Enabling HTTPS protocol

This topic describes the configuration that is required to enable the HTTPS protocol.

Before you begin

You must back up the following files:
  • $WMCROOT/as/server/default/deploy/jbossweb-tomcat55.sar/server.xml
  • $WMCROOT/as/server/default/deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml
  • $WMCROOT/as/server/default/deploy/http-invoker.sar/META-INF/jboss-service.xml

Procedure

  1. Edit the $WMCROOT/as/server/default/deploy/jbossweb-tomcat55.sar/server.xml to comment out the HTTP/1.1 Connector block as follows:
    <!-- A HTTP/1.1 Connector on port 8080
    <Connector port="${vallent.as.web.http.port}" address="${jboss.bind.address}"
    maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    enableLookups="false" redirectPort="${vallent.as.web.redirect.port}" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true" compression="200000"
    compressableMimeType="text/html,text/xml,text/css,text/plain,text/javascript,
    application/javascript,application/x-javascript,image/png,image/jpg,image/gif,     
    application/x-amf,application/java-archive"
    />
    -->
    Add the following lines:
    <Connector port="${vallent.as.web.http.port}" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true" algorithm="IbmX509"
    enableLookups="false" redirectPort="${vallent.as.web.redirect.port}" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true" compression="200000"
    compressableMimeType="text/html,text/xml,text/css,text/plain,text/javascript,
    application/javascript,application/x-javascript,image/png,image/jpg,image/gif,
    application/x-amf,application/java-archive"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
    keystorePass="changeit" sslProtocol="TLS"
    />
  2. Update the $WMCROOT/as/server/default/deploy/http-invoker.sar/invoker.war/WEB-INF/web.xml to change the value of the type attribute in the following block from http to https:
    <param-value>jboss:service=invoker,type=https</param-value>
    <param-value>jboss:service=invoker,type=https,target=Naming</param-value>
    <param-value>jboss:service=invoker,type=https,target=Naming,readonly=true</param-value>
  3. Update the $WMCROOT/as/server/default/deploy/http-invoker.sar/META-INF/jboss-service.xml to change the value of the type and InvokerURLPrefix attributes to https in the following mbean blocks:
    <mbean code="org.jboss.invocation.http.server.HttpInvoker"
        name="jboss:service=invoker,type=https">
    <attribute name="InvokerURLPrefix">https://</attribute>

    <mbean code="org.jboss.invocation.http.server.HttpProxyFactory"
        name="jboss:service=invoker,type=https,target=Naming">
    <attribute name="InvokerURLPrefix">https://</attribute>

    <mbean code="org.jboss.invocation.http.server.HttpProxyFactory"
        name="jboss:service=invoker,type=https,target=Naming,readonly=true">
    <attribute name="InvokerURLPrefix">https://</attribute>
    For example:
    <!-- Expose the Naming service interface via HTTP -->
    <mbean code="org.jboss.invocation.http.server.HttpProxyFactory"
        name="jboss:service=invoker,type=https,target=Naming">
      <!-- The Naming service we are proxying -->
      <attribute name="InvokerName">jboss:service=Naming</attribute>
      <!-- Compose the invoker URL from the cluster node address -->
      <attribute name="InvokerURLPrefix">https://</attribute>
      <attribute name="InvokerURLSuffix">:${vallent.as.web.http.port}/invoker/JMXInvokerServlet</attribute>
      <attribute name="UseHostName">true</attribute>
      <attribute name="ExportedInterface">org.jnp.interfaces.Naming</attribute>
      <attribute name="JndiName" />
      <attribute name="ClientInterceptors">
        <interceptors>
          <interceptor>org.jboss.proxy.ClientMethodInterceptor</interceptor>
          <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
          <interceptor>org.jboss.naming.interceptors.ExceptionInterceptor</interceptor>
          <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
        </interceptors>
      </attribute>
    </mbean>
    
  4. Run the following command as user virtuo to generate the keystore. Enter changeit as the password and localhost as the first and last name:
    $WMCROOT/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore \
    $WMCROOT/as/server/default/conf/server.keystore -validity 36500
    
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
    [Unknown]:
    localhost
    What is the name of your organizational unit?
    [Unknown]:
    What is the name of your organization?
    [Unknown]:
    What is the name of your City or Locality?
    [Unknown]:
    What is the name of your State or Province?
    [Unknown]:
    What is the two-letter country code for this unit?
    [Unknown]:
    Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? 
    (type "yes" or "no")
    [no]: yes
    
    Enter key password for <tomcat>: 
    (RETURN if same as keystore password):
  5. Add the certificate to the Java keystore when you set up SSL. To export the certificate to a file, use the following command:
    $WMCROOT/jre/bin/keytool -export -alias tomcat -storepass changeit -file \
    $WMCROOT/tomcat.cer -keystore $WMCROOT/as/server/default/conf/server.keystore
    The output of the command is as follows:
    
    Certificate stored in file </appl/virtuo/tomcat.cer>
    
    Import the certificate to the Java keystore as the root user by using the following commands:
    su - root
    cd /appl/virtuo/jre/lib/security
    /appl/virtuo/jre/bin/keytool -import -alias tomcat -keystore \
    cacerts -file /appl/virtuo/tomcat.cer
    The output of the command is as follows:
    
    Enter keystore password:
    Re-enter new password:
    Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: 5208911e
    Valid from: 8/12/13 1:09 PM until: 7/19/13 1:09 PM
    Certificate fingerprints:
    MD5: F4:2C:D8:F4:82:47:17:62:46:65:39:FD:C8:B4:8F:32
    SHA1: 15:83:FD:7E:64:05:23:4D:BD:C3:B6:E7:A6:59:CD:72:B0:26:25:26
    Trust this certificate? [no]: yes
    Certificate was added to keystore
    
  6. Stop and start the Application Server by using the following commands:
    sap stop as
    sap start as
  7. Optional: Right-click the Active Events List in OMNIbus Web GUI to run the Tivoli Netcool Performance Manager defined JavaScript file. The location of this file is specified in Integrating Tivoli Netcool/OMNIbus Web GUI for Wireless. In the tnpmforwireless.cgi file, update the var _protocol value to HTTPS as follows:
    var _protocol="https://";
  8. Start sqlplus as the virtuo user:
    sqlplus virtuo/virtuo_password@vtdb
  9. Run the following commands to update the links when you switch the protocol from HTTP to HTTPS:
    SQL> update alarm_alarms set additional_text = replace(additional_text, 'http','https') where substr(additional_text,1,5) = 'http:';
    SQL> commit;

Results

After HTTPS is enabled, start the web browser and open the following URL:
https://<hostname>:<port>/tnpmw/login.do
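
A consistency check for the edits in steps 1 and 3, given here as an added example that is not part of the original procedure or of the product's tooling. It parses server.xml and jboss-service.xml content and reports connectors that still serve plain HTTP, invoker mbeans that were left on http, and a keystorePass that is still the example value. The embedded XML is constructed sample input and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
# Constructed samples modelled on the fragments in steps 1 and 3 (not real files).
SERVER_XML = """<Server><Service name="jboss.web">
<!-- <Connector port="${vallent.as.web.http.port}" address="${jboss.bind.address}"/> -->
<Connector port="${vallent.as.web.http.port}" address="${jboss.bind.address}"
  scheme="https" secure="true" clientAuth="false" algorithm="IbmX509"
  keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
  keystorePass="changeit" sslProtocol="TLS"/>
</Service></Server>"""
SERVICE_XML = """<server>
<mbean code="org.jboss.invocation.http.server.HttpInvoker"
       name="jboss:service=invoker,type=https">
  <attribute name="InvokerURLPrefix">https://</attribute></mbean>
<mbean code="org.jboss.invocation.http.server.HttpProxyFactory"
       name="jboss:service=invoker,type=http,target=Naming">
  <attribute name="InvokerURLPrefix">http://</attribute></mbean>
</server>"""

def audit_connectors(xml_text):
    """Findings for every active Connector; XML comments are skipped by the parser."""
    findings = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        port = c.get("port", "?")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"connector {port}: still plain HTTP")
            continue
        if c.get("keystorePass") == "changeit":
            findings.append(f"connector {port}: keystorePass is the documented example value")
    return findings

def audit_invokers(xml_text):
    """Findings for invoker mbeans that step 3 did not fully switch to HTTPS."""
    findings = []
    for m in ET.fromstring(xml_text).iter("mbean"):
        name = m.get("name", "")
        if "service=invoker" not in name:
            continue
        if name != "".join(name.split()):
            findings.append(f"{name!r}: whitespace in mbean name (line-wrapped attribute?)")
        if "type=https" not in name:
            findings.append(f"{name}: type is not https")
        prefix = (m.findtext("attribute[@name='InvokerURLPrefix']") or "").strip()
        if prefix != "https://":
            findings.append(f"{name}: InvokerURLPrefix is {prefix!r}")
    return findings

if __name__ == "__main__":
    for finding in audit_connectors(SERVER_XML) + audit_invokers(SERVICE_XML):
        print(finding)
```

To check a real installation, pass the contents of the two files that were edited in steps 1 and 3 to the functions instead of the samples.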