this password later when configuring Tomcat.

      2. undefined

    6. You will see your newly created key pair in the list.

      1. undefined

    7. Click Save Keystore in the toolbar to save the newly created keystore file. Here, use the same password that you entered for the key pair earlier.

      1. undefined

  2. To generate a certificate request file (also known as Certificate Signing Request or CSR), right click on the tasktop key and select Generate Certification Request and save it to a file.

    1. undefined

  3. Submit your CSR to a CA to obtain a Certificate.

    Note: For some CAs you will need to provide the list of all DNS names for your Hub server separately as they will ignore the SAN values in the certificate request. See your CA's documentation for more information.

  4. Import the certificates to the keystore file.

    1. If your CA provided a separate file with the CA certificate or trust chain, import it by selecting Import Trusted Certificate in the toolbar. If your CA provided only one file in response to your CSR, skip to 4b.

    2. Import the server certificate by right clicking on the tasktop key, selecting Import CA Reply and choosing the server certificate file received from the CA.

      1. undefined

    3. To verify the certificate chain, click Tools and then click Keystore Report.

Configure Hub to use the keystore 

  1. Place your keystore file in a protected location that will not be wiped on Hub upgrade. We suggest using Hub's data directory (default C:\ProgramData\Tasktop, or the home directory of the user that Hub service is running as on Linux).
  2. Open the tasktop-hub.properties file and configure the following properties:
    1. server.ssl.key-store - Location where the keystore file exists
    2. server.ssl.key-store-password - Password of keystore file
    3. server.ssl.key-store-type - Type of keystore file (e.g., JKS, PKCS12)
  3. Restart Hub Service

To learn more about creating a tasktop-hub.properties file, please see here.

By default, the SSL configuration has been configured to disable known weak ciphers. As new security information becomes available, the list of enabled ciphers should be updated accordingly.

Configure Keycloak User Management to use and trust Hub's keystore

In Planview Hub version 20.4, both Tomcat and Keycloak share the same properties in the tasktop-hub.properties file as they share the same keystore file. See more details above.

To learn more about creating a tasktop-hub.properties file, please here.

 

SSL Certificate Installation 

The Planview Hub application is available via HTTPS on port 8443. A default SSL certificate is provided for testing purposes and should be replaced after installation.

Replacing the default SSL certificate used by Planview Hub involves the following:

  1. Preparing a Java keystore file with all keys and certificates
    1. The Hub and Keycloak SSL configuration require a JKS format keystore.
      1. If your corporate CA provides a JKS keystore file, you can skip to the Configure Hub to use the keystore section and follow the steps using the JKS keystore file from your CA.
      2. If your CA requires you to provide a CSR and returns a certificate response to you, use the following steps to generate your own keystore file and CSR:
        1. Create a Java keystore file and generate a new key pair
        2. Generate a certificate request file
        3. Submit the file to a Certificate Authority (CA) and obtain the certificate and CA certificate trust chain
        4. Import the certificates to the keystore file
  2. Configuring Hub to use the keystore (i.e., new key and certificate)

The SSL certificate should contain DNS names where the Hub server is accessible. The user's browser will verify that the name in the address bar matches the names listed in the certificate. Certificate Authority may be your internal corporate service, or you may use a public CA (e.g., Comodo, Let’s Encrypt). If you are planning to use a certificate from a public CA, your Planview Hub instance must have a publicly recognizable DNS name that is owned by your organization.

SSL-related instructions on this page are provided as a reference only. Your Certificate Authority will have more detailed instructions on creating and importing certificates. These instructions are based on the use of a GUI tool Portecle, which can be downloaded here.

Note that Planview does not provide support for this third-party tool beyond the instructions shown below.

Tip: You can create the Java keystore file on any machine and move the file to the server running Hub software; there is no need to install Portecle on the server running Planview Hub.

