Configure OneClick for Secure Sockets Layer

OneClick supports the Secure Sockets Layer (SSL) protocol to encrypt communications between the OneClick web server and OneClick clients. OneClick clients can access information securely across unsecured networks, such as the Internet. In addition to encryption, SSL uses certificates for authentication. Authentication protects users from downloading and running applications from suspicious or "untrusted" sources.
Both Certificate Authority-signed certificates and self-signed certificates provide encrypted connections using SSL. However, a certificate signed by a Certificate Authority adds server authentication: the Certificate Authority verifies the identity of the party requesting the certificate, and clients that trust the Certificate Authority can verify that the server they reach is the one named in the certificate. This makes it difficult for an attacker to impersonate the OneClick web server (the trusted entity). A self-signed certificate provides the same encryption but carries no third-party proof of the server's identity, so self-signed certificates are appropriate only if you require the encryption that an SSL certificate provides without requiring proof of the certificate source.
Follow these steps:
  1. On the OneClick web server host, change to the $SPECROOT/Java/bin directory.
  2. Generate a key pair and a self-signed certificate in the custom cacerts keystore by issuing the following command:
    ./keytool -genkey -alias tomcatssl -keyalg RSA -keystore c:/win32app/Spectrum/custom/keystore/cacerts
    The keystore path shown is for a Windows installation; on UNIX, use $SPECROOT/custom/keystore/cacerts. The keytool prompts with a series of questions and uses the values that you specify to perform the following actions:
    • Create an issuer name for your organization. This name is an X.500 Distinguished Name that is intended to be unique across the Internet. For more information, see the keytool documentation at http://java.sun.com.
    • Generate the self-signed certificate using the issuer name.
      Save the keystore under $SPECROOT/custom/keystore. A keystore that is saved anywhere else is overwritten during an upgrade.
  3. Enter your answers to the following questions:
    Enter keystore password:
    Enter the password that protects the keystore. The default is changeit, which is the value that the Tomcat web server expects in the keystorePass attribute of $SPECROOT/tomcat/conf/server.xml. If you choose a different password, specify it in that file.
    What is your first and last name?
    Enter the fully qualified domain name of the OneClick web server host as the common name (CN). For example, www.ca.com. Clients must connect using this same name, otherwise certificate validation fails.
    What is the name of your organizational unit?
    Enter a small organization name, such as the name of a division, business unit, or department. For example, Purchasing.
    What is the name of your organization?
    Enter a large organization name, such as ABCSystems, Inc.
    What is the name of your City or Locality?
    Enter your city name, such as Hyderabad.
    What is the name of your State or Province?
    Enter the full name, such as Andhra Pradesh.
    What is the two-letter country code for this unit?
    Enter the two-letter country code. For example, IN.
    Is CN=www.ca.com, OU=Purchasing, O="ABCSystems, Inc.", L=Hyderabad, ST=Andhra Pradesh, C=IN correct?
    Enter Yes.
    Enter key password for <tomcatssl> (RETURN if same as keystore password):
    Enter key password for <tomcatssl>. Press Enter to use the same password as the keystore password.
  4. (Optional) If you require a certificate that is signed by a Certificate Authority, request the certificate from the Certificate Authority and then import it.
    Before proceeding with this step, as a best practice, skip ahead and configure the secure socket with the self-signed certificate (see Configure the Secure Socket on the OneClick Web Server Host). You can then test whether the information that you provided in the previous step is correct. If HTTPS works, return to this step.
    As part of certificate configuration, generate a Certificate Signing Request (CSR) file from the system that runs the secure OneClick web server. The Java Development Kit (JDK) that is included with OneClick provides a keytool utility that you can use to generate the CSR file. Use the information that you provided in the previous step. Use the same alias name as tomcatssl.
    Request and import the Certificate Authority-signed certificate as follows:
    1. On the OneClick web server host, change to the $SPECROOT/Java/bin directory.
    2. Generate the CSR file by entering the following command:
      ./keytool -certreq -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -file filename.csr
      You are prompted for the keystore password. Use the same password that you provided earlier. The contents of the generated .csr file are used to request the secure certificate from the Certificate Authority (the next step).
    3. Request a secure certificate from a Certificate Authority. Examples of Certificate Authorities include:
      VeriSign: http://www.verisign.com
      TrustCenter: http://www.trustcenter.de
      thawte: http://www.thawte.com
      Instructions are available at these websites.
    4. Import the Certificate Authority-signed certificate into the keystore that is used by the OneClick web server. For more information, see Import a Certificate Authority-Signed Certificate.
  5. Configure the secure socket on the server that hosts the OneClick web server. For more information, see Configure the Secure Socket on the OneClick Web Server Host.
  6. If you are running Report Manager, configure OneClick to be launched from Report Manager using SSL. For more information, see Configure OneClick and Report Manager for Secure Sockets Layer.
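The procedure above is interactive, which makes it hard to repeat on several OneClick web servers and easy to get wrong at the Distinguished Name prompt (the page's own example organization, "ABCSystems, Inc.", contains a comma). The following script is an added example, not CA Spectrum code: it escapes the step 3 answers into a single -dname argument, reads the keystore password from an environment variable instead of the prompt, and drives the same keytool commands (key generation, CSR, import). Assumptions not taken from the page: keytool is found under $SPECROOT/Java/bin, a 2048-bit RSA key and 365-day validity are acceptable, and the CSR and signed certificate are named tomcatssl.csr and tomcatssl.cer.

```python
"""Run the keytool steps of this procedure without the interactive prompts.

Added example; this is not CA Spectrum code.  Assumptions (not from the page):
keytool lives under $SPECROOT/Java/bin, a 2048-bit RSA key and a 365-day
validity are acceptable, and the CSR and signed certificate are named
tomcatssl.csr and tomcatssl.cer.
"""
import os
import shlex
import subprocess

# Characters that RFC 2253 requires to be backslash-escaped inside a DN value.
_DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so keytool reads it as a single RDN.

    The page's example organization "ABCSystems, Inc." contains a comma, which
    would otherwise be taken as the separator before the next attribute.
    """
    escaped = ''.join('\\' + ch if ch in _DN_SPECIAL else ch for ch in value)
    if escaped.endswith(' '):                 # trailing space must be escaped
        escaped = escaped[:-1] + '\\ '
    if escaped.startswith(('#', ' ')):        # so must a leading '#' or space
        escaped = '\\' + escaped
    return escaped


def build_dname(cn, ou, o, l, st, c):
    """Assemble the X.500 name in the order keytool echoes it back for confirmation."""
    parts = [('CN', cn), ('OU', ou), ('O', o), ('L', l), ('ST', st), ('C', c)]
    return ', '.join(f'{key}={escape_dn_value(value)}' for key, value in parts)


def keytool_commands(keytool, keystore, dname, alias='tomcatssl', pass_env='KEYSTORE_PASS'):
    """Return argv lists for steps 2 and 5 and for the final import.

    -genkeypair and -importcert are the current spellings of -genkey and -import.
    The password is taken from an environment variable (-storepass:env) so it
    does not show up in the process list, and the key password is set equal to
    the keystore password, which is what Tomcat expects unless keyPass is set.
    """
    common = [keytool, '-alias', alias, '-keystore', keystore, '-storepass:env', pass_env]
    return {
        'genkeypair': common + ['-genkeypair', '-keyalg', 'RSA', '-keysize', '2048',
                                '-validity', '365', '-keypass:env', pass_env, '-dname', dname],
        'certreq': common + ['-certreq', '-file', f'{alias}.csr'],
        # -trustcacerts lets a CA root already present in the keystore complete the
        # chain; importing under the existing alias replaces the self-signed certificate.
        'importcert': common + ['-importcert', '-trustcacerts', '-file', f'{alias}.cer'],
        'list': common + ['-list', '-v'],
    }


def run(argv):
    """Run one keytool command, echoing it the way it would be typed at the shell."""
    print('$', ' '.join(shlex.quote(a) for a in argv))
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == '__main__':
    specroot = os.environ.get('SPECROOT', '/usr/SPECTRUM')
    os.environ.setdefault('KEYSTORE_PASS', 'changeit')   # Tomcat's default; change it
    dname = build_dname('www.ca.com', 'Purchasing', 'ABCSystems, Inc.',
                        'Hyderabad', 'Andhra Pradesh', 'IN')
    cmds = keytool_commands(os.path.join(specroot, 'Java', 'bin', 'keytool'),
                            os.path.join(specroot, 'custom', 'keystore', 'cacerts'), dname)
    print(run(cmds['genkeypair']))    # steps 2 and 3 in one command
    print(run(cmds['certreq']))       # writes tomcatssl.csr to send to the CA
    print(run(cmds['list']))          # confirm the tomcatssl entry is in the keystore
```

Run the import command from the returned dictionary once the signed certificate has come back from the Certificate Authority; because the alias is the same as the one used for -genkeypair, keytool replaces the self-signed certificate with the signed one for the existing private key.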
Import a Certificate Authority-Signed Certificate
If you have obtained a Certificate Authority-signed SSL certificate, import it into the keystore that the OneClick web server uses.
A chain (root) certificate from the Certificate Authority must also exist in the keystore. By default, OneClick includes chain certificates from many popular vendors. Click List on the SSL Certificates administration page to view the aliases for these certificates. This information helps you determine whether you need to obtain a chain certificate and import it.
Follow these steps:
  1. If necessary, download a chain (root) certificate from the Certificate Authority from which you obtained the signed certificate.
  2. If you downloaded a chain certificate in the previous step, import it into the keystore used by the OneClick web server:
    1. On the OneClick web server host, change to the $SPECROOT/Java/bin directory.
    2. Enter the following command:
      ./keytool -import -alias root -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file root_chain_certificate_filename
      You are prompted for the keystore password (the password that the Tomcat web server uses to open the keystore). The alias name does not have to be 'root'. You can supply a more descriptive name for the type of root certificate that you are importing. The alias name cannot already exist in the keystore.
  3. Import the Certificate Authority-signed SSL certificate into the keystore used by the OneClick web server:
    1. If necessary, on the OneClick web server host, change to the $SPECROOT/Java/bin directory.
    2. Enter the following command:
      ./keytool -import -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_certificate_filename
      You are prompted for the keystore password. Use the same alias (tomcatssl) that you used when you generated the self-signed certificate, so that the signed certificate replaces the self-signed one for the existing private key. For more information, see Name Resolution Requirements.
Configure the Secure Socket on the OneClick Web Server Host
Configure the secure socket on the server that hosts the OneClick web server. Consider this task as the final step in configuring the OneClick web server for SSL.
CA Spectrum supports the use of SSL v3. Be aware that SSL v3 has known weaknesses (the POODLE attack) and is deprecated by RFC 7568; the connector definition below uses sslProtocol="TLS", and clients should be allowed to negotiate TLS rather than SSL v3 wherever they support it.
Follow these steps:
  1. Shut down the OneClick web server.
  2. Open $SPECROOT/tomcat/conf/server.xml in your preferred text editor.
  3. Locate the following section in the server.xml file:
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
    <!--
    <Connector port="443" minProcessors="5" maxProcessors="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" ssl_enabled="yes"
               keystoreFile="<SPECROOT>/custom/keystore/cacerts"
               keystorePass="changeit">
    </Connector>
    -->
    By default the <Connector> element in the section is commented out.
    The preceding XML fragment is Windows-specific, with 443 as the default port where the OneClick web server listens for SSL communications. End users can omit the port from the URL for accessing the OneClick home page:
    https://<fully_qualified_host_name>/spectrum
    On a UNIX-based installation, the OneClick web server is not run as root, and the default port is 8443 (a non-root process cannot bind to ports below 1024). As a result, end users must specify the port number in the web browser when they enter the URL to access the OneClick home page:
    https://<fully_qualified_host_name>:8443/spectrum
  4. Remove the comments around the Connector definition. Perform the following actions:
    1. Remove "<!--" from the line preceding <Connector.
    2. Remove "-->" from the end of the section (after </Connector>).
  5. Replace the <SPECROOT> variable in the value for the keystoreFile attribute with the fully qualified path to the directory where CA Spectrum is installed. This is the same cacerts file that you specified in the keytool commands when you generated and imported the certificates. If you changed the keystore password from the default, also set the keystorePass attribute to the new value. For example:
    • Windows
      C:/win32app/SPECTRUM/custom/keystore/cacerts
    • UNIX
      /usr/SPECTRUM/custom/keystore/cacerts
  6. Save and close the server.xml file.
  7. If you have CA Spectrum integrated with CA Performance Center, perform the following steps to enable the communication between SSL enabled OneClick and CA Performance Center:
    1. Open the "axis2.xml" file in an editor from "$SPECROOT/tomcat/webapps/axis2/WEB-INF/conf".
    2. Locate the following section in axis2.xml:
      <transportReceiver name="http" class="org.apache.axis2.transport.http.SimpleHTTPServer">
        <parameter name="port">8080</parameter>
    3. Change the section as follows:
      <transportReceiver name="https" class="org.apache.axis2.transport.http.SimpleHTTPServer">
        <parameter name="port">8443</parameter>
  8. Start the OneClick web server.
    For more information about Tomcat SSL configuration and the Connector parameters, see http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html.
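Several things can go wrong in the server.xml edit above without any obvious error until a client connects: the Connector is left inside the comment, <SPECROOT> is left in place (which makes the file unparseable), the keystore points outside custom/keystore (where an upgrade overwrites it), keystorePass stays at the Java default changeit, or SSL v3 is still offered. The script below is an added example, not CA Spectrum code; it audits a server.xml for those points and runs against three constructed fragments: the connector as shipped, a weak uncommented version, and a hardened one. The attribute names SSLEnabled and sslEnabledProtocols come from the Tomcat 7 SSL documentation the page links to, not from the page itself.

```python
"""Audit the SSL Connector in $SPECROOT/tomcat/conf/server.xml.

Added example; this is not CA Spectrum code.  SSLEnabled and
sslEnabledProtocols are Tomcat 7 connector attributes (from the Tomcat SSL
how-to), not attributes shown on the page.  The sample fragments are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: the connector as shipped, still inside the comment.
SHIPPED = """<Server><Service name="Catalina">
  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
  <!--
  <Connector port="443" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" keystoreFile="<SPECROOT>/custom/keystore/cacerts"
             keystorePass="changeit">
  </Connector>
  -->
</Service></Server>"""

# Constructed: uncommented and path replaced, but otherwise left at the defaults.
WEAK = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" sslEnabledProtocols="SSLv3,TLSv1"
             keystoreFile="/usr/SPECTRUM/custom/keystore/cacerts"
             keystorePass="changeit">
  </Connector>
</Service></Server>"""

# Constructed: what the connector should look like after the procedure.
CONFIGURED = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" clientAuth="false"
             SSLEnabled="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
             keystoreFile="/usr/SPECTRUM/custom/keystore/cacerts"
             keystorePass="not-the-default">
  </Connector>
</Service></Server>"""


def audit_server_xml(text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Tomcat never sees a Connector inside <!-- -->, so look for that on the raw text.
    for body in re.findall(r'<!--(.*?)-->', text, flags=re.S):
        if 'scheme="https"' in body:
            findings.append('https Connector is still commented out')
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # An unreplaced <SPECROOT> or an unquoted attribute value ends up here.
        findings.append(f'server.xml does not parse: {exc}')
        return findings
    connectors = [c for c in root.iter('Connector') if c.get('scheme') == 'https']
    if not connectors:
        findings.append('no active https Connector found')
        return findings
    for c in connectors:
        if c.get('SSLEnabled', 'false').lower() != 'true':
            findings.append('SSLEnabled is not "true"; Tomcat 7 does not use SSL on this connector without it')
        keystore = c.get('keystoreFile', '').replace('\\', '/')
        if '/custom/keystore/' not in keystore:
            findings.append(f'keystoreFile {keystore!r} is not under custom/keystore; an upgrade overwrites it')
        if c.get('keystorePass', 'changeit') == 'changeit':   # Tomcat's default when unset
            findings.append('keystorePass is the Java default "changeit"')
        protocols = c.get('sslEnabledProtocols', '')
        if c.get('sslProtocol', 'TLS').upper().startswith('SSL') or 'SSLV3' in protocols.upper():
            findings.append('SSL v3 is enabled; it is broken (POODLE) and deprecated by RFC 7568')
        if not protocols:
            findings.append('sslEnabledProtocols is unset; the JVM default decides which versions are offered')
    return findings


if __name__ == '__main__':
    import sys
    for label, text in (('shipped', SHIPPED), ('weak', WEAK), ('configured', CONFIGURED)):
        print(label, audit_server_xml(text) or ['OK'])
    if len(sys.argv) > 1:   # audit a real file: python audit.py $SPECROOT/tomcat/conf/server.xml
        with open(sys.argv[1], encoding='utf-8') as fh:
            print(sys.argv[1], audit_server_xml(fh.read()) or ['OK'])
```

The commented-out connector has to be detected on the raw text because the XML parser drops comments, which is exactly why Tomcat ignores it too; the parse-error branch is what you hit if <SPECROOT> is left in the keystoreFile value, since "<" is not allowed inside an attribute.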
Configure OneClick and Report Manager for Secure Sockets Layer
If you are running Report Manager and you have configured OneClick to use the Secure Sockets Layer (SSL) protocol to encrypt communications between OneClick clients and the OneClick web server, you must also configure OneClick to be launched from Report Manager using SSL.
Report Manager allows you to create reports on the inventory, performance, change history, and fault history of the network assets managed by CA Spectrum. For more information, see Report Manager.
Follow these steps:
  1. Enable write permissions on the following file:
    <$SPECROOT>\tomcat\webapps\spectrum\repmgr\js\repmgr.js
  2. Open the file that you modified in the previous step, and locate the launchOneClick function.
  3. Locate the following line in the launchOneClick function:
    url = "http://"+servername+contextApp+"/oneclick.jnlp";
  4. Change "http" to "https" as follows:
    url = "https://"+servername+contextApp+"/oneclick.jnlp";
  5. Save and close the file.
    This file is overwritten during an upgrade. Repeat this procedure after an upgrade.
You can launch OneClick in the context of a specific report (for example, in the context of a device that is listed in an asset report). However, this type of launch cannot be configured to use SSL.
Errors Connecting to the Secure OneClick Web Server from a OneClick Client Using SSL
Symptom:
I am encountering errors when I try to connect to the secure OneClick web server from a OneClick client using SSL.
Solution:
Verify the following:
  • The fully qualified domain name of the host on which the OneClick web server is running was specified as the common name (CN) of the certificate when you generated the key pair. At the prompt “What is your first and last name?”, you should have entered the fully qualified domain name, and clients must connect using that same name.
  • Both the Certificate Authority chain (root) certificate and the security certificate were imported into the cacerts file in the custom directory on the secure OneClick web server.
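Both causes listed above can be confirmed from the command line before involving a OneClick client. The script below is an added example, not CA Spectrum code. It opens a TLS connection with Python's ssl module, using the Certificate Authority chain file as the only trust anchor so that a missing chain certificate on the server fails the handshake (as it does for a client), and it compares the name the user typed with the names in the server certificate. The host name, port 8443 and chain file path are placeholders; the certificate dictionaries used in the checks are constructed.

```python
"""Check a secure OneClick web server for the two causes listed above.

Added example; this is not CA Spectrum code.  Host name, port and chain file
path are placeholders; the certificate dictionaries in the tests are constructed.
"""
import socket
import ssl


def cert_names(peercert: dict) -> list:
    """Return the DNS names a client will accept from an ssl getpeercert() dict.

    Per RFC 6125, subjectAltName dNSName entries are authoritative when present;
    the subject common name is consulted only when there are none.
    """
    sans = [value for kind, value in peercert.get('subjectAltName', ()) if kind == 'DNS']
    if sans:
        return sans
    return [value for rdn in peercert.get('subject', ())
            for key, value in rdn if key == 'commonName']


def name_matches(fqdn: str, names) -> bool:
    """Case-insensitive label match, allowing one wildcard in the left-most label only."""
    host = fqdn.rstrip('.').lower().split('.')
    for name in names:
        labels = name.rstrip('.').lower().split('.')
        if len(labels) == len(host) and all(
                a == b or (a == '*' and i == 0) for i, (a, b) in enumerate(zip(labels, host))):
            return True
    return False


def check_oneclick(fqdn: str, port: int = 8443, cafile: str = None) -> dict:
    """Connect as a client would and report protocol, certificate names and the name match."""
    ctx = ssl.create_default_context(cafile=cafile)   # cafile: the CA chain (root) PEM
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSL v3 and early TLS outright
    ctx.check_hostname = False   # chain is still verified; the name mismatch is reported below
    with socket.create_connection((fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            names = cert_names(tls.getpeercert())
            return {'protocol': tls.version(), 'names': names,
                    'hostname_ok': name_matches(fqdn, names)}


if __name__ == '__main__':
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else 'oneclick.example.com'   # placeholder
    chain = sys.argv[2] if len(sys.argv) > 2 else None                      # CA root PEM file
    try:
        result = check_oneclick(host, cafile=chain)
    except ssl.SSLCertVerificationError as exc:
        # The server did not present a chain the client trusts: the chain (root)
        # certificate was not imported into cacerts, or the wrong one was.
        sys.exit(f'certificate chain rejected: {exc.verify_message}')
    print(result)
    if not result['hostname_ok']:
        print(f'{host} is not among the certificate names {result["names"]}; '
              'the CN must be the fully qualified domain name that clients use')
```

A short host name such as oneclick never matches a certificate issued to oneclick.example.com, which is the first symptom above; a handshake that fails with a verification error before any certificate names are printed is the second.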
Errors Launching OneClick Client from Report Manager Using SSL
Symptom:
I am encountering errors when I launch a OneClick client from Report Manager using SSL.
Solution:
Verify that you have completed the configuration procedure described in Configure OneClick and Report Manager for Secure Sockets Layer.