Enable Secure Socket Layer for xFlow Interface

To configure and enable SSL for xFlow Interface and Search Server, perform the following steps:
Create a Self-Signed Certificate
Perform the following steps to manually enable SSL for xFlow Interface and Search Server:
CA Service Management provides the SSL Configurator Utility to automatically enable SSL for CA Service Desk Manager (xFlow Interface/Service Point) and CA Service Catalog. For more information, see SSL Configurator Utility Wizard for CA Service Management.
  1. Create a document with the names that you intend to use for the Java keystore: the client certificate alias, the client certificate request file, the server certificate alias, the server certificate request file, the server certificate name, the OpenSSL private key name, and the OpenSSL certificate name. Enter the following values in the document:
    • Java keystore = hostname_keystore.jks
    • Client certificate alias = hostname_clientcert
    • Client certificate request file = hostname_clientcert.crt
    • Server certificate alias = hostname_certname
    • Server certificate request file= hostname_certname.csr
    • Server certificate name = hostname_certname.crt
    • OpenSSL private key name = hostname_SSL.key
    • OpenSSL certificate = hostname_SSL.crt
  2. Navigate to <xFlowInstallation Home Dir>\jre\bin, launch the command line interface and run the following commands to generate the keys and certificates:
    keytool -genkeypair -v -alias hostname_clientcert -dname "CN=<common name>, OU=<Organization Unit>, O=<Organization>, L=<Location>, ST=<State>, C=<Country>" -keystore hostname_keystore.jks -keyalg RSA -keysize 4096 -ext KeyUsage:critical="keyCertSign" -ext BasicConstraints:critical="ca:true" -validity 9999
    keytool -exportcert -v -alias hostname_clientcert -file hostname_clientcert.crt -keystore hostname_keystore.jks -rfc
    keytool -genkeypair -v -alias hostname_certname -dname "CN=<common name>, OU=<Organization Unit>, O=<Organization>, L=<Location>, ST=<State>, C=<Country>" -keystore hostname_keystore.jks -keyalg RSA -keysize 2048 -validity 385
    keytool -certreq -v -alias hostname_certname -keystore hostname_keystore.jks -file hostname_certname.csr
    keytool -gencert -v -alias hostname_clientcert -keystore hostname_keystore.jks -infile hostname_certname.csr -outfile hostname_certname.crt -ext KeyUsage:critical="digitalSignature,keyEncipherment" -ext EKU="serverAuth" -ext SAN="DNS:hostname" -rfc
    keytool -importcert -v -alias hostname_certnameimport -file hostname_certname.crt -keystore hostname_keystore.jks -storetype JKS
    keytool -list -v -keystore hostname_keystore.jks
    For example:
    keytool -genkeypair -v -alias <hostname>_clientcert -dname "CN=<hostname>, OU=sdm, O=ca, L=hyd, ST=ts, C=in" -keystore <hostname>_keystore.jks -keyalg RSA -keysize 4096 -ext KeyUsage:critical="keyCertSign" -ext BasicConstraints:critical="ca:true" -validity 9999
    keytool -exportcert -v -alias <hostname>_clientcert -file <hostname>_clientcert.crt -keystore <hostname>_keystore.jks -rfc
    keytool -genkeypair -v -alias <hostname>_certname -dname "CN=<hostname>, OU=sdm, O=ca, L=hyd, ST=ts, C=in" -keystore <hostname>_keystore.jks -keyalg RSA -keysize 2048 -validity 385
    keytool -certreq -v -alias <hostname>_certname -keystore <hostname>_keystore.jks -file <hostname>_certname.csr
    keytool -gencert -v -alias <hostname>_clientcert -keystore <hostname>_keystore.jks -infile <hostname>_certname.csr -outfile <hostname>_certname.crt -ext KeyUsage:critical="digitalSignature,keyEncipherment" -ext EKU="serverAuth" -ext SAN="DNS:<hostname>" -rfc
    keytool -importcert -v -alias <hostname>_certnameimport -file <hostname>_certname.crt -keystore <hostname>_keystore.jks -storetype JKS
    keytool -list -v -keystore <hostname>_keystore.jks
  3. Copy the .crt and .jks files to one location. We recommend that you create a folder called certificates on the root of your local drive, for example, C:\certificates on Windows and /opt/certificates on Linux. You can now see the files under the following paths:
    Windows
    • C:\certificates\hostname_keystore.jks
    • C:\certificates\hostname_certname.crt
    Linux
    • /opt/certificates/hostname_keystore.jks
    • /opt/certificates/hostname_certname.crt
    This article refers to these paths; if you decide to use a different location, adjust the paths to match your local drive.
  4. Do the following:
    1. Windows
      Open the command line interface, change the directory to <xFlowInstallation Home Dir>\APPS\Services\ and run the following commands:
      echo -Dhttps.port=9444 -Dplay.server.https.keyStore.path=C:\certificates\hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > incidentmicroservice-17.0.479\INCIDENTMICROSERVICE_config.txt
      echo -Dhttps.port=9446 -Dplay.server.https.keyStore.path=C:\certificates\hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > collabmicroservice-17.0.479\COLLABMICROSERVICE_config.txt
      echo -Dhttps.port=9448 -Dplay.server.https.keyStore.path=C:\certificates\hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > insightmicroservice-17.1.694\INSIGHTMICROSERVICE_config.txt
      echo -Dhttps.port=9450 -Dplay.server.https.keyStore.path=C:\certificates\hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > pushmicroservice-17.0.479\PUSHMICROSERVICE_config.txt
      echo -Dhttps.port=9452 -Dplay.server.https.keyStore.path=C:\certificates\hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > searchmicroservice-17.0.479\SEARCHMICROSERVICE_config.txt
    2. Linux
      Open the command line interface, change the directory to <xFlowInstallation Home Dir>/APPS/Services/ and run the following commands:
      echo -Dhttps.port=9444 -Dplay.server.https.keyStore.path=/opt/certificates/hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > incidentmicroservice-17.0.479/INCIDENTMICROSERVICE_config.txt
      echo -Dhttps.port=9446 -Dplay.server.https.keyStore.path=/opt/certificates/hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > collabmicroservice-17.0.479/COLLABMICROSERVICE_config.txt
      echo -Dhttps.port=9448 -Dplay.server.https.keyStore.path=/opt/certificates/hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > insightmicroservice-17.1.694/INSIGHTMICROSERVICE_config.txt
      echo -Dhttps.port=9450 -Dplay.server.https.keyStore.path=/opt/certificates/hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > pushmicroservice-17.0.479/PUSHMICROSERVICE_config.txt
      echo -Dhttps.port=9452 -Dplay.server.https.keyStore.path=/opt/certificates/hostname_keystore.jks -Dplay.server.https.keyStore.password=(keystore password) > searchmicroservice-17.0.479/SEARCHMICROSERVICE_config.txt
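The five echo commands above are the same line written to five files with a different port each; the following script is an added example (not part of the CA documentation) that writes them in one go, refuses to run if the keystore or a service directory is missing (the version-suffixed directory names are assumed to be those shown above), and creates each file owner-readable only because it contains the keystore password in clear text.

```python
import os
from pathlib import Path

# HTTPS port per microservice, as listed in step 4 above. The directory
# names are the versions shown on the page; adjust them to your install.
SERVICE_PORTS = {
    "incidentmicroservice-17.0.479": ("INCIDENTMICROSERVICE_config.txt", 9444),
    "collabmicroservice-17.0.479": ("COLLABMICROSERVICE_config.txt", 9446),
    "insightmicroservice-17.1.694": ("INSIGHTMICROSERVICE_config.txt", 9448),
    "pushmicroservice-17.0.479": ("PUSHMICROSERVICE_config.txt", 9450),
    "searchmicroservice-17.0.479": ("SEARCHMICROSERVICE_config.txt", 9452),
}


def config_line(port: int, keystore: str, password: str) -> str:
    """Build the single JVM option line that each *_config.txt contains."""
    return (f"-Dhttps.port={port} "
            f"-Dplay.server.https.keyStore.path={keystore} "
            f"-Dplay.server.https.keyStore.password={password}")


def write_https_configs(services_dir, keystore, password):
    """Write one *_config.txt per microservice under services_dir.

    Refuses to run if the keystore or a service directory is missing (a
    typical sign of a version mismatch in SERVICE_PORTS). Files are created
    owner read/write only (0600) because they hold the keystore password in
    clear text; on Windows the mode is ignored, so set the ACL separately.
    Returns the list of files written.
    """
    keystore = Path(keystore)
    services_dir = Path(services_dir)
    if not keystore.is_file():
        raise FileNotFoundError(f"keystore not found: {keystore}")
    written = []
    for service, (filename, port) in SERVICE_PORTS.items():
        service_dir = services_dir / service
        if not service_dir.is_dir():
            raise FileNotFoundError(f"service directory not found: {service_dir}")
        target = service_dir / filename
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(config_line(port, str(keystore), password) + "\n")
        written.append(target)
    return written


if __name__ == "__main__":
    # usage: script.py <services_dir> <keystore.jks>; the password is prompted
    # for rather than passed on the command line.
    import getpass
    import sys
    for path in write_https_configs(sys.argv[1], sys.argv[2],
                                    getpass.getpass("keystore password: ")):
        print("wrote", path)
```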
(Optional) Configuring the xFlow Interface to Connect to SSL based Micro Services
Optional steps provided here are required when you are using HTTPS.
Perform the following steps:
  1. Back up the casm.conf.js and casm.conf.do-not-change.js files. The default location of these files is C:\Program Files\CA\xFlow\APPS\Services\incidentmicroservice-<xxxx>\public\conf
  2. Verify that SSL is enabled for Tomcat in CA Service Desk Manager.
  3. Open the casm.conf.do-not-change.js file and do the following:
    1. Find the text api : {server : 'https://localhost:8080/'}, and change the port number to 8443.
    2. Save and close the file.
  4. Open the casm.conf.js file and configure the microservices that are required for your environment as follows:
    1. Find the text api : {server : 'https://<hostname>:9004'}, and change the port number to 9444.
    2. Find the text search : {server : 'https://<hostname>:9006'}, and change the port number to 9446.
    3. Find the text websocket : {server : 'wss://<hostname>:9008'}, and change the port number to 9448.
    4. Find the text sdm : {server : 'https://<hostname>/CAisd/pdmweb.exe'} and add the port number 8443 to the host name. For example, https://sdmhostname:8443/CAisd/pdmweb.exe.
    5. Find the text insights: {server : 'https://<hostname>:port'}, and add the port number 9452 to the host name. For example, https://insights:9452.
  5. Save and close the file.
  6. Restart the xFlow Interface Service.
  7. Navigate to C:\Program Files\CA\xFlow\APPS\Services\insightmicroservice-17.1.705\conf
  8. Open the application.conf file in a text editor.
  9. Find the parameter Security headers.
  10. Search for
    play.filters.headers.frameOptions = "ALLOW-FROM <http://hostname:9002>"
  11. Replace it with
    play.filters.headers.frameOptions = "ALLOW-FROM <https://hostname:9444>"
  12. Search for
    play.filters.headers.contentSecurityPolicy = "child-src 'self' 'unsafe-inline' 'unsafe-eval' <http://hostname:9002>"
  13. Replace it with
    play.filters.headers.contentSecurityPolicy = "child-src 'self' 'unsafe-inline' 'unsafe-eval' <https://hostname:9444>"
  14. Verify that you can access the xFlow Interface at <https://hostname:9444/>
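The edits in steps 3, 4 and 10 to 13 are find-and-replace operations on three files; the following is an added example (not CA's code) that applies them with regular expressions so they can be repeated across servers and re-run safely. The host names in the constructed sample inputs (xflow01, sdm01) are assumptions.

```python
import re

# Target ports from steps 3 and 4 above. casm.conf.js keys map to the HTTPS
# (or wss) microservice ports; the SDM entries move to the Tomcat SSL port.
MICROSERVICE_PORTS = {"api": 9444, "search": 9446, "websocket": 9448,
                      "insights": 9452}
SDM_SSL_PORT = 8443


def set_server_port(text: str, key: str, port: int) -> str:
    """Rewrite the port of a `key : {server : '<scheme>://<host>:<port>...'}` entry.

    Matches https:// and wss:// URLs and any existing port (or the literal
    'port' placeholder the insights entry ships with). Idempotent.
    """
    pattern = rf"(\b{key}\s*:\s*\{{\s*server\s*:\s*'(?:https|wss)://[^:'/]+):[^'/]*"
    return re.sub(pattern, rf"\g<1>:{port}", text)


def apply_casm_conf(text: str) -> str:
    """Apply the step-4 edits to casm.conf.js."""
    for key, port in MICROSERVICE_PORTS.items():
        text = set_server_port(text, key, port)
    # The sdm entry has no port: insert :8443 before the /CAisd path. No
    # match if a port is already present, so re-running is safe.
    sdm = r"(\bsdm\s*:\s*\{\s*server\s*:\s*'https://[^:'/]+)(/CAisd/pdmweb\.exe')"
    return re.sub(sdm, rf"\g<1>:{SDM_SSL_PORT}\2", text)


def apply_do_not_change(text: str) -> str:
    """Apply the step-3 edit to casm.conf.do-not-change.js (api port 8443)."""
    return set_server_port(text, "api", SDM_SSL_PORT)


def apply_security_headers(text: str) -> str:
    """Steps 10-13: point frameOptions and contentSecurityPolicy at HTTPS."""
    pattern = (r'(play\.filters\.headers\.(?:frameOptions|contentSecurityPolicy)'
               r'\s*=\s*"[^"\n]*?)http://([^:>"\s]+):9002')
    return re.sub(pattern,
                  lambda m: f"{m.group(1)}https://{m.group(2)}:{MICROSERVICE_PORTS['api']}",
                  text)


# Constructed sample inputs mirroring the lines the procedure tells you to find.
CASM_SAMPLE = """\
api : {server : 'https://xflow01:9004'},
search : {server : 'https://xflow01:9006'},
websocket : {server : 'wss://xflow01:9008'},
sdm : {server : 'https://sdm01/CAisd/pdmweb.exe'},
insights: {server : 'https://xflow01:port'}
"""
APPCONF_SAMPLE = """\
play.filters.headers.frameOptions = "ALLOW-FROM <http://xflow01:9002>"
play.filters.headers.contentSecurityPolicy = "child-src 'self' 'unsafe-inline' 'unsafe-eval' <http://xflow01:9002>"
"""

if __name__ == "__main__":
    print(apply_casm_conf(CASM_SAMPLE))
    print(apply_security_headers(APPCONF_SAMPLE))
```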
Enable SSL on JasperSoft Tomcat Server
To enable HTTPS on Jasper Tomcat server follow these steps:
  1. Go to the Tomcat server where Jasper is installed.
  2. Navigate to %JAVA_HOME%\bin and open command prompt. From this directory run the below command:
    keytool -genkey -alias alias -keyalg RSA -keysize 2048 -keystore <jasperkeystoreName>.keystore -sigalg "SHA1withRSA"
  3. Enter and confirm the keystore and certificate passwords. When prompted for details, enter <Jasper installed Tomcat server hostname> as the Common Name (CN). Fill in the rest of the details, such as Organization.
  4. Export the certificate from the keystore using the following command:
    keytool -export -storepass <keystorepassword> -alias alias -keystore <jasperkeystoreName>.keystore -file filename.crt
  5. Once the certificate and key are saved in the Tomcat keystore, you need to configure your secure socket in the $CATALINA_BASE/conf/server.xml file, where $CATALINA_BASE represents the base directory for the Tomcat instance. Comment out the <Connector> element and add the following code below it. Replace <keystorepassword> with password chosen above.
    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keyAlias="alias" keystoreFile="%JAVA_HOME%\bin\<jasperkeystoreName>.keystore" keystorePass="<keystorepassword>" />
  6. You must configure the web application to enforce SSL as the only protocol allowed. Otherwise, requests coming through HTTP are still serviced. Edit the file <js-webapp>/WEB-INF/web.xml. At the end of the file, make the following changes inside the first <security-constraint> tag.
    1. Comment out the line
      <transport-guarantee>NONE</transport-guarantee>
    2. Uncomment the line
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  7. Log in to JasperServer through https://hostname:8443/jasperserver-pro/ to verify the changes.
Enable SSL for Insights Microservices
After configuring JasperSoft Reports Server for SSL, perform the following steps to enable SSL for Insights Microservices:
  1. Log in to classic CA SDM and navigate to Administration, xFlow Interface, General. Select insights.domain from the General Configuration List.
  2. Change hostname:8080 (default) to JasperHostname:8443 (for example, if 8443 is your JasperSoft server's SSL port).
  3. Save the changes.
  4. Now change the insights protocol. From the xFlow General Configuration List (Step 1), select insights.protocol and edit it to change HTTP to HTTPS.
  5. Save the changes.
  6. Restart the xFlow Analyst Interface Services.
Adding Jasper Certificate to Insights Trust Store
For Insights to connect to the HTTPS-enabled JasperSoft server, import the Jasper certificate that you exported above into the Insights trust store.
  1. Navigate to <xFlowInstallation Home Dir>\jre\bin and run the following command:
    keytool -importcert -alias alias -file filename.crt -keystore c:\\<Insightkeystorename>.jks -keypass <JasperCertificatePassword> -storepass <InsightsKeyStorePassword>
  2. Open the <xFlow_server>\APPS\Services\insightmicroservice-version\conf\application.conf file and add the Java keystore (jks) path:
    #https configurations
    play.ws.ssl { trustManager = { stores = [ { path = "C:\\<InsightKeystoreName>.jks", password = "<Password for InsightKeystoreName.jks>" } ] } }
  3. Restart the Insights server.
Enable SSL for EBL and Search Server
The search servers do not have SSL/TLS enabled by default. For the search microservices and event-based load to interact with the search server securely, you can configure SSL, which encrypts all communication with the search server.
Step 1: Install and Configure Reverse-Proxy on the nginx Server
This procedure explains how to configure the nginx-1.10.0 server as a reverse proxy on Windows. You can follow similar steps to configure a reverse proxy on Apache or other similar servers.
Prerequisite
  • Download and install the nginx-1.10.0 server on each search server.
Note: Configure the nginx server as a reverse proxy on all the search servers in the cluster.
Follow these steps:
  1. Navigate to the <nginx_install>\conf folder and define the search server details in the nginx.conf file.
    • Locate the server section in the file and perform the following actions:
      • (Optional) Edit the listen port number, if necessary. For example, if you have IIS running, which listens on port 80, change the listen property to a different port number.
      • Edit the proxy_pass value in the location section and define the search server port number. Default port number: 9012
        server {
            listen 80;
            server_name localhost;
            #charset koi8-r;
            #access_log logs/host.access.log main;
            location / {
                proxy_pass http://localhost:9012;
                proxy_read_timeout 90;
            }
        }
      • Save the file.
  2. Verify the configuration:
    • From the command prompt, navigate to the nginx folder and execute nginx.exe to start the nginx server.
    • Access the search server: http://<hostname>:<listen-port>/
      For example, access http://localhost:80/
      A message appears displaying the search server details, such as cluster name and version, in JSON format.
      Note: To troubleshoot, view the logs\error.log file.
Step 1.1: Create an SSL Certificate
Prerequisites
  • Ensure that you have installed OpenSSL 0.9.x. CA Service Management is certified with OpenSSL 0.9.8zh.
Note: You can create a certificate on any system that has OpenSSL installed. However, create an SSL certificate for each search server in the cluster.
Perform the following steps:
  1. From the command prompt, execute the following command to generate the self-signed certificate:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout <hostname>.key -out <hostname>.crt
    Note: In this command, replace <hostname> with the search server hostname.
  2. Define the following details: country, state, city, organization name, organization unit name, common name, email address.
    Note: Define the common name as the hostname of the nginx server.
    The command generates these files: <hostname>.crt and <hostname>.key
  3. Repeat steps 1 and 2 to create SSL certificates for each search server.
Step 1.2: Configure the Certificates in the nginx Server
Note: Define the certificate details in the nginx.conf file on each search server.
Follow these steps:
  1. On the search server, navigate to the <nginx_install>\conf folder and edit the nginx.conf file.
  2. Disable the existing listen port. For example, comment it out as #listen 80;
    server {
        #listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location / {
            proxy_pass http://localhost:9012/;
            proxy_read_timeout 90;
        }
    }
  3. Define the new listen port. For example, define the new listen port as 443.
    server {
        #listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        listen 443 ssl;
        location / {
            proxy_pass http://localhost:9012/;
            proxy_read_timeout 90;
        }
    }
  4. Define the search server certificate details.
    server {
        #listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        listen 443 ssl;
        ssl_certificate ./cert/<hostname>.crt;
        ssl_certificate_key ./cert/<hostname>.key;
        location / {
            proxy_pass http://localhost:9012/;
            proxy_read_timeout 90;
        }
    }
  5. Navigate to the nginx folder and execute nginx.exe to restart the nginx server.
  6. Verify that you can access the server over https://. For example, access https://<hostname>:443
  7. Install the certificates when prompted.
Step 2: Configure Certificates on the xFlow Interface Server and Event Based Load
Step 2.1: Configure the Certificates on the xFlow Interface Server
Configuring the search server certificates on the xFlow Interface server enables secure communication between the search microservices and search servers.
Note: Configure the certificates of each search server on each xFlow Interface server. For example, if there are two search servers and two xFlow Interface servers, configure the certificates of both search servers on each xFlow Interface server.
Follow these steps:
  1. Copy the <hostname>.crt file to the xFlow Interface server.
  2. Navigate to the path that stores keytool. For example, navigate to C:\Program Files\CA\SC\JRE\1.8.0_74\bin.
  3. Execute the following command:
    keytool -importcert -alias "<hostname>" -file <hostname>.crt -keystore c:\\es_new_keystore.jks -keypass <password> -storepass <password>
  4. Repeat steps 1 and 2 for each search server. Replace the <hostname> values with the search server host names.
  5. Open the <xFlow_server>\APPS\Services\searchmicroservice-0.1-SNAPSHOT\conf\application.conf file and add the Java keystore (jks) path:
    #https configurations
    play.ws.ssl {
        trustManager = {
            stores = [
                { path = "C:\\es_new_keystore.jks"}
            ]
        }
    }
Step 2.2: Configure the HTTPS NX Variables for Event Based Load
  1. Ensure that you have the path to the Java keystore file created in the procedure Step 2.1: Configure the Certificates on the xFlow Interface Server.
  2. Generate an encrypted password by executing the following command:
    $<sdm_install>\bin\pdm_pen <password>
    Note: The password is the same as the one you used in the procedure Step 2.1: Configure the Certificates on the xFlow Interface Server.
  3. Execute the pdm_options_mgr command to configure the jks file and the encrypted password in the https NX variables. For more information about configuring the NX variables, see Configure Event Based Load.
Step 2.3: Update the Search Server Port Number and Protocol Details in CA SDM
For example, in CA SDM update the port number to 443 and the protocol to https. For more information about editing the server details, see Configure Search Servers in CA SDM.
Step 2.4: (Optional) If your search server is secured by a firewall, update the HTTP port from 9012 to 443.
Step 2.5: Restart the CA SDM services.
Step 2.6: Restart the CA Service Management xFlow Interface Server service.
Configure SSO for a Service
Perform the following steps to configure Single Sign-On (SSO) for a service:
  1. Specify authenticationtype= SSO within the application.conf file.
  2. Specify SSOArtifactType = HEADER.
  3. The SSOArtifactType can take any one of these values: COOKIE, HEADER, PARAMETER, REQUEST.
  4. Specify SSOArtifactName= sm_user.
  5. Users must be present in CA SDM with the access policy set to Allow external authentication. If a user is not present in CA SDM, Error 401 (unauthorized) is shown.