InformixHQ setup as Secured Server (SSL)

To use the Secure Sockets Layer (SSL) protocol to encrypt communication with InformixHQ, you will need a keystore and a certificate. You can use the method that best fits your environment for creating the keystore and certificate, for example Java keytool, OpenSSL, or even the IBM Global Security Kit (GSKit).

Steps 1 to 5 explain how to set up InformixHQ as a secured server (SSL) using Java keytool.

Step 6 explains how to use IBM GSKit to create a keystore and a certificate.

  1. Create an SSL keystore with a self-signed certificate.
    • Use the following command to create a JKS keystore with a self-signed certificate on the HQ server at the desired path:
      keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks
    • Modify -alias and -keystore values as needed.
    • You will be prompted to set the keystore password; enter a password of your choice.
    • Note the password, as it will be needed at a later stage.
    • The password can also be set with the -storepass argument of the keytool command given above.
    • Type the HQ server hostname in response to keytool's first prompt, which asks for your first and last name. The InformixHQ agent checks this value when attempting a secured connection.
    • You will then be asked a few more questions about unit, organization, locality, province, and country. Any values are fine.
    • Once all the values are entered, you will be asked for confirmation; type "yes".
    • You will then be asked for the password of the certificate in the keystore. To keep it the same as the keystore password (entered in step 1), press Enter. If you use a different password, note it down for later use.

    For further details on how to generate a JKS self-signed certificate, refer to "How to use keytool to create a server certificate" and "How to create a self signed certificate using Java Keytool".

  2. Note down the path and filename of the SSL keystore just created.
  3. Modify monitoring-server.properties to add or modify the following properties:
    • httpPort=8080
    • httpsPort=8082 (HQ server port serving secured connections)
    • redirectHTTPtoHTTPS=true (if true, redirects http request to https)
    • ssl.keystore.file=<Keystore absolute path with file name>
    • ssl.keystore.password=<password>
    • #ssl.key.password=<password> (Use this only if you have set a different password for the certificate within the keystore)
  4. Now start the InformixHQ server as usual.
  5. Open a browser and enter the following url:
    http://<HQserverhost>:8080 OR https://<HQserverhost>:8082

    If redirectHTTPtoHTTPS is set to true, HTTP requests are automatically redirected to the HTTPS port.

    Note:

    1) Internally, the InformixHQ server uses the self-signed certificate to authenticate secured connections.

    2) You can verify this by providing incorrect values for ssl.keystore.file or ssl.keystore.password in the parameter file monitoring-server.properties. If you then try to access the HQ server from a browser, it will respond with “connection refused.”

    3) On a Windows machine, use double backslashes in the keystore path, such as D:\\SSL\\keystore\\key.jks

  6. If you choose IBM GSKit, use the following commands for creating a keystore with a self-signed certificate:
    gsk8capicmd_64 -keydb -create  -db hq.p12 -pqc false -pw password -type pkcs12 -stash
    gsk8capicmd_64 -cert  -create  -db hq.p12  -dn "CN=hq_label" -label hq_label -stashed
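
A pre-start check for the properties edited in step 3 and the notes under step 5, as an added example that is not part of the original page or IBM's code. The function names are hypothetical, and the file-permission checks are an added assumption based on the keystore password being written into monitoring-server.properties as shown above.

```shell
#!/bin/sh
# Added example, not IBM's code: sanity-check the SSL settings in
# monitoring-server.properties before starting the InformixHQ server.
# Property names are those listed in step 3; function names are made up here.

# prop FILE KEY_REGEX: print the value of the last uncommented KEY=value line.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# others_perm PATH: print the "other users" permission bits, e.g. "r--" or "---".
others_perm() { ls -ld "$1" | cut -c8-10; }

finding() { printf 'FINDING: %s\n' "$1"; bad=1; }

# check_hq_ssl FILE: print one line per finding; return 0 only if there are none.
check_hq_ssl() {
    f=$1; bad=0
    ks=$(prop "$f" 'ssl\.keystore\.file')
    # Note 3: backslashes in a Windows path must be doubled in the properties file.
    if printf '%s' "$ks" | sed 's/\\\\//g' | grep -q '\\'; then
        finding "ssl.keystore.file contains a single backslash; double each one"
    fi
    ks_path=$(printf '%s' "$ks" | sed 's/\\\\/\\/g')   # undo the doubling
    if [ -z "$ks" ] || [ ! -r "$ks_path" ]; then
        finding "ssl.keystore.file is unset or not readable: $ks_path"
    elif [ "$(others_perm "$ks_path")" != "---" ]; then
        finding "keystore is accessible to other users: $ks_path"
    fi
    # The keystore password sits in this file, so the file itself needs protecting.
    if [ -z "$(prop "$f" 'ssl\.keystore\.password')" ]; then
        finding "ssl.keystore.password is unset"
    elif [ "$(others_perm "$f")" != "---" ]; then
        finding "$f holds the keystore password but is accessible to other users"
    fi
    case $(prop "$f" 'httpsPort') in
        ''|*[!0-9]*) finding "httpsPort is unset or not a number" ;;
    esac
    if [ "$(prop "$f" 'redirectHTTPtoHTTPS')" != "true" ]; then
        finding "redirectHTTPtoHTTPS is not true: requests to httpPort are not redirected to HTTPS"
    fi
    return "$bad"
}

if [ "$#" -gt 0 ]; then check_hq_ssl "$1"; fi
```

Run it with the path to monitoring-server.properties as the only argument; a non-zero exit status means at least one finding was printed.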