If you cannot use Portecle and need to utilize standard Java command line utility keytool, please refer to Tomcat documentationUpon following the documentation, use JRE installed with Hub software in the Planview Hub installation directory (default C:\Program Files\Tasktop). Hub’s server.xml file is located in Hub's data directory (default: C:\ProgramData\Tasktop, or the location where Hub is installed on Linux) under container/conf/server.xml.

Running Portecle for SSL certificate installation

To run Portecle for SSL certificate installation, see the instructions below:

  1. Download and unzip Portecle.
  2. Open the command prompt.
    1. For Windows, navigate to C:\Program Files\Tasktop\jre\bin\
    2. For Linux, navigate to <tasktop-install>/jre/bin/
  3. Run the following command (changing /path/to/portecle/ to the location where you unzipped Portecle): 
    1. java -jar /path/to/portecle/portecle.jar

Prepare a Java keystore file with all the keys and certificates 

To replace Hub's default SSL certificate using Portecle, follow the instructions below:

Tip: Details on accessing Portecle can be found in the section above.

  1. Create a key pair and keystore:

    1. Start Portecle and click New Keystore in the toolbar and select JKS as the keystore type. 

      1. undefined

    2. Click Generate Key Pair in the toolbar. You can leave the default settings for 2118 bit RSA key, or choose different settings if required by your company’s security policy. 

      1. undefined

    3. In the Generate Certificate pop-up, enter the Fully Qualified Domain Name (FQDN) of your Hub server in the Common Name (CN) field and enter other fields as needed.

      1. In the Subject Alternative DNS Name field, enter the alternative domain name of the server, if one exists. Your certificate should include all DNS names that your users may use to connect to Hub. For internal corporate CA you can also use “short” names (i.e., tasktop, in addition to tasktop.acme.corp). In CA, these additional DNS names are called Subject Alternative Names, or SAN. You can specify one SAN at this point, and can usually add more names later when submitting your request to the CA.

        1. undefined

    4. Enter tomcat as alias. 

      1. undefined

    5. Create a new password for the key pair.

      1. Tip: You will need this password later when configuring Tomcat.

      2. undefined

    6. You will see your newly created key pair in the list.

      1. undefined

    7. Click Save Keystore in the toolbar to save the newly created keystore file. Here, use the same password that you entered for the key pair earlier.

      1. undefined

  2. To generate a certificate request file (also known as Certificate Signing Request or CSR), right click on the tasktop key and select Generate Certification Request and save it to a file.

    1. undefined

  3. Submit your CSR to a CA to obtain a Certificate.

    Note: For some CAs you will need to provide the list of all DNS names for your Hub server separately as they will ignore the SAN values in the certificate request. See your CA's documentation for more information.

  4. Import the certificates to the keystore file.

    1. If your CA provided a separate file with the CA certificate or trust chain, import it by selecting Import Trusted Certificate in the toolbar. If your CA provided only one file in response to your CSR, skip to 4b.

    2. Import the server certificate by right clicking on the tasktop key, selecting Import CA Reply and choosing the server certificate file received from the CA.

      1. undefined

    3. To verify the certificate chain, click Tools and then click Keystore Report.

Configure Hub to use the keystore 

  1. Place your keystore file in a protected location that will not be wiped on Hub upgrade. We suggest using Hub's data directory (default C:\ProgramData\Tasktop, or the home directory of the user that Hub service is running as on Linux).
  2. Open the tasktop-hub.properties file and configure the following properties:
    1. server.ssl.key-store - Location where the keystore file exists
    2. server.ssl.key-store-password - Password of keystore file
    3. server.ssl.key-store-type - Type of keystore file (e.g., JKS, PKCS12)
  3. Restart Hub Service

To learn more about creating a tasktop-hub.properties file, please see here.

By default, the SSL configuration has been configured to disable known weak ciphers. As new security information becomes available, the list of enabled ciphers should be updated accordingly.

Configure Keycloak User Management to use and trust Hub's keystore

In Planview Hub version 20.4, both Tomcat and Keycloak share the same properties in the tasktop-hub.properties file as they share the same keystore file. See more details above.

