Error: Invalid spaceKey on retrieving a related space config.

Configuring the REST API

The primary reason for using Secure Sockets Layer (SSL) certificates is to keep sensitive information sent across the internet encrypted so that only the intended recipient can understand it. This security is important because the information you send on the internet is passed from computer to computer to get to the recipient. Any computer between you and the destination can utilize your user name, passwords, and other sensitive information if the information is not encrypted with an SSL certificate.

In addition to encryption, a proper SSL certificate also provides authentication. With authentication, you can be sure that you are sending information to the right recipient and not to an unknown user. You can ensure authentication by using an SSL certificate from a trusted SSL provider.

The keytool utility is used to obtain a digitally signed certificate to replace the self-signed certificate. This utility is available with Oracle JDKs. The Java keytool is a key and certificate management utility. It allows users to manage their own public or private key pairs and certificates. The Java keytool stores the keys and certificates, which is called as keystore. A keytool keystore contains the private key and any certificates necessary for authentication. The keytool is located in the jre7/bin directory of your Java installation file.

Note

For more information about configuring Jetty web server, watch the video on YouTube at  Configuring Jetty.

The video is recorded using the earlier version of BMC Remedy AR System and is valid for BMC Remedy AR System 9.1.

The following topics provide information and instructions for creating new keystores:

For information on troubleshooting Jetty startup issues, see BMC Knowledge Base article ID 000134172.

To configure REST API for HTTPS connection

  1. Import the existing signed primary certificate into an existing Java keystore:

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

    If you do not have a certificate, create a new keystore by using a new password to secure the certificate:

    keytool -keystore keystore -alias jetty -genkey -keyalg RSA
    

    After the keystore has been created, you must provide six parameters that form a distinguished name for a certificate associated with the key.

    • CN—Common Name of the certificate owner (usually the name of the host)
    • OU—Organizational Unit of the certificate owner
    • O—Organization to which the certificate owner belongs
    • L—Locality name of the certificate owner
    • ST—State or province of the certificate owner
    • C—Country of the certificate owner

      Note

      The keystore file is created in the current directory of the command window.

  2. Obfuscate the SSL connector keystore password for greater security.
    For more information, see Obfuscating the password.
  3. (Version 9.1.03.001 and earlier) Update the jetty-selector.xml file with the new password for the keystore.

    <Call name="addConnector">
         <Arg>
           <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
             <Arg>
               <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                 <Set name="keyStore">c:/temp/keystore</Set>
                 <Set name="keyStorePassword">OBF:1tv71vnw1yta1zt11zsp1ytc1vn61tvv</Set>
                 <Set name="keyManagerPassword">OBF:1tv71vnw1yta1zt11zsp1ytc1vn61tvv</Set>
                 <Set name="trustStore">c:/temp/keystore</Set>
                 <Set name="trustStorePassword">OBF:1tv71vnw1yta1zt11zsp1ytc1vn61tvv</Set>
               </New>
             </Arg>
             <Set name="port">8443</Set>
             <Set name="maxIdleTime">30000</Set>
           </New>
         </Arg>
    </Call>

    (Version 9.1.04 and later) Update the jetty-http.xml file with the new password for the keystore.

    Note

    * In <Set name="KeyStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>, remove <Property name="jetty.home" default="." />.

    * Replace /etc/keystore/ with the actual path to the keystore.


    <Call name="addConnector">
        <Arg>
          <New class="org.eclipse.jetty.server.ServerConnector">
            <Arg name="server"><Ref refid="Server" /></Arg>
    		<Arg type="java.lang.Integer" name="acceptors">2</Arg>
    		<Arg type="java.lang.Integer" name="selectors">-1</Arg>
            <Arg name="factories">
              <Array type="org.eclipse.jetty.server.ConnectionFactory">
                <Item>
                  <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                    <Arg name="config"><Ref refid="httpConfig" /></Arg>
                  </New>
                </Item>
              </Array>
            </Arg> 
            <Set name="host"><Property name="jetty.http.host" /></Set>
            <Set name="port"><Property name="jetty.http.port" default="8008" /></Set>  
    		<!--Uncomment to Enable Connector Statistics -->
    		<!--<Call name="addBean">
    			<Arg>
    				<New id="ConnectorStatistics" class="org.eclipse.jetty.server.ConnectorStatistics"/>
    			</Arg>
    		</Call> -->
           </New>
        </Arg>
      </Call>
    	 
    	
    	<!-- Uncomment this to add SSL support for REST API,
             replace the values to match your environment -->	
      <!-- <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
            <Call name="addCustomizer">
                <Arg>
                    <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
                </Arg>
            </Call>
    		<Set name="sendServerVersion">false</Set>
        </New>
    	
