PKI
CWMS 3.4 uses both RMI over TLS and HTTPS for its communications, so a server certificate and a trust store must be provided. The same certificate and trust store are used for both protocols, so the setup only needs to be completed once. It involves steps for both the district and HEC, and it must be completed on both the Primary and COOP servers. Instructions for setting up the certificate and trust store follow:
Trust Store
To allow CAC authentication to work the server must have a trust store (Java KeyStore file) that contains all of the DoD Root certificates. A default has been provided in $CWMS_HOME/config/system_config/pki/rootca.jks.
However, if users with newly issued CACs report that they cannot log in, this keystore will need to be updated. HEC will most likely provide the updated file for you, but it is not difficult to do yourself.
KeyStore
A certificate recognized by the client is required both for clients to verify that they are talking to a valid CWMS Server and for the CWMS Server components on the host to communicate securely with each other. Generating a new certificate can be confusing, so a script, generateServerCsr.sh, has been provided. Run this script and send the resulting certificate signing request (.crs) and .conf files to HEC staff for signing; the .key file is the server's private key and must stay on the server. After you get the .crt file back from HEC (this is the signed certificate), create a Java KeyStore file. The steps for creating the KeyStore are listed below and must be conducted on both your Primary and COOP servers. HEC has created the following folders and files on your primary server:
/wm/xxx/xxcwpaxx/config/system_config
/wm/xxx/xxcwpaxx/config/system_config/pki
In the pki folder HEC has provided the following files:
cwms_root_ca.pem
rootca.jks
Copy this folder structure and these files to your COOP. Make sure that the pki folder has permissions 0700. All of the following steps must be conducted on both your Primary and COOP servers.
Steps for creating KeyStore
- Open a Firefox web browser and go to the following URL for your district (replace mvp with your office id):
- https://wm.mvp.ds.usace.army.mil:8243/
- For your COOP it would be https://wm-mvpcoop.mvr.ds.usace.army.mil:8243/ (replace mvp with your office id and mvr with the office id of your COOP site).
- Click the Lock icon.
- Click Connection secure.
- Click More Information.
- Under the Security tab, click View Certificate.
- Scroll down to Subject Alt Names and copy the names listed. These are the subject alternative names you will enter into generateServerCsr.sh.
- Run generateServerCsr.sh from your pki folder. The script is included in the CWMS 3.4 server bundle and creates the host.crs, host.conf, and host.key files. You can use a name other than host; if you do, use that name in the rest of the steps.
# HEC has provided the rootca.jks and cwms_root_ca.pem files on your primary server; they need to be copied to your COOP.
# Run the following to create your .crs, .conf, and .key files.
cd $CWMS_HOME/config/system_config/pki/
# Run the script from the server build folder, which is located in /wm/wmsoft/cwms/v3.4.0.241219.
/wm/wmsoft/cwms/v3.4.0.241219/bin/generateServerCsr.sh
# Answer the prompts:
Please provide a certificate name (with no extension):
host (or any name you want to apply)
Please provide the FQDN of the server:
enter your hostname for the application zone, e.g. coe-hecuwa04hec.hec.usace.army.mil
Please keep adding subject alt names (hostnames, ip addresses, and such) until done. Enter '.' to stop
add the IP address and the additional DNS names that were obtained from the web certificate pages
# This creates the host.crs, host.conf and host.key files. host.key is the private key: leave it in the pki folder and never send it to anyone.
- Send the .crs and .conf files to HEC: email them, using encrypted email, to Mike Neilson and Eric Novotny. Do not include host.key; the private key never leaves the server. Title the email '3.4 server Keystore generation MVP - primary', replacing MVP with your office code and primary with COOP for your COOP files. HEC will create a signed certificate and send a .crt file back to you. Save the .crt file from HEC into your pki directory. (Note: signing instructions for authorized staff are available here; this is an HEC task: https://bitbucket.hecdev.net/projects/CWMS/repos/ssl-cac/browse/CwmsRoot)
Once you have the .crt file, run the following steps from your pki folder to create the cwms.jks file.
# Step 1
# Create the combined PKCS#12 file; it contains the server-specific certificate, its private key and the CA chain.
openssl pkcs12 -export -in host.crt -inkey host.key -out host.p12 -name cwms -CAfile cwms_root_ca.pem -caname root -chain -password pass:cwmspass
# Step 2
# Create the initial JKS keystore, importing the cwms_root_ca trust.
keytool -import -noprompt -alias root -keystore cwms.jks -storepass cwmspass -trustcacerts -file cwms_root_ca.pem
# Step 3
# Import the server public/private key pair into the JKS keystore used to identify the server.
keytool -importkeystore -noprompt \
-alias cwms \
-destkeystore cwms.jks \
-deststorepass cwmspass \
-srckeystore host.p12 \
-srcstoretype PKCS12 \
-srcstorepass cwmspass
Note that host.p12 holds the private key just as host.key does, so it must stay inside the 0700 pki folder (or be deleted once cwms.jks has been built). The store password given on the command line is visible in your shell history and in the process list while the command runs, and the same password is written in clear text into cwms.trust.conf below, which is one more reason the pki folder must be accessible to the service account only.
cwms.trust.conf
Now create or update the file $CWMS_HOME/config/system_config/cwms.trust.conf so that it uses these files. NOTE: use the full path appropriate to your district; HEC's E1 testbed is used as the example below.
cwms.keystore.file=/wm/hec/e1cwt019/config/system_config/pki/cwms.jks
cwms.keystore.password=cwmspass
cwms.keystore.type=JKS
cwms.truststore.file=/wm/hec/e1cwt019/config/system_config/pki/rootca.jks
cwms.truststore.password=rootca
cwms.truststore.type=JKS
Security
The folder in which the keystores reside (the pki folder) MUST be `chmod 0700` (i.e. accessible by the owning user only). The code that loads these files checks the folder permissions and refuses to load the stores if the permissions are not set correctly.
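The permission check described above, together with the cwms.trust.conf format from the previous section, as an added pre-flight script. This is illustration code written for this page, not the CWMS loader's own code: it parses a cwms.trust.conf, then refuses both stores unless the pki folder grants nothing to group or other, each store file is owner-only, and both are owned by the running user and are not symlinks. The temporary pki layout it builds is constructed for the demonstration (the .jks files are placeholders, not real keystores); the script name check_trust_conf.py is my choice, and it is POSIX-only because it relies on mode bits and os.getuid.

```python
"""Pre-flight check of cwms.trust.conf and the keystores it names.

Illustration for this page, not CWMS code. It mirrors the kind of check the
page says the CWMS loader performs (refuse to load when the pki folder is
not 0700) and extends it to the store files themselves. POSIX only.
"""
import os
import stat
import sys
import tempfile

# Keys exactly as they appear in cwms.trust.conf.
STORE_KEYS = ("cwms.keystore.file", "cwms.truststore.file")


def parse_trust_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        conf[key.strip()] = value.strip()
    return conf


def permission_problems(path, allowed_mode):
    """List the reasons `path` is unsafe to hold key material.

    Rejects symlinks (lstat inspects the link itself), files not owned by
    the running user, and any mode bits outside `allowed_mode`.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s: does not exist" % path]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("%s: is a symlink" % path)
    if st.st_uid != os.getuid():
        problems.append("%s: owned by uid %d, not uid %d"
                        % (path, st.st_uid, os.getuid()))
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~allowed_mode
    if extra:
        problems.append("%s: mode %04o has extra bits %04o (want at most %04o)"
                        % (path, mode, extra, allowed_mode))
    return problems


def check_trust_conf(conf_path):
    """Return (ok, problems) for a cwms.trust.conf file.

    ok is True only when both store paths are set and absolute, the pki
    folder holding them grants nothing beyond owner rwx (0700), and each
    store file grants nothing beyond owner rw (0600).
    """
    with open(conf_path) as fh:
        conf = parse_trust_conf(fh.read())
    problems = []
    for key in STORE_KEYS:
        store = conf.get(key)
        if not store:
            problems.append("%s is not set" % key)
            continue
        if not os.path.isabs(store):
            problems.append("%s must be an absolute path, got %r" % (key, store))
            continue
        problems += permission_problems(os.path.dirname(store), 0o700)
        problems += permission_problems(store, 0o600)
    return (not problems, problems)


def build_sample_layout(pki_mode):
    """Constructed sample: a pki/ folder with placeholder .jks files and a
    cwms.trust.conf pointing at them, under a fresh temp dir. Returns the
    conf path. The folder is chmod'ed to `pki_mode` after the files exist."""
    root = tempfile.mkdtemp(prefix="cwms-pki-demo-")
    pki = os.path.join(root, "pki")
    os.mkdir(pki)
    for name in ("cwms.jks", "rootca.jks"):
        path = os.path.join(pki, name)
        with open(path, "wb") as fh:
            fh.write(b"\x00")  # placeholder, not a real keystore
        os.chmod(path, 0o600)
    os.chmod(pki, pki_mode)  # explicit chmod so umask cannot interfere
    conf_path = os.path.join(root, "cwms.trust.conf")
    with open(conf_path, "w") as fh:
        fh.write("cwms.keystore.file=%s/cwms.jks\n" % pki)
        fh.write("cwms.keystore.password=cwmspass\n")
        fh.write("cwms.keystore.type=JKS\n")
        fh.write("cwms.truststore.file=%s/rootca.jks\n" % pki)
        fh.write("cwms.truststore.password=rootca\n")
        fh.write("cwms.truststore.type=JKS\n")
    return conf_path


if __name__ == "__main__":
    # With no argument, demonstrate a refusal on a constructed 0755 folder.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_layout(0o755)
    ok, problems = check_trust_conf(target)
    print("OK" if ok else "REFUSING TO LOAD:")
    for p in problems:
        print("  " + p)
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_trust_conf.py $CWMS_HOME/config/system_config/cwms.trust.conf` before starting the servers; a non-zero exit with the listed reasons is what the real loader's refusal will look like to you, only earlier and with a message.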
Once all of the above steps are complete you can start the CWMS servers. Make sure to update your link to CWMS 3.4.