Configure HTTPS in Admin Console or OC (Authority-Signed Certificate)

uim203
This article describes how to configure a Secure Sockets Layer (SSL) connection to access Operator Console or Admin Console using HTTPS. It provides instructions for setting up an authority-signed certificate.
We recommend that you consult your network security engineers and compliance specialists regarding your specific security requirements. In general, industry-standard security requirements mandate the use of SSL encryption for client/server communications on an untrusted network. This includes the following situations:
  • If users access Operator Console or Admin Console using a public network, such as the Internet
  • If sessions traverse an unsecured part of your network, such as wireless networks in meeting rooms or in public-access areas
  • If sessions traverse mobile networks
For high-security environments, we recommend using at least 2048-bit RSA keys. However, longer RSA keys significantly slow down encryption and decryption.
Prerequisites
Verify the following prerequisites before continuing:
  • You are an administrative user with access to Infrastructure Manager.
  • Your environment is configured to run keytool commands if you plan to use a certificate other than a 1024-bit self-signed certificate. This means that the $PATH system variable includes a path to java.exe and keytool.
  • Due to the security policies on some operating systems, you might have to run the keytool commands as an administrator. If running the keytool commands gives unexpected results on Windows systems, use the Run as Administrator option.
HTTPS Redirect and Admin Console
Admin Console does not support the use of an HTTPS redirect. You must access Admin Console directly using the https:// URL. You can also disable the HTTP port for Admin Console.
You can also change your wasp configuration using Admin Console. However, you are automatically logged out of Admin Console when wasp restarts.
Follow these steps:
  1. Use Remote Desktop to connect to the UIM or OC server.
  2. Open Infrastructure Manager.
  3. Navigate to the robot running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, select the http_port key, and click Delete Key.
Implement an Authority-Signed SSL Certificate
This section includes information about how to implement an authority-signed SSL certificate:
Entity, Intermediate, and Root Certificates
A number of certificate authorities issue intermediate, or chained, certificates. If your certificate authority issues chained certificates, you will typically receive the following certificate files:
  • An entity certificate
  • One or more intermediate certificates
  • A root certificate (might be included)
You must upload the entity certificate and any intermediate certificates your certificate authority provides. You might not need to upload a root certificate. This is because the UIM installation automatically installs a Java Runtime Environment (JRE) that includes the root certificates of many certificate authorities. However, your certificate authority may provide a new root certificate and advise that you upload it.
You can view the root certificates installed automatically with the JRE during the UIM installation.
Follow these steps:
  1. Open an administrator command prompt on the server running OC.
  2. Change directories as follows:
    cd <OC or UIM server_installation>/jre/<jre_version>/lib/security
  3. Issue the following command:
    <OC or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore cacerts
    The system prompts you to enter the keystore password. After you enter a valid password, the system displays the default root certificates in the cacerts file.
Modify wasp to Use HTTPS
If you are configuring HTTPS for Operator Console, modify the wasp probe on the OC server. If you are configuring HTTPS for Admin Console, modify the wasp probe on the UIM server.
Regardless of the certificate you want to implement, the first required step is to modify the wasp.cfg file to enable HTTPS. When this change takes effect, the following occurs:
  • The wasp.keystore file, an encrypted file that stores certificates, is generated in the directory <OC or UIM server installation>/UIM/probes/service/wasp/conf
  • A 1024-bit self-signed certificate is automatically generated in wasp.keystore
You must replace the automatically generated 1024-bit self-signed certificate with the certificate that you want to use.
Follow these steps:
  1. Use Remote Desktop to connect to the UIM server.
  2. Open Infrastructure Manager.
  3. Navigate to the server running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, locate the https_port key, and click Edit Key to specify a port. If necessary, click New Key and enter https_port.
    The maximum port value you can set is 65535.
  6. Edit the https_max_threads key to configure the number of concurrent HTTPS requests. The default value is 500.
    After the wasp probe restarts, wasp is configured to use an HTTPS connection, and the wasp.keystore file is generated. This file is located in <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.
(Optional) Change the HTTPS Ciphers
If necessary, you can customize the list of ciphers that are used by the wasp probe.
Follow these steps:
  1. Navigate to the system where wasp is installed.
  2. Navigate to the wasp.cfg file located in the following location:
    <OC or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  3. Open the wasp.cfg file in a text editor.
  4. Locate the https_ciphers key. By default, the https_ciphers key lists several values.
  5. Change the https_ciphers key to use the desired ciphers. Refer to the SSL documentation for a list of available cipher suites.
  6. Restart the wasp probe.
Reinitialize wasp.keystore
Only perform the following steps if you are not using a 1024-bit self-signed certificate, and at least one of the following statements is true:
  • You do not know the password of wasp.keystore.
  • This is the first time that you are configuring Operator Console to use HTTPS.
If neither of the above statements is true, review the section Wasp and the ssl_reinitialize_keystore Callback before continuing.
You must configure the associated wasp probes for Admin Console and Operator Console to fully configure HTTPS. The wasp probe is an embedded web server running as a probe.
If you are running the UIM and OC servers on the same system, there is only one wasp probe that must be configured to enable HTTPS on both Admin Console and Operator Console.
In addition, you must enter a valid password for wasp.keystore. However, wasp.keystore has a hard-coded, unknown password. Therefore, the first time you configure wasp for HTTPS, it is recommended that you execute the ssl_reinitialize_keystore callback and set a new password.
The ssl_reinitialize_keystore callback re-creates wasp.keystore and its password hash. When you run this callback, enter a new password as an argument, and then securely store the new password for future use. If you lose or forget this password, the only way to reset it is to reinitialize wasp.keystore again.
Use caution with the ssl_reinitialize_keystore callback. This callback changes the encryption hash of wasp.keystore, and will invalidate any certificates you are currently using. For this reason, it is strongly recommended that you back up individual key and certificate files, so that if you have to reinitialize the keystore, you can reload the keys and certificates into the new keystore.
In addition, do not use the keytool utility to change the password of wasp.keystore, as wasp will not recognize the new password. Currently, the only way to change the password of wasp.keystore is to use the ssl_reinitialize_keystore callback.
Follow these steps:
  1. Open Infrastructure Manager.
  2. Navigate to the server running the wasp probe.
  3. Click on the wasp probe to highlight it.
  4. Press Ctrl+P to open the probe utility.
  5. In the drop-down list under Probe commandset, select ssl_reinitialize_keystore.
  6. Enter a new password as an argument.
    Use a password that is at least six characters long. The wasp probe utility will not prevent you from using a shorter password, but you will be unable to make changes to the wasp.keystore file as described later.
  7. Click the green play button to run the callback.
    The Command status bar displays the text OK.
  8. Securely record the password you set for future use.
Generate a Public and Private Key Pair
Follow these steps:
  1. Open an administrator command prompt on the server running wasp.
    Run the following keytool commands in the same directory as the wasp.keystore file, typically <OC or UIM server_installation>/probes/service/wasp/conf. The keytool utility is located in the directory where the JRE resides, typically <OC or UIM server_installation>/jre/<jre_version>/bin/keytool.
  2. Set the JAVA_HOME environment variable as follows:
    <OC or UIM server_installation>/jre/<jre_version>/bin/
  3. Verify that you have a valid password for the wasp.keystore file:
    <OC or UIM server_installation>Nimsoft/probes/service/wasp/conf> keytool -list -keystore wasp.keystore
    You will receive a confirmation message, 'Your keystore contains 1 entry.'
  4. Delete the automatically generated private key:
    <OC or UIM server_installation>Nimsoft/probes/service/wasp/conf> keytool -delete -alias wasp -keystore wasp.keystore
  5. Verify that the key was deleted:
    <OC or UIM server_installation>Nimsoft/probes/service/wasp/conf> keytool -list -keystore wasp.keystore
    You will receive a confirmation message, 'Your keystore contains 0 entries.'
  6. Generate the public and private key pair with the key size you require:
    <OC or UIM server_installation>Nimsoft/probes/service/wasp/conf> keytool -genkeypair -alias wasp -keyalg RSA -keysize <key_size> -keystore wasp.keystore -validity <days_cert_is_valid>
  7. When prompted for your first and last name, enter the FQDN.
  8. When prompted, provide entries for the following fields:
    • Organizational unit
    • Organization
    • City or Locality
    • State or Province
    • Two-letter country code
    You are prompted to confirm that the information you entered is correct.
Record Certificate Information
Follow these steps:
  1. Securely record the new password that you set for the wasp.keystore file.
  2. Ensure that you record the validity period you set for the certificate.
  3. Back up the certificate files to a secure location.
Generate and Submit a CSR
For a wildcard certificate, enter <your_domain>.csr as the last argument in this command.
Follow these steps:
  1. Generate a Certificate Signing Request (CSR):
    <OC or UIM server_installation>/jre/<jre_version>/bin/keytool -certreq -alias wasp -validity <days_cert_is_valid> -keystore <OC or UIM server_installation>Nimsoft/probes/service/wasp/conf/wasp.keystore -file <your_domain>.csr
    The CSR is built with the public keys that are generated by using the RSA key algorithm. Therefore, the certificates from the certificate authority must be built with the key encipherment ("Allows key exchange only with key encryption") encryption option.
  2. (Optional) Create a backup copy of the wasp.keystore. This is not a required step, but it is strongly recommended. In the event you encounter a problem later in this procedure, a backup copy of the wasp.keystore file will save you from having to repeat previous steps.
  3. Submit the CSR to the certificate authority:
    1. Paste the CSR into the web form of the certificate authority.
    2. Remove any characters before ----BEGIN CERTIFICATE REQUEST and after END CERTIFICATE REQUEST----.
Import the Certificates
All keystore entries must use a unique alias. You must use the alias wasp for the signed, or entity certificate. If your certificate authority provides multiple intermediate certificates, each intermediate certificate must also use a unique alias.
Follow these steps:
  1. Open an administrator command prompt on the server running OC.
    Run the following keytool commands in the same directory as the wasp.keystore file, typically <OC or UIM server_installation>/probes/service/wasp/conf. The keytool utility is located in the directory where the JRE resides, typically <OC or UIM server_installation>/jre/<jre_version>/bin/keytool.
  2. If your certificate authority provided a root certificate, import the root certificate:
    <OC or UIM server_installation>/jre/<jre_version>/bin/keytool -import -trustcacerts -alias <root_certificate> -file <root_certificate>.cer -keystore <OC or UIM server_installation>Nimsoft/probes/service/wasp/conf/wasp.keystore
  3. Import the intermediate certificate:
    <OC or UIM server_installation>/jre/<jre_version>/bin/keytool -import -trustcacerts -alias <first_intermediate_certificate> -file <first_intermediate_certificate>.cer -keystore <OC or UIM server_installation>Nimsoft/probes/service/wasp/conf/wasp.keystore
  4. Repeat the previous step as needed for additional intermediate certificates.
  5. Import the signed certificate. This is the entity certificate if you received a chained certificate:
    <OC or UIM server_installation>/jre/<jre_version>/bin/keytool -import -trustcacerts -alias wasp -file <your_domain>.crt -keystore <OC or UIM server_installation>Nimsoft/probes/service/wasp/conf/wasp.keystore
  6. Click yes at the prompt Existing entry alias wasp exists, overwrite?
  7. Issue the following command to verify that the wasp.keystore file was updated:
    <OC or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore <OC or UIM server_installation>Nimsoft/probes/service/wasp/conf/wasp.keystore
  8. Restart the wasp probe.
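Step 7 only lists the keystore; what a practitioner actually wants to confirm after the chained import is that the wasp alias is a private-key entry carrying the intermediate(s) in its chain, that the key meets the size recommended earlier, and that the validity period is not about to run out. The following added example (not part of the original article) parses a constructed sample modelled on keytool -list -v output and runs those checks; the listing layout, the oc.example.com names and the dates are all assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample modelled on 'keytool -list -v -keystore wasp.keystore' output
# after the chained import above; it is not captured from a real installation.
SAMPLE_LISTING = """\
Alias name: wasp
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=oc.example.com, OU=IT, O=Example Corp, L=Springfield, ST=IL, C=US
Issuer: CN=Example Intermediate CA, O=Example Trust, C=US
Valid from: Fri Mar 01 00:00:00 UTC 2024 until: Sat Mar 01 00:00:00 UTC 2025
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example Trust, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Sun Jan 01 00:00:00 UTC 2034
Subject Public Key Algorithm: 4096-bit RSA key

Alias name: intermediate
Entry type: trustedCertEntry
Subject Public Key Algorithm: 4096-bit RSA key
"""

def parse_entries(listing):
    """Split keytool -list -v output into {alias: fields}; only the first (entity) certificate of a chain is read."""
    entries = {}
    for block in re.split(r"^Alias name: ", listing, flags=re.M)[1:]:
        alias, _, body = block.partition("\n")
        etype = re.search(r"^Entry type: (\S+)", body, re.M)
        chain = re.search(r"^Certificate chain length: (\d+)", body, re.M)
        # Skip the time-zone token so strptime does not depend on the local zone.
        until = re.search(r"until: (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})", body)
        bits = re.search(r"^Subject Public Key Algorithm: (\d+)-bit", body, re.M)
        entries[alias.strip()] = {
            "type": etype.group(1) if etype else None,
            "chain_length": int(chain.group(1)) if chain else 1,
            "not_after": datetime.strptime(" ".join(until.groups()), "%a %b %d %H:%M:%S %Y") if until else None,
            "key_bits": int(bits.group(1)) if bits else None,
        }
    return entries

def check_wasp_entry(entries, today, min_bits=2048, min_days=30):
    """Findings for the wasp alias after the import; 'today' is YYYY-MM-DD so the check is reproducible."""
    wasp = entries.get("wasp")
    if wasp is None:
        return ["no entry with alias wasp"]
    findings = []
    if wasp["type"] != "PrivateKeyEntry":
        findings.append("alias wasp is %s, not PrivateKeyEntry" % wasp["type"])
    if wasp["chain_length"] < 2:
        findings.append("chain length %d: intermediate certificate(s) not attached" % wasp["chain_length"])
    if wasp["key_bits"] is None or wasp["key_bits"] < min_bits:
        findings.append("RSA key is %s bits, below %d" % (wasp["key_bits"], min_bits))
    if wasp["not_after"] is None:
        findings.append("no validity period found")
    elif (wasp["not_after"] - datetime.strptime(today, "%Y-%m-%d")).days < min_days:
        findings.append("certificate expires in %d days" % (wasp["not_after"] - datetime.strptime(today, "%Y-%m-%d")).days)
    return findings
```

On a real server, feed the function the output of the keytool -list -v command from step 7 instead of the constructed sample.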
Test the HTTPS Connection
Self-signed certificates can cause some browser errors or notifications, such as "Your connection is not private" or "The identity of this website has not been verified." These are normal messages and can be prevented by importing the certificate to the browser (though not all browsers allow this). To avoid these messages altogether, you must use a certificate from a certificate authority.
Follow these steps:
  1. Open a supported Web browser.
  2. Enter https:// followed by the URL for Operator Console or Admin Console.
The login page appears if wasp configuration was successfully modified to use HTTPS.
Note: You can click the lock icon to the left of the URL in the browser address window to view information about the connection.
(Operator Console Only) Set Automatic HTTP to HTTPS Redirect
You can set the automatic HTTP to HTTPS redirect by following this procedure.
Follow these steps:
  1. Search for the WEB-INF/web.xml files in the <OC or UIM server_installation>/Nimsoft/probes/service/wasp/webapps/ folder, and open the files for editing.
  2. Locate the following content:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>un restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
  3. Replace <transport-guarantee>NONE</transport-guarantee> with <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
  4. Save the web.xml files.
  5. Open the following file for editing:
    <OC or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  6. Add the following lines before </setup>:
    <http_connector>
    redirectPort=<desired port>
    </http_connector>
    where <desired port> matches the https_port key defined in the Modify wasp to Use HTTPS subsection. Ensure that you include the redirect code within the <setup> section.
  7. Save the wasp.cfg file.
  8. Restart the wasp probe.
Dual mode (that is, both HTTP and HTTPS) is not allowed. Administrators can configure HTTP-only, HTTPS-only, or HTTP to HTTPS redirect.
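The https_port key from Modify wasp to Use HTTPS, the http_connector redirect above, the Admin Console restriction on redirects, and the dual-mode rule are all checkable from wasp.cfg itself. The following added example (not code from the original article or the product) parses the section/key=value layout of wasp.cfg into nested dictionaries and reports deviations from the procedure; the sample fragment is constructed, and the parser assumes each section tag and each key sits on its own line.

```python
import re

# Constructed sample wasp.cfg fragment (not from a real installation): the setup
# section with https_port and the http_connector redirect, plus the nested webapps
# section that carries the Expect-CT-Header key.
SAMPLE_WASP_CFG = """\
<setup>
   https_port = 8443
   <http_connector>
      redirectPort=8443
   </http_connector>
</setup>
<webapps>
   <adminconsole>
      Expect-CT-Header = enforce, max-age=300
   </adminconsole>
</webapps>
"""
SECTION_OPEN = re.compile(r"^\s*<([^/>\s]+)>\s*$")
SECTION_CLOSE = re.compile(r"^\s*</[^>\s]+>\s*$")
KEY_VALUE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")

def parse_cfg(text):
    """Parse the <section>...</section> / key = value layout of wasp.cfg into nested dicts."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_OPEN.match(line)
        if m:                       # open a nested section
            stack[-1][m.group(1)] = child = {}
            stack.append(child)
        elif SECTION_CLOSE.match(line):
            if len(stack) == 1:
                raise ValueError("unbalanced section close: " + line.strip())
            stack.pop()
        else:                       # key = value (the value may itself contain '=')
            m = KEY_VALUE.match(line)
            if not m:
                raise ValueError("unparsable line: " + line.strip())
            stack[-1][m.group(1)] = m.group(2)
    return root

def check_https_setup(cfg, admin_console=False):
    """Return findings for the setup section; an empty list means it matches the procedure."""
    findings = []
    setup = cfg.get("setup", {})
    port = setup.get("https_port")
    if not (isinstance(port, str) and port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("https_port missing or outside 1-65535")
    connector = setup.get("http_connector")
    redirect = connector.get("redirectPort") if isinstance(connector, dict) else None
    if redirect is not None and redirect != port:
        findings.append("redirectPort %s does not match https_port %s" % (redirect, port))
    if admin_console and redirect is not None:
        findings.append("Admin Console does not support the HTTP to HTTPS redirect")
    if "http_port" in setup and redirect is None:
        findings.append("http_port and https_port both set without a redirect (dual mode)")
    return findings
```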
Set/Enable Secure Flag for Cookie
You can set or enable a secure flag for cookies in Admin Console and OC:
Set/Enable Secure Flag for Cookie in Admin Console
This procedure sets the secure flag for the session cookie in Admin Console.
Follow these steps:
  1. Open the following file for editing:
    <UIM server_installation>/Nimsoft/probes/service/wasp/webapps/adminconsoleapp/WEB-INF/web.xml
  2. Uncomment the <secure> tag:
    <session-config>
      <session-timeout>1</session-timeout>
      <cookie-config>
        <http-only>true</http-only>
        <!--<secure>true</secure>-->
      </cookie-config>
    </session-config>
Set/Enable Secure Flag for Cookie in Operator Console
This procedure sets the secure flag for the session cookie in Operator Console.
Follow these steps:
  1. Open the following file for editing:
    <OC>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/web.xml
  2. Uncomment the <secure> tag:
    <session-config>
      <session-timeout>1</session-timeout>
      <cookie-config>
        <http-only>true</http-only>
        <!--<secure>true</secure>-->
      </cookie-config>
    </session-config>
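Both web.xml edits on this page (transport-guarantee CONFIDENTIAL for the redirect, and the uncommented <secure> flag here) are easy to get wrong across several webapps, and a commented-out <secure> element is invisible to an XML parser, so a quick audit is worth having. The following added example (not part of the original article) checks a constructed web.xml fragment for both settings and applies the two edits; the fragment and its xmlns are assumptions, not the shipped file.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not copied from a shipped webapp) in the state the
# procedures above start from: transport-guarantee NONE and <secure> commented out.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>unrestricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <session-config>
    <session-timeout>1</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <!--<secure>true</secure>-->
    </cookie-config>
  </session-config>
</web-app>
"""

def local(tag):
    """Drop the {namespace} prefix ElementTree adds when web.xml declares a default xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(text):
    """Return findings for the redirect and cookie settings; an empty list means both are hardened."""
    root = ET.fromstring(text)
    findings = []
    guarantees = [e.text.strip() for e in root.iter() if local(e.tag) == "transport-guarantee" and e.text]
    if not guarantees:
        findings.append("no transport-guarantee: HTTP requests will not be redirected")
    for g in guarantees:
        if g != "CONFIDENTIAL":
            findings.append("transport-guarantee is %s, expected CONFIDENTIAL" % g)
    cookie_cfgs = [e for e in root.iter() if local(e.tag) == "cookie-config"]
    if not cookie_cfgs:
        findings.append("no cookie-config: session cookie flags are container defaults")
    for cc in cookie_cfgs:
        flags = {local(c.tag): (c.text or "").strip() for c in cc}
        # ElementTree discards XML comments, so a commented-out <secure> is simply absent here.
        if flags.get("secure") != "true":
            findings.append("session cookie is not marked Secure (tag missing or commented out)")
        if flags.get("http-only") != "true":
            findings.append("session cookie is not marked HttpOnly")
    return findings

def harden_web_xml(text):
    """Apply the two textual edits from the procedures and return the new file contents."""
    text = text.replace("<transport-guarantee>NONE</transport-guarantee>",
                        "<transport-guarantee>CONFIDENTIAL</transport-guarantee>")
    return text.replace("<!--<secure>true</secure>-->", "<secure>true</secure>")
```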
Update Expect-CT Header Values
You can update Expect-CT-Header values in Admin Console and OC:
Update Expect-CT Header Values in Admin Console
By default, Expect-CT is set to “enforce, max-age=300”. Use the following procedure to change the values or to add a report-uri.
Follow these steps:
  1. Navigate to the
    wasp.cfg
    file located in the following location:
    <UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  2. Open the
    wasp.cfg
    file in a text editor.
  3. In the webapps\adminconsole section, add or edit the Expect-CT-Header property, as shown below:
    Expect-CT-Header = enforce, max-age=300
  4. Restart the wasp.
Update Expect-CT Header Values in Operator Console
By default, Expect-CT is set to “enforce, max-age=300”. Use the following procedure to change the values or to add a report-uri in the Operator Console.
Follow these steps:
  1. Navigate to the
    wasp.cfg
    file located in the following location:
    <OC server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  2. Open the
    wasp.cfg
    file in a text editor.
  3. In the webapps\operatorconsole_portlet\custom\uncrypted section, add or edit the Expect-CT-Header property, as shown below:
    Expect-CT-Header = enforce, max-age=300
  4. Restart the wasp.
(Optional) Access CABI Server
Additional configuration is required if you are using the CABI for UIM dashboards. For more information, see the (Optional) Access CABI Server with HTTPS section in CA Business Intelligence with CA UIM.
UIM 20.3.3 has removed dependency on CA Business Intelligence (CABI) for rendering the native OC screens: Home page, Group view page, Device view page, and Monitoring Technologies (probes) view page. Custom and Out-of-the-Box dashboards and reports are still rendered by using CABI; that is, they have a dependency on CABI. However, the native OC screens are no longer dependent on CABI (Jaspersoft) and are rendered by using HTML5. For more information about the native OC screens using HTML5, see the Configuring and Viewing Monitoring Data article or the "Removing CABI Dependency (Native Operator Console)" section in the UIM 20.3.3 article.