      <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="KeyStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>
    	<Set name="KeyManagerPassword">OBF:1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm</Set>
        <Set name="KeyStorePassword">OBF:1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm</Set>
        <Set name="TrustStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>
        <Set name="TrustStorePassword">OBF:1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm</Set>
    	<Set name="IncludeCipherSuites">
    	  <Array type="String">
    	      <Item>TLS_DHE_RSA.*</Item>
    	      <Item>TLS_ECDHE.*</Item>
    	  </Array>
    	</Set>
    	<Set name="ExcludeCipherSuites">
    	   <Array type="String">
    	    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    	    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    	    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    	    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    	    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    	    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    	    <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    	
    	    <Item>.*NULL.*</Item>
    	    <Item>.*RC4.*</Item>
    	    <Item>.*MD5.*</Item>
    	    <Item>.*DES.*</Item>
    	    <Item>.*DSS.*</Item>
    	    <Item>.*_DHE_RSA_.*</Item>
    	
    	   </Array>
    	</Set>
    	<Set name="ExcludeProtocols">
    	     <Array type="java.lang.String">
    	         <Item>SSL</Item>
    	         <Item>SSLv2</Item>
    	         <Item>SSLv2Hello</Item>
    	         <Item>SSLv3</Item>
    	     </Array>
    	</Set> 	    
      </New>
      
      <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
            <Arg name="sslContextFactory">
                <Ref refid="sslContextFactory" />
            </Arg>
            <Arg name="next">http/1.1</Arg>
      </New>
    
      <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="factories">
            <Array type="org.eclipse.jetty.server.ConnectionFactory">
                <Item><Ref refid="sslConnectionFactory" /></Item>
                <Item>
                    <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                      <Arg name="config"><Ref refid="httpsConfig" /></Arg>           
                    </New>
                </Item>
            </Array>
        </Arg>
    	<Set name="port">8443</Set>        
      </New> 
    	
    	<Call name="setConnectors">
            <Arg>
                <Array type="org.eclipse.jetty.server.ServerConnector">
                    <Item>
                        <Ref refid="sslConnector" />
                    </Item>
                </Array>
            </Arg>
        </Call> 
          -->
    </Configure>
  4. Restart the AR System server.

After you create a self-signed certificate, browsers and other programs issue warnings to users about an insecure certificate each time the user authenticates. You can prevent the certificate warning by adding the self-signed certificate to the Trusted Root Certification Authorities store. For more information, see Importing a certificate into the Trusted Root Certification Authorities store.

Obfuscating the password

The Jetty passwords are stored as clear text, obfuscated, check-summed, or in encrypted form. For the keystore/ key/ truststore passwords, you must obfuscate the passwords. The class org.eclipse.jetty.util.http.security.Password is used to generate all types of secure passwords. Create password at <install directory>\lib\start\startlevel1 location. The following command is used to create a new password:

Version 9.1.03.001 and earlier:

java -cp jetty-util-8.1.15.v20140411.jar org.eclipse.jetty.util.security.Password username password

Version 9.1.04 and later:

java -cp jetty-util-9.4.8.v20171121.jar org.eclipse.jetty.util.security.Password username password

If you are using a reverse proxy, uncomment the below section from the jetty-http.xml file.

<Call name="addCustomizer">
        <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
      </Call>

To configure REST API for HTTP connection

  1. Locate the Jetty sub directory from the ARSystem installation directory.
  2. (Version 9.1.03.001 and earlier) From the jetty-selector.xml file, uncomment the following HTTP connector if you use a reverse proxy that handles HTTPS and change the default port to 8008 according to your need.

    <Call name="addConnector">                             
    	<Arg>                                              
    		<New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
            	<Set name="host"><Property name="jetty.host"/></Set>   
    			<Set name="port"><Property name="jetty.port"default="8008" /></Set>
    			<Set name="maxIdleTime">300000</Set>                   
    			<Set name="Acceptors">2</Set>                          
    			<Set name="statsOn">false</Set>                        
    			<Set name="confidentialPort">8443</Set>                
    			<Set name="lowResourcesConnections">20000</Set>        
    			<Set name="lowResourcesMaxIdleTime">5000</Set>         
    			<Set name="forwarded">true</Set>       
    		</New>                 
    	</Arg>     
    </Call>
    

    (Version 9.1.04 and later)  From the jetty-http.xml file, uncomment the following HTTP connector if you use a reverse proxy that handles HTTPS and change the default port to 8008 according to your need.

