DX Operational Intelligence

Tech Tip : Enable HTTPS in CCC/DM 

11-04-2014 10:53 AM

In order to enable HTTPS in CCC and DM, we needed to modify web.xml of individual web applications along with Tomcat server.xml. 

Below are the steps. All the modified files are attached as well.   

 

Generate Key :

C:\Program Files\CA\Capacity Command Center 2.x\jre\bin>keytool -genkey-alias tomcat -keyalg RSA (Enter hostname when asked for your name) Password : changeit Accept default password in final step.

 

Generate certificate:

C:\Program Files\CA\Capacity Command Center 2.x\jre\bin>keytool -export-alias tomcat -file tomcatcertfile.cer

 

List key to see if all is well:

C:\Program Files\CA\Capacity Command Center 2.x\jre\bin>keytool -list–keystore c:/users/dmadmin/.keystore

 

Changes to Tomcat server.xml file:

 

1.       Comment out APR library loader

<!--APR library loader. Documentation at /docs/apr.html -->

<!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>  -->

 

2.       Uncomment and edit the connector for SSL

 

<!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the JSSE configuration, when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation -->

  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="C:/Users/dmadmin/.keystore"  keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />

 

 

Modify WEB.xml for DM under webapps\DM\web-inf:

 

Add the following security constraint to the web.xml.

 

<security-constraint>  
<web-resource-collection>      
<web-resource-name>dm</web-resource-name>      
<url-pattern>/*</url-pattern>  
</web-resource-collection>  
<user-data-constraint>     

<transport-guarantee>CONFIDENTIAL</transport-guarantee>  
</user-data-constraint>

</security-constraint>

 

This content can be added at end, right before </web-app>. This allows tomcat to apply the redirection from anywhere in the application

 

Modify WEB.xml for CCC under webapps\ccc\web-inf:

 

We need to add the following security constraint to the web.xml.

 

Please note the order. Exclusions come first.
<transport-guarantee>NONE</transport-guarantee>
means no ssl.
<transport-guarantee>CONFIDENTIAL</transport-guarantee> means
support SSL. Web resource names are any arbitrary
names. <security-constraint>  
<web-resource-collection>      

 

 

<web-resource-name>ccc_api</web-resource-name> 
     <url-pattern>/api/*</url-pattern>  
</web-resource-collection>  
<user-data-constraint>      
<transport-guarantee>NONE</transport-guarantee>  
</user-data-constraint>

</security-constraint> <security-constraint>  
<web-resource-collection>     

 

<web-resource-name>ccc_rest</web-resource-name>      
<url-pattern>/rest/*</url-pattern>  
</web-resource-collection>  
<user-data-constraint>      
<transport-guarantee>NONE</transport-guarantee>  
</user-data-constraint>

</security-constraint> <security-constraint> 

 

<web-resource-collection>      
<web-resource-name>ccc</web-resource-name>      
<url-pattern>/*</url-pattern>  
</web-resource-collection>  
<user-data-constraint>     

<transport-guarantee>CONFIDENTIAL</transport-guarantee>  
</user-data-constraint></security-constraint>

 

Restart Apache Tomcat service after these changes

 

Application behavior after these changes:

When you access CCC and DM using http on port 8081  it will automatically redirect you to use https. You can use directly https on port 8443 as well in the URL.API and Rest interfaces of CCC continue to work with the regular http interface.

Statistics
0 Favorited
0 Views
3 Files
0 Shares
0 Downloads
Attachment(s)
zip file
sample_server.xml.zip   2K   1 version
Uploaded - 05-29-2019
zip file
sample_web(ccc).xml.zip   912B   1 version
Uploaded - 05-29-2019
zip file
sample_web(dm).xml.zip   1K   1 version
Uploaded - 05-29-2019

Tags and Keywords

Comments

09-14-2015 06:06 AM

Hi Adrian,

 

I have not tested this with UIM Capman_da probe.

However, dm_thrift_port by default is 8082 - not sure if it requires to be changed..

 

 

 

Regards,

KS

09-09-2015 09:27 AM

Hi KS

 

This Tech Tip is great.  I just have a couple of question:

  • Does the same apply for the new Thrift API service to support UIM Capman_da probe?
  • Are the configurations above sufficient, or are there other changes to make?
    • If DM moves from port 8081 to 8443 in your example above, what port could / should Thrift API be served upon? 8444 / 8445??

 

Thanks,

 

Adrian

Related Entries and Links

No Related Resource entered.