In order to enable HTTPS in CCC and DM, we needed to modify web.xml of individual web applications along with Tomcat server.xml.
Below are the steps. All the modified files are attached as well.
Generate key:
C:\Program Files\CA\Capacity Command Center 2.x\jre\bin>keytool -genkey -alias tomcat -keyalg RSA
(Enter the hostname when asked for your name.)
Password: changeit
Accept the default password in the final step.
Generate certificate:
C:\Program Files\CA\Capacity Command Center 2.x\jre\bin>keytool -export -alias tomcat -file tomcatcertfile.cer
List key to see if all is well:
C:\Program Files\CA\Capacity Command Center 2.x\jre\bin>keytool -list -keystore c:/users/dmadmin/.keystore
Changes to Tomcat server.xml file:
1. Comment out APR library loader
<!--APR library loader. Documentation at /docs/apr.html -->
<!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/> -->
2. Uncomment and edit the connector for SSL
<!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the JSSE configuration, when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="C:/Users/dmadmin/.keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
Modify web.xml for DM under webapps\DM\WEB-INF:
Add the following security constraint to the web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>dm</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
This content can be added at the end, right before </web-app>. This allows Tomcat to apply the redirection from anywhere in the application.
Modify web.xml for CCC under webapps\ccc\WEB-INF:
We need to add the following security constraints to the web.xml.
Please note the order. Exclusions come first.
<transport-guarantee>NONE</transport-guarantee> means no SSL.
<transport-guarantee>CONFIDENTIAL</transport-guarantee> means SSL is required.
Web resource names are arbitrary.
<security-constraint>
<web-resource-collection>
<web-resource-name>ccc_api</web-resource-name>
<url-pattern>/api/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>ccc_rest</web-resource-name>
<url-pattern>/rest/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>ccc</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Restart the Apache Tomcat service after these changes.
Application behavior after these changes:
When you access CCC and DM using HTTP on port 8081, you are automatically redirected to HTTPS. You can also use HTTPS on port 8443 directly in the URL. The API and REST interfaces of CCC continue to work with the regular HTTP interface.
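To confirm which CCC paths stay reachable over plain HTTP after the change, the following added example (not part of the original steps and not CA's own tooling) reads a web.xml and resolves the transport guarantee for each path using the Servlet specification's best-match rule: exact match, then longest path prefix, then extension, then default. It assumes constraints carry no http-method restrictions and does not merge constraints that share a pattern; the function names and sample paths are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three CCC constraints from this page in a bare <web-app>.
def _sc(name, pattern, guarantee):
    return ("<security-constraint><web-resource-collection>"
            f"<web-resource-name>{name}</web-resource-name>"
            f"<url-pattern>{pattern}</url-pattern></web-resource-collection>"
            "<user-data-constraint>"
            f"<transport-guarantee>{guarantee}</transport-guarantee>"
            "</user-data-constraint></security-constraint>")

WEB_XML = ("<web-app>" + _sc("ccc_api", "/api/*", "NONE")
           + _sc("ccc_rest", "/rest/*", "NONE")
           + _sc("ccc", "/*", "CONFIDENTIAL") + "</web-app>")

def _texts(elem, name):
    # Compare local names so a namespaced web.xml (xmlns=...) also works.
    return [(e.text or "").strip() for e in elem.iter()
            if e.tag.rsplit("}", 1)[-1] == name]

def load_constraints(xml_text):
    """Return [(url_pattern, guarantee)]; a missing guarantee counts as NONE."""
    out = []
    for sc in ET.fromstring(xml_text).iter():
        if sc.tag.rsplit("}", 1)[-1] == "security-constraint":
            tg = _texts(sc, "transport-guarantee")
            out += [(p, tg[0] if tg else "NONE") for p in _texts(sc, "url-pattern")]
    return out

def guarantee_for(path, constraints):
    """path is relative to the webapp context, e.g. /api/v1 for /ccc/api/v1."""
    best, rank = "NONE", (-1, -1)   # no matching constraint: no requirement
    for pat, tg in constraints:
        if pat == path:
            r = (3, len(pat))                       # exact match
        elif pat.endswith("/*") and (path == pat[:-2] or path.startswith(pat[:-1])):
            r = (2, len(pat))                       # path prefix, longest wins
        elif pat.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pat[1:]):
            r = (1, len(pat))                       # extension match
        elif pat == "/":
            r = (0, 0)                              # default mapping
        else: continue
        if r > rank:
            best, rank = tg, r
    return best

def cleartext_paths(paths, constraints):
    """Paths with no CONFIDENTIAL guarantee, i.e. still served over plain HTTP."""
    return [p for p in paths if guarantee_for(p, constraints) != "CONFIDENTIAL"]
```

To audit a deployed application, pass the contents of its WEB-INF\web.xml to load_constraints and feed cleartext_paths the paths you expect to be protected.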