      <Call name="addConnector">
        <Arg>
          <New class="org.eclipse.jetty.server.ServerConnector">
            <Arg name="server"><Ref refid="Server" /></Arg>
    		<Arg type="java.lang.Integer" name="acceptors">2</Arg>
    		<Arg type="java.lang.Integer" name="selectors">-1</Arg>
            <Arg name="factories">
              <Array type="org.eclipse.jetty.server.ConnectionFactory">
                <Item>
                  <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                    <Arg name="config"><Ref refid="httpConfig" /></Arg>
                  </New>
                </Item>
              </Array>
            </Arg> 
            <Set name="host"><Property name="jetty.http.host" /></Set>
            <Set name="port"><Property name="jetty.http.port" default="8008" /></Set>  
    		<!--Uncomment to Enable Connector Statistics -->
    		<!--<Call name="addBean">
    			<Arg>
    				<New id="ConnectorStatistics" class="org.eclipse.jetty.server.ConnectorStatistics"/>
    			</Arg>
    		</Call> -->
           </New>
        </Arg>
      </Call>	 
  3. Restart the AR System server.

Related topics

Was this page helpful? Yes No Submitting... Thank you

Comments

  1. Renan Caldeira

    Hello,

    Does Remedy REST API have an option to set localization (language for results)?

    Jan 18, 2017 07:20
  2. Christoph Klapetke

    The knowledge base article mentioned in line For information on troubleshooting Jetty startup issues, see BMC Knowledge Base article ID 000120850. cannot be displayed

    Jun 23, 2017 04:04
    1. Anagha Deshpande

      Hello Christoph,

      Apologies for the inconvenience. I have updated the link.

      Regards,

      Anagha

       

      Jun 26, 2017 11:17
  3. David Moser

    In the section to obfuscate your password, the documentation does not indicate where you need to run the java command. This needs to be done in the following directory: C:\Program Files\BMC Software\ARSystem\lib\start\startlevel1

    Sep 01, 2017 01:12
  4. Brad Taylor

    It should be mentioned that the arguments for the jetty obfuscation command mention username, but that is optional. There is no username for java keystores, so one should only include one argument, the password, in the command execution.

    See https://wiki.eclipse.org/Jetty/Howto/Secure_Passwords

    Usage - java org.eclipse.jetty.util.security.Password [] If the password is ?, the user will be prompted for the password

    Sep 27, 2017 12:43
    1. Anagha Deshpande

      Hello Brad,

      Thank you for the inputs. I will update the topic.

      Regards,

      Anagha

      Sep 27, 2017 10:21
    1. Anagha Deshpande

      Hello Brad,

      Apologies for late response.

      I have updated the topic.

      Regards,

      Anagha

      Jun 22, 2018 01:21
  5. Andreas Mitterdorfer

    OOTB jetty-selector.xml looks like: /etc/keystore

    When you set an absolute path then the keystore cannot be found. if you remove the part then you can use an absolute path. Please can you document this accordingly?

    Nov 28, 2017 06:09
    1. Andreas Mitterdorfer

      somehow the xml part got lost, added again without < and >

      OOTB jetty-selector.xml looks like: /etc/keystore Set name="keyStore">/etc/keystore</Set When you set an absolute path then the keystore cannot be found. if you remove the part Property name="jetty.home" default="." / then you can use an absolute path. Please can you document this accordingly?

      Nov 28, 2017 06:11
      1. Anagha Deshpande

        Hello Andreas,

        I will check this with the SME and will write back to you.

        Regards,

        Anagha

        Nov 28, 2017 09:22
      1. Kamalakannan Srinivasan

        Hi Andreas,

        Thank you for your comment.

        In <Set name="KeyStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>, remove <Property name="jetty.home" default="." />.

        Replace /etc/keystore/ with the actual path to the keystore.

        Regards,
        Kamal


        Feb 21, 2018 01:36
        1. Mohamed Atta

          which format is correct?

          />C:\Program Files\BMC Software\keystore />/C:\Program Files\BMC Software\keystore

          May 16, 2018 06:39
          1. Anagha Deshpande

            Hello Mohamed,

            I will check this with the SME and will respond back.

            Regards,

            Anagha


            May 16, 2018 12:22
            1. Anagha Deshpande

              Hello Mohamed,

              Sorry for responding late.

              The following format is correct:

              <Set name="KeyStorePath"> Absolute path to keystore </Set>


              Example:
              <Set name="KeyStorePath">C:\Program Files\BMC Software\ARSystem\jetty\etc\keystore</Set>

              Regards,

              Anagha

              Jun 22, 2018 12:41
    1. Kamalakannan Srinivasan

      Hi Andreas,

      Thank you for your comment.

      Response to this comment is combined with the response to the below comment.

      Regards,

      Kamal

      Feb 21, 2018 01:37
  6. Levi Lippincott

    Hello, We have configured our system with a reverse proxy handling the HTTPS redirection and it works properly with one exception. When I send in a Post command to say the HPD:IncidentInterface_Create form and it successfully sends back the Headers my Location result says it is HTTP rather than HTTPS. Is there a setting somewhere I need to setup? Thanks, Levi

    Mar 14, 2018 03:19
    1. Renan Caldeira

      Hi! There is a commented XML block for another connector on jetty-selector.xml for using it behind a reverse proxy.