To learn more about creating a tasktop-hub.properties file, please see here.

 

SSL Certificate Installation 

The Planview Hub application is available via HTTPS on port 8443. A default SSL certificate is provided for testing purposes and should be replaced after installation.

Replacing the default SSL certificate used by Planview Hub involves the following:

  1. Preparing a Java keystore file with all keys and certificates
    1. The Hub and Keycloak SSL configuration require a JKS format keystore.
      1. If your corporate CA provides a JKS keystore file, you can skip to the Configure Hub to use the keystore section and follow the steps using the JKS keystore file from your CA.
      2. If your CA requires you to provide a CSR and returns a certificate response to you, use the following steps to generate your own keystore file and CSR:
        1. Create a Java keystore file and generate a new key pair
        2. Generate a certificate request file
        3. Submit the file to a Certificate Authority (CA) and obtain the certificate and CA certificate trust chain
        4. Import the certificates to the keystore file
  2. Configuring Hub to use the keystore (i.e., new key and certificate)

The SSL certificate should contain DNS names where the Hub server is accessible. The user's browser will verify that the name in the address bar matches the names listed in the certificate. Certificate Authority may be your internal corporate service, or you may use a public CA (e.g., Comodo, Let’s Encrypt). If you are planning to use a certificate from a public CA, your Planview Hub instance must have a publicly recognizable DNS name that is owned by your organization.

SSL-related instructions on this page are provided as a reference only. Your Certificate Authority will have more detailed instructions on creating and importing certificates. These instructions are based on the use of a GUI tool Portecle, which can be downloaded here.

Note that Planview does not provide support for this third-party tool beyond the instructions shown below.

Tip: You can create the Java keystore file on any machine and move the file to the server running Hub software; there is no need to install Portecle on the server running Planview Hub.

If you cannot use Portecle and need to utilize standard Java command line utility keytool, please refer to Tomcat documentationUpon following the documentation, use JRE installed with Hub software in the Planview Hub installation directory (default C:\Program Files\Tasktop). Hub’s server.xml file is located in Hub's data directory (default: C:\ProgramData\Tasktop, or the location where Hub is installed on Linux) under container/conf/server.xml.

Running Portecle for SSL certificate installation

To run Portecle for SSL certificate installation, see the instructions below:

  1. Download and unzip Portecle.
  2. Open the command prompt.
    1. For Windows, navigate to C:\Program Files\Tasktop\jre\bin\
    2. For Linux, navigate to <tasktop-install>/jre/bin/
  3. Run the following command (changing /path/to/portecle/ to the location where you unzipped Portecle): 
    1. java -jar /path/to/portecle/portecle.jar

Prepare a Java keystore file with all the keys and certificates 

To replace Hub's default SSL certificate using Portecle, follow the instructions below:

Tip: Details on accessing Portecle can be found in the section above.

  1. Create a key pair and keystore:

    1. Start Portecle and click New Keystore in the toolbar and select JKS as the keystore type. 

      1. undefined

    2. Click Generate Key Pair in the toolbar. You can leave the default settings for 2118 bit RSA key, or choose different settings if required by your company’s security policy. 

      1. undefined

    3. In the Generate Certificate pop-up, enter the Fully Qualified Domain Name (FQDN) of your Hub server in the Common Name (CN) field and enter other fields as needed.

      1. In the Subject Alternative DNS Name field, enter the alternative domain name of the server, if one exists. Your certificate should include all DNS names that your users may use to connect to Hub. For internal corporate CA you can also use “short” names (i.e., tasktop, in addition to tasktop.acme.corp). In CA, these additional DNS names are called Subject Alternative Names, or SAN. You can specify one SAN at this point, and can usually add more names later when submitting your request to the CA.

        1. undefined

    4. Enter tomcat as alias. 

      1. undefined

    5. Create a new password for the key pair.

      1. Tip: You will need this password later when configuring Tomcat.

      2. undefined

    6. You will see your newly created key pair in the list.

      1. undefined

    7. Click Save Keystore in the toolbar to save the newly created keystore file. Here, use the same password that you entered for the key pair earlier.

