4.3.15 Changing the settings for encrypted communication between a web browser and the monitoring console server
You can select whether to use encrypted communication to connect from a web browser to the monitoring console server. By default, encrypted communication is disabled.
For encrypted communication, you need either a server certificate acquired from a certificate authority or a self-signed certificate created for testing. Prepare a certificate appropriate for the application. A self-signed certificate might not be usable by some web browsers.
In the following cases, you must change the settings:
- When changing encrypted communication from disabled to enabled
- When changing encrypted communication from enabled to disabled
- When a certificate (server certificate or self-signed certificate) has expired
The following tables show the general procedures for making these changes.

Sequence | Procedure | Section to reference |
---|---|---|
1 | Prepare a certificate (server certificate or self-signed certificate). | |
2 | Store files in the folder for storing encrypted communication files. | |
3 | Enable encrypted communication between your web browser and the monitoring console server. | |
4 | Apply the change in encrypted communication settings to the system linkage settings. | |
5 | Configure your web browser to use encrypted communication. | |

Sequence | Procedure | Section to reference |
---|---|---|
1 | Disable encrypted communication between your web browser and the monitoring console server. | |
2 | Apply the change in encrypted communication settings to the system linkage settings. | |

Sequence | Procedure | Section to reference |
---|---|---|
1 | Re-prepare a certificate (server certificate or self-signed certificate). | |
2 | Store files in the folder for storing encrypted communication files. | |
3 | Re-enable encrypted communication between your web browser and the monitoring console server. | |
4 | Configure your web browser to use encrypted communication. | |

Organization of this subsection
- (1) Preparing a certificate (acquiring a server certificate from a certificate authority)
- (2) Preparing a certificate (creating a self-signed certificate for testing)
- (3) Storing files in the folder for storing encrypted communication files
- (4) Enabling encrypted communication between a web browser and the monitoring console server
- (5) Disabling encrypted communication between a web browser and the monitoring console server
- (6) Applying changes to encrypted communication settings to system linkage settings

(1) Preparing a certificate (acquiring a server certificate from a certificate authority)
If you are using a multiple monitor configuration, execute this procedure on both the primary and secondary hosts separately.
1. Create a certificate signing request (CSR) file and a private key file on the PFM - Web Console host.
   Execute the jpcwtool https create certreq command.
   If you specify a password for the private key, a password file is also created for the private key.
   If you are using a cluster system, execute this procedure on the standby node.
   For details about this command, see the chapter that explains commands in the manual JP1/Performance Management Reference.
2. Send the certificate signing request file created in step 1 to the certificate authority (CA), and acquire an X.509 (PEM) format server certificate file and an intermediate CA certificate file.
   To use a cross root intermediate CA certificate, acquire an X.509 (PEM) format file that links the intermediate CA certificate with the cross root intermediate CA certificate. For details about how to acquire linked certificates, contact the certificate authority.
3. Rename the server certificate file and intermediate CA certificate file acquired in step 2.
   Rename them as follows:
   - Server certificate file: jpcwhttpscert.pem
   - Intermediate CA certificate file: jpcwhttpscacert.pem

(2) Preparing a certificate (creating a self-signed certificate for testing)
If you are using a multiple monitor configuration, execute this procedure on both the primary and secondary hosts separately.
1. Create a self-signed certificate file and a private key file on the PFM - Web Console host.
   Execute the jpcwtool https create provcert command.
   If you are using a cluster system, execute this procedure on the standby node.
   For details about this command, see the chapter that explains commands in the manual JP1/Performance Management Reference.

(3) Storing files in the folder for storing encrypted communication files
Store the files necessary for encrypted communication, which were prepared in advance, in the folder for storing encrypted communication files.
1. Store the files in the folder for storing encrypted communication files.
   If you are using a cluster system, store the files on the standby node first, and then copy these files to the active node.
   The following lists the storage destination and the files to be stored.

   Storage destination (folder for storing encrypted communication files)
   - In Windows: PFM-Web-Console-installation-folder\CPSB\httpsd\conf\ssl\server
   - In UNIX: /opt/jp1pcwebcon/CPSB/httpsd/conf/ssl/server

   Files to be stored
   Reading privileges with the following additional privileges are required for all files:
   - In Windows: Administrator privileges
   - In UNIX: root privileges

Table 4‒18: Files to be stored (when a server certificate is used)

File name | Description |
---|---|
jpcwhttpscacert.pem | Intermediate CA certificate file |
jpcwhttpscert.pem | Server certificate file |
jpcwhttpskey.pem | Private key file |
jpcwhttpskeypass.dat | Private key password file (The file is stored only when a password is specified for the private key.) |

Table 4‒19: Files to be stored (when a self-signed certificate is used)

File name | Description |
---|---|
jpcwhttpscert.pem | Self-signed certificate file |
jpcwhttpskey.pem | Private key file |

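A pre-flight check for the folder described above, suitable for running before encrypted communication is enabled. This is an added example, not part of the product manual or the product's own tooling. The function name check_ssl_folder, the reliance on standard PEM markers to detect a password-protected key, and the group/other permission check on the private key are assumptions of this example.

```python
import os
import stat

# File names come from Tables 4-18 and 4-19 on this page.
CERT, KEY = "jpcwhttpscert.pem", "jpcwhttpskey.pem"
CACERT, KEYPASS = "jpcwhttpscacert.pem", "jpcwhttpskeypass.dat"


def _read(path):
    with open(path, "r", errors="replace") as fh:
        return fh.read()


def check_ssl_folder(folder, self_signed=False):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    present = {name for name in (CERT, KEY, CACERT, KEYPASS)
               if os.path.isfile(os.path.join(folder, name))}

    # A CA-issued setup also needs the intermediate CA certificate.
    required = {CERT, KEY} if self_signed else {CERT, KEY, CACERT}
    findings += [f"missing: {name}" for name in sorted(required - present)]

    # Certificates are expected in X.509 PEM format.
    for name in sorted({CERT, CACERT} & present):
        if "-----BEGIN CERTIFICATE-----" not in _read(os.path.join(folder, name)):
            findings.append(f"not a PEM certificate: {name}")

    if KEY in present:
        key_path = os.path.join(folder, KEY)
        text = _read(key_path)
        if "PRIVATE KEY-----" not in text:
            findings.append(f"not a PEM private key: {KEY}")
        # Assumption: a password-protected key carries a standard PEM marker.
        encrypted = ("BEGIN ENCRYPTED PRIVATE KEY" in text
                     or "Proc-Type: 4,ENCRYPTED" in text)
        if encrypted and KEYPASS not in present:
            findings.append(f"encrypted key but missing: {KEYPASS}")
        # Hardening check added by this example, not a rule from the manual.
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if os.name == "posix" and mode & 0o077:
            findings.append(f"private key accessible by group/other: {KEY}")
    return findings


if __name__ == "__main__":
    for finding in check_ssl_folder("/opt/jp1pcwebcon/CPSB/httpsd/conf/ssl/server"):
        print(finding)
```

Pass self_signed=True when the folder holds the test certificate set from Table 4‒19.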
(4) Enabling encrypted communication between a web browser and the monitoring console server
This subsection assumes that the required files have already been stored in the folder for storing encrypted communication files. For details about the required files, see 4.3.15(3) Storing files in the folder for storing encrypted communication files.
If you are using a multiple monitor configuration, execute this procedure on both the primary and secondary hosts separately.
1. Execute the jpcwstop command on the PFM - Web Console host to stop the services.
   If you are using a cluster system, use an operation from the cluster software to stop the logical host on which PFM - Web Console is registered.
2. Execute the jpcwconf https enable command to enable encrypted communication.
   If you are using a cluster system, execute this procedure on both the active and standby nodes.
   For details about this command, see the chapter that explains commands in the manual JP1/Performance Management Reference.
3. Execute the jpcwstart command on the PFM - Web Console host to start the services.
   If you are using a cluster system, use an operation from the cluster software to start the logical host on which PFM - Web Console is registered.

(5) Disabling encrypted communication between a web browser and the monitoring console server
If you are using a multiple monitor configuration, execute this procedure on both the primary and secondary hosts separately.
1. Execute the jpcwstop command on the PFM - Web Console host to stop the services.
   If you are using a cluster system, use an operation from the cluster software to stop the logical host on which PFM - Web Console is registered.
2. Execute the jpcwconf https disable command to disable encrypted communication.
   If you are using a cluster system, execute this procedure on both the active and standby nodes.
   For details about this command, see the chapter that explains commands in the manual JP1/Performance Management Reference.
3. As needed, delete files from the folder for storing encrypted communication files.
   For details about the folder for storing encrypted communication files, see 4.3.15(3) Storing files in the folder for storing encrypted communication files.
4. Execute the jpcwstart command on the PFM - Web Console host to start the services.
   If you are using a cluster system, use an operation from the cluster software to stop the logical host on which PFM - Web Console is registered.

(6) Applying changes to encrypted communication settings to system linkage settings
If you change the settings for encrypted communication between a web browser and the monitoring console server, apply the changes to the settings of the integrated management product (JP1/IM), the service-level management product (JP1/SLM), and the job management product (JP1/AJS3), as needed.
The following is the procedure for applying these changes:
1. If operations are being monitored via linkage with an integrated management product (JP1/IM), change the settings.
   Change the settings as follows, depending on the events that are set.
   - If JP1 user events are set
     Change the URLs for the definition file for opening monitor windows, and for the definition file for the tool launcher.
   - If JP1 system events are set
     Change the settings for encrypted communication.

   For details, see the following sections in the chapter that explains how to perform operation monitoring via linkage with an integrated management product (JP1/IM) in the JP1/Performance Management User's Guide:
   - The section that explains how to edit and copy definition files for linkage
   - The section that explains how to configure the issuing of JP1 system events by individual PFM services
2. If operations are being monitored via linkage with a service-level management product (JP1/SLM), change the settings.
   Change the settings so that the PFM - Web Console screen can be started from JP1/SLM.
   Change the URL for PFM - Web Console that is set in the properties of the following file of JP1/SLM:
   - pfmWebConsoleURL of the system definition file (jp1itslm.properties)

   For details, see the manual JP1/Service Level Management.
3. If operations are being monitored via linkage with the job management product (JP1/AJS3), change the settings.
   Change the settings in the JP1/AJS3 - Web Console environment settings file (ajs3web.conf) so that the PFM - Web Console screen can be started from JP1/AJS3.