CA Network Flow Analysis - 9.3.8

Enable HTTPS for CA Network Flow Analysis

Last update January 19, 2018

CA Network Flow Analysis (CA NFA) can be configured for secure communication through the web interface.

Some of the following settings might be available during an upgrade. 

Prerequisites

Create the required certificate files using the procedure in Generate or Configure Certificates for Use by CA Network Flow Analysis.

Enable HTTPS on the Console

Follow these steps:

  1. Install the CA certificate (generated as a prerequisite) as a trusted Certificate Authority (CA) for your server.
    1. Double-click the nfa-console-truststore.pfx.
    2. Run the import wizard to import the certificate as trusted by the local machine.

    More information:
    See "To import a certificate" in How to Use the Certificates Console
  2. Install the Console SSL certificate.
    1. Install a signed certificate in IIS Manager Server Certificates.

      1. In the Internet Information Service (IIS) Manager, go to the Features view.

      2. Open Server Certificates.
      3. Under Actions, click Import to import the nfa-console-keystore.pfx file.

    2. To confirm that the certificate is properly installed, open the certificate and select the Certification Path tab.
      Select each certificate displayed in the Certification path and check that the Certificate status field shows “This certificate is OK”. Contact the certificate provider if the Certificate status field displays errors.

  3. Configure the HTTPS port for the IIS application. By default, IIS does not have a binding for HTTPS.
    1. In the Internet Information Services (IIS) Manager, navigate to the Default Website.
    2. Under Actions, click Bindings.
    3. In the Site Bindings dialog, click Add.


    4. Select the signed certificate from the SSL certificate list.

      Important: Do not disable the HTTP port 80 binding. CA Network Flow Analysis will not work properly if HTTP is disabled.
  4. Edit the product configuration XML file.
    install_path\Portal\SSO\webapps\sso\configuration\ReporterAnalyzer.xml

    1. In the SignInPageProductDefaultUrl section, change Scheme from http to https.

    2. Enter 443 for the Port (blank by default).

    Example:

    <?xml version="1.0" encoding="utf-8" ?>
    <Configuration>
          <SingleSignOnEnabled>True</SingleSignOnEnabled>
          <SingleSignOnProductCode>ra</SingleSignOnProductCode>
          <SignInPageProductTitle><![CDATA[NetQoS<sup><font class="Superscript">®</font></sup>
           ReporterAnalyzer<sup><font class="Superscript">™</font></sup>]]></SignInPageProductTitle>
          <SignInPageProductDescription>Network Traffic Analysis</SignInPageProductDescription>
          <SignInPageProductDefaultUrl>
            <Scheme>https</Scheme>
            <Port>443</Port>
            <PathAndQuery>/ra/default.aspx</PathAndQuery>
          </SignInPageProductDefaultUrl>
          <SingleSignOnWebServiceUrl>
            <Scheme>http</Scheme>
            <Port></Port>
            <PathAndQuery>/ReporterDataSource/SingleSignOnWS.asmx</PathAndQuery>
          </SingleSignOnWebServiceUrl>
    </Configuration>
  5. Configure Single Sign-On SSL scheme and port.
    Run install_path\Portal\sso\bin\SsoConfig.exe

    SSO Configuration:

    1. CA Performance Center

    2. CA Network Flow Analysis

    Choose an option >2


    SSO Configuration/CA Network Flow Analysis:

    1. LDAP Authentication

    2. SAML2 Authentication

    3. Performance Center

    4. Single Sign-On

    5. Test LDAP

    6. Export SAML2 Service Provider Metadata

    Choose an option >4

    SSO Configuration/CA Network Flow Analysis/Single Sign-On:

    Anonymous User Enabled: Disabled

    Anonymous User ID: 2

    Localhost User Sign-In Page Enabled: Disabled

    Localhost User Enabled: Enabled

    Localhost User ID: 1

    Cookie Timeout Minutes: 20

    Encryption Decryption Key: #$utP9%z

    Encryption Algorithm: DES

    Failed Sleep Seconds: 3

    Remember Me Enabled: Enabled

    Remember Me Timeout Days: 15

    Scheme: http

    Port: 8381

    Virtual Directory: sso

    1. Remote Value

    2. Local Override

    Choose an option > 2


    SSO Configuration/CA Network Flow Analysis/Single Sign-On/Local Override:

    1. Anonymous User Enabled:

    2. Anonymous User ID:

    3. Localhost User Sign-In Page Enabled:

    4. Localhost User Enabled:

    5. Localhost User ID:

    6. Cookie Timeout Minutes:

    7. Encryption Decryption Key:

    8. Encryption Algorithm:

    9. Failed Sleep Seconds:

    10. Remember Me Enabled:

    11. Remember Me Timeout Days:

    12. Scheme:

    13. Port:

    14. Virtual Directory:

    Select a Property > 12

    Enter u to update to new value > u

    Enter new value > https

    SSO Configuration/CA Network Flow Analysis/Single Sign-On/Local Override:

    1. Anonymous User Enabled:

    2. Anonymous User ID:

    3. Localhost User Sign-In Page Enabled:

    4. Localhost User Enabled:

    5. Localhost User ID:

    6. Cookie Timeout Minutes:

    7. Encryption Decryption Key:

    8. Encryption Algorithm:

    9. Failed Sleep Seconds:

    10. Remember Me Enabled:

    11. Remember Me Timeout Days:

    12. Scheme: https

    13. Port:

    14. Virtual Directory:

    Select a Property > 13

    Enter u to update to new value > u

    Enter new value > 8382

    Enter q to quit SsoConfig


  6. Back up and edit the SSO start.ini file.
    Edit install_path\Portal\SSO\start.ini.

    1. Uncomment the --module=ssl line so that it is active:

      --module=ssl
    2. Modify the --module=http line to be https:

      --module=https
  7. Configure the SSO jetty-https.xml, jetty-ssl.xml, and jetty-ssl-context.xml files.

    1. Copy the jetty-https.xml template from
      install_path\Portal\Jetty\etc\jetty-https.xml
      to
      install_path\Portal\SSO\etc\jetty-https.xml
    2. Copy the jetty-ssl.xml template from
      install_path\Portal\Jetty\etc\jetty-ssl.xml
      to
      install_path\Portal\SSO\etc\jetty-ssl.xml

    3. Copy the jetty-ssl-context.xml template from
      install_path\Portal\Jetty\etc\jetty-ssl-context.xml
      to
      install_path\Portal\SSO\etc\jetty-ssl-context.xml
    4. Edit install_path\Portal\SSO\etc\jetty-ssl.xml.
      In the addConnector section, set the port to 8382.

      <Set name="port">8382</Set>
    5. Edit install_path\Portal\SSO\etc\jetty-ssl-context.xml.
      Edit the sslContextFactory section to contain the following lines.

      <Set name="KeyStorePath">install_path/certs/nfa-console-keystore.pfx</Set>

      <Set name="KeyStorePassword">yourkeypassword</Set>

      <Set name="KeyStoreType">pkcs12</Set>

      <Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>

      <Set name="KeyManagerPassword">yourkeypassword</Set>

      <Set name="TrustStorePath">install_path/certs/nfa-console-truststore.pfx</Set>

      <Set name="TrustStorePassword">yourkeypassword</Set>

      <Set name="TrustStoreType">pkcs12</Set>

      Use the keystore/truststore password created in Generate or Configure Certificates for Use by CA Network Flow Analysis for both the KeyStorePassword and TrustStorePassword.

  8. Reboot the NFA Console to apply the changes.
  9. Confirm that you can access the NFA Console using https.
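
A check for the file edits in steps 4, 6 and 7, run before the reboot in step 8. This is an added example, not part of the CA documentation: the function names are hypothetical, the sample inputs are constructed, and it assumes comment lines in start.ini begin with '#'.

```python
import xml.etree.ElementTree as ET

PLACEHOLDER = "yourkeypassword"  # literal shown in the page's snippet

def jetty_sets(xml_text):
    """Map each <Set name="..."> to its text, or "<child>" if it wraps an element."""
    return {e.get("name"): (e.text or "").strip() or ("<child>" if len(e) else "")
            for e in ET.fromstring(xml_text).iter("Set")}

def audit(reporter_xml, start_ini, jetty_ssl_xml, ssl_context_xml, sso_port="8382"):
    """Return a list of findings; an empty list means the files match steps 4-7."""
    findings = []
    url = ET.fromstring(reporter_xml).find("SignInPageProductDefaultUrl")
    if url is None or (url.findtext("Scheme", "").strip(),
                       url.findtext("Port", "").strip()) != ("https", "443"):
        findings.append("ReporterAnalyzer.xml: sign-in URL is not https on port 443")
    # Assumption: comment lines in start.ini begin with '#'.
    active = {ln.strip() for ln in start_ini.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")}
    for module in ("--module=ssl", "--module=https"):
        if module not in active:
            findings.append(f"start.ini: {module} is not active")
    if "--module=http" in active:
        findings.append("start.ini: --module=http was not changed to https")
    if jetty_sets(jetty_ssl_xml).get("port") != sso_port:
        findings.append(f"jetty-ssl.xml: port is not {sso_port}")
    ctx = jetty_sets(ssl_context_xml)
    for key in ("KeyStoreType", "TrustStoreType"):
        if ctx.get(key, "").lower() != "pkcs12":
            findings.append(f"jetty-ssl-context.xml: {key} is not pkcs12")
    for key in ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword"):
        if ctx.get(key) in (None, "", PLACEHOLDER):
            findings.append(f"jetty-ssl-context.xml: {key} is empty or a placeholder")
    return findings

# Constructed sample inputs, trimmed to the elements the procedure touches.
REPORTER = ("<Configuration><SignInPageProductDefaultUrl><Scheme>https</Scheme>"
            "<Port>443</Port></SignInPageProductDefaultUrl></Configuration>")
START_INI = "--module=ssl\n--module=https\n# --module=http\n"
JETTY_SSL = '<Configure><Set name="port">8382</Set></Configure>'
SSL_CONTEXT = "<Configure>" + "".join(
    f'<Set name="{k}">{v}</Set>' for k, v in [
        ("KeyStoreType", "pkcs12"), ("TrustStoreType", "pkcs12"),
        ("KeyStorePassword", PLACEHOLDER), ("KeyManagerPassword", PLACEHOLDER),
        ("TrustStorePassword", PLACEHOLDER)]) + "</Configure>"

if __name__ == "__main__":
    for finding in audit(REPORTER, START_INI, JETTY_SSL, SSL_CONTEXT):
        print(finding)
```

On the constructed sample, which copies the placeholder passwords from the snippet in step 7, the audit reports the three password entries. To check a real installation, pass the text of the four files under install_path instead.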