      1. undefined

  2. To generate a certificate request file (also known as Certificate Signing Request or CSR), right click on the tasktop key and select Generate Certification Request and save it to a file.

    1. undefined

  3. Submit your CSR to a CA to obtain a Certificate.

    Note: For some CAs you will need to provide the list of all DNS names for your Hub server separately as they will ignore the SAN values in the certificate request. See your CA's documentation for more information.

  4. Import the certificates to the keystore file.

    1. If your CA provided a separate file with the CA certificate or trust chain, import it by selecting Import Trusted Certificate in the toolbar. If your CA provided only one file in response to your CSR, skip to 4b.

    2. Import the server certificate by right clicking on the tasktop key, selecting Import CA Reply and choosing the server certificate file received from the CA.

      1. undefined

    3. To verify the certificate chain, click Tools and then click Keystore Report.

Configure Hub to use the keystore 

  1. Place your keystore file in a protected location that will not be wiped on Hub upgrade. We suggest using Hub's data directory (default C:\ProgramData\Tasktop, or the home directory of the user that Hub service is running as on Linux).
  2. Open the tasktop-hub.properties file and configure the following properties:
    1. server.ssl.key-store - Location where the keystore file exists
    2. server.ssl.key-store-password - Password of keystore file
    3. server.ssl.key-store-type - Type of keystore file (e.g., JKS, PKCS12)
  3. Restart Hub Service

To learn more about creating a tasktop-hub.properties file, please see here.

By default, the SSL configuration has been configured to disable known weak ciphers. As new security information becomes available, the list of enabled ciphers should be updated accordingly.

Configure Keycloak User Management to use and trust Hub's keystore

In Planview Hub version 20.4, both Tomcat and Keycloak share the same properties in the tasktop-hub.properties file as they share the same keystore file. See more details above.

To learn more about creating a tasktop-hub.properties file, please see here.

 

SSL Certificate Installation 

The Planview Hub application is available via HTTPS on port 8443. A default SSL certificate is provided for testing purposes and should be replaced after installation.

Replacing the default SSL certificate used by Planview Hub involves the following:

  1. Preparing a Java keystore file with all keys and certificates
    1. The Hub and Keycloak SSL configuration require a JKS format keystore.
      1. If your corporate CA provides a JKS keystore file, you can skip to the Configure Hub to use the keystore section and follow the steps using the JKS keystore file from your CA.
      2. If your CA requires you to provide a CSR and returns a certificate response to you, use the following steps to generate your own keystore file and CSR:
        1. Create a Java keystore file and generate a new key pair
        2. Generate a certificate request file
        3. Submit the file to a Certificate Authority (CA) and obtain the certificate and CA certificate trust chain
        4. Import the certificates to the keystore file
  2. Configuring Hub to use the keystore (i.e., new key and certificate)

The SSL certificate should contain DNS names where the Hub server is accessible. The user's browser will verify that the name in the address bar matches the names listed in the certificate. Certificate Authority may be your internal corporate service, or you may use a public CA (e.g., Comodo, Let’s Encrypt). If you are planning to use a certificate from a public CA, your Planview Hub instance must have a publicly recognizable DNS name that is owned by your organization.

SSL-related instructions on this page are provided as a reference only. Your Certificate Authority will have more detailed instructions on creating and importing certificates. These instructions are based on the use of a GUI tool Portecle, which can be downloaded here.

Note that Planview does not provide support for this third-party tool beyond the instructions shown below.

Tip: You can create the Java keystore file on any machine and move the file to the server running Hub software; there is no need to install Portecle on the server running Planview Hub.

If you cannot use Portecle and need to utilize standard Java command line utility keytool, please refer to Tomcat documentationUpon following the documentation, use JRE installed with Hub software in the Planview Hub installation directory (default C:\Program Files\Tasktop). Hub’s server.xml file is located in Hub's data directory (default: C:\ProgramData\Tasktop, or the location where Hub is installed on Linux) under container/conf/server.xml.

