Enable Secure Socket Layer (SSL)

To configure and enable SSL for xFlow Analyst Interface and Search Server, perform the following steps:
Create a Self-Signed Certificate from JKS for Apache Server (CA SDM with xFlow Analyst Interface)
Perform the following steps:
  1. Create a document with names that you intend to use for the java keystore - the client certificate alias, the client certificate request file, the server certificate alias, the server certificate request file, the server certificate name, the OpenSSL private key name, and the OpenSSL certificate name. Enter the following values in the document:
    • Java keystore = hostname_keystore.jks
    • Client certificate alias = hostname_clientcert
    • Client certificate request file = hostname_clientcert.crt
    • Server certificate alias = hostname_certname
    • Server certificate request file= hostname_certname.csr
    • Server certificate name = hostname_certname.crt
    • OpenSSL private key name = hostname_SSL.key
    • OpenSSL certificate = hostname_SSL.crt
  2. Navigate to <xFlowInstallation Home Dir>\jre\bin and run the following commands to generate the keys and certificates:
    keytool -genkeypair -v -alias hostname_clientcert -dname "CN=hostname, OU=sdm, O=ca, L=hyd, ST=ts, C=in" -keystore hostname_keystore.jks -keyalg RSA -keysize 4096 -ext KeyUsage:critical="keyCertSign" -ext BasicConstraints:critical="ca:true" -validity 9999
    keytool -export -v -alias hostname_clientcert -file hostname_clientcert.crt -keystore hostname_keystore.jks -rfc
    keytool -genkeypair -v -alias hostname_certname -dname "CN=hostname, OU=sdm, O=ca, L=hyd, ST=ts, C=in" -keystore hostname_keystore.jks -keyalg RSA -keysize 2048 -validity 385
    keytool -certreq -v -alias hostname_certname -keystore hostname_keystore.jks -file hostname_certname.csr
    keytool -gencert -v -alias hostname_clientcert -keystore hostname_keystore.jks -infile hostname_certname.csr -outfile hostname_certname.crt -ext KeyUsage:critical="digitalSignature,keyEncipherment" -ext EKU="serverAuth" -ext SAN="DNS:hostname" -rfc
    keytool -import -v -alias hostname_certnameimport -importcert -file hostname_certname.crt -keystore hostname_keystore.jks -storetype JKS
    keytool -list -v -keystore hostname_keystore.jks
  3. Copy the .crt and .jks files to one location. We recommend that you create a folder called certificates on the root of your drive, that is, C:\certificates. You can now view C:\certificates\hostname_keystore.jks and C:\certificates\hostname_certname.crt. This article refers to these paths; if you decide to use a different path, change the paths accordingly.
  4. Navigate to <xFlowInstallation Home Dir>\APPS\Services\ on the command line, and run the following commands:
    echo -Dhttps.port=9444 -Dplay.server.https.keyStore.path=C:\certificates\hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > incidentmicroservice-0.1-SNAPSHOT\INCIDENTMICROSERVICE_config.txt
    echo -Dhttps.port=9448 -Dplay.server.https.keyStore.path=C:\certificates\hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > pushmicroservice-0.1-SNAPSHOT\PUSHMICROSERVICE_config.txt
    echo -Dhttps.port=9446 -Dplay.server.https.keyStore.path=C:\certificates\hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > searchmicroservice-0.1-SNAPSHOT\SEARCHMICROSERVICE_config.txt
Enable SSL on Apache for xFlow Analyst Interface
Perform the following steps:
  1. Download the OpenSSL binary (http://downloads.sourceforge.net/gnuwin32/openssl-0.9.8h-1-setup.exe) and install it on the server where you have installed the xFlow Analyst Interface.
  2. Navigate to the directory where OpenSSL is installed and execute the following command:
     SET OPENSSL_CONF=C:\Program Files (x86)\GnuWin32\share\openssl.cnf
  3. Generate the key and certificate:
    1. From the command prompt, execute the following command to generate the self-signed certificate:
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout hostname_SSL.key -out hostname_SSL.crt
    2. Define the following details:
      Country; state; city; organization name; organization unit name; common name; email address
  4. Copy hostname_SSL.key and hostname_SSL.crt to the same directory as the java certificates that you generated earlier in step 3 (that is, C:\certificates\).
  5. Navigate to <xFlowInstallation Home Dir>\APPS\UI\Apache24\conf and edit the httpd.conf file for Apache to enable the SSL module.
  6. Uncomment the following line (remove #):
    LoadModule ssl_module modules/mod_ssl.so
  7. Add the SSL certificate and key details at the end of the file:
    Listen 9442
    <VirtualHost *:9442>
    ServerName <hostname>
    SSLEngine on
    SSLCertificateFile "C:\certificates\hostname_SSL.crt"
    SSLCertificateKeyFile "C:\certificates\hostname_SSL.key"
    </VirtualHost>
Configuring the Apache website to connect to SSL-based Micro Services
Perform the following steps:
  1. Back up the casm.conf.js and casm.conf.do-not-change.js files. The default location is:
    C:\Program Files\CA\xFlow\APPS\UI\Apache24\htdocs\conf\casm.conf.js and casm.conf.do-not-change.js
  2. Verify that SSL is enabled for Tomcat in CA Service Desk Manager. 
  3. Edit the casm.conf.do-not-change.js file and locate this line:
    api : {server : 'http://localhost:8080'},
  4. Modify the casm.conf.do-not-change.js file so that the line reads as follows:
    api : {server : 'https://localhost:8443'},
  5. Save the file.
  6. Edit the casm.conf.js file and locate the following lines:
    api : {server : 'http://<hostname>:9004'},
    search : {server : 'http://<hostname>:9006'},
    sdm : {server : 'http://<hostname>/CAisd/pdmweb.exe' // - example:http://sdmurl:8080/CAisd/pdmweb.exe},
    websocket : {server : 'ws://<hostname>:9008'},
  7. Change the above lines (step 6) in casm.conf.js to read as follows (replacing the host name in each line):
    api : {server : 'https://hostname:9444'},
    search : {server : 'https://hostname:9446'},
    sdm : {server : 'https://hostname:8443/CAisd/pdmweb.exe' // - example:http://sdmurl:8443/CAisd/pdmweb.exe},
    websocket : {server : 'wss://hostname:9448'},
  8. Save the file.
  9. Navigate to IIS Manager, xFlow website, and Add a new SSL binding to the xFlow website (port: 9443) in order to use the SSL certificate that was just imported.
  10. Restart the xFlow Analyst Interface Service.
  11. Verify browser access to <https://hostname:9442> to reach the xFlow Analyst Interface server.
Create a Self-Signed Certificate from JKS for IIS (CA SDM with xFlow Analyst Interface)
Perform the following steps:
  1. Open a command prompt and change directory, say for example:
    cd "C:\Program Files (x86)\CA\SC\JRE\1.7.0_10\bin"
  2. Enter the following to get help on keytool:
    keytool -h
  3. Create a Java Keystore:
    keytool -genkeypair -v -alias < Provide Alias for Client Certification > -dname "CN=<hostname>, OU=CA, O=COM, L=New York, ST=NY, C=US" -keystore < Provide Alias for Client Certification >.jks -keyalg RSA -keysize 2048 -validity 365 -storepass "changeit" -keypass "changeit"
  4. Export the Self Signed Certificate from the above Java keystore:
    keytool -exportcert -v -alias < Provide Alias for Client Certification > -file < Provide Alias for Client Certification >.crt -keystore < Provide Alias for Client Certification >.jks -rfc -storepass "changeit"
  5. Convert the Java keystore to PFX/PKCS12 format for IIS usage:
    If the key password and the keystore password are different, you may encounter problems while importing or while using the keystore.
    keytool -importkeystore -srckeystore < Provide Alias for Client Certification >.jks -srcstoretype jks -srcstorepass "changeit" -destkeystore < Provide Alias for Client Certification >.pfx -deststoretype pkcs12 -deststorepass "changeit"
  6. Navigate to IIS Manager using Windows Explorer and import the PFX into IIS Server Certificates.
  7. Add an SSL binding to use the SSL certificate that was just imported. Select a site in the tree view and click Bindings in the Actions pane. This opens the bindings editor, which lets you create, edit, and delete bindings. Click Add to add your new SSL binding.
  8. Restart IIS.
  9. Import the certificate in Windows keystore.
  10. Navigate to Microsoft Management Console (MMC), add the Certificates snap-in, and verify the certificate.
  11. Verify browser access.
Configuring xFlow Analyst Interface website (IIS) to connect to SSL-based Micro Services
Perform the following steps:
  1. Back up the casm.conf.js and casm.conf.do-not-change.js files. The default location is:
    C:\Program Files\CA\xFlow\APPS\UI\IISWebsite\conf\casm.conf.js and casm.conf.do-not-change.js
  2. Edit the file: casm.conf.do-not-change.js and locate these lines:
    api : {server : 'http://localhost:8080'},
  3. Modify the casm.conf.do-not-change.js file to look like the following:
    api : {server : 'https://<hostname>:9444'},
    search : {server : 'https://<hostname>:9446'},
    sdm : {server : 'https://<hostname>/CAisd/pdmweb.exe'},
    websocket : {server : 'wss://hostname:9448'},
  4. Save the file.
  5. Edit the casm.conf.js file and locate the following lines. Make changes as shown in step 3:
    api : {server : 'http://<hostname>:9004'},
    search : {server : 'http://<hostname>:9006'},
    sdm : {server : 'http://<hostname>/CAisd/pdmweb.exe' // - example:http://sdmurl:8080/CAisd/pdmweb.exe},
    websocket : {server : 'ws://<hostname>:9008'},
  6. Save the file.
  7. Navigate to IIS Manager, xFlow website, and Add a new SSL binding to the xFlow website (port: 9443) in order to use the SSL certificate that was just imported.
  8. Restart the xFlow Analyst Interface Service.
  9. Verify browser access to <https://hostname:9443> to reach the xFlow Analyst Interface server.
Enable SSL for EBL and Search Server
The search servers do not have SSL/TLS enabled by default. For the search microservices and event-based load to interact with the search server securely, you can configure SSL. SSL encrypts all communication with the search server.
Step 1: Install and Configure Reverse-Proxy on the nginx Server
This procedure explains how to configure the nginx-1.10.0 server as a reverse-proxy on Windows. You can follow similar steps to configure a reverse-proxy on Apache or other similar servers.
Prerequisite
  • Download and install the nginx-1.10.0 server on each search server.
Note: Configure the nginx server as a reverse-proxy on all the search servers in the cluster.
Follow these steps:
  1. Navigate to the <nginx_install>\conf folder and define the search server details in the nginx.conf file.
    • Locate the server section in the file and perform the following actions:
      • (Optional) Edit the listen port number, if necessary. For example, if IIS is running and already listens on port 80, change the listen property to a different port number.
      • Edit the proxy_pass value in the location section and define the search server port number. Default Port Number: 9012
        server {
            listen 80;
            server_name localhost;
            #charset koi8-r;
            #access_log logs/host.access.log main;
            location / {
                proxy_pass http://localhost:9012;
                proxy_read_timeout 90;
            }
        }
      • Save the file.
  2. Verify the configuration:
    • From the command prompt, navigate to the nginx folder and execute nginx.exe to start the nginx server.
    • Access the search server at http://<hostname>:<listen-port>/. For example, access http://localhost:80/
      A message appears displaying the search server details, such as cluster name and version, in JSON format.
      Note: To troubleshoot, view the logs\error.log file.
Step 1.1: Create an SSL Certificate
Prerequisite
  • Ensure that you have installed OpenSSL 0.9.8zh.
Note: You can create a certificate on any system that has OpenSSL installed. However, create an SSL certificate for each search server in the cluster.
Perform the following steps:
  1. From the command prompt, execute the following command to generate the self-signed certificate:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout <hostname>.key -out <hostname>.crt
    Note: In this command, replace <hostname> with the search server hostname.
  2. Define the following details:
    Country; state; city; organization name; organization unit name; common name; email address
    Note: Define the common name as the hostname of the nginx server.
    The command generates these files: <hostname>.crt and <hostname>.key
  3. Repeat steps 1 and 2 to create SSL certificates for each search server.
Step 1.2: Configure the Certificates in the nginx Server
Note: Define the certificate details in the nginx.conf file in each search server.
Follow these steps:
  1. In the search server, navigate to the <nginx_install>\conf folder and edit the nginx.conf file.
  2. Disable the existing listen port. For example, comment it out as #listen 80.
    server {
        #listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location / {
            proxy_pass http://localhost:9012/;
            proxy_read_timeout 90;
        }
    }
  3. Define the new listen port. For example, define the new listen port as 443.
    server {
        #listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        listen 443 ssl;
        location / {
            proxy_pass http://localhost:9012/;
            proxy_read_timeout 90;
        }
    }
  4. Define the search server certificate details.
    server {
        #listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        listen 443 ssl;
        ssl_certificate ./cert/<hostname>.crt;
        ssl_certificate_key ./cert/<hostname>.key;
        location / {
            proxy_pass http://localhost:9012/;
            proxy_read_timeout 90;
        }
    }
  5. Navigate to the nginx folder and execute nginx.exe to restart the nginx server.
  6. Verify that you can access the URL over https. For example, access https://<hostname>:443
  7. Install the certificates when prompted.
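A check for the nginx server block that steps 2 to 4 produce, written here as an added example (it is not part of the nginx or CA documentation): it parses the active directives and reports a plaintext listen that was left enabled, a missing or still-placeholder certificate path, and a proxy_pass that does not point at the search server port. The server name search01 and the sample block are constructed.

```python
# Constructed sample of the nginx.conf server block after step 4 above,
# with the <hostname> placeholders replaced for a search server "search01".
SAMPLE_CONF = """\
server {
    #listen 80;
    server_name localhost;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    listen 443 ssl;
    ssl_certificate ./cert/search01.crt;
    ssl_certificate_key ./cert/search01.key;
    location / {
        proxy_pass http://localhost:9012/;
        proxy_read_timeout 90;
    }
}
"""

def parse_directives(conf):
    """Map directive name -> list of argument strings for every active
    (non-commented) directive in the block; nested blocks are flattened."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment in nginx
        if not line or line.endswith("{") or line == "}":
            continue                             # skip block openers/closers
        name, _, args = line.rstrip(";").partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives

def check_tls_proxy(conf, upstream="http://localhost:9012"):
    """Return a list of problems; an empty list means the block matches the
    procedure: only an ssl listen, real cert paths, proxy to the search port."""
    d = parse_directives(conf)
    problems = []
    listens = d.get("listen", [])
    if not listens:
        problems.append("no active listen directive")
    for args in listens:
        if "ssl" not in args.split():
            problems.append(f"plaintext listen still active: 'listen {args}'")
    for key in ("ssl_certificate", "ssl_certificate_key"):
        vals = d.get(key)
        if not vals:
            problems.append(f"{key} missing")
        elif "<" in vals[0]:
            problems.append(f"{key} still has placeholder path '{vals[0]}'")
    for target in d.get("proxy_pass", []):
        if target.rstrip("/") != upstream.rstrip("/"):
            problems.append(f"proxy_pass points at '{target}', expected '{upstream}'")
    return problems
```

Run check_tls_proxy on the contents of each search server's nginx.conf server block before restarting nginx; an empty list means the block is ready.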
Step 2: Configure Certificates on the xFlow Analyst Interface Server and Event-Based Load
Step 2.1: Configure the Certificates on the xFlow Analyst Interface Server
Configuring the search server certificates on the xFlow Analyst Interface server enables secure communication between the search microservices and search servers.
Note: Configure certificates of each search server on each xFlow Analyst Interface server. For example, if there are two search servers and two xFlow Analyst Interface servers, configure the certificates of both the search servers on each xFlow Analyst Interface server.
Follow these steps:
  1. In the xFlow Analyst Interface server, copy the <hostname>.crt file.
  2. Navigate to the path that stores keytool. For example, navigate to C:\Program Files\CA\SC\JRE\1.8.0_74\bin.
  3. Execute the following command:
    keytool -importcert -alias "<hostname>" -file <hostname>.crt -keystore c:\\es_new_keystore.jks -keypass <password> -storepass <password>
  4. Repeat steps 1 and 2 for each search server. Replace the <hostname> values with the search server host names.
  5. Navigate to the <xFlow_server>\APPS\Services\searchmicroservice-0.1-SNAPSHOT\conf\application.conf file and add the java keystore path (jks):
    #https configurations
    play.ws.ssl {  
        trustManager = {    
            stores = [      
                { path = "C:\\es_new_keystore.jks"}    
            ]  
        }
    }
Step 2.2: Configure the HTTPS NX Variables for Event-Based Load
  1. Ensure that you have the path to the java keystore file created in the procedure Step 2.1: Configure the Certificates on the xFlow Analyst Interface Server.
  2. Generate an encrypted password by executing the following command:
    $<sdm_install>\bin\pdm_pen <password>
    Note: The password is the same as the one you used in the Step 2.1: Configure the Certificates on the xFlow Analyst Interface Server procedure.
  3. Execute the pdm_options_mgr command to configure the jks file and the encrypted password in the https NX variables. For more information about configuring the NX variables, see Configure Event-Based Load.
Step 2.3: Update the search server port number and protocol details in CA SDM.
For example, in CA SDM update the port number as 443 and the protocol as https. For more information about editing the server details, see Configure Search Servers in CA SDM.
Step 2.4: (Optional) If your search server is secured by a firewall, update the HTTP port from 9012 to 443.
Step 2.5: Restart the CA SDM services.
Step 2.6: Restart the CA Service Management xFlow Analyst Interface Server service.
Modify the Configuration file
After completing the above procedures, perform the following steps to modify the casm.conf.js configuration file:
  1. Navigate to xFlow_home/Apps/UI/Apache24/htdocs/conf and open the casm.conf.js file.
  2. In the casm.conf.js file, change http to https for the API, search, and SDM services. Also, change the port numbers to valid SSL port numbers.
  3. For websocket, change ws to wss and change the port number to the SSL port number.
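The casm.conf.js edits in the Apache procedure, the IIS procedure, and the steps above all come down to one rule: every service entry must use https or wss on its SSL port. As an added example (not CA's code), this Python check parses the name : {server : '...'} lines and reports an entry that is missing, still holds a placeholder, uses a plaintext scheme, or points at a non-SSL port; the expected ports are the ones used in the procedures above, and the sample excerpt and host name sdmhost are constructed.

```python
import re
from urllib.parse import urlparse

# Scheme and port each casm.conf.js service entry should use once SSL is
# enabled: the microservice https ports from the Services step, wss for the
# push/websocket service, and https for CA SDM (port left unchecked because
# it depends on the Tomcat SSL port, 8443 in the Apache procedure above).
EXPECTED = {
    "api": ("https", 9444),
    "search": ("https", 9446),
    "websocket": ("wss", 9448),
    "sdm": ("https", None),
}

# Constructed casm.conf.js excerpt: the search entry was left on plaintext.
SAMPLE_CONF = """\
api : {server : 'https://sdmhost:9444'},
search : {server : 'http://sdmhost:9006'},
sdm : {server : 'https://sdmhost:8443/CAisd/pdmweb.exe' // - example:http://sdmurl:8443/CAisd/pdmweb.exe},
websocket : {server : 'wss://sdmhost:9448'},
"""

ENTRY = re.compile(r"^\s*(\w+)\s*:\s*\{\s*server\s*:\s*'([^']*)'")

def parse_servers(text):
    """Return {service: url} for every `name : {server : '<url>'}` line,
    ignoring whatever follows the closing quote (e.g. the // example comment)."""
    servers = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            servers[m.group(1)] = m.group(2)
    return servers

def check_servers(text):
    """List every entry that is missing, still a <placeholder>, uses a
    plaintext scheme, or points at a port other than the expected SSL port."""
    problems = []
    servers = parse_servers(text)
    for name, (scheme, port) in EXPECTED.items():
        url = servers.get(name)
        if url is None:
            problems.append(f"{name}: entry missing")
            continue
        if "<" in url or ">" in url:          # urlparse cannot handle '<hostname:9444>'
            problems.append(f"{name}: placeholder left in '{url}'")
            continue
        u = urlparse(url)
        if u.scheme != scheme:
            problems.append(f"{name}: plaintext scheme '{u.scheme}' (want {scheme})")
        if port is not None and u.port != port:
            problems.append(f"{name}: port {u.port} (want {port})")
    return problems
```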