Jetty Configuration Options for Version 10.7

The information about Jetty configuration in this article is valid only for version 10.7, not for the service packs.
Jetty Configuration Options for SSL
A default Jetty configuration file (
) in the 
 directory lets you modify many components of SSL. For example:
  • Change the HTTPS port from the default 8444 by changing the value of the port attribute.
    Example: <Set name="port">8444</Set>
  • By default, the SSL listener is configured to use the 
     Keystore path. This path is relative to the 
     directory. This keyStore contains a self-signed certificate that is untrustworthy. You can substitute your own keyStore with a keyStore containing a certificate from a recognized Certificate Authority (CA).
  • The default keystorePassword is 
    . Clear text passwords in 
     are obfuscated by default. The obfuscated passwords start with 
    . The plain text passwords can be provided by removing 
    . For more information about configuring SSL, see
  • By default, SSL is configured to accept self-signed certificates, and it does not verify that the host name in the client URL matches the host name in the digital certificate. This configuration ensures that SSL works by default with the untrusted certificate in the default keyStore, and it is sufficient for testing standalone Enterprise Managers only. If you require highly secure authentication, create a keystore containing a trusted certificate.
    The Enterprise Managers are also clients when communicating over SSL. The Enterprise Managers require a valid certificate or a trusted self-signed certificate with the correct hostname in the Java trustStore. You must use a valid certificate. For testing purposes, you can use a self-signed certificate, but you must generate a certificate for your hostname and domain. Add the certificate to the global Java trustStore. The Enterprise Manager as a client uses the global Java trustStore to verify trusted servers.
    For production environments, a valid certificate from a recognized Certificate Authority is required.
    Then set these attributes in the XML, replacing the default keyStore with your own:
    <Set name="validateCertificates">true</Set>
    <Set name="verifyHostnames">true</Set>
    <Set name="keystore"><SystemProperty name="introscope.config" default="./config" />/internal/server/keystore</Set>
    <Set name="password">password</Set>
  • You can also create a trustStore that contains client certificates to require the client authentication, as follows:
    <Set name="needClientAuth">true</Set>
    <Set name="truststore"><SystemProperty name="introscope.config" default="./config" />/internal/server/keystore</Set>
    <Set name="trustPassword">password</Set>
  • If you require client authentication, configure the agents and Workstations with a keyStore that contains a certificate. The Enterprise Manager web server must trust this certificate.
    To set the enabled cipher suites, set the 
    attribute to a list of cipher suites:
    <Set name="cipherSuites">
      <Array type="java.lang.String">
        <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
      </Array>
    </Set>
    The agents and Workstations must have an enabled cipher suite in common with the Enterprise Manager to use SSL. You can restrict the enabled cipher suites to do the following:
    • Prevent vulnerabilities in weak cipher suites.
    • Allow anonymous connections.
    • Not encrypt data.
  • If you need to customise the list of accepted protocols, define the protocols for the 
     tag in the 
     files as shown in the following example:
    <Set name="protocols">
    <Array type="java.lang.String">
  • The Enterprise Manager uses the 
     property to limit the number of HTTPS agent connections that the Enterprise Manager can service. If there are not enough threads, the Enterprise Manager does not recognize the connected agents or process metrics from them. 
  • When using HTTPS, the Enterprise Manager services only the number of agents that are configured in the 
     property. The number of allowed agent connections is configured in the 
     property in the 
     file. Be sure that the 
     value is greater than or equal to the 
     introscope.enterprisemanager.agent.connection.limit value. Some agents do not appear in clients or report any metrics when there are not enough threads to connect over HTTPS.
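
A way to check a Jetty SSL fragment for the settings described above before deploying it. This is an added example, not part of the product or its documentation; the <Configure> wrapper, the sample values, and the weak-suite markers are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample using the attribute names shown on this page; the
# <Configure> wrapper is a placeholder root, not the product's real file.
SAMPLE = """<Configure>
  <Set name="validateCertificates">false</Set>
  <Set name="verifyHostnames">true</Set>
  <Set name="cipherSuites">
    <Array type="java.lang.String">
      <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
      <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
    </Array>
  </Set>
</Configure>"""

# Name fragments and what each one means for a connection using that suite.
WEAK_MARKERS = {
    "_anon_": "no server authentication",
    "_NULL_": "no encryption",
    "_EXPORT_": "export-grade key size",
    "_RC4_": "RC4 stream cipher",
    "_MD5": "MD5-based MAC",
}

def weak_reasons(suite):
    """Return the reasons a cipher suite name is considered weak (empty if none)."""
    return [why for marker, why in WEAK_MARKERS.items() if marker in suite]

def audit(xml_text):
    """Return a list of findings for the SSL settings discussed on this page."""
    root = ET.fromstring(xml_text)
    sets = {s.get("name"): s for s in root.iter("Set")}
    findings = []
    for flag in ("validateCertificates", "verifyHostnames"):
        node = sets.get(flag)
        value = (node.text or "").strip().lower() if node is not None else "unset"
        if value != "true":
            findings.append(f"{flag}={value}, expected true")
    suites = sets.get("cipherSuites")
    if suites is None:
        findings.append("cipherSuites unset: no explicit suite list")
    else:
        for item in suites.iter("Item"):
            name = (item.text or "").strip()
            findings.extend(f"{name}: {why}" for why in weak_reasons(name))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The cipher suite from the example on this page is reported three times: it is anonymous, uses RC4, and uses MD5.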
Reset the Default Request Header Size for CEM Console
If you occasionally see blank pages when you access the CEM console, reset the default request header size limit of 8 kB. Reset the header size limit in the Jetty configuration file.
Follow these steps:
  1. Navigate to the 
     directory on the MOM and open the 
     file in a text editor.
  2. Locate the section with the following line:
    <New class="org.eclipse.jetty.server.HttpConfiguration">
  3. Modify the 
     property with this value:
    <Set name="RequestBufferSize">16384</Set>
  4. Save and close the file.
  5. Navigate to the
     file on each MOM and Collector.
  6. Uncomment the line in this property:
  7. Save and close the file.
  8. Restart the web server.