Enable HTTPS for the CA Application Delivery Analysis Web Interface

You can configure Application Delivery Analysis (CA ADA) to use HTTPS for the Web interface. After HTTPS is enabled, you will no longer be able to access the Web interface using HTTP.
All steps are performed on the Windows server running the CA ADA management console.
Follow these steps:
  1. Obtain a certificate to use to secure the Internet Information Services (IIS) Web server. This can be either a certificate signed by a third party or a self-signed certificate.
    If you are using a third-party signed certificate, follow the steps in 1a and then go to step 2. If you are using a self-signed certificate, follow the steps in 1b and then go to step 2.
    a. Steps for third-party signed certificates:
      i. Install the signed certificate in IIS Manager Server Certificates. See Install an Internet Server Certificate.
      ii. Verify that the certificate is properly installed:
        • Open the certificate and select Certification Path.
        • Select each certificate displayed in the Certification Path list and ensure that the Certificate status field shows “This certificate is OK”. Contact the certificate provider if the Certificate status field displays errors.
      iii. Import the Certificate Authority root certificate into the IIS “Trusted Root Certification Authorities Certificates” store for the local computer on the ADA manager.
        In this example, the “CA Root Cert Auth” certificate displayed in the Certification Path must be imported into the IIS “Trusted Root Certification Authorities Certificates” store for the local computer.
        For more information about adding a certificate, see “Adding certificates to the Trusted Root Certification Authorities store for a local computer” in Manage Trusted Root Certificates.
    b. Steps for self-signed certificates:
      i. Generate and export the self-signed certificate using IIS Manager. For details, see Create and export a self-signed certificate. The exported certificate will be used in step 7b.
    In the following steps, we use c:\certs\ada.cer as the exported certificate.
  2. Export the certificate in PFX format from IIS Manager. For more information, see Export a Server Certificate (IIS 7).
    Remember the password, as it will be used in steps 7 and 12.
    In the following steps, we use c:\certs\ada.pfx as the exported certificate and certificatepass as the password.
  3. Configure the HTTPS port binding for the IIS site. By default, IIS does not have a binding for HTTPS.
    a. In Internet Information Services (IIS) Manager, navigate to Hostname, Sites, Default Web Site.
    b. Under Actions, click Bindings.
    c. In the Site Bindings dialog, click Add.
    d. Select the signed certificate from the SSL certificate list.
      Do not disable the HTTP port 80 binding. Application Delivery Analysis will not work properly if HTTP is disabled.
    e. Click OK, then Close.
  4. Using Internet Information Services (IIS) Manager, edit the SSL Settings for the Default Web Site and for each of the virtual directories under the Default Web Site.
    a. Navigate to Sites, Default Web Site. Double-click SSL Settings. In the SSL Settings pane, uncheck Require SSL.
    b. Navigate to Sites, Default Web Site, ProxyServices. Double-click SSL Settings. In the SSL Settings pane, uncheck Require SSL.
    c. Repeat step b for the SuperAgentDataSource, SuperAgentInternal, and SuperAgentWebService virtual directories.
    d. Navigate to Sites, Default Web Site, SuperAgent. Double-click SSL Settings. In the SSL Settings pane, check Require SSL.
    e. Click Apply.
  5. Edit the product configuration XML file, install_path\Portal\SSO\webapps\sso\configuration\SuperAgent.xml.
    a. In the SignInPageProductDefaultUrl section, change Scheme from http to https. Enter 443 for the Port (blank by default).
    b. In the SingleSignOnWebServiceUrl section, change Scheme from http to https. Enter 443 for the Port (blank by default).
    The edited file looks like this:
    <?xml version="1.0" encoding="utf-8" ?>
    <Configuration>
      <SingleSignOnEnabled>True</SingleSignOnEnabled>
      <SingleSignOnProductCode>sa</SingleSignOnProductCode>
      <SignInPageProductTitle><![CDATA[CA<sup><font class="Superscript">®</font></sup> ADA<sup><font class="Superscript">®</font></sup>]]></SignInPageProductTitle>
      <SignInPageProductDescription>Application Delivery Analysis</SignInPageProductDescription>
      <SignInPageProductDefaultUrl>
        <Scheme>https</Scheme>
        <Port>443</Port>
        <PathAndQuery>/SuperAgent/default.aspx</PathAndQuery>
      </SignInPageProductDefaultUrl>
      <SingleSignOnWebServiceUrl>
        <Scheme>https</Scheme>
        <Port>443</Port>
        <PathAndQuery>/SuperAgentDataSource/SingleSignOnWS.asmx</PathAndQuery>
      </SingleSignOnWebServiceUrl>
    </Configuration>
  6. Open a Windows command window.
  7. Create the Jetty keystore file from the PFX certificate exported in step 2.
    a. Rename the existing install_path\Portal\Jetty\etc\keystore file, if it exists.
    b. Run the keytool import command to create the new Jetty keystore file with the PFX certificate as the source:
      keytool -importkeystore -srckeystore c:\certs\ada.pfx -srcstoretype pkcs12 -destkeystore C:\CA\Portal\Jetty\etc\keystore -deststoretype JKS
      Respond to the prompts as follows:
      i. Enter destination keystore password: keystorepass
        This step creates a new password. In this example we use keystorepass as the password.
      ii. Re-enter new password: keystorepass
      iii. Enter source keystore password: certificatepass
        This is the PFX file password from step 2.
      Remember both passwords, as they will be used in later steps.
    c. Run the keytool list command to verify the imported keystore and password:
      keytool -list -keystore C:\CA\Portal\Jetty\etc\keystore -storepass keystorepass
  8. Import the certificate(s) into the Java trusted certificates keystore, install_path\jre\lib\security\cacerts.
    Follow the steps in section a for signed certificates and section b for self-signed certificates.
    a. Steps for signed certificates:
      If Application Delivery Analysis is using a certificate signed by a Certificate Authority (CA) that is not included in the Java cacerts keystore by default, you need to import the intermediate certificate and/or root certificate into the cacerts file for HTTPS connections to work properly. These are the certificates displayed in the Certification Path in step 1a.
      The default Java cacerts file stores root certificates for the most common CAs, such as VeriSign, GoDaddy, etc.
      i. Run the keytool -list command to view the default certificates included in the Java trusted certificates keystore. The default cacerts keystore password is changeit.
        keytool -list -keystore "C:\CA\jre\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCerts1.txt
      ii. Edit the output file, CACertsTrustedCerts1.txt, and search for the alias name.
      iii. Import the root certificate and/or intermediate certificate into the Java trusted keystore (cacerts) with the keytool command:
        keytool -import -file c:\certs\CARootCertAuth.cer -alias CARootCertAuth -trustcacerts -keystore "C:\CA\jre\lib\security\cacerts" -storepass changeit
        If prompted to trust the certificate, answer "yes".
      iv. Run the keytool command to print the certificates list and verify that the imported certificate is in the list:
        keytool -list -keystore "C:\CA\jre\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCerts2.txt
        Edit the output file, CACertsTrustedCerts2.txt, and search for the alias name used in the last import command.
    b. Steps for self-signed certificates:
      i. Import the self-signed certificate exported in step 1b into the Java trusted keystore (cacerts):
        keytool -import -file c:\certs\ada.cer -alias adaserver -trustcacerts -keystore "C:\CA\jre\lib\security\cacerts" -storepass changeit
        If prompted to trust the certificate, answer "yes".
      ii. Run the keytool command to print the certificates list and verify that the imported certificate is in the list:
        keytool -list -keystore "C:\CA\jre\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCerts3.txt
        Edit the output file, CACertsTrustedCerts3.txt, and search for the alias name used in the last import command.
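Steps 7 and 8 both end by searching `keytool -list` output by hand for the expected entry. The following Python script is an added example, not part of the CA ADA documentation: it parses that output and checks the two things that matter for HTTPS to work, namely that the Jetty keystore holds exactly one PrivateKeyEntry (a PFX exported without its private key leaves only a certificate entry, from which Jetty cannot serve TLS) and that cacerts holds each imported CA or self-signed certificate as a trustedCertEntry. The two listings embedded in it are constructed to look like keytool output; the `CARootCertAuth` and `adaserver` aliases follow the procedure, the `ada-iis-cert` alias and all fingerprints are made up.

```python
"""Parse ``keytool -list`` output and check the keystores from steps 7 and 8.

Added example; not part of the CA ADA documentation. The listings below are
constructed to look like keytool output; alias names follow the procedure.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# keytool prints one entry as two lines, e.g.
#   CARootCertAuth, Mar 5, 2019, trustedCertEntry,
#   Certificate fingerprint (SHA1): 11:22:...
# Newer JDKs label the second line "(SHA-256)"; the regex accepts either.
ENTRY_RE = re.compile(r"^(?P<alias>.+?), (?P<date>[^,]+, \d{4}), (?P<type>\w+),\s*$")
FINGERPRINT_RE = re.compile(r"^Certificate fingerprint \((?P<algo>[\w-]+)\): (?P<fp>[0-9A-Fa-f:]+)\s*$")


@dataclass
class Entry:
    alias: str
    entry_type: str          # PrivateKeyEntry, trustedCertEntry or SecretKeyEntry
    algorithm: Optional[str] = None
    fingerprint: Optional[str] = None


def parse_keytool_list(listing: str) -> Dict[str, Entry]:
    """Return entries keyed by lower-cased alias (JKS aliases are case-insensitive)."""
    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    for raw in listing.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = Entry(m["alias"].strip(), m["type"])
            entries[current.alias.lower()] = current
            continue
        m = FINGERPRINT_RE.match(line)
        if m and current is not None:
            current.algorithm, current.fingerprint = m["algo"], m["fp"].upper()
    return entries


def check_jetty_keystore(listing: str) -> List[str]:
    """Step 7: the Jetty keystore must carry the server's private key, not just its certificate."""
    keys = [e for e in parse_keytool_list(listing).values() if e.entry_type == "PrivateKeyEntry"]
    if not keys:
        return ["no PrivateKeyEntry: the PFX was probably exported without its private key"]
    if len(keys) > 1:
        return ["more than one PrivateKeyEntry: the procedure expects only the ADA server key"]
    return []


def check_trust_store(listing: str, required_aliases: List[str]) -> List[str]:
    """Step 8: each imported CA (or the self-signed cert) must be present as a trustedCertEntry."""
    entries = parse_keytool_list(listing)
    problems = []
    for alias in required_aliases:
        entry = entries.get(alias.lower())
        if entry is None:
            problems.append(f"alias {alias!r} not found in cacerts; re-run the keytool -import")
        elif entry.entry_type != "trustedCertEntry":
            problems.append(f"alias {alias!r} is a {entry.entry_type}, not a trustedCertEntry")
    return problems


# Constructed listings standing in for the real output of
# keytool -list -keystore <file> -storepass <password>; fingerprints are made up.
JETTY_KEYSTORE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

ada-iis-cert, Mar 5, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 6A:DE:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22
"""

CACERTS_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

examplerootca, Apr 1, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
CARootCertAuth, Mar 5, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
adaserver, Mar 5, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78
"""

if __name__ == "__main__":
    print("Jetty keystore:", check_jetty_keystore(JETTY_KEYSTORE_LISTING) or "OK")
    print("cacerts:", check_trust_store(CACERTS_LISTING, ["CARootCertAuth"]) or "OK")
```

On the server, pipe the real `keytool -list` output (the `CACertsTrustedCerts*.txt` files from this step, and the listing from step 7c) into `check_jetty_keystore` and `check_trust_store` instead of the embedded samples; for a chain with an intermediate, pass both the root and the intermediate alias to `check_trust_store`.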
  9. Configure the Single Sign-On SSL scheme and port.
    Run install_path\Portal\SSO\bin\SsoConfig.exe. The session below shows the menus SsoConfig displays and, after each prompt, the value to enter:
      SSO Configuration:
        1. CA Performance Center
        2. CA Application Delivery Analysis
      Choose an option > 2
      SSO Configuration/CA Application Delivery Analysis:
        1. LDAP Authentication
        2. SAML2 Authentication
        3. Performance Center
        4. Single Sign-On
        5. Test LDAP
        6. Export SAML2 Service Provider Metadata
      Choose an option > 4
      SSO Configuration/CA Application Delivery Analysis/Single Sign-On:
        Anonymous User Enabled: Disabled
        Anonymous User ID: 2
        Localhost User Sign-In Page Enabled: Disabled
        Localhost User Enabled: Enabled
        Localhost User ID: 1
        Cookie Timeout Minutes: 20
        Encryption Decryption Key: #$utP9%z
        Encryption Algorithm: DES
        Failed Sleep Seconds: 3
        Remember Me Enabled: Enabled
        Remember Me Timeout Days: 15
        Scheme: http
        Port: 8381
        Virtual Directory: sso
        1. Remote Value
        2. Local Override
      Choose an option > 2
      SSO Configuration/CA Application Delivery Analysis/Single Sign-On/Local Override:
        1. Anonymous User Enabled:
        2. Anonymous User ID:
        3. Localhost User Sign-In Page Enabled:
        4. Localhost User Enabled:
        5. Localhost User ID:
        6. Cookie Timeout Minutes:
        7. Encryption Decryption Key:
        8. Encryption Algorithm:
        9. Failed Sleep Seconds:
        10. Remember Me Enabled:
        11. Remember Me Timeout Days:
        12. Scheme:
        13. Port:
        14. Virtual Directory:
      Select a Property > 12
      Enter u to update to new value > u
      Enter new value > https
      SSO Configuration/CA Application Delivery Analysis/Single Sign-On/Local Override:
        1. Anonymous User Enabled:
        2. Anonymous User ID:
        3. Localhost User Sign-In Page Enabled:
        4. Localhost User Enabled:
        5. Localhost User ID:
        6. Cookie Timeout Minutes:
        7. Encryption Decryption Key:
        8. Encryption Algorithm:
        9. Failed Sleep Seconds:
        10. Remember Me Enabled:
        11. Remember Me Timeout Days:
        12. Scheme: https
        13. Port:
        14. Virtual Directory:
      Select a Property > 13
      Enter u to update to new value > u
      Enter new value > 8382
    Enter q to quit SsoConfig.
  10. Back up the install_path\Portal\SSO\start.ini file, then edit install_path\Portal\SSO\start.ini:
    a. Search for module=http and change it to module=https.
    b. Search for module=ssl and remove the # so that the line is active.
  11. Back up the install_path\Portal\SSO\conf\wrapper.conf file, then edit install_path\Portal\SSO\conf\wrapper.conf and change the following line:
    wrapper.java.additional.3=-Djetty.http.port=8381
    to:
    wrapper.java.additional.3=-Djetty.ssl.port=8382
  12. Configure Jetty SSL.
    a. Copy install_path\Portal\Jetty\etc\jetty-ssl.xml to the install_path\Portal\SSO\etc directory.
    b. Edit the following lines in the install_path\Portal\SSO\start.d\ssl.ini file:
      • Uncomment the lines for the configuration variables.
      • Use the keystore password created in step 7b for both the KeyStorePassword and the TrustStorePassword.
      • Use the PFX certificate password created in step 2 for the KeyManagerPassword.
      • Set the port to 8382.
      The resulting lines:
      # define the port to use for secure redirection
      jetty.ssl.port=8382
      jetty.https.port=8382
      jetty.httpConfig.securePort=8382
      # Set up a keystore and truststore
      jetty.sslContext.keyStoreType=JKS
      jetty.sslContext.keyStorePath=etc/keystore
      jetty.sslContext.trustStorePath=etc/keystore
      # Set up passwords
      jetty.sslContext.keyStorePassword=keystorepass
      jetty.sslContext.keyManagerPassword=certificatepass
      jetty.sslContext.trustStorePassword=keystorepass
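The edits in steps 5, 10, 11 and 12 have to agree with each other: both URL sections of SuperAgent.xml must say https and 443, start.ini must activate the https and ssl modules, and the 8382 port in wrapper.conf must match all three port settings in ssl.ini. The following Python script is an added example, not part of the CA ADA documentation; it re-reads those four files and reports every mismatch, which is quicker than eyeballing them when the login page fails to load after the restart. The embedded file contents are constructed to match what the procedure shows (only the lines the procedure quotes are taken from it, the rest is filler), and the `--module=` form of the start.ini lines is an assumption; on a real server read the files from under install_path instead.

```python
"""Cross-check the SSO files edited in steps 5, 10, 11 and 12.

Added example; not part of the CA ADA documentation. Embedded file contents are
constructed; on a real server read them from under install_path instead.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET


def check_superagent_xml(text: str) -> list[str]:
    """Step 5: both URL sections must use Scheme https and Port 443."""
    root = ET.fromstring(text.encode("utf-8"))
    problems = []
    for section in ("SignInPageProductDefaultUrl", "SingleSignOnWebServiceUrl"):
        node = root.find(section)
        if node is None:
            problems.append(f"{section}: section missing")
            continue
        scheme = (node.findtext("Scheme") or "").strip().lower()
        port = (node.findtext("Port") or "").strip()
        if scheme != "https":
            problems.append(f"{section}: Scheme is {scheme!r}, expected https")
        if port != "443":
            problems.append(f"{section}: Port is {port!r}, expected 443")
    return problems


def check_start_ini(text: str) -> list[str]:
    """Step 10: module=https and module=ssl active, module=http gone ('--module=' form assumed)."""
    # A commented line starts with '#', so it never matches and counts as inactive.
    active = {m.group(1) for m in (re.match(r"^\s*(?:--)?module=(\S+)\s*$", ln) for ln in text.splitlines()) if m}
    problems = ["start.ini: module=http is still active; change it to module=https"] if "http" in active else []
    problems += [f"start.ini: module={mod} is missing or commented out" for mod in ("https", "ssl") if mod not in active]
    return problems


def wrapper_ssl_port(text: str) -> tuple[str | None, list[str]]:
    """Step 11: -Djetty.http.port must have become -Djetty.ssl.port; returns that port."""
    port, problems = None, []
    for line in text.splitlines():
        m = re.match(r"^wrapper\.java\.additional\.\d+=-Djetty\.(ssl|http)\.port=(\d+)\s*$", line)
        if m and m.group(1) == "http":
            problems.append("wrapper.conf: -Djetty.http.port is still set; change it to -Djetty.ssl.port")
        elif m:
            port = m.group(2)
    if port is None:
        problems.append("wrapper.conf: no -Djetty.ssl.port setting found")
    return port, problems


def check_ssl_ini(text: str, wrapper_port: str | None) -> list[str]:
    """Step 12: the three port settings equal the wrapper.conf port; keystore settings are uncommented."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    problems = []
    ports = {k: values.get(k) for k in ("jetty.ssl.port", "jetty.https.port", "jetty.httpConfig.securePort")}
    if wrapper_port and any(p != wrapper_port for p in ports.values()):
        problems.append(f"ssl.ini: ports {ports} do not all equal wrapper.conf port {wrapper_port}")
    for key in ("jetty.sslContext.keyStorePath", "jetty.sslContext.keyStorePassword",
                "jetty.sslContext.keyManagerPassword", "jetty.sslContext.trustStorePassword"):
        if not values.get(key):
            problems.append(f"ssl.ini: {key} is missing or commented out")
    return problems


def check_all(superagent_xml: str, start_ini: str, wrapper_conf: str, ssl_ini: str) -> list[str]:
    port, wrapper_problems = wrapper_ssl_port(wrapper_conf)
    return (check_superagent_xml(superagent_xml) + check_start_ini(start_ini)
            + wrapper_problems + check_ssl_ini(ssl_ini, port))


# Constructed file contents reflecting the finished procedure.
SUPERAGENT_XML = """<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <SingleSignOnEnabled>True</SingleSignOnEnabled>
  <SignInPageProductDefaultUrl>
    <Scheme>https</Scheme><Port>443</Port><PathAndQuery>/SuperAgent/default.aspx</PathAndQuery>
  </SignInPageProductDefaultUrl>
  <SingleSignOnWebServiceUrl>
    <Scheme>https</Scheme><Port>443</Port><PathAndQuery>/SuperAgentDataSource/SingleSignOnWS.asmx</PathAndQuery>
  </SingleSignOnWebServiceUrl>
</Configuration>
"""
START_INI = "--module=server\n--module=https\n--module=ssl\n--module=deploy\n"          # module lines assumed
WRAPPER_CONF = "wrapper.java.additional.1=-Xmx512m\nwrapper.java.additional.3=-Djetty.ssl.port=8382\n"
SSL_INI = """\
jetty.ssl.port=8382
jetty.https.port=8382
jetty.httpConfig.securePort=8382
jetty.sslContext.keyStoreType=JKS
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore
jetty.sslContext.keyStorePassword=keystorepass
jetty.sslContext.keyManagerPassword=certificatepass
jetty.sslContext.trustStorePassword=keystorepass
"""

if __name__ == "__main__":
    print(check_all(SUPERAGENT_XML, START_INI, WRAPPER_CONF, SSL_INI) or "all four files agree")
```

`check_all` returns an empty list when everything lines up; each string it returns names the file and the setting to revisit, so the port entered in SsoConfig (step 9) and the firewall rule (step 13) can be checked against the same 8382 value.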
  13. Confirm that port 8382 is open if the firewall is enabled.
  14. Restart the “CA Performance Center SSO” service and run iisreset from the command prompt.
  15. Verify that the CA ADA Web interface is accessible via HTTPS.
    The following log files can be checked if login fails or if SsoConfig.exe fails to launch:
    • install_path\Portal\SSO\logs\wrapper
    • install_path\Portal\SSO\logs\SSOService.log
    • install_path\Portal\SSO\logs\application.log (if present)
  16. Configure CA ADA as a data source in CA PC.
    If CA ADA is associated with CA Performance Center (CA PC), you need to configure the Web Console settings.
    a. Log in to CA PC and edit the data source settings for CA ADA.
    b. In the Web Console section:
      • Uncheck Same as Data Source.
      • Host Name: the name that the certificate was issued to.
      • Port: 443
      • Select https.
    c. Click Test to verify connectivity.
      The following log files can be checked if the Test option fails: /CAPerformancenstallDirectory/PC/logs
    d. Click Save.
    e. Resync the CA ADA data source from CA PC and verify that CA ADA views show data. Click the ADA link to ensure that CA ADA is accessible.