Configure HTTPS in Admin Console or OC (Self-Signed Certificate)

uim203
This article describes how to configure a Secure Sockets Layer (SSL) connection to access Operator Console or Admin Console using HTTPS. It provides instructions for setting up a self-signed certificate.
We recommend that you consult your network security engineers and compliance specialists regarding your specific security requirements. In general, industry-standard security requirements mandate the use of SSL encryption for client/server communications on an untrusted network. This includes the following situations:
  • If users access Operator Console or Admin Console using a public network, such as the Internet
  • If sessions traverse an unsecured part of your network, such as wireless networks in meeting rooms or in public-access areas
  • If sessions traverse mobile networks
For high-security environments, we recommend RSA keys of at least 2048 bits. However, longer RSA keys significantly affect the speed of encryption and decryption.
Prerequisites
Verify the following prerequisites before continuing:
  • You are an administrative user with access to Infrastructure Manager.
  • Your environment is configured to run keytool commands if you plan to use a certificate other than a 1024-bit self-signed certificate. This means that the $PATH system variable includes a path to java.exe and keytool.
  • Due to the security policies on some operating systems, you might have to run the keytool commands as an administrator. If running the keytool commands gives unexpected results on Windows systems, use the Run as Administrator option.
HTTPS Redirect and Admin Console
Admin Console does not support the use of an HTTPS redirect. You must access Admin Console directly using the https:// URL. You can also disable the HTTP port for Admin Console.
You can also change your wasp configuration using Admin Console. However, you are automatically logged out of Admin Console when wasp restarts.
Follow these steps:
  1. Use Remote Desktop to connect to the UIM or OC server.
  2. Open Infrastructure Manager.
  3. Navigate to the robot running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, select the http_port key, and click Delete Key.
Implement Self-Signed SSL Certificate
This section provides instructions for configuring Operator Console to use a self-signed SSL certificate. This section includes separate procedures for 1024-bit and 2048-bit self-signed SSL certificates:
Upgrade Pre-Existing Self-Signed Certificates to Java 1.8
The Java version was updated to Java 1.8 starting with CA UIM version 8.5.1. You must upgrade any self-signed certificates generated by CA UIM from previous CA UIM versions. If you do not upgrade the pre-existing certificates, HTTPS connections to Admin Console or OC will not work due to the change in security encryption levels in Java 1.8.
Follow these steps:
  1. Repeat the following steps for each instance of wasp that you configured for HTTPS.
  2. On the robot with wasp, navigate to the wasp.keystore file in <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.
  3. Delete the wasp.keystore file.
  4. Restart wasp on the robot. The wasp.keystore file is regenerated according to the SHA256 algorithm standard.
  5. Verify that you can reestablish browser connectivity to the system. Accept any prompts to accept the new self-signed certificate in your browser.
Implement a 1024-Bit Self-Signed SSL Certificate
This section provides instructions for configuring Operator Console to use a 1024-bit self-signed SSL certificate:
Modify wasp to Use HTTPS
If you are configuring HTTPS for OC, modify the wasp probe on the OC server. If you are configuring HTTPS for Admin Console, modify the wasp probe on the UIM server.
Regardless of the certificate you want to implement, the first required step is to modify the wasp.cfg file to enable HTTPS. When this change takes effect, the following actions occur:
  • The wasp.keystore file, an encrypted file that stores certificates, is generated in the directory <OC or UIM server installation>/UIM/probes/service/wasp/conf
  • A 1024-bit self-signed certificate is automatically generated in wasp.keystore
Follow these steps:
  1. Use Remote Desktop to connect to the UIM or OC server.
  2. Open Infrastructure Manager.
  3. Navigate to the robot running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, locate the https_port key, and click Edit Key to specify a port. If necessary, click New Key and enter https_port.
    The maximum port value that you can set is 65535.
  6. Edit the https_max_threads key to configure the number of concurrent HTTPS requests. The default value is 500.
  7. Restart the wasp probe.
    After the wasp probe restarts, wasp is configured to use an HTTPS connection, and the wasp.keystore file is generated. This file is located in <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.
(Optional) Change the HTTPS Ciphers
If necessary, you can customize the list of ciphers that are used by the wasp probe.
Follow these steps:
  1. Navigate to the system where wasp is installed.
  2. Navigate to the wasp.cfg file located in the following location:
    <OC or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  3. Open the wasp.cfg file in a text editor.
  4. Locate the https_ciphers key. By default, the https_ciphers key lists several values.
  5. Change the https_ciphers key to use the desired ciphers. Refer to the SSL documentation for a list of available cipher suites.
  6. Restart the wasp probe.
Test the HTTPS Connection
Self-signed certificates can cause some browser errors or notifications, such as "Your connection is not private" or "The identity of this website has not been verified." These are normal messages and can be prevented by importing the certificate to the browser (though not all browsers allow this). To avoid these messages altogether, you must use a certificate from a certificate authority.
Follow these steps:
  1. Open a supported Web browser.
  2. Enter https://<Operator Console or Admin Console hostname>:<port> followed by the URL for OC or Admin Console.
The login page appears if wasp configuration was successfully modified to use HTTPS.
You can click the lock icon to the left of the URL in the browser address window to view information about the connection.
(Operator Console Only) Set Automatic HTTP to HTTPS Redirect
You can set the automatic HTTP to HTTPS redirect by following this procedure.
Follow these steps:
  1. Search for the WEB-INF/web.xml files in the <OC or UIM server_installation>/Nimsoft/probes/service/wasp/webapps/ folder, and open the files for editing.
  2. Locate the following content:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>un restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
  3. Replace <transport-guarantee>NONE</transport-guarantee> with <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
  4. Save the web.xml files.
  5. Open the following file for editing:
    <OC or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  6. Add the following lines before </setup>:
    <http_connector>
      redirectPort=<desired port>
    </http_connector>
    where <desired port> matches the https_port key defined in the Modify wasp to Use HTTPS subsection. Ensure that you include the redirect code within the <setup> section.
  7. Save the wasp.cfg file.
  8. Restart the wasp probe.
Dual mode (that is, both HTTP and HTTPS) is not allowed. Administrators can configure HTTP-only, HTTPS-only, or HTTP to HTTPS redirect.
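The listener modes described above (HTTP-only, HTTPS-only, HTTP to HTTPS redirect, and the disallowed dual mode) all come down to three wasp.cfg keys: https_port, http_port and the redirectPort inside <http_connector>. The following script is an added example, not part of the CA UIM documentation or the wasp probe: it reads those keys (and https_ciphers) from a wasp.cfg and reports which mode the probe will run in. It assumes the cfg layout shown in the fragments on this page ("key = value" lines inside <section> ... </section>) and that each key occurs once; the sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the CA UIM documentation: read the listener keys the
# page discusses (https_port, http_port, <http_connector> redirectPort and
# https_ciphers) out of a wasp.cfg and classify the mode the probe will run in.
# The cfg layout ("key = value" lines inside <section> ... </section>) is
# assumed from the fragments on the page, and each key is assumed to occur once.
set -eu

# Print the value of key $2 in cfg file $1; prints nothing when it is absent.
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Print one of: https-only, http-only, redirect, redirect-mismatch, dual, none.
# "dual" (HTTP and HTTPS both listening, no redirect) is the mode the page says
# is not allowed; "redirect-mismatch" means redirectPort differs from https_port.
wasp_listener_mode() {
    https=$(cfg_value "$1" https_port)
    http=$(cfg_value "$1" http_port)
    redirect=$(cfg_value "$1" redirectPort)
    if [ -n "$https" ] && [ -n "$http" ]; then
        if [ -z "$redirect" ]; then
            echo dual
        elif [ "$redirect" = "$https" ]; then
            echo redirect
        else
            echo redirect-mismatch
        fi
    elif [ -n "$https" ]; then
        echo https-only
    elif [ -n "$http" ]; then
        echo http-only
    else
        echo none
    fi
}

# Print the entries of https_ciphers (assumed comma-separated Java suite names)
# that a reviewer would reject; prints nothing when the list is clean.
weak_https_ciphers() {
    cfg_value "$1" https_ciphers | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -E 'NULL|RC4|_DES_|3DES|EXPORT|MD5|anon' || true
}

# Constructed sample configurations written into directory $1 (not real files).
write_sample_cfgs() {
    cat > "$1/redirect.cfg" <<'EOF'
<setup>
   http_port = 80
   https_port = 8443
   https_max_threads = 500
   https_ciphers = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA
   <http_connector>
      redirectPort=8443
   </http_connector>
</setup>
EOF
    cat > "$1/dual.cfg" <<'EOF'
<setup>
   http_port = 80
   https_port = 8443
</setup>
EOF
    cat > "$1/https_only.cfg" <<'EOF'
<setup>
   https_port = 8443
   https_ciphers = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
</setup>
EOF
}

work=$(mktemp -d)
write_sample_cfgs "$work"
for cfg in "$work"/*.cfg; do
    printf '%s: mode=%s weak-ciphers=%s\n' "$(basename "$cfg")" \
        "$(wasp_listener_mode "$cfg")" "$(weak_https_ciphers "$cfg" | tr '\n' ' ')"
done
rm -rf "$work"
```

Run it against a real file with `wasp_listener_mode /path/to/wasp.cfg` after sourcing the functions; a result of dual or redirect-mismatch means the http_port, https_port and redirectPort keys disagree with the procedure above, and any output from weak_https_ciphers is a candidate for removal in the (Optional) Change the HTTPS Ciphers step.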
Implement a 2048-Bit Self-Signed SSL Certificate
This section provides instructions for configuring Operator Console to use a 2048-bit self-signed SSL certificate:
Download OpenSSL for Windows
To begin the process, you must have a copy of OpenSSL on the system.
Follow these steps:
  1. Use Remote Desktop to connect to the system server.
    If you are configuring SSL for OC, modify the wasp probe on the OC server. If you are configuring SSL for Admin Console, modify the wasp probe on the UIM server.
  2. Run the executable to install the package.
Modify wasp to Use HTTPS
If you are configuring HTTPS for Operator Console, modify the wasp probe on the OC server. If you are configuring HTTPS for Admin Console, modify the wasp probe on the UIM server.
Regardless of the certificate you want to implement, the first required step is to modify the wasp.cfg file to enable HTTPS. When this change takes effect, the following occurs:
  • The wasp.keystore file, an encrypted file that stores certificates, is generated in the directory <OC or UIM server installation>/UIM/probes/service/wasp/conf
  • A 1024-bit self-signed certificate is automatically generated in wasp.keystore
You must replace the automatically generated 1024-bit self-signed certificate with the certificate that you want to use.
Follow these steps:
  1. Use Remote Desktop to connect to the UIM server.
  2. Open Infrastructure Manager.
  3. Navigate to the server running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, locate the https_port key, and click Edit Key to specify a port. If necessary, click New Key and enter https_port.
    The maximum port value that you can set is 65535.
  6. Edit the https_max_threads key to configure the number of concurrent HTTPS requests. The default value is 500.
  7. Restart the wasp probe.
    After the wasp probe restarts, wasp is configured to use an HTTPS connection, and the wasp.keystore file is generated. This file is located in <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.
(Optional) Change the HTTPS Ciphers
If necessary, you can customize the list of ciphers that are used by the wasp probe.
Follow these steps:
  1. Navigate to the system where wasp is installed.
  2. Navigate to the wasp.cfg file located in the following location:
    <OC or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  3. Open the wasp.cfg file in a text editor.
  4. Locate the https_ciphers key. By default, the https_ciphers key lists several values.
  5. Change the https_ciphers key to use the desired ciphers. Refer to the SSL documentation for a list of available cipher suites.
  6. Restart the wasp probe.
Reinitialize wasp.keystore
The wasp probe is an embedded web server running as a probe. Modifying the wasp probe to use HTTPS creates the wasp.keystore file. To use SSL, you must regenerate this file. To regenerate the file, you must:
  1. Locate and delete the existing file from the fileset.
  2. Run a probe utility command to reinitialize the file.
Only perform the following steps if you are NOT using a 1024-bit self-signed certificate, and at least one of the following statements is true:
  • You do not know the password of wasp.keystore.
  • This is the first time that you are configuring OC to use HTTPS.
You must configure the associated wasp probes for Admin Console and OC servers to fully configure HTTPS. If you are running the UIM and OC servers on the same system, there is only one wasp probe that must be configured to enable HTTPS on both Admin Console and Operator Console.
In addition, you must enter a valid password for wasp.keystore. However, wasp.keystore has a hard-coded, unknown password. Therefore, the first time you configure wasp for HTTPS, it is recommended that you execute the ssl_reinitialize_keystore callback and set a new password.
The ssl_reinitialize_keystore callback re-creates wasp.keystore and its password hash. When you run this callback, enter a new password as an argument, and then securely store the new password for future use. If you lose or forget this password, the only way to reset it is to reinitialize wasp.keystore again.
Use caution with the ssl_reinitialize_keystore callback. This callback changes the encryption hash of wasp.keystore, and will invalidate any certificates you are currently using. For this reason, it is strongly recommended that you back up individual key and certificate files, so that if you have to reinitialize the keystore, you can reload the keys and certificates into the new keystore.
In addition, do not use the keytool utility to change the password of wasp.keystore, as wasp will not recognize the new password. Currently, the only way to change the password of wasp.keystore is to use the ssl_reinitialize_keystore callback.
Follow these steps:
  1. Use Remote Desktop to connect to the appropriate server.
  2. Open Infrastructure Manager.
  3. Navigate to the robot running the wasp probe.
  4. Open the actions menu for the probe and select 'Deactivate'.
  5. In the fileset, navigate to /Nimsoft/probes/service/wasp/conf and delete the file wasp.keystore.
  6. In Infrastructure Manager, open the actions menu and select 'Restart'.
  7. In Infrastructure Manager, click on the wasp probe to highlight it.
  8. Press Ctrl+P to open the probe utility.
  9. In the drop-down list under Probe commandset, select ssl_reinitialize_keystore.
  10. Enter a new password as an argument.
    Use a password that is at least six characters long. The wasp probe utility will not prevent you from using a shorter password, but you will be unable to make changes to the wasp.keystore file as described later.
  11. Click the green Execute button to run the callback. The Command status bar displays the text OK.
  12. Securely record the password that you set for future use.
Generate a Public and Private Key Pair
To generate a new certificate, you must delete the existing 1024-bit certificate, create a public and private key pair, and create a new certificate. Enter keytool commands at a command prompt in the same directory as the wasp.keystore file, typically <OC or UIM server_installation>/Nimsoft/probes/service/wasp/conf. The keytool utility is located in the directory where the JRE resides, typically <OC or UIM server_installation>/jre/<jre_version>/bin/keytool.
Follow these steps:
  1. Open an administrator command prompt on the server running wasp and navigate to the wasp configuration directory.
  2. Set the JAVA_HOME environment variable as follows:
    <OC or UIM server_installation>/jre/<jre_version>/bin/
  3. Verify that you have a valid password for the wasp.keystore file:
    <OC or UIM server_installation>/Nimsoft/probes/service/wasp/conf> keytool -list -keystore wasp.keystore
    You will receive a confirmation message, 'Your keystore contains 1 entry.'
  4. Delete the current 1024-bit certificate:
    <OC or UIM server_installation>/Nimsoft/probes/service/wasp/conf> keytool -delete -alias wasp -keystore wasp.keystore
  5. Verify that the key was deleted:
    <OC or UIM server_installation>/Nimsoft/probes/service/wasp/conf> keytool -list -keystore wasp.keystore
    You will receive a confirmation message, 'Your keystore contains 0 entries.'
  6. Generate the public and private key pair with the key size you require. The validity period is set in calendar days: for example, 365 represents one calendar year.
    <OC or UIM server_installation>/Nimsoft/probes/service/wasp/conf> keytool -genkeypair -alias wasp -keyalg RSA -keysize 2048 -keystore wasp.keystore -validity <days_cert_is_valid>
  7. When prompted for your first and last name, enter the FQDN.
  8. When prompted, provide entries for the following fields:
    • Organizational unit
    • Organization
    • City or Locality
    • State or Province
    • Two-letter country code
    You are prompted to confirm that the information you entered is correct.
  9. Generate a certificate signing request for the certificate:
    <OC or UIM server_installation>/Nimsoft/probes/service/wasp/conf> keytool -certreq -alias wasp -validity 365 -keystore wasp.keystore -file wasp.csr
Export the Private Key
Next, export the private key from the keystore so that you can use it to generate a self-signed certificate. You will need to enter the keystore password which you noted in a previous step in the appropriate fields.
Follow these steps:
  1. Create a file called wasp.keystore.p12 in the wasp/conf folder:
    <OC or UIM server_installation>/Nimsoft/probes/service/wasp/conf> keytool -importkeystore -srckeystore wasp.keystore -srcstorepass (keystore password) -srckeypass (keystore password) -destkeystore wasp.keystore.p12 -deststoretype PKCS12 -srcalias wasp -deststorepass (keystore password) -destkeypass (keystore password)
  2. Set the environment path variable to "C:\Program Files (x86)\GnuWin32\bin".
  3. Set the environment variable OPENSSL_CONF to "C:\Program Files (x86)\GnuWin32\share\openssl.cnf".
  4. Open a new command window to get the new values.
  5. Export the private key from this .p12 file to create a wasp.key file in the wasp/conf folder:
    <OC or UIM server_installation>/Nimsoft/probes/service/wasp/conf> openssl pkcs12 -in wasp.keystore.p12 -passin pass:(keystore password) -nocerts -out wasp.key -passout pass:(keystore password)
Generate and Import the Certificate
Generate the certificate with the key created in the previous steps.
Follow these steps:
  1. Create a wasp.cer file in the wasp/conf folder, which is the certificate:
    <OC or UIM server_installation>/Nimsoft/probes/service/wasp/conf> openssl req -x509 -sha256 -days 365 -key wasp.key -in wasp.csr -out wasp.cer
  2. Change the location for the command and import the certificate:
    <OC or UIM server_installation>/Nimsoft/probes/service/wasp/conf> keytool -import -trustcacerts -alias wasp -file wasp.cer -keystore wasp.keystore
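The three subsections above (Generate a Public and Private Key Pair, Export the Private Key, Generate and Import the Certificate) end with a wasp.cer whose properties you should confirm before importing it. The script below is an added example, not from the CA UIM documentation: it reproduces the key -> CSR -> self-signed certificate sequence with OpenSSL alone (generating the 2048-bit key directly instead of through keytool and PKCS#12, so it runs without a JRE) and then reads back the key size, signature algorithm, subject CN and remaining validity from the resulting certificate. The working directory, FQDN and subject fields are assumptions; the file names wasp.key, wasp.csr and wasp.cer follow the page. The keytool -import step from the page is unchanged and is not repeated here.

```shell
#!/bin/sh
# Added example, not from the CA UIM documentation: reproduce the page's
# key -> CSR -> self-signed certificate sequence with OpenSSL alone and verify
# the result (key size, signature algorithm, subject, remaining validity)
# before it is imported into wasp.keystore. Directory, FQDN and subject fields
# are assumptions; file names follow the page (wasp.key, wasp.csr, wasp.cer).
set -eu

# Create a 2048-bit RSA wasp.key, a wasp.csr and a SHA-256 self-signed wasp.cer
# in directory $1, with FQDN $2 as the CN, valid for $3 days.
make_self_signed_cert() {
    dir=$1; fqdn=$2; days=$3
    mkdir -p "$dir"
    # The page generates the pair inside wasp.keystore with keytool -genkeypair
    # and exports it through PKCS#12; OpenSSL makes the key directly here so the
    # script runs without a JRE. The subject fields mirror the keytool prompts.
    openssl genrsa -out "$dir/wasp.key" 2048 2>/dev/null
    openssl req -new -key "$dir/wasp.key" -out "$dir/wasp.csr" \
        -subj "/CN=$fqdn/OU=Monitoring/O=Example Corp/L=Springfield/ST=Illinois/C=US"
    # Same command the page uses to self-sign the CSR.
    openssl req -x509 -sha256 -days "$days" -key "$dir/wasp.key" \
        -in "$dir/wasp.csr" -out "$dir/wasp.cer"
}

# RSA modulus length in bits of the certificate's public key.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Signature algorithm, e.g. sha256WithRSAEncryption (the Java 1.8 requirement).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# Subject CN, which should be the FQDN users type into the browser.
cert_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeeds when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Show what a running HTTPS listener presents (needs network; not run here).
show_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

work=$(mktemp -d)
make_self_signed_cert "$work" oc.example.internal 365
printf 'key bits: %s\nsignature: %s\nCN: %s\n' \
    "$(cert_key_bits "$work/wasp.cer")" \
    "$(cert_sig_alg "$work/wasp.cer")" \
    "$(cert_cn "$work/wasp.cer")"
if cert_valid_for_days "$work/wasp.cer" 364; then echo "still valid in 364 days"; fi
rm -rf "$work"
```

The same inspection functions work on the wasp.cer produced by the page's procedure: a key size other than 2048, a sha1WithRSAEncryption signature, or a CN that is not the hostname in the browser URL are the usual reasons the HTTPS connection test later on the page fails or warns. After the import and restart, show_server_cert <host> <https_port> confirms that wasp is presenting the new certificate rather than the auto-generated 1024-bit one.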
Test the HTTPS Connection
Self-signed certificates can cause some browser errors or notifications, such as "Your connection is not private" or "The identity of this website has not been verified." These are normal messages and can be prevented by importing the certificate to the browser (though not all browsers allow this). To avoid these messages altogether, you must use a certificate from a certificate authority.
Follow these steps:
  1. Open a supported Web browser.
  2. Enter https:// followed by the URL for OC or Admin Console.
The login page appears if wasp configuration was successfully modified to use HTTPS.
You can click the lock icon to the left of the URL in the browser address window to view information about the connection.
Record Certificate Information
Follow these steps:
  1. Securely record the new password that you set for the wasp.keystore file.
  2. Ensure that you record the validity period you set for the certificate.
  3. Back up the certificate files to a secure location.
(OC Only) Set Automatic HTTP to HTTPS Redirect
Follow these steps:
  1. Open the following file for editing:
    <OC_installation>/Nimsoft/probes/service/wasp/conf/config.properties.
  2. Add the following line at the bottom of the file:
    web.server.protocol=https
  3. Save the config.properties file.
  4. Open the following file for editing:
    <OC or UIM server_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/web.xml
  5. Add the following lines before </web-app>:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
  6. Save the web.xml file.
  7. Open the following file for editing:
    <OC or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  8. Add the following lines before </setup>:
    <http_connector>
      redirectPort=<desired port>
    </http_connector>
    where <desired port> matches the https_port key defined in the subsection Modify wasp to Use HTTPS. Be sure to include the redirect code within the <setup> section.
  9. Save the wasp.cfg file.
  10. Restart the wasp probe.
Set/Enable Secure Flag for Cookie
You can set/enable a secure flag for cookies in Admin Console and OC:
Set/Enable Secure Flag for Cookie in Admin Console
To set or enable the secure flag for the cookie in Admin Console:
Follow these steps:
  1. Open the following file for editing:
    <UIM server_installation>/Nimsoft/probes/service/wasp/webapps/adminconsoleapp/WEB-INF/web.xml.
  2. Uncomment the <secure> tag:
    <session-config>
      <session-timeout>1</session-timeout>
      <cookie-config>
        <http-only>true</http-only>
        <!--<secure>true</secure>-->
      </cookie-config>
    </session-config>
Set/Enable Secure Flag for Cookie in Operator Console
To set or enable the secure flag for the cookie in Operator Console:
Follow these steps:
  1. Open the following file for editing:
    <OC>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/web.xml.
  2. Uncomment the <secure> tag:
    <session-config>
      <session-timeout>1</session-timeout>
      <cookie-config>
        <http-only>true</http-only>
        <!--<secure>true</secure>-->
      </cookie-config>
    </session-config>
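Both web.xml edits on this page, the transport-guarantee change in the redirect sections and the <secure> cookie flag in the two sections just above, are easy to miss or to lose on an upgrade. The script below is an added example, not part of the CA UIM documentation: it checks a web.xml for an uncommented <secure>true</secure> and for a <transport-guarantee> that is CONFIDENTIAL rather than NONE, and writes two constructed sample files (the shipped form and the hardened form, built from the fragments on this page) to show both outcomes. It only strips <!-- ... --> comments that sit on one line, as the page shows them; a comment spanning several lines would need an XML-aware tool.

```shell
#!/bin/sh
# Added example, not from the CA UIM documentation: check the two web.xml
# settings the page edits, <transport-guarantee> (NONE -> CONFIDENTIAL) and the
# <secure>true</secure> cookie flag that ships commented out. The sample files
# are constructed from the fragments on the page; the comment stripping only
# handles <!-- ... --> on a single line, as the page shows it.
set -eu

# Succeeds when file $1 has at least one <transport-guarantee> and none is NONE.
transport_guarantee_ok() {
    total=$(grep -c '<transport-guarantee>' "$1" || true)
    none=$(grep -c '<transport-guarantee>[[:space:]]*NONE[[:space:]]*<' "$1" || true)
    [ "$total" -gt 0 ] && [ "$none" -eq 0 ]
}

# Succeeds when an uncommented <secure>true</secure> is present in file $1.
secure_cookie_enabled() {
    sed 's/<!--.*-->//g' "$1" | grep -q '<secure>[[:space:]]*true[[:space:]]*</secure>'
}

# One-line summary for file $1.
web_xml_report() {
    if transport_guarantee_ok "$1"; then tg=confidential; else tg=not-confidential; fi
    if secure_cookie_enabled "$1"; then sc=yes; else sc=no; fi
    echo "transport-guarantee=$tg secure-cookie=$sc"
}

# Constructed samples in directory $1: the shipped form and the hardened form.
write_sample_web_xml() {
    cat > "$1/weak-web.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>unrestricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <session-config>
    <session-timeout>1</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <!--<secure>true</secure>-->
    </cookie-config>
  </session-config>
</web-app>
EOF
    # The hardened form applies exactly the two edits the page describes.
    sed -e 's/<transport-guarantee>NONE</<transport-guarantee>CONFIDENTIAL</' \
        -e 's/<!--<secure>true<\/secure>-->/<secure>true<\/secure>/' \
        "$1/weak-web.xml" > "$1/hardened-web.xml"
}

work=$(mktemp -d)
write_sample_web_xml "$work"
for f in "$work"/*.xml; do
    printf '%s: %s\n' "$(basename "$f")" "$(web_xml_report "$f")"
done
rm -rf "$work"
```

Point web_xml_report at each WEB-INF/web.xml under the wasp webapps folder (adminconsoleapp and ROOT on this page) after an upgrade; a report of secure-cookie=no on an HTTPS-only listener means the session cookie can still be sent over plain HTTP by a client that is tricked into making an HTTP request, which is exactly what the secure flag prevents.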
Update Expect-CT Header Values
You can update Expect-CT-Header values in Admin Console and OC:
Update Expect-CT Header Values in Admin Console
By default, Expect-CT is set to "enforce, max-age=300". To change the values or add a report-uri, follow these steps:
  1. Navigate to the
    wasp.cfg
    file located in the following location:
    <UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  2. Open the
    wasp.cfg
    file in a text editor.
  3. In the webapps\adminconsole section, add or edit the Expect-CT-Header property as shown below:
    Expect-CT-Header = enforce, max-age=300
  4. Restart the wasp probe.
Update Expect-CT Header Values in Operator Console
By default, Expect-CT is set to "enforce, max-age=300". To change the values or add a report-uri in the Operator Console, follow these steps:
  1. Navigate to the
    wasp.cfg
    file located in the following location:
    <OC server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  2. Open the
    wasp.cfg
    file in a text editor.
  3. In the webapps\operatorconsole_portlet\custom\uncrypted section, add or edit the Expect-CT-Header property as shown below:
    Expect-CT-Header = enforce, max-age=300
  4. Restart the wasp probe.
(Optional) Access CABI Server
Additional configuration is required if you are using the CABI for UIM dashboards. For more information, see the (Optional) Access CABI Server with HTTPS section in CA Business Intelligence with CA UIM.
UIM 20.3.3 has removed dependency on CA Business Intelligence (CABI) for rendering the native OC screens: Home page, Group view page, Device view page, and Monitoring Technologies (probes) view page. Custom and Out-of-the-Box dashboards and reports are still rendered by using CABI; that is, they have a dependency on CABI. However, the native OC screens are no longer dependent on CABI (Jaspersoft) and are rendered by using HTML5. For more information about the native OC screens using HTML5, see the Configuring and Viewing Monitoring Data article or the "Removing CABI Dependency (Native Operator Console)" section in the UIM 20.3.3 article.