Running Portecle for SSL certificate installation 

To run Portecle for SSL certificate installation, see the instructions below:

  1. Download and unzip Portecle.
  2. Open the command prompt.
    1. For Windows, navigate to C:\Program Files\Tasktop\jre\bin\
    2. For Linux, navigate to <tasktop-install>/jre/bin/
  3. Run the following command (changing /path/to/portecle/ to the location where you unzipped Portecle): 
    1. java -jar /path/to/portecle/portecle.jar

Prepare a Java keystore file with all the keys and certificates 

To replace Hub's default SSL certificate using Portecle, follow the instructions below:

Tip: Details on accessing Portecle can be found in the section above.

  1. Create a key pair and keystore:

    1. Start Portecle and click New Keystore in the toolbar and select JKS as the keystore type. 

      1. undefined

    2. Click Generate Key Pair in the toolbar. You can leave the default settings for 2118 bit RSA key, or choose different settings if required by your company’s security policy. 

      1. undefined

    3. In the Generate Certificate pop-up, enter the Fully Qualified Domain Name (FQDN) of your Hub server in the Common Name (CN) field and enter other fields as needed.

      1. In the Subject Alternative DNS Name field, enter the alternative domain name of the server, if one exists. Your certificate should include all DNS names that your users may use to connect to Hub. For internal corporate CA you can also use “short” names (i.e., tasktop, in addition to tasktop.acme.corp). In CA, these additional DNS names are called Subject Alternative Names, or SAN. You can specify one SAN at this point, and can usually add more names later when submitting your request to the CA.

        1. undefined

    4. Enter tomcat as alias. 

      1. undefined

    5. Create a new password for the key pair.

      1. Tip: You will need this password later when configuring Tomcat.

      2. undefined

    6. You will see your newly created key pair in the list.

      1. undefined

    7. Click Save Keystore in the toolbar to save the newly created keystore file. Here, use the same password that you entered for the key pair earlier.

      1. undefined

  2. To generate a certificate request file (also known as Certificate Signing Request or CSR), right click on the tasktop key and select Generate Certification Request and save it to a file.

    1. undefined

  3. Submit your CSR to a CA to obtain a Certificate.

    Note: For some CAs you will need to provide the list of all DNS names for your Hub server separately as they will ignore the SAN values in the certificate request. See your CA's documentation for more information.

  4. Import the certificates to the keystore file.

    1. If your CA provided a separate file with the CA certificate or trust chain, import it by selecting Import Trusted Certificate in the toolbar. If your CA provided only one file in response to your CSR, skip to 4b.

    2. Import the server certificate by right clicking on the tasktop key, selecting Import CA Reply and choosing the server certificate file received from the CA.

      1. undefined

    3. To verify the certificate chain, click Tools and then click Keystore Report.

Configure Hub to use the keystore 

  1. Place your keystore file in a protected location that will not be wiped on Hub upgrade. We suggest using Hub's data directory (default C:\ProgramData\Tasktop, or the home directory of the user that Hub service is running as on Linux).
  2. Open the tasktop-hub.properties file and configure the following properties:
    1. server.ssl.key-store - Location where the keystore file exists
    2. server.ssl.key-store-password - Password of keystore file
    3. server.ssl.key-store-type - Type of keystore file (e.g., JKS, PKCS12)
  3. Restart Hub Service

To learn more about creating a tasktop-hub.properties file, please see here.

By default, the SSL configuration has been configured to disable known weak ciphers. As new security information becomes available, the list of enabled ciphers should be updated accordingly.

Configure Keycloak User Management to use and trust Hub's keystore

In Planview Hub version 20.4, both Tomcat and Jboss share the same properties in the tasktop-hub.properties file as they share the same keystore file. See more details above.

To learn more about creating a tasktop-hub.properties file, please see here.