Configure HTTPS in Admin Console or UMP

This article describes how to configure a Secure Sockets Layer (SSL) connection to access UMP or Admin Console using HTTPS. It provides instructions for setting up a self-signed certificate, authority-signed certificate, or wildcard certificate.
We recommend that you consult your network security engineers and compliance specialists regarding your specific security requirements. In general, industry-standard security requirements mandate the use of SSL encryption for client/server communications on an untrusted network. This includes the following situations:
  • If users access UMP or Admin Console using a public network, such as the Internet
  • If sessions traverse an unsecured part of your network, such as wireless networks in meeting rooms or in public-access areas
  • If sessions traverse mobile networks
For high-security environments, we recommend using at least 2048-bit encryption. However, using longer RSA keys significantly affects the speed of encryption and decryption.
Prerequisites
Verify the following prerequisites before continuing:
  • You are an administrative user with access to Infrastructure Manager.
  • Your environment is configured to run keytool commands if you plan to use a certificate other than a 1024-bit self-signed certificate. This means that the $PATH system variable includes a path to java.exe and keytool.
  • Due to the security policies on some operating systems, you might have to run the keytool commands as an administrator.
    If running the keytool commands gives unexpected results on Windows systems, use the Run as Administrator option.
Upgrade Pre-Existing Self-Signed Certificates to Java 1.8
The Java version was updated to Java 1.8 starting with CA UIM version 8.5.1. You must upgrade any self-signed certificates generated by CA UIM from previous CA UIM versions. If you do not upgrade the pre-existing certificates, HTTPS connections to Admin Console or UMP will not work due to the change in security encryption levels in Java 1.8.
Follow these steps:
  1. Repeat the following steps for each instance of wasp that you configured for HTTPS.
  2. On the robot with wasp, navigate to the wasp.keystore file in
    <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.
  3. Delete the wasp.keystore file.
  4. Restart wasp on the robot. The wasp.keystore file is regenerated according to the SHA256 algorithm standard.
  5. Verify that you can reestablish browser connectivity to the system. Accept any prompts to accept the new self-signed certificate in your browser.
HTTPS Redirect and Admin Console 
Admin Console does not support the use of an HTTPS redirect. You must access Admin Console directly using the HTTPS:// URL. You can also disable the HTTP port for Admin Console.
You can also change your wasp configuration using Admin Console. However, you are automatically logged out of Admin Console when wasp restarts.
Follow these steps:
  1. Use Remote Desktop to connect to the UIM or UMP server.
  2. Open Infrastructure Manager.
  3. Navigate to the robot running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, select the http_port key, and click Delete Key.
  6. Restart the wasp probe.
After the wasp probe restarts, you will be unable to access Admin Console using HTTP.
Implement a 1024-Bit Self-Signed SSL Certificate
This section provides instructions for configuring UMP to use a 1024-bit self-signed SSL certificate.
Modify wasp to Use HTTPS
If you are configuring HTTPS for UMP, modify the wasp probe on the UMP server. If you are configuring HTTPS for Admin Console, modify the wasp probe on the UIM server.
Regardless of the certificate you want to implement, the first required step is to modify the wasp.cfg file to enable HTTPS. When this change takes effect, the following actions occur:
  • The wasp.keystore file, an encrypted file that stores certificates, is generated in the directory
    <UMP or UIM server installation>/UIM/probes/service/wasp/conf
  • A 1024-bit self-signed certificate is automatically generated in wasp.keystore
Follow these steps:
  1. Use Remote Desktop to connect to the UIM or UMP server.
  2. Open Infrastructure Manager.
  3. Navigate to the robot running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, locate the https_port key, and click Edit Key to specify a port. If necessary, click New Key and enter https_port.
    Note: The maximum port value that you can set is 65535.
  6. Edit the https_max_threads key to configure the number of concurrent HTTPS requests. The default value is 500.
  7. Restart the wasp probe.
    After the wasp probe restarts, wasp is configured to use an HTTPS connection, and the wasp.keystore file is generated. This file is located in <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.
(Optional) Change the HTTPS Ciphers
If necessary, you can customize the list of ciphers that are used by the wasp probe.
Follow these steps:
  1. Navigate to the system where wasp is installed.
  2. Navigate to the wasp.cfg file located in the following location:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  3. Open the wasp.cfg file in a text editor.
  4. Locate the https_ciphers key. By default, the https_ciphers key lists several values.
  5. Change the https_ciphers key to use the desired ciphers. Refer to the SSL documentation for a list of available cipher suites.
  6. Restart the wasp probe.
Test the HTTPS Connection
Self-signed certificates can cause some browser errors or notifications, such as "Your connection is not private" or "The identity of this website has not been verified." These are normal messages and can be prevented by importing the certificate to the browser (though not all browsers allow this). To avoid these messages altogether, you must use a certificate from a certificate authority.
Follow these steps:
  1. Open a supported Web browser.
  2. Enter https:// followed by the URL for UMP or Admin Console.
The login page appears if wasp configuration was successfully modified to use HTTPS.
You can click the lock icon to the left of the URL in the browser address window to view information about the connection.
(UMP Only) Set Automatic HTTP to HTTPS Redirect
Follow these steps:
  1. Open the following file for editing:
    <UMP server_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/classes/portal-ext.properties.
  2. Add the following line at the bottom of the file:
    web.server.protocol=https
  3. Save the portal-ext.properties file.
  4. Open the following file for editing:
    <UMP or UIM server_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/web.xml.
  5. Add the following lines before </web-app>:
    <security-constraint>
       <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
    </security-constraint>
  6. Save the web.xml file.
  7. Open the following file for editing:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  8. Add the following lines before </setup>:
    <http_connector>
       redirectPort=<desired port>
    </http_connector>
    where <desired port> matches the https_port key defined in the subsection Modify wasp Configuration to Use HTTPS.
    Be sure to include the redirect code within the <setup> section.
  9. Save the wasp.cfg file.
  10. Activate the wasp probe.
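The wasp.cfg settings touched so far (http_port, https_port, https_ciphers, and the redirectPort that must match https_port) can be checked together before the probe is restarted. The following is an added example, not part of the product or its documentation; the function names and both sample configurations are constructed, and it assumes https_ciphers holds a comma-separated list of suite names.

```python
import re

# Name fragments that mark a suite as weak: NULL/anonymous/export-grade,
# RC4, single DES, 3DES, and MD5-based MACs.
WEAK_MARKERS = ("_NULL_", "_ANON_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5")


def parse_setup(cfg_text):
    """Return (keys, subsections) found inside <setup> ... </setup>."""
    keys, subs, stack = {}, {}, []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        closing = re.fullmatch(r"</(\w+)>", line)
        opening = re.fullmatch(r"<(\w+)>", line)
        if closing:
            if stack and stack[-1] == closing.group(1):
                stack.pop()
        elif opening:
            stack.append(opening.group(1))
        elif "=" in line and stack and stack[0] == "setup":
            key, value = (part.strip() for part in line.split("=", 1))
            if len(stack) == 1:
                keys[key] = value
            else:
                subs.setdefault(stack[-1], {})[key] = value
    return keys, subs


def audit_wasp_setup(cfg_text):
    """Return a list of findings for the HTTPS settings described on this page."""
    keys, subs = parse_setup(cfg_text)
    findings = []

    https_port = keys.get("https_port")
    if https_port is None:
        findings.append("https_port is not set: wasp does not serve HTTPS")
    elif not https_port.isdigit() or not 1 <= int(https_port) <= 65535:
        findings.append(f"https_port={https_port} is outside 1-65535")

    redirect = subs.get("http_connector", {}).get("redirectPort")
    if redirect is not None and redirect != https_port:
        findings.append(f"redirectPort={redirect} does not match https_port={https_port}")
    if "http_port" in keys and redirect is None:
        findings.append("http_port is set without redirectPort: plain HTTP stays reachable")

    # Assumption: https_ciphers is a comma-separated list of suite names.
    for suite in keys.get("https_ciphers", "").split(","):
        suite = suite.strip()
        if suite and any(marker in suite.upper() for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite in https_ciphers: {suite}")
    return findings


# Constructed sample: redirect pointing at the wrong port and two weak suites
# left in the cipher list.
SAMPLE_CFG = """
<setup>
   http_port = 80
   https_port = 8443
   https_max_threads = 500
   https_ciphers = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_3DES_EDE_CBC_SHA
   <http_connector>
      redirectPort = 443
   </http_connector>
</setup>
"""

# Constructed sample: http_port deleted as in the Admin Console procedure,
# strong suites only.
HARDENED_CFG = """
<setup>
   https_port = 8443
   https_max_threads = 500
   https_ciphers = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
</setup>
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_wasp_setup(cfg) or "no findings")
```

The check reads wasp.cfg only; the redirect also depends on the web.xml security constraint and the portal-ext.properties line from the steps above.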
Implement a 2048-Bit Self-Signed SSL Certificate
This section provides instructions for configuring UMP to use a 2048-bit self-signed SSL certificate.
Download OpenSSL for Windows
To begin the process, you must have a copy of OpenSSL on the system.
Follow these steps:
  1. Use Remote Desktop to connect to the system server.
    If you are configuring SSL for UMP, modify the wasp probe on the UMP server. If you are configuring SSL for Admin Console, modify the wasp probe on the UIM server.
  2. Run the executable to install the package.
Modify wasp to Use HTTPS
If you are configuring HTTPS for UMP, modify the wasp probe on the UMP server. If you are configuring HTTPS for Admin Console, modify the wasp probe on the UIM server.
Regardless of the certificate you want to implement, the first required step is to modify the wasp.cfg file to enable HTTPS. When this change takes effect, the following occurs:
  • The wasp.keystore file, an encrypted file that stores certificates, is generated in the directory
    <UMP or UIM server installation>/UIM/probes/service/wasp/conf
  • A 1024-bit self-signed certificate is automatically generated in wasp.keystore
You must replace the automatically generated 1024-bit self-signed certificate with the certificate that you want to use.
Follow these steps:
  1. Use Remote Desktop to connect to the UIM server.
  2. Open Infrastructure Manager.
  3. Navigate to the server running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, locate the https_port key, and click Edit Key to specify a port. If necessary, click New Key and enter https_port.
    Note: The maximum port value that you can set is 65535.
  6. Edit the https_max_threads key to configure the number of concurrent HTTPS requests. The default value is 500.
    After the wasp probe restarts, wasp is configured to use an HTTPS connection, and the wasp.keystore file is generated. This file is located in <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.
(Optional) Change the HTTPS Ciphers
If necessary, you can customize the list of ciphers that are used by the wasp probe.
Follow these steps:
  1. Navigate to the system where wasp is installed.
  2. Navigate to the wasp.cfg file located in the following location:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  3. Open the wasp.cfg file in a text editor.
  4. Locate the https_ciphers key. By default, the https_ciphers key lists several values.
  5. Change the https_ciphers key to use the desired ciphers. Refer to the SSL documentation for a list of available cipher suites.
  6. Restart the wasp probe.
Reinitialize wasp.keystore
The wasp probe is an embedded web server running as a probe. Modifying the wasp probe to use HTTPS creates the wasp.keystore file. To use SSL, you must regenerate this file. To regenerate the file, you must:
  1. Locate and delete the existing file from the fileset.
  2. Run a probe utility command to reinitialize the file.
Only perform the following steps if you are NOT using a 1024-bit self-signed certificate, and at least one of the following statements is true:
  • You do not know the password of wasp.keystore.
  • This is the first time that you are configuring UMP to use HTTPS.
You must configure the associated wasp probes for Admin Console and UMP servers to fully configure HTTPS.
If you are running the UIM and UMP servers on the same system, there is only one wasp probe that must be configured to enable HTTPS on both Admin Console and UMP.
In addition, you must enter a valid password for wasp.keystore. However, wasp.keystore has a hard-coded, unknown password. Therefore, the first time you configure wasp for HTTPS, it is recommended that you execute the ssl_reinitialize_keystore callback and set a new password.
The ssl_reinitialize_keystore callback re-creates wasp.keystore and its password hash. When you run this callback, enter a new password as an argument, and then securely store the new password for future use. If you lose or forget this password, the only way to reset it is to reinitialize wasp.keystore again.
Use caution with the ssl_reinitialize_keystore callback. This callback changes the encryption hash of wasp.keystore, and will invalidate any certificates you are currently using. For this reason, it is strongly recommended that you back up individual key and certificate files, so that if you have to reinitialize the keystore, you can reload the keys and certificates into the new keystore.
In addition, do not use the keytool utility to change the password of wasp.keystore, as wasp will not recognize the new password.
Currently, the only way to change the password of wasp.keystore is to use the ssl_reinitialize_keystore callback.
Follow these steps:
  1. Use Remote Desktop to connect to the appropriate server.
  2. Open Infrastructure Manager.
  3. Navigate to the robot running the wasp probe.
  4. Open the actions menu for the probe and select 'Deactivate'.
  5. In the fileset, navigate to /Nimsoft/probes/service/wasp/conf and delete the file wasp.keystore.
  6. In Infrastructure Manager, open the actions menu and select 'Restart'.
  7. In Infrastructure Manager, click on the wasp probe to highlight it.
  8. Press Ctrl+<P> to open the probe utility.
  9. In the drop-down list under Probe commandset, select ssl_reinitialize_keystore.
  10. Enter a new password as an argument.
    Use a password that is at least six characters long. The wasp probe utility will not prevent you from using a shorter password, but you will be unable to make changes to the wasp.keystore file as described later.
  11. Click the green Execute button to run the callback.
    The Command status bar displays the text OK.
  12. Securely record the password that you set for future use.
Generate a Public and Private Key Pair
To generate a new certificate, you must delete the existing 1024-bit certificate, create a public and private key pair, and create a new certificate. Enter keytool commands at a command prompt in the same directory as the wasp.keystore file, typically <UMP or UIM server_installation>/Nimsoft/probes/service/wasp/conf. The keytool utility is located in the directory where the JRE resides, typically <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool.
Follow these steps:
  1. Open an administrator command prompt on the server running wasp and navigate to the wasp configuration directory.
  2. Verify that you have a valid password for the wasp.keystore file:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore wasp.keystore
  3. Delete the current 1024-bit certificate:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -delete -alias wasp -keystore wasp.keystore
  4. Verify that the key was deleted:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore wasp.keystore
  5. Generate the public and private key pair with the key size you require. The valid period is set in calendar days: for example, 365 represents one calendar year.
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize 2048 -keystore wasp.keystore -validity <days_cert_is_valid>
  6. When prompted for your first and last name, enter the FQDN.
  7. When prompted, provide entries for the following fields:
    • Organizational unit
    • Organization
    • City or Locality
    • State or Province
    • Two-letter country code
    You are prompted to confirm that the information you entered is correct.
  8. Generate a certificate signing request for the certificate:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -certreq -alias wasp -validity 365 -keystore wasp.keystore -file wasp.csr
Export the Private Key
Next, export the private key from the keystore so that you can use it to generate a self-signed certificate. You will need to enter the keystore password which you noted in a previous step in the appropriate fields.
Follow these steps:
  1. Create a file called wasp.keystore.p12 in the wasp/conf folder:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -importkeystore -srckeystore wasp.keystore -srcstorepass (keystore password) -srckeypass (keystore password) -destkeystore wasp.keystore.p12 -deststoretype PKCS12 -srcalias wasp -deststorepass (keystore password) -destkeypass (keystore password)
  2. Change the location for the command to "C:\Program Files (x86)\GnuWin32\bin\openssl."
  3. Export the private key from this .p12 file to create a wasp.key file in the wasp/conf folder:
    "C:/Program Files (x86)/GnuWin32/bin/openssl" pkcs12 -in wasp.keystore.p12 -passin pass:(keystore password) -nocerts -out wasp.key -passout pass:(keystore password)
Generate and Import the Certificate
Generate the certificate with the key created in the previous steps.
Follow these steps:
  1. Create a wasp.cer file in the wasp/conf folder, which is our certificate:
    "C:/Program Files (x86)/GnuWin32/bin/openssl" req -x509 -sha256 -days 365 -key wasp.key -in wasp.csr -out wasp.cer
  2. Change the location for the command and import the certificate:
    <UMP or UIM server_installation>/jre/jre8u102/bin/keytool.exe -import -trustcacerts -alias wasp -file wasp.cer -keystore wasp.keystore
Test the HTTPS Connection
Self-signed certificates can cause some browser errors or notifications, such as "Your connection is not private" or "The identity of this website has not been verified." These are normal messages and can be prevented by importing the certificate to the browser (though not all browsers allow this). To avoid these messages altogether, you must use a certificate from a certificate authority.
Follow these steps:
  1. Open a supported Web browser.
  2. Enter https:// followed by the URL for UMP or Admin Console.
The login page appears if wasp configuration was successfully modified to use HTTPS.
You can click the lock icon to the left of the URL in the browser address window to view information about the connection.
Record Certificate Information
Follow these steps:
  1. Securely record the new password that you set for the wasp.keystore file.
  2. Ensure that you record the validity period you set for the certificate.
  3. Back up the certificate files to a secure location.
(UMP Only) Set Automatic HTTP to HTTPS Redirect
Follow these steps:
  1. Open the following file for editing:
    <UMP_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/classes/portal-ext.properties.
  2. Add the following line at the bottom of the file:
    web.server.protocol=https
  3. Save the portal-ext.properties file.
  4. Open the following file for editing:
    <UMP or UIM server_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/web.xml.
  5. Add the following lines before </web-app>:
    <security-constraint>
       <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
    </security-constraint>
  6. Save the web.xml file.
  7. Open the following file for editing:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  8. Add the following lines before </setup>:
    <http_connector>
       redirectPort=<desired port>
    </http_connector>
    where <desired port> matches the https_port key defined in the subsection Modify wasp Configuration to Use HTTPS.
    Be sure to include the redirect code within the <setup> section.
  9. Save the wasp.cfg file.
  10. Activate the wasp probe.
Implement an Authority-Signed SSL Certificate
Entity, Intermediate, and Root Certificates
A number of certificate authorities issue intermediate, or chained certificates. If your certificate authority issues chained certificates, you will typically receive the following certificate files:
  • An entity certificate
  • One or more intermediate certificates
  • A root certificate might be included
You must upload the entity certificate and any intermediate certificates your certificate authority provides. You might not need to upload a root certificate. This is because the UIM installation automatically installs a Java Runtime Environment (JRE) that includes the root certificates of many certificate authorities. However, your certificate authority may provide a new root certificate and advise that you upload it.
You can view the root certificates installed automatically with the JRE during the UIM installation.
Follow these steps:
  1. Open an administrator command prompt on the server running UMP.
  2. Change directories as follows:
    cd <UMP or UIM server_installation>/jre/<jre_version>/lib/security
  3. Issue the following command:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore cacerts
    The system prompts you to enter the keystore password. After you enter a valid password, the system displays the default root certificates in the cacerts file.
Modify wasp to Use HTTPS
If you are configuring HTTPS for UMP, modify the wasp probe on the UMP server. If you are configuring HTTPS for Admin Console, modify the wasp probe on the UIM server.
Regardless of the certificate you want to implement, the first required step is to modify the wasp.cfg file to enable HTTPS. When this change takes effect, the following occurs:
  • The wasp.keystore file, an encrypted file that stores certificates, is generated in the directory
    <UMP or UIM server installation>/UIM/probes/service/wasp/conf
  • A 1024-bit self-signed certificate is automatically generated in wasp.keystore
You must replace the automatically generated 1024-bit self-signed certificate with the certificate that you want to use.
Follow these steps:
  1. Use Remote Desktop to connect to the UIM server.
  2. Open Infrastructure Manager.
  3. Navigate to the server running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, locate the https_port key, and click Edit Key to specify a port. If necessary, click New Key and enter https_port.
    Note: The maximum port value you can set is 65535.
  6. Edit the https_max_threads key to configure the number of concurrent HTTPS requests. The default value is 500.
    After the wasp probe restarts, wasp is configured to use an HTTPS connection, and the wasp.keystore file is generated. This file is located in <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.
(Optional) Change the HTTPS Ciphers
If necessary, you can customize the list of ciphers that are used by the wasp probe.
Follow these steps:
  1. Navigate to the system where wasp is installed.
  2. Navigate to the wasp.cfg file located in the following location:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  3. Open the wasp.cfg file in a text editor.
  4. Locate the https_ciphers key. By default, the https_ciphers key lists several values.
  5. Change the https_ciphers key to use the desired ciphers. Refer to the SSL documentation for a list of available cipher suites.
  6. Restart the wasp probe.
Reinitialize wasp.keystore
Only perform the following steps if you are not using a 1024-bit self-signed certificate, and at least one of the following statements is true:
  • You do not know the password of wasp.keystore.
  • This is the first time that you are configuring UMP to use HTTPS.
If neither of the above statements is true, review the section Wasp and the ssl_reinitialize_keystore Callback before continuing.
You must configure the associated wasp probes for Admin Console and UMP to fully configure HTTPS. The wasp probe is an embedded web server running as a probe.
If you are running the UIM and UMP servers on the same system, there is only one wasp probe that must be configured to enable HTTPS on both Admin Console and UMP.
In addition, you must enter a valid password for wasp.keystore. However, wasp.keystore has a hard-coded, unknown password. Therefore, the first time you configure wasp for HTTPS, it is recommended that you execute the ssl_reinitialize_keystore callback and set a new password.
The ssl_reinitialize_keystore callback re-creates wasp.keystore and its password hash. When you run this callback, enter a new password as an argument, and then securely store the new password for future use. If you lose or forget this password, the only way to reset it is to reinitialize wasp.keystore again.
Use caution with the ssl_reinitialize_keystore callback. This callback changes the encryption hash of wasp.keystore, and will invalidate any certificates you are currently using. For this reason, it is strongly recommended that you back up individual key and certificate files, so that if you have to reinitialize the keystore, you can reload the keys and certificates into the new keystore.
In addition, do not use the keytool utility to change the password of wasp.keystore, as wasp will not recognize the new password.
Currently, the only way to change the password of wasp.keystore is to use the ssl_reinitialize_keystore callback.
Follow these steps:
  1. Open Infrastructure Manager.
  2. Navigate to the server running the wasp probe.
  3. Click on the wasp probe to highlight it.
  4. Press Ctrl+<P> to open the probe utility.
  5. In the drop-down list under Probe commandset, select ssl_reinitialize_keystore.
  6. Enter a new password as an argument.
    Use a password that is at least six characters long. The wasp probe utility will not prevent you from using a shorter password, but you will be unable to make changes to the wasp.keystore file as described later.
  7. Click the green play button to run the callback.
    The Command status bar displays the text OK.
  8. Securely record the password you set for future use.
Generate a Public and Private Key Pair
Follow these steps:
  1. Open an administrator command prompt on the server running wasp.
    Run the following keytool commands in the same directory as the wasp.keystore file, typically <UMP or UIM server_installation>/probes/service/wasp/conf. The keytool utility is located in the directory where the JRE resides, typically <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool.
  2. Verify that you have a valid password for the wasp.keystore file:
    <UMP_installation>/jre/<jre_version>/bin/keytool -list -keystore wasp.keystore
  3. Delete the automatically generated private key:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -delete -alias wasp -keystore wasp.keystore
  4. Verify that the key was deleted:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore wasp.keystore
  5. Generate the public and private key pair with the key size you require:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize <key_size> -keystore wasp.keystore -validity <days_cert_is_valid>
  6. When prompted for your first and last name, enter the FQDN.
  7. When prompted, provide entries for the following fields:
    • Organizational unit
    • Organization
    • City or Locality
    • State or Province
    • Two-letter country code
    You are prompted to confirm that the information you entered is correct.
Record Certificate Information
Follow these steps:
  1. Securely record the new password that you set for the wasp.keystore file.
  2. Ensure that you record the validity period you set for the certificate.
  3. Back up the certificate files to a secure location.
Generate and Submit a CSR
Note: For a wildcard certificate, enter <your_domain>.csr as the last argument in this command.
Follow these steps:
  1. Generate a Certificate Signing Request (CSR):
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -certreq -alias wasp -validity <days_cert_is_valid> -keystore wasp.keystore -file <your_domain>.csr
    The CSR is built with the public keys that are generated by using the RSA key algorithm. Therefore, the certificates from the certificate authority must be built with the key encipherment ("Allows key exchange only with key encryption") encryption option.
  2. (Optional) Create a backup copy of the wasp.keystore. This is not a required step, but it is strongly recommended. In the event you encounter a problem later in this procedure, a backup copy of the wasp.keystore file will save you from having to repeat previous steps.
  3. Submit the CSR to the certificate authority:
    1. Paste the CSR into the web form of the certificate authority.
    2. Remove any characters before ----BEGIN CERTIFICATE REQUEST and after END CERTIFICATE REQUEST----.
Import the Certificates
All keystore entries must use a unique alias. You must use the alias wasp for the signed, or entity certificate. If your certificate authority provides multiple intermediate certificates, each intermediate certificate must also use a unique alias.
Follow these steps:
  1. Open an administrator command prompt on the server running UMP.
    Run the following keytool commands in the same directory as the wasp.keystore file, typically <UMP or UIM server_installation>/probes/service/wasp/conf. The keytool utility is located in the directory where the JRE resides, typically <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool
  2. If your certificate authority provided a root certificate, import the root certificate:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -import -trustcacerts -alias <root_certificate> -file <root_certificate>.cer -keystore wasp.keystore
  3. Import the intermediate certificate:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -import -trustcacerts -alias <first_intermediate_certificate> -file <first_intermediate_certificate>.cer -keystore wasp.keystore
  4. Repeat the previous step as needed for additional intermediate certificates.
  5. Import the signed certificate. This is the entity certificate if you received a chained certificate:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -import -trustcacerts -alias wasp -file <your_domain>.crt -keystore wasp.keystore
  6. Click yes at the prompt Existing entry alias wasp exists, overwrite?
  7. Issue the following command to verify that the wasp.keystore file was updated:
    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore wasp.keystore
  8. Restart the wasp probe.
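The verification in step 7 can be made more precise by running keytool with -list -v and checking what actually sits behind the wasp alias. The following is an added example, not part of the product or its documentation: the function names are hypothetical and the three listings are constructed and trimmed (dates, serial numbers and fingerprints omitted). The key-size check relies on the "Subject Public Key Algorithm" line, which newer keytool builds print, and is skipped when that line is absent.

```python
import re

# Labels in `keytool -list -v` output that the check needs.
FIELDS = {
    "Entry type": "type",
    "Certificate chain length": "chain_length",
    "Owner": "owner",
    "Issuer": "issuer",
    "Signature algorithm name": "sig_alg",
    "Subject Public Key Algorithm": "pubkey",
}


def parse_keytool_listing(text):
    """Map each alias to the fields of its first (entity) certificate."""
    entries, current = {}, None
    for raw in text.splitlines():
        label, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        if label == "Alias name":
            current = entries.setdefault(value.strip(), {})
        elif current is not None and label in FIELDS:
            # setdefault keeps Certificate[1]; later chain members are ignored.
            current.setdefault(FIELDS[label], value.strip())
    return entries


def check_wasp_entry(listing, ca_signed, min_bits=2048):
    """Return a list of problems with the wasp alias; empty means it looks right."""
    entry = parse_keytool_listing(listing).get("wasp")
    if entry is None:
        return ["no entry with alias wasp"]
    if entry.get("type") != "PrivateKeyEntry":
        return [f"alias wasp is a {entry.get('type')}: the certificate has no private key"]
    problems = []
    sig_alg = entry.get("sig_alg", "")
    if sig_alg.upper().startswith(("MD2", "MD5", "SHA1")):
        problems.append(f"weak signature algorithm: {sig_alg}")
    bits = re.match(r"(\d+)-bit", entry.get("pubkey", ""))
    if bits and int(bits.group(1)) < min_bits:
        problems.append(f"key is {bits.group(1)} bits, below {min_bits}")
    if ca_signed:
        if entry.get("owner") == entry.get("issuer"):
            problems.append("certificate is still self-signed: the CA reply was not imported")
        elif int(entry.get("chain_length", "0")) < 2:
            problems.append("chain has no intermediate or root certificate")
    return problems


# Constructed: the automatically generated certificate, before any replacement.
DEFAULT_LISTING = """Alias name: wasp
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ump.example.com
Issuer: CN=ump.example.com
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""

# Constructed: CA certificate imported into a keystore that no longer holds
# the key pair the CSR was generated from (for example after reinitializing).
ORPHAN_LISTING = """Alias name: wasp
Entry type: trustedCertEntry

Owner: CN=ump.example.com, O=Example, C=US
Issuer: CN=Example Issuing CA, O=Example, C=US
Signature algorithm name: SHA256withRSA
"""

# Constructed: entity certificate with its intermediate attached to the key.
SIGNED_LISTING = """Alias name: wasp
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ump.example.com, O=Example, C=US
Issuer: CN=Example Issuing CA, O=Example, C=US
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Signature algorithm name: SHA256withRSA
"""

if __name__ == "__main__":
    for name in ("DEFAULT_LISTING", "ORPHAN_LISTING", "SIGNED_LISTING"):
        print(name, check_wasp_entry(globals()[name], ca_signed=True) or "ok")
```

A trustedCertEntry under the wasp alias is the case to watch for: the listing shows the new certificate, but wasp has no private key to serve it with.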
Test the HTTPS Connection
Self-signed certificates can cause some browser errors or notifications, such as "Your connection is not private" or "The identity of this website has not been verified." These are normal messages and can be prevented by importing the certificate to the browser (though not all browsers allow this). To avoid these messages altogether, you must use a certificate from a certificate authority.
Follow these steps:
  1. Open a supported Web browser.
  2. Enter https:// followed by the URL for UMP or Admin Console.
The login page appears if wasp configuration was successfully modified to use HTTPS.
Note: You can click the lock icon to the left of the URL in the browser address window to view information about the connection.
(UMP Only) Set Automatic HTTP to HTTPS Redirect
Follow these steps:
  1. Open the following file for editing:
    <UMP_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/classes/portal-ext.properties.
  2. Add the following line at the bottom of the file:
    web.server.protocol=https
  3. Save the portal-ext.properties file.
  4. Open the following file for editing:
    <UMP or UIM server_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/web.xml.
  5. Add the following lines before </web-app>:
    <security-constraint>
       <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
    </security-constraint>
  6. Save the web.xml file.
  7. Open the following file for editing:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  8. Add the following lines before </setup>:
    <http_connector>
       redirectPort=<desired port>
    </http_connector>
    where <desired port> matches the https_port key defined in the subsection Modify wasp Configuration to Use HTTPS.
    Be sure to include the redirect code within the <setup> section.
  9. Save the wasp.cfg file.
  10. Activate the wasp probe.
(Optional) Access CABI Server
Additional configuration is required if you are using the CABI for UIM dashboards. For more information, see the (Optional) Access CABI Server with HTTPS section in CA Business Intelligence with CA UIM.