CA Unified Infrastructure Management - 8.5.1

Configure HTTPS in Admin Console or UMP

Last update January 10, 2018

This article describes how to configure a Secure Sockets Layer (SSL) connection to access UMP or Admin Console using HTTPS. It provides instructions for setting up a self-signed certificate, authority-signed certificate, or wildcard certificate.

We recommend that you consult your network security engineers and compliance specialists regarding your specific security requirements. In general, industry-standard security requirements mandate the use of SSL encryption for client/server communications on an untrusted network. This includes the following situations:

  • If users access UMP or Admin Console using a public network, such as the Internet
  • If sessions traverse an unsecured part of your network, such as wireless networks in meeting rooms or in public-access areas
  • If sessions traverse mobile networks

Note: For high-security environments, we recommend using at least 2048-bit encryption. However, using longer RSA keys significantly affects the speed of encryption and decryption.

Prerequisites

Verify the following prerequisites before continuing:

  • You are an administrative user with access to Infrastructure Manager.

  • Your environment is configured to run keytool commands if you plan to use a certificate other than a 1024-bit self-signed certificate. This means that the $PATH system variable includes a path to java.exe and keytool.
  • Due to the security policies on some operating systems, you might have to run the keytool commands as an administrator.

    Important! If running the keytool commands gives unexpected results on Windows systems, use the Run as Administrator option.

Upgrade Pre-Existing Self-Signed Certificates to Java 1.8

The Java version was updated to Java 1.8 starting with CA UIM version 8.5.1. You must upgrade any self-signed certificates generated by CA UIM from previous CA UIM versions. If you do not upgrade the pre-existing certificates, HTTPS connections to Admin Console or UMP will not work due to the change in security encryption levels in Java 1.8.

Follow these steps:

  1. Repeat the following steps for each instance of wasp that you configured for HTTPS.
  2. On the robot with wasp, navigate to the wasp.keystore file in <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.
  3. Delete the wasp.keystore file.
  4. Restart wasp on the robot. The wasp.keystore file is regenerated according to the SHA256 algorithm standard.
  5. Verify that you can reestablish browser connectivity to the system. Accept any prompts to accept the new self-signed certificate in your browser.

HTTPS Redirect and Admin Console 

Admin Console does not support the use of an HTTPS redirect. You must access Admin Console directly using the HTTPS:// URL. You can also disable the HTTP port for Admin Console. 

You can also change your wasp configuration using Admin Console. However, you are automatically logged out of Admin Console when wasp restarts.

Follow these steps:

  1. Use Remote Desktop to connect to the UIM or UMP server.
  2. Open Infrastructure Manager.
  3. Navigate to the robot running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, select the http_port key, and click Delete Key.

  6. Restart the wasp probe.

After the wasp probe restarts, you will be unable to access Admin Console using HTTP.

Implement a 1024-Bit Self-Signed SSL Certificate

This section provides instructions for configuring UMP to use a 1024-bit self-signed SSL certificate.

Modify wasp to Use HTTPS

Note: If you are configuring HTTPS for UMP, modify the wasp probe on the UMP server. If you are configuring HTTPS for Admin Console, modify the wasp probe on the UIM server.

Regardless of the certificate you want to implement, the first required step is to modify the wasp.cfg file to enable HTTPS. When this change takes effect, the following actions occur:

  • The wasp.keystore file, an encrypted file that stores certificates, is generated in the directory <UMP or UIM server installation>/UIM/probes/service/wasp/conf
  • A 1024-bit self-signed certificate is automatically generated in wasp.keystore

Follow these steps:

  1. Use Remote Desktop to connect to the UIM or UMP server.
  2. Open Infrastructure Manager.
  3. Navigate to the robot running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, locate the https_port key, and click Edit Key to specify a port. If necessary, click New Key and enter https_port.

    Note: The maximum port value that you can set is 65535.

  6. Edit the https_max_threads key to configure the number of concurrent https requests. The default value is 500.
  7. Restart the wasp probe.
    After the wasp probe restarts, wasp is configured to use an HTTPS connection, and the wasp.keystore file is generated. This file is located in <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.

(Optional) Change the HTTPS Ciphers

If necessary, you can customize the list of ciphers that are used by the wasp probe.

Follow these steps:

  1. Navigate to the system where wasp is installed.
  2. Navigate to the wasp.cfg file located in the following location:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  3. Open the wasp.cfg file in a text editor.
  4. Locate the https_ciphers key. By default, the https_ciphers key lists several values.
  5. Change the https_ciphers key to use the desired ciphers. Refer to the SSL documentation for a list of available cipher suites.
  6. Restart the wasp probe.

Test the HTTPS Connection

Note: Self-signed certificates can cause some browser errors or notifications, such as "Your connection is not private" or "The identity of this website has not been verified." These are normal messages and can be prevented by importing the certificate to the browser (though not all browsers allow this). To avoid these messages altogether, you must use a certificate from a certificate authority.

Follow these steps:

  1. Open a supported Web browser.
  2. Enter https:// followed by the URL for UMP or Admin Console.

The login page appears if wasp configuration was successfully modified to use HTTPS.

Note: You can click the lock icon to the left of the URL in the browser address window to view information about the connection.

(UMP Only) Set Automatic HTTP to HTTPS Redirect

Follow these steps:

  1. Open the following file for editing:
    <UMP server_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/classes/portal-ext.properties.
  2. Add the following line at the bottom of the file:

    web.server.protocol=https
  3. Save the portal-ext.properties file.
  4. Open the following file for editing:
    <UMP or UIM server_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/web.xml.
  5. Add the following lines before </web-app>:

    <security-constraint>
       <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
    </security-constraint>
  6. Save the web.xml file.

  7. Open the following file for editing:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg

  8. Add the following lines before </setup>:

    <http_connector>
       redirectPort=<desired port>
    </http_connector>

    where <desired port> matches the https_port key defined in the subsection Modify wasp to Use HTTPS.

    Note: Be sure to include the redirect code within the <setup> section.

  9. Save the wasp.cfg file.

  10. Activate the wasp probe.

Implement a 2048-Bit Self-Signed SSL Certificate

This section provides instructions for configuring UMP to use a 2048-bit self-signed SSL certificate.

Download OpenSSL for Windows

To begin the process, you must have a copy of OpenSSL on the system.

Follow these steps:

  1. Use Remote Desktop to connect to the system server.

    Note: If you are configuring SSL for UMP, modify the wasp probe on the UMP server. If you are configuring SSL for Admin Console, modify the wasp probe on the UIM server.

  2. Navigate to http://gnuwin32.sourceforge.net/packages/openssl.htm.
  3. Download the executable http://downloads.sourceforge.net/gnuwin32/openssl-0.9.8h-1-setup.exe.
  4. Run the executable to install the package.

Modify wasp to Use HTTPS

Note: If you are configuring HTTPS for UMP, modify the wasp probe on the UMP server. If you are configuring HTTPS for Admin Console, modify the wasp probe on the UIM server.

Regardless of the certificate you want to implement, the first required step is to modify the wasp.cfg file to enable HTTPS. When this change takes effect, the following occurs:

  • The wasp.keystore file, an encrypted file that stores certificates, is generated in the directory <UMP or UIM server installation>/UIM/probes/service/wasp/conf
  • A 1024-bit self-signed certificate is automatically generated in wasp.keystore

You must replace the automatically generated 1024-bit self-signed certificate with the certificate that you want to use.

Follow these steps:

  1. Use Remote Desktop to connect to the UIM server.
  2. Open Infrastructure Manager.
  3. Navigate to the server running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, locate the https_port key, and click Edit Key to specify a port. If necessary, click New Key and enter https_port.

    Note: The maximum port value that you can set is 65535.

  6. Edit the https_max_threads key to configure the number of concurrent https requests. The default value is 500.
    After the wasp probe restarts, wasp is configured to use an HTTPS connection, and the wasp.keystore file is generated. This file is located in <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.

(Optional) Change the HTTPS Ciphers

If necessary, you can customize the list of ciphers that are used by the wasp probe.

Follow these steps:

  1. Navigate to the system where wasp is installed.
  2. Navigate to the wasp.cfg file located in the following location:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  3. Open the wasp.cfg file in a text editor.
  4. Locate the https_ciphers key. By default, the https_ciphers key lists several values.
  5. Change the https_ciphers key to use the desired ciphers. Refer to the SSL documentation for a list of available cipher suites.
  6. Restart the wasp probe.

Reinitialize wasp.keystore

The wasp probe is an embedded web server running as a probe. Modifying the wasp probe to use HTTPS creates the wasp.keystore file. To use SSL, you must regenerate this file. To regenerate the file, you must:

  1. Locate and delete the existing file from the fileset.
  2. Run a probe utility command to reinitialize the file.

Important! Only perform the following steps if you are NOT using a 1024-bit self-signed certificate, and at least one of the following statements is true:

  • You do not know the password of wasp.keystore.
  • This is the first time that you are configuring UMP to use HTTPS.

You must configure the associated wasp probes for Admin Console and UMP servers to fully configure HTTPS.

Note: If you are running the UIM and UMP servers on the same system, there is only one wasp probe that must be configured to enable HTTPS on both Admin Console and UMP.

In addition, you must enter a valid password for wasp.keystore. However, wasp.keystore has a hard-coded, unknown password. Therefore, the first time you configure wasp for HTTPS, it is recommended that you execute the ssl_reinitialize_keystore callback and set a new password.

The ssl_reinitialize_keystore callback re-creates wasp.keystore and its password hash. When you run this callback, enter a new password as an argument, and then securely store the new password for future use. If you lose or forget this password, the only way to reset it is to reinitialize wasp.keystore again.

Important! Use caution with the ssl_reinitialize_keystore callback. This callback changes the encryption hash of wasp.keystore, and will invalidate any certificates you are currently using. For this reason, it is strongly recommended that you back up individual key and certificate files, so that if you have to reinitialize the keystore, you can reload the keys and certificates into the new keystore.

In addition, do not use the keytool utility to change the password of wasp.keystore, as wasp will not recognize the new password. Currently, the only way to change the password of wasp.keystore is to use the ssl_reinitialize_keystore callback.

Follow these steps:

  1. Use Remote Desktop to connect to the appropriate server.
  2. Open Infrastructure Manager.
  3. Navigate to the robot running the wasp probe.
  4. Open the actions menu for the probe and select 'Deactivate'.
  5. In the fileset, navigate to /Nimsoft/probes/service/wasp/conf and delete the file wasp.keystore.
  6. In Infrastructure Manager, open the actions menu and select 'Restart'.
  7. In Infrastructure Manager, click on the wasp probe to highlight it.
  8. Press Ctrl+<P> to open the probe utility.
  9. In the drop-down list under Probe commandset, select ssl_reinitialize_keystore.
  10. Enter a new password as an argument.

    Note: Use a password that is at least six characters long. The wasp probe utility will not prevent you from using a shorter password, but you will be unable to make changes to the wasp.keystore file as described later.

  11. Click the green Execute button to run the callback.
    The Command status bar displays the text OK.
  12. Securely record the password that you set for future use.

Generate a Public and Private Key Pair

To generate a new certificate, you must delete the existing 1024-bit certificate, create a public and private key pair, and create a new certificate. Enter keytool commands at a command prompt in the same directory as the wasp.keystore file, typically <UMP or UIM server_installation>/Nimsoft/probes/service/wasp/conf. The keytool utility is located in the directory where the JRE resides, typically <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool.

Follow these steps:

  1. Open an administrator command prompt on the server running wasp and navigate to the wasp configuration directory.

  2. Verify that you have a valid password for the wasp.keystore file:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore wasp.keystore
  3. Delete the current 1024-bit certificate:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -delete -alias wasp -keystore wasp.keystore

     
  4. Verify that the key was deleted:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore wasp.keystore
  5. Generate the public and private key pair with the key size you require. The valid period is set in calendar days: for example, 365 represents one calendar year.

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize 2048 -keystore wasp.keystore  -validity <days_cert_is_valid>
  6. When prompted for your first and last name, enter the FQDN.
  7. When prompted, provide entries for the following fields:
    • Organizational unit
    • Organization
    • City or Locality
    • State or Province
    • Two-letter country code

    You are prompted to confirm that the information you entered is correct.

  8. Generate a certificate signing request for the certificate:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -certreq -alias wasp -validity 365 -keystore wasp.keystore -file wasp.csr 

     

Export the Private Key

Next, export the private key from the keystore so that you can use it to generate a self-signed certificate. You will need to enter the keystore password which you noted in a previous step in the appropriate fields.

Follow these steps:

  1. Create a file called wasp.keystore.p12 in the wasp/conf folder:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -importkeystore -srckeystore wasp.keystore -srcstorepass (keystore password) -srckeypass (keystore password) -destkeystore wasp.keystore.p12 -deststoretype PKCS12 -srcalias wasp -deststorepass (keystore password) -destkeypass (keystore password)


  2. Change the location for the command to "C:\Program Files (x86)\GnuWin32\bin\openssl".

  3. Export the private key from this .p12 file to create a wasp.key file in the wasp/conf folder: 

    "C:/Program Files (x86)/GnuWin32/bin/openssl" pkcs12 -in wasp.keystore.p12 -passin pass:(keystore password) -nocerts -out wasp.key -passout pass:(keystore password)


Generate and Import the Certificate

Generate the certificate with the key created in the previous steps.

Follow these steps:

  1. Create a wasp.cer file in the wasp/conf folder, which is our certificate:

    "C:/Program Files (x86)/GnuWin32/bin/openssl" req -x509 -sha256 -days 365 -key wasp.key -in wasp.csr -out wasp.cer
  2. Change the location for the command and import the certificate:

    <UMP or UIM server_installation>/jre/jre8u102/bin/keytool.exe -import -trustcacerts -alias wasp -file wasp.cer -keystore wasp.keystore

Test the HTTPS Connection

Note: Self-signed certificates can cause some browser errors or notifications, such as "Your connection is not private" or "The identity of this website has not been verified." These are normal messages and can be prevented by importing the certificate to the browser (though not all browsers allow this). To avoid these messages altogether, you must use a certificate from a certificate authority.

Follow these steps:

  1. Open a supported Web browser.
  2. Enter https:// followed by the URL for UMP or Admin Console.

The login page appears if wasp configuration was successfully modified to use HTTPS.

Note: You can click the lock icon to the left of the URL in the browser address window to view information about the connection.

Record Certificate Information

Follow these steps:

  1. Securely record the new password that you set for the wasp.keystore file.
  2. Ensure that you record the validity period you set for the certificate.
  3. Back up the certificate files to a secure location.

(UMP Only) Set Automatic HTTP to HTTPS Redirect

Follow these steps:

  1. Open the following file for editing:
    <UMP_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/classes/portal-ext.properties.
  2. Add the following line at the bottom of the file:

    web.server.protocol=https
  3. Save the portal-ext.properties file.
  4. Open the following file for editing:
    <UMP or UIM server_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/web.xml.
  5. Add the following lines before </web-app>:

    <security-constraint>
       <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
    </security-constraint>
  6. Save the web.xml file.

  7. Open the following file for editing:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg

  8. Add the following lines before </setup>:

    <http_connector>
       redirectPort=<desired port>
    </http_connector>

    where <desired port> matches the https_port key defined in the subsection Modify wasp to Use HTTPS.

    Note: Be sure to include the redirect code within the <setup> section.

  9. Save the wasp.cfg file.

  10. Activate the wasp probe.

Implement an Authority-Signed SSL Certificate

Entity, Intermediate, and Root Certificates

A number of certificate authorities issue intermediate, or chained certificates. If your certificate authority issues chained certificates, you will typically receive the following certificate files:

  • An entity certificate
  • One or more intermediate certificates
  • A root certificate might be included

You must upload the entity certificate and any intermediate certificates your certificate authority provides. You might not need to upload a root certificate. This is because the UIM installation automatically installs a Java Runtime Environment (JRE) that includes the root certificates of many certificate authorities. However, your certificate authority may provide a new root certificate and advise that you upload it.

You can view the root certificates installed automatically with the JRE during the UIM installation.

Follow these steps:

  1. Open an administrator command prompt on the server running UMP.
  2. Change directories as follows:

    cd <UMP or UIM server_installation>/jre/<jre_version>/lib/security

  3. Issue the following command:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore cacerts

    The system prompts you to enter the keystore password. After you enter a valid password, the system displays the default root certificates in the cacerts file.

Modify wasp to Use HTTPS

Note: If you are configuring HTTPS for UMP, modify the wasp probe on the UMP server. If you are configuring HTTPS for Admin Console, modify the wasp probe on the UIM server.

Regardless of the certificate you want to implement, the first required step is to modify the wasp.cfg file to enable HTTPS. When this change takes effect, the following occurs:

  • The wasp.keystore file, an encrypted file that stores certificates, is generated in the directory <UMP or UIM server installation>/UIM/probes/service/wasp/conf
  • A 1024-bit self-signed certificate is automatically generated in wasp.keystore

You must replace the automatically generated 1024-bit self-signed certificate with the certificate that you want to use.

Follow these steps:

  1. Use Remote Desktop to connect to the UIM server.
  2. Open Infrastructure Manager.
  3. Navigate to the server running the wasp probe.
  4. Press the Ctrl key as you right-click the wasp probe, and then select Raw Configure.
  5. With the setup section highlighted, locate the https_port key, and click Edit Key to specify a port. If necessary, click New Key and enter https_port.

    Note: The maximum port value you can set is 65535.

  6. Edit the https_max_threads key to configure the number of concurrent https requests. The default value is 500.
    After the wasp probe restarts, wasp is configured to use an HTTPS connection, and the wasp.keystore file is generated. This file is located in <nimsoft_home>\probes\service\wasp\conf\wasp.keystore.

(Optional) Change the HTTPS Ciphers

If necessary, you can customize the list of ciphers that are used by the wasp probe.

Follow these steps:

  1. Navigate to the system where wasp is installed.
  2. Navigate to the wasp.cfg file located in the following location:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg
  3. Open the wasp.cfg file in a text editor.
  4. Locate the https_ciphers key. By default, the https_ciphers key lists several values.
  5. Change the https_ciphers key to use the desired ciphers. Refer to the SSL documentation for a list of available cipher suites.
  6. Restart the wasp probe.

Reinitialize wasp.keystore

Important! Only perform the following steps if you are not using a 1024-bit self-signed certificate, and at least one of the following statements is true:

  • You do not know the password of wasp.keystore.
  • This is the first time that you are configuring UMP to use HTTPS.

If neither of the above statements is true, review the section Wasp and the ssl_reinitialize_keystore Callback before continuing.

You must configure the associated wasp probes for Admin Console and UMP to fully configure HTTPS. The wasp probe is an embedded web server running as a probe.

Note: If you are running the UIM and UMP servers on the same system, there is only one wasp probe that must be configured to enable HTTPS on both Admin Console and UMP.

In addition, you must enter a valid password for wasp.keystore. However, wasp.keystore has a hard-coded, unknown password. Therefore, the first time you configure wasp for HTTPS, it is recommended that you execute the ssl_reinitialize_keystore callback and set a new password.

The ssl_reinitialize_keystore callback re-creates wasp.keystore and its password hash. When you run this callback, enter a new password as an argument, and then securely store the new password for future use. If you lose or forget this password, the only way to reset it is to reinitialize wasp.keystore again.

Important! Use caution with the ssl_reinitialize_keystore callback. This callback changes the encryption hash of wasp.keystore, and will invalidate any certificates you are currently using. For this reason, it is strongly recommended that you back up individual key and certificate files, so that if you have to reinitialize the keystore, you can reload the keys and certificates into the new keystore.

In addition, do not use the keytool utility to change the password of wasp.keystore, as wasp will not recognize the new password. Currently, the only way to change the password of wasp.keystore is to use the ssl_reinitialize_keystore callback.

Follow these steps:

  1. Open Infrastructure Manager.
  2. Navigate to the server running the wasp probe.
  3. Click on the wasp probe to highlight it.
  4. Press Ctrl+<P> to open the probe utility.
  5. In the drop-down list under Probe commandset, select ssl_reinitialize_keystore.
  6. Enter a new password as an argument.

    Note: Use a password that is at least six characters long. The wasp probe utility will not prevent you from using a shorter password, but you will be unable to make changes to the wasp.keystore file as described later.

  7. Click the green play button to run the callback.
    The Command status bar displays the text OK.
  8. Securely record the password you set for future use.

Generate a Public and Private Key Pair

Follow these steps:

  1. Open an administrator command prompt on the server running wasp.

    Note: Run the following keytool commands in the same directory as the wasp.keystore file, typically <UMP or UIM server_installation>/probes/service/wasp/conf. The keytool utility is located in the directory where the JRE resides, typically <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool.

  2. Verify that you have a valid password for the wasp.keystore file:

    <UMP_installation>/jre/<jre_version>/bin/keytool -list -keystore wasp.keystore
  3. Delete the automatically generated private key:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -delete -alias wasp -keystore wasp.keystore
    
  4. Verify that the key was deleted:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore wasp.keystore
  5. Generate the public and private key pair with the key size you require:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize <key_size> -keystore wasp.keystore  -validity <days_cert_is_valid>
  6. When prompted for your first and last name, enter the FQDN.
  7. When prompted, provide entries for the following fields:
    • Organizational unit
    • Organization
    • City or Locality
    • State or Province
    • Two-letter country code

    You are prompted to confirm that the information you entered is correct.

Record Certificate Information

Follow these steps:

  1. Securely record the new password that you set for the wasp.keystore file.
  2. Ensure that you record the validity period you set for the certificate.
  3. Back up the certificate files to a secure location.

Generate and Submit a CSR

Note: For a wildcard certificate, enter <your_domain>.csr as the last argument in this command.

Follow these steps:

  1. Generate a Certificate Signing Request (CSR):

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -certreq -alias wasp -validity <days_cert_is_valid> -keystore wasp.keystore -file <your_domain>.csr

    Note: The CSR is built with the public keys that are generated by using the RSA key algorithm. Therefore, the certificates from the certificate authority must be built with the key encipherment ("Allows key exchange only with key encryption") encryption option.

  2. (Optional) Create a backup copy of the wasp.keystore. This is not a required step, but it is strongly recommended. In the event you encounter a problem later in this procedure, a backup copy of the wasp.keystore file will save you from having to repeat previous steps.

  3. Submit the CSR to the certificate authority:

    1. Paste the CSR into the web form of the certificate authority.

    2. Remove any characters before -----BEGIN CERTIFICATE REQUEST----- and after -----END CERTIFICATE REQUEST-----.

Import the Certificates

Note: All keystore entries must use a unique alias. You must use the alias wasp for the signed, or entity certificate. If your certificate authority provides multiple intermediate certificates, each intermediate certificate must also use a unique alias.

Follow these steps:

  1. Open an administrator command prompt on the server running UMP.

    Note: Run the following keytool commands in the same directory as the wasp.keystore file, typically <UMP or UIM server_installation>/probes/service/wasp/conf. The keytool utility is located in the directory where the JRE resides, typically <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool.

  2. If your certificate authority provided a root certificate, import the root certificate:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -import -trustcacerts -alias <root_certificate> -file  <root_certificate>.cer -keystore wasp.keystore
  3. Import the intermediate certificate:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -import -trustcacerts -alias <first_intermediate_certificate> -file <first_intermediate_certificate>.cer -keystore wasp.keystore
  4. Repeat the previous step as needed for additional intermediate certificates.
  5. Import the signed certificate. This is the entity certificate if you received a chained certificate:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool  -import  -trustcacerts  -alias wasp  -file <your_domain>.crt  -keystore wasp.keystore
  6. Click yes at the prompt Existing entry alias wasp exists, overwrite?
  7. Issue the following command to verify that the wasp.keystore file was updated:

    <UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -list -keystore wasp.keystore
    
  8. Restart the wasp probe.
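
The keytool -list check in step 7 shows only that the aliases exist. The following added example (not CA's code) reads the verbose listing produced by keytool -list -v -keystore wasp.keystore and confirms that alias wasp is still a private key entry with the issuer chain attached and a SHA-256 class signature. It assumes English-locale keytool output saved as text; the function names and both listings are constructed and abridged for illustration.

```python
import re


def parse_keytool_list(output):
    """Split `keytool -list -v` text into one dict per keystore entry."""
    entries = []
    current = None
    for line in output.splitlines():
        line = line.strip()
        alias = re.match(r"Alias name: (.+)", line)
        if alias:
            current = {"alias": alias.group(1), "type": None, "chain": 0, "certs": []}
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Entry type: "):
            current["type"] = line.split(": ", 1)[1]
        elif line.startswith("Certificate chain length: "):
            current["chain"] = int(line.split(": ", 1)[1])
        elif line.startswith("Owner: "):
            current["certs"].append({"owner": line[len("Owner: "):]})
        elif line.startswith("Issuer: ") and current["certs"]:
            current["certs"][-1]["issuer"] = line[len("Issuer: "):]
        elif line.startswith("Signature algorithm name: ") and current["certs"]:
            current["certs"][-1]["sigalg"] = line.split(": ", 1)[1]
    return entries


def check_wasp_entry(output, ca_signed=True):
    """Return findings for the alias wasp entry; an empty list means it looks right."""
    entries = {e["alias"]: e for e in parse_keytool_list(output)}
    wasp = entries.get("wasp")
    if wasp is None:
        return ["no entry with alias wasp"]
    if wasp["type"] != "PrivateKeyEntry":
        # The certificate was imported into a keystore that no longer holds the
        # key pair the CSR came from (for example after a reinitialize).
        return ["alias wasp is %s, so no private key is stored with it" % wasp["type"]]
    certs = wasp["certs"]
    if not certs:
        return ["alias wasp has no certificate"]
    findings = []
    leaf = certs[0]
    if ca_signed and leaf.get("owner") == leaf.get("issuer"):
        findings.append("alias wasp still holds the self-signed certificate")
    if ca_signed and wasp["chain"] < 2:
        findings.append("chain length %d, issuer certificates are not attached" % wasp["chain"])
    for index, cert in enumerate(certs):
        # A root's self-signature is not relied on, so only the leaf and the
        # intermediates are checked for a legacy signature hash.
        if index > 0 and cert.get("owner") == cert.get("issuer"):
            continue
        if re.match(r"(MD5|SHA1)with", cert.get("sigalg", ""), re.I):
            findings.append("Certificate[%d] signed with %s" % (index + 1, cert["sigalg"]))
    return findings


# Constructed, abridged listings (fingerprints, dates and extensions omitted).
CA_SIGNED = """
Keystore type: JKS
Your keystore contains 2 entries

Alias name: intermediate1
Entry type: trustedCertEntry
Owner: CN=Example Issuing CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
Signature algorithm name: SHA256withRSA
*******************************************
Alias name: wasp
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ump.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example CA
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
Signature algorithm name: SHA256withRSA
"""

SELF_SIGNED_SHA1 = """
Alias name: wasp
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ump.example.com, O=Example
Issuer: CN=ump.example.com, O=Example
Signature algorithm name: SHA1withRSA
"""

if __name__ == "__main__":
    for name, listing in (("CA signed", CA_SIGNED), ("self-signed", SELF_SIGNED_SHA1)):
        print(name, check_wasp_entry(listing))
```

Call check_wasp_entry with ca_signed=False when the keystore is expected to hold a self-signed certificate, so that only the entry type and signature hash are checked.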

Test the HTTPS Connection

Note: Self-signed certificates can cause some browser errors or notifications, such as "Your connection is not private" or "The identity of this website has not been verified." These are normal messages and can be prevented by importing the certificate to the browser (though not all browsers allow this). To avoid these messages altogether, you must use a certificate from a certificate authority.

Follow these steps:

  1. Open a supported Web browser.
  2. Enter https:// followed by the URL for UMP or Admin Console.

The login page appears if wasp configuration was successfully modified to use HTTPS.

Note: You can click the lock icon to the left of the URL in the browser address window to view information about the connection.

(UMP Only) Set Automatic HTTP to HTTPS Redirect

Follow these steps:

  1. Open the following file for editing:
    <UMP_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/classes/portal-ext.properties.
  2. Add the following line at the bottom of the file:

    web.server.protocol=https
  3. Save the portal-ext.properties file.
  4. Open the following file for editing:
    <UMP or UIM server_installation>/Nimsoft/probes/service/wasp/webapps/ROOT/WEB-INF/web.xml.
  5. Add the following lines before </web-app>:

    <security-constraint>
       <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
    </security-constraint>
  6. Save the web.xml file.

  7. Open the following file for editing:
    <UMP or UIM server_Installation>\Nimsoft\probes\service\wasp\wasp.cfg

  8. Add the following lines before </setup>:

    <http_connector>
       redirectPort=<desired port>
    </http_connector>

    where <desired port> matches the https_port key defined in the subsection Modify wasp to Use HTTPS.

    Note: Be sure to include the redirect code within the <setup> section.

  9. Save the wasp.cfg file.

  10. Activate the wasp probe.

(Optional) Access CABI Server

Additional configuration is required if you are using the CABI for UIM dashboards. For more information, see the (Optional) Access CABI Server with HTTPS section in CA Business Intelligence with CA UIM.

 
 



  1. John Roncaglione
    2017-12-06 08:50

    A good note to include: when using the RSA algorithm for creating the public and private key pair, the certificate from the certificate authority must be created with the "Allow key exchange only with key encryption" option.

    1. Cynthia Timko
      2017-12-08 08:34

      Hi John,

      Thanks for providing this tip! We will take another look at this topic and see where we can add this info.

      DE333487

    1. Medikonda, Sandeep Samuel
      2018-08-27 03:30

      Hi John Roncaglione, we are closing the loop on this one. We now have a note to clarify the above scenario.

      -Documentation Team