Jetty Configuration Options for Version 10.7

The Jetty configuration information in this article is valid only for version 10.7, not for its service packs.
Jetty Configuration Options for SSL
Important: A default Jetty configuration file (em-jetty-config.xml) in the <EM_Home>/config directory lets you modify many components of SSL. For example:
  • Change the HTTPS port from the default 8444 by changing the value of the port attribute. 
    Example: <Set name="port">8444</Set>
  • By default, the SSL listener is configured to use the /internal/server/keystore keystore path, relative to the /config directory. This keystore contains a self-signed certificate that clients cannot verify against any trusted authority. Substitute your own keystore containing a certificate issued by a recognized Certificate Authority (CA).
  • The default keystorePassword is password. Clear-text passwords in em-jetty-config.xml and webview-jetty-config.xml are obfuscated by default; obfuscated values start with OBF:. To supply a password in plain text instead, omit the OBF: prefix. Note that OBF: obfuscation is reversible without any key and provides no secrecy; it only prevents the password from being read at a glance, so restrict filesystem access to these files. For more information about configuring SSL, see https://wiki.eclipse.org/Jetty/Howto/Configure_SSL.
  • By default, the SSL listener accepts self-signed certificates and does not verify that the host name in the client URL matches the host name in the digital certificate. This configuration is sufficient only for testing standalone Enterprise Managers: it ensures that SSL works out of the box with the untrusted certificate in the default keystore, but it gives a client no assurance of which server it is talking to. If you require authenticated connections, create a keystore containing a trusted certificate.
    The Enterprise Managers are also SSL clients when they communicate with each other. As clients, they require a certificate that is either issued by a CA in the Java trustStore or a trusted self-signed certificate, and in both cases the certificate must carry the correct host name. For testing purposes, you can use a self-signed certificate, but you must generate it for your actual host name and domain and add it to the global Java trustStore, which the Enterprise Manager uses as a client to verify the servers it connects to.
    For production environments, a valid certificate from a recognized Certificate Authority is required.
    Then set these attributes in the XML and replace the default keystore with your own:
    <Set name="validateCertificates">true</Set>
    <Set name="verifyHostnames">true</Set>
    <Set name="keystore"><SystemProperty name="introscope.config" default="./config" />/internal/server/keystore</Set>
    <Set name="password">password</Set>
  • You can also create a trustStore that contains the client certificates to trust and require client authentication, as follows:
    <Set name="needClientAuth">true</Set>
    <Set name="truststore"><SystemProperty name="introscope.config" default="./config" />/internal/server/keystore</Set>
    <Set name="trustPassword">password</Set>
  • If you require client authentication, configure the agents and Workstations with a keystore that contains a certificate, and make sure the Enterprise Manager web server trusts that certificate.
    To set the enabled cipher suites, set the cipherSuites attribute to a list of cipher suites:
    <Set name="cipherSuites">
    <Array type="java.lang.String">
    <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
    </Array>
    </Set>
    The agents and Workstations must have at least one enabled cipher suite in common with the Enterprise Manager to use SSL. You can restrict the enabled cipher suites to:
    • Exclude weak cipher suites and the vulnerabilities that come with them.
    • Allow anonymous connections (no certificate on either side).
    • Disable encryption (NULL ciphers).
    The suite in the example above, SSL_DH_anon_WITH_RC4_128_MD5, illustrates the syntax only: it is anonymous, so it authenticates neither side, and it uses RC4 and MD5, both of which are broken and deprecated. Do not enable it, or any other anonymous or NULL suite, on a production Enterprise Manager.
  • If you need to customize the list of accepted protocols, define one <Item> tag per protocol in the em-jetty-config.xml and webview-jetty-config.xml files, as shown in the following example:
    <Set name="protocols">
    <Array type="java.lang.String">
    <Item>TLSv1.2</Item>
    <Item>TLSv1.1</Item>
    <Item>TLSv1</Item> 
    </Array>
    </Set>
    TLSv1 and TLSv1.1 are deprecated (RFC 8996). Keep them enabled only while an older agent or Workstation still requires them; otherwise list TLSv1.2 alone (and TLSv1.3 where the JVM supports it).
  • The Enterprise Manager uses the maxThreads property to limit the number of HTTPS agent connections that it can service. If there are not enough threads, the Enterprise Manager does not recognize the connected agents or process metrics from them. 
  • When using HTTPS, the Enterprise Manager services at most the number of agents that maxThreads allows. The number of allowed agent connections is configured in the introscope.enterprisemanager.agent.connection.limit property in the apm-events-thresholds-config.xml file. Make sure that the maxThreads value is greater than or equal to the introscope.enterprisemanager.agent.connection.limit value; otherwise some agents do not appear in clients or report any metrics, because no thread is available to accept their HTTPS connection.
Reset the Default Request Header Size for CEM Console
If you occasionally see blank pages when you access the CEM console, raise the default request header size limit of 8 kB. The limit is set in the Jetty configuration file.
Follow these steps:
  1. Navigate to the <EM_Home>/config directory on the MOM and open the em-jetty-config.xml file in a text editor.
  2. Locate the section with the following line:
    <New class="org.eclipse.jetty.server.HttpConfiguration">
  3. Modify the NoNPESocketConnector property with this value:
    <Set name="RequestBufferSize">16384</Set>
  4. Save and close the file.
  5. Open the IntroscopeEnterpriseManager.properties file on each MOM and Collector.
  6. Uncomment the line that sets this property:
    introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml
  7. Save and close the file.
  8. Restart the web server.