      Mar 14, 2018 03:33
  7. Mohamed Atta

    how can i validate the above steps are configured correctly?.

    May 16, 2018 07:33
    1. Anagha Deshpande

      Hello Mohamed,

      I will confirm this with the SME and will respond back.

      Regards,

      Anagha

      May 16, 2018 12:24
      1. Anagha Deshpande

        Hello Mohamed,

        After completing the configuration, the REST API calls should be successful.

        Regards,

        Anagha

        Jun 12, 2018 11:23
  8. Vikram Tandan

    Hello

    i am on remedy 9.1.04 and i cannot find org.eclipse.jetty.util.security.Password file in the specified folder. Please help

    Jun 18, 2018 05:51
    1. Anagha Deshpande

      Hello Vikram,

      I will check this and will respond back.

      Regards,

      Anagha


      Jun 18, 2018 10:53
      1. Sri K

        Hello is there an update on org.eclipse.jetty.util.security.Password file

        Oct 26, 2018 08:22
        1. Anagha Deshpande

          Hello S S,

          The  org.eclipse.jetty.util.security.Password file version is updated to jetty-util-9.4.11.v20180605.

          You can find the information about the same here.

          Regards,

          Anagha

          Oct 29, 2018 01:25
          1. Sri K

            I have already navigated to the \lib\start\startlevel1 and ran java -cp jetty-util-9.3.7.v20160115 org.eclipse.jetty.util.security.Password as per the 9.1 documentation. Which is when I get Error: Could not find or load main class org.eclipse.jetty.util.security.Password. I am on 9.1.04 with java util 9.3.7.v20160115

            Oct 29, 2018 11:12
            1. Anagha Deshpande

              Hello S S,

              We have tried the same use case and it is working. Could you please share some more details?

              Regards,

              Anagha

              Oct 30, 2018 09:04
              1. Sri K

                Hi Anagha, I didn't find a jar file for org.eclipse.jetty.util.security.Password in \lib\start\startlevel1 folder.

                Oct 30, 2018 09:59
                1. Anagha Deshpande

                  Hello S S,

                  The jetty-util-9.3.7.v20160115.jar has the org.eclipse.jetty.util.security.Password class. Could you please confirm?

                  Regards,

                  Anagha

                  Nov 02, 2018 02:03
                  1. Sri K

                    Hi Anagha,

                    I ran this command java -cp jetty-util-9.3.7.v20160115 org.eclipse.jetty.util.security.Password and got 'Could not find or load main class org.eclipse.jetty.util.security.Password'

                    Thanks

                    Nov 02, 2018 09:14
                    1. Sri K

                      Hi Anagha,

                      I checked again and org.eclipse.jetty.util.security.Password class doesn't exist in the jetty-util-9.3.7.v20160115 version which came with installation. Please let me know how can I get the jar file for org.eclipse.jetty.util.security.Password

                      Thanks

                      Nov 05, 2018 08:08
  9. Pradnya Varadkar

    Hi Anagha,

    Facing same issue, unable to find org.eclipse.jetty.util.security.Password file in the specified folder. Please help.

    Thanks, Pradnya

    Oct 28, 2018 11:56
    1. Anagha Deshpande

      Hello Pradnya,

      The org.eclipse.jetty.util.security.Password is a class under the jetty-util-9.4.8.v20171121.jar file.
      The jar file is located at <install directory>\lib\start\startlevel1 location.

      Regards,

      Anagha

      Oct 29, 2018 01:27
  10. Roger Mull

    Just a FYI for Remedy 9.1.04 on Windows I had to run \ARSystem\lib\start\startlevel1>java -cp jetty-util -9.3.7.v20160115.jar org.eclipse.jetty.util.security.Password

    Nov 13, 2018 04:00
    1. Anagha Deshpande

      Thanks, Roger.

      Nov 13, 2018 09:12
  11. Levi Lippincott

    We are getting this error: SslConnectionFactory@341814d3{SSL->http/1.1}: java.nio.file.AccessDeniedException: D:\Program Files\BMC Software\Keystores

    May 14, 2019 11:05
    1. Anagha Deshpande

      Hello Levi,

      We are working on your query. We will respond soon.

      Regards,

      Anagha

      May 14, 2019 10:13
      1. Anagha Deshpande

        Hello Levi,

        Could you please check and confirm if the user accessing the AR System Server has adequate permissions for the folders on the AR System Server.

        Regards,

        Anagha

        May 15, 2019 03:09
    1. Alejandro Vidaurri de la cruz

      check the path on the jetty configuration probably the pat doesn't exist If I entered this /etc/jetty_keystore.jks on jetty-http.xml it translates to this path C:\Program Files\BMC Software\ARSystem\jetty\etc\jetty_keystore.jks

      May 15, 2019 09:21