Jetty Configuration Options for Version 10.7
The Jetty configuration information in this article is valid only for version 10.7, not for its service packs.
Jetty Configuration Options for SSL
A default Jetty configuration file (em-jetty-config.xml) in the <EM_Home>/config directory lets you modify many components of SSL. For example:
- Change the HTTPS port from the default 8444 by changing the value of the port attribute. Example:
    <Set name="port">8444</Set>
- By default, the SSL listener uses the keystore at /internal/server/keystore. This path is relative to the /config directory. The keystore contains a self-signed certificate that clients cannot trust. Replace it with your own keystore containing a certificate issued by a recognized Certificate Authority (CA).
- The default keystorePassword is password; change it. Clear-text passwords in em-jetty-config.xml and webview-jetty-config.xml are obfuscated by default, and obfuscated passwords start with OBF:. To supply a plain-text password instead, omit the OBF: prefix. Note that OBF: obfuscation is reversible without any key; it only hides the value from a casual glance at the file and is not encryption, so restrict read access to these files. For more information about configuring SSL, see https://wiki.eclipse.org/Jetty/Howto/Configure_SSL.
- By default, SSL is configured to accept self-signed certificates, and it does not verify that the host name in the client URL matches the host name in the digital certificate. This configuration is sufficient only for testing standalone Enterprise Managers: it lets SSL work out of the box with the untrusted certificate in the default keystore, but it gives no protection against a server that presents any certificate of its own. If you require secure authentication, create a keystore containing a trusted certificate.
  The Enterprise Managers are also clients when they communicate over SSL, so they require a valid certificate, or a trusted self-signed certificate with the correct host name, in the Java trustStore. For testing purposes you can use a self-signed certificate, but you must generate it for your host name and domain and add it to the global Java trustStore, which the Enterprise Manager uses as a client to verify servers. For production environments, a valid certificate from a recognized Certificate Authority is required. Then replace the default keystore with your own and set these attributes in the XML (use your own keystore password, obfuscated as described above, in place of password):
    <Set name="validateCertificates">true</Set>
    <Set name="verifyHostnames">true</Set>
    <Set name="keystore"><SystemProperty name="introscope.config" default="./config" />/internal/server/keystore</Set>
    <Set name="password">password</Set>
- You can also require client authentication by creating a trustStore that contains the client certificates:
    <Set name="needClientAuth">true</Set>
    <Set name="truststore"><SystemProperty name="introscope.config" default="./config" />/internal/server/keystore</Set>
    <Set name="trustPassword">password</Set>
- If you require client authentication, configure the agents and Workstations with a keyStore that contains a certificate that the Enterprise Manager web server trusts.
- To set the enabled cipher suites, set the cipherSuites attribute to a list of cipher suites:
    <Set name="cipherSuites">
      <Array type="java.lang.String">
        <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
      </Array>
    </Set>
  The suite in this example only illustrates the syntax: it is anonymous (no server authentication, so it cannot resist an active attacker) and uses RC4 with MD5, so do not enable it outside a test environment. The agents and Workstations must have at least one enabled cipher suite in common with the Enterprise Manager to use SSL. Restricting the enabled cipher suites lets you:
- Exclude weak cipher suites and the vulnerabilities that come with them.
- Allow anonymous connections.
- Disable encryption of the data.
- To customize the list of accepted protocols, define the protocols in <Item> tags in the em-jetty-config.xml and webview-jetty-config.xml files, as in the following example:
    <Set name="protocols">
      <Array type="java.lang.String">
        <Item>TLSv1.2</Item>
        <Item>TLSv1.1</Item>
        <Item>TLSv1</Item>
      </Array>
    </Set>
  TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them enabled only while you still have agents or Workstations that cannot negotiate TLSv1.2, and remove them afterwards.
- The Enterprise Manager uses the maxThreads property to limit the number of HTTPS agent connections that it can service. If there are not enough threads, the Enterprise Manager does not recognize the connected agents or process metrics from them.
- When using HTTPS, the Enterprise Manager services only as many agents as the maxThreads property allows. The number of allowed agent connections is configured in the introscope.enterprisemanager.agent.connection.limit property in the apm-events-thresholds-config.xml file. Ensure that the maxThreads value is greater than or equal to the introscope.enterprisemanager.agent.connection.limit value; otherwise some agents do not appear in clients or report any metrics because they cannot obtain a thread for their HTTPS connection.
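The settings discussed above (the obfuscated default password, validateCertificates and verifyHostnames, the cipherSuites and protocols lists, and the maxThreads budget) are easy to leave in their test-only state. The following script is an added example, not CA APM's own code: it audits an em-jetty-config.xml or webview-jetty-config.xml fragment for those settings and reverses OBF: passwords to show that the obfuscation is keyless. It assumes the file uses the <Set name="..."> elements shown above; the list of what counts as a weak suite or deprecated protocol is this editor's policy; the OBF: codec reimplements the scheme of Jetty's org.eclipse.jetty.util.security.Password class; the two embedded configuration samples are constructed for the example, and the hardened sample's keystore password is a hypothetical value.

```python
"""Audit SSL settings in em-jetty-config.xml / webview-jetty-config.xml.
Added example, not CA APM code. Assumes the <Set name="..."> elements shown
above; the weak-suite/protocol policy is the editor's; the OBF: codec follows
Jetty's org.eclipse.jetty.util.security.Password (reversible, keyless)."""
import xml.etree.ElementTree as ET

OBF = "OBF:"
WEAK_SUITE_PATTERNS = ("_anon_", "_NULL_", "_RC4_", "_MD5", "_DES_", "3DES", "EXPORT")
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def _base36(n):
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
    return out or "0"

def obfuscate(plain):
    """Jetty OBF: each byte is mixed with its mirror-position byte into 4 base-36
    digits ('U' + 4 digits for non-ASCII bytes). Java bytes are signed, hence -256."""
    b = plain.encode("utf-8")
    parts = [OBF]
    for i, raw in enumerate(b):
        b1 = raw - 256 if raw > 127 else raw
        b2 = b[-1 - i] - 256 if b[-1 - i] > 127 else b[-1 - i]
        if b1 < 0 or b2 < 0:
            parts.append("U" + _base36((b1 & 0xFF) * 256 + (b2 & 0xFF)).rjust(4, "0"))
        else:
            parts.append(_base36((127 + b1 + b2) * 256 + (127 + b1 - b2)).rjust(4, "0"))
    return "".join(parts)

def deobfuscate(value):
    """Inverse of obfuscate(); no secret is needed, so OBF: is not encryption."""
    s = value[len(OBF):] if value.startswith(OBF) else value
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "U":
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            hi, lo = divmod(int(s[i:i + 4], 36), 256)
            out.append((hi + lo - 254) // 2)
            i += 4
    return out.decode("utf-8")

def _setting(root, name):
    """First <Set name=...>: its text (including text after <SystemProperty/>) and its <Item>s."""
    for el in root.iter("Set"):
        if el.get("name") == name:
            return "".join(el.itertext()).strip(), [it.text.strip() for it in el.iter("Item") if it.text]
    return None, []

def audit_jetty_ssl(xml_text, agent_connection_limit=None):
    """Return findings for the SSL settings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    for name in ("password", "keystorePassword", "keyPassword", "trustPassword"):
        value, _ = _setting(root, name)
        if value is None:
            continue
        if not value.startswith(OBF):
            findings.append(f"{name} is stored in clear text")
        if (deobfuscate(value) if value.startswith(OBF) else value) == "password":
            findings.append(f"{name} is still the shipped default")
    if _setting(root, "validateCertificates")[0] != "true":
        findings.append("validateCertificates is not true: untrusted certificates are accepted")
    if _setting(root, "verifyHostnames")[0] != "true":
        findings.append("verifyHostnames is not true: certificate host name is not checked")
    for suite in _setting(root, "cipherSuites")[1]:
        hits = [p for p in WEAK_SUITE_PATTERNS if p in suite]
        if hits:
            findings.append(f"weak cipher suite enabled: {suite} ({', '.join(hits)})")
    for proto in _setting(root, "protocols")[1]:
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    max_threads, _ = _setting(root, "maxThreads")
    if agent_connection_limit is not None and max_threads is not None and int(max_threads) < agent_connection_limit:
        findings.append(f"maxThreads={max_threads} is below the agent connection limit {agent_connection_limit}")
    return findings

# Constructed samples modelled on the settings described above (not real files).
DEFAULT_LIKE_CONFIG = """<Configure class="org.eclipse.jetty.server.Server">
 <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="password">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
  <Set name="validateCertificates">false</Set><Set name="verifyHostnames">false</Set>
  <Set name="cipherSuites"><Array type="java.lang.String"><Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
   <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item></Array></Set>
  <Set name="protocols"><Array type="java.lang.String"><Item>TLSv1.2</Item><Item>TLSv1.1</Item><Item>TLSv1</Item></Array></Set>
 </New>
 <Set name="maxThreads">100</Set>
</Configure>"""

HARDENED_CONFIG = """<Configure class="org.eclipse.jetty.server.Server">
 <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="password">@PW@</Set>
  <Set name="validateCertificates">true</Set><Set name="verifyHostnames">true</Set><Set name="needClientAuth">true</Set>
  <Set name="truststore"><SystemProperty name="introscope.config" default="./config"/>/internal/server/truststore</Set>
  <Set name="trustPassword">@PW@</Set>
  <Set name="cipherSuites"><Array type="java.lang.String"><Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
   <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item></Array></Set>
  <Set name="protocols"><Array type="java.lang.String"><Item>TLSv1.2</Item></Array></Set>
 </New>
 <Set name="maxThreads">500</Set>
</Configure>""".replace("@PW@", obfuscate("Tr0ub4dor&3"))  # hypothetical keystore password

if __name__ == "__main__":
    for label, cfg in (("default-like", DEFAULT_LIKE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_jetty_ssl(cfg, agent_connection_limit=400) or ["no findings"])
```

Run it against a copy of your real file by reading the file into audit_jetty_ssl and passing the value of introscope.enterprisemanager.agent.connection.limit as agent_connection_limit. The default-like sample produces seven findings (default password, both verification flags off, the anonymous RC4 suite, two deprecated protocols, and a thread budget below the agent limit), while the hardened sample produces none; the deobfuscate() output is the point of the password check: anyone who can read the file can recover the value.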
Reset the Default Request Header Size for CEM Console
If you occasionally see blank pages when you access the CEM console, increase the default request header size limit of 8 kB in the Jetty configuration file.
Follow these steps:
- Navigate to the <EM_Home>/config directory on the MOM and open the em-jetty-config.xml file in a text editor.
- Locate the section with the following line:
    <New class="org.eclipse.jetty.server.HttpConfiguration">
- Modify the NoNPESocketConnector property with this value:
    <Set name="RequestBufferSize">16384</Set>
- Save and close the file.
- Navigate to the IntroscopeEnterpriseManager.properties file on each MOM and Collector.
- Uncomment the line that sets this property:
    introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml
- Save and close the file.
- Restart the web server.