Hitachi

JP1 Version 12 JP1/Automatic Operation Configuration Guide 


1.6.3 Procedure to enable HTTPS connections (Windows, Linux 6, Linux 7, SUSE Linux 12)

Set up the user_httpsd.conf file, and then store the private key file and SSL server certificate file in the specified folder to enable HTTPS connections on the Web server.

Before you begin

To enable HTTPS connections:

  1. Change the settings in the user_httpsd.conf file to enable HTTPS connections.

    The user_httpsd.conf file is stored in the following folder:

    • If the OS of the JP1/AO server is Windows

      Common-Component-installation-folder\uCPSB\httpsd\conf

    • If the OS of the JP1/AO server is Linux 6, Linux 7, SUSE Linux 12

      /opt/HiCommand/Base64/uCPSB/httpsd/conf

    Change the settings in the user_httpsd.conf file as follows:

    • Delete the leading hash mark (#) from the Listen directive line that specifies the port number used for HTTPS connections, and from each of the following lines up to and including the HWSLogSSLVerbose On line, except the SSLECCCertificateKeyFile, SSLECCCertificateFile, SSLCACertificateFile, and Header set Strict-Transport-Security max-age=31536000 directive lines.

      Note that you need to delete the hash mark (#) at the beginning of Listen [::]:22016 only if you want to enable communication with IPv6 addresses.

    • To disable all connections other than HTTPS connections, further change the settings as follows:

      • Add a hash mark (#) at the beginning of the Listen and Listen [::]: directive lines on which the port number used for HTTP connections is specified, to comment out the lines.

      • Delete the hash mark (#) at the beginning of the Listen 127.0.0.1: directive line.

    The following shows the initial settings (for HTTP connections) of the user_httpsd.conf file that exist when JP1/AO has just been installed, and the settings of that file changed to use HTTPS connections. In the following example, default port numbers are used: 22015 for HTTP connections and 22016 for HTTPS connections.

    Settings in the user_httpsd.conf file specified to use HTTP connections (initial settings):

    ServerName host-name
    Listen 22015
    Listen [::]:22015
    #Listen 127.0.0.1:22015
    SSLDisable
    #Listen 22016
    #Listen [::]:22016
    #<VirtualHost *:22016>
    #  ServerName host-name
    #  SSLEnable
    #  SSLProtocol TLSv12
    #  SSLRequiredCiphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256
    #  SSLRequireSSL
    #  SSLCertificateKeyFile "Common-Component-installation-folder/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem" 
    #  SSLCertificateFile "Common-Component-installation-folder/uCPSB/httpsd/conf/ssl/server/httpsd.pem" 
    #  SSLECCCertificateKeyFile "Common-Component-installation-folder/uCPSB/httpsd/conf/ssl/server/ecc-httpsdkey.pem" 
    #  SSLECCCertificateFile "Common-Component-installation-folder/uCPSB/httpsd/conf/ssl/server/ecc-httpsd.pem" 
    #  SSLCACertificateFile "Common-Component-installation-folder/uCPSB/httpsd/conf/ssl/cacert/anycert.pem"
    # Header set Strict-Transport-Security max-age=31536000
    #</VirtualHost>
    #HWSLogSSLVerbose On
    

    Settings in the user_httpsd.conf file specified to use HTTPS connections (changed settings):

    ServerName host-name
    #Listen 22015
    #Listen [::]:22015
    Listen 127.0.0.1:22015
    SSLDisable
    Listen 22016
    Listen [::]:22016
    <VirtualHost *:22016>
      ServerName host-name
      SSLEnable
      SSLProtocol TLSv12
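      SSLRequiredCiphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256
      SSLRequireSSL
      SSLCertificateKeyFile "Common-Component-installation-folder/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
      SSLCertificateFile "Common-Component-installation-folder/uCPSB/httpsd/conf/ssl/server/httpsd.pem"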
    # SSLECCCertificateKeyFile "Common-Component-installation-folder/uCPSB/httpsd/conf/ssl/server/ecc-httpsdkey.pem"
    # SSLECCCertificateFile "Common-Component-installation-folder/uCPSB/httpsd/conf/ssl/server/ecc-httpsd.pem"
    # SSLCACertificateFile "Common-Component-installation-folder/uCPSB/httpsd/conf/ssl/cacert/anycert.pem"
    # Header set Strict-Transport-Security max-age=31536000
    </VirtualHost>
    HWSLogSSLVerbose On

    Notes:

    • For the ServerName directive in the top line and the ServerName directive in the <VirtualHost> tag, specify the host name (for cluster environments, specify the logical host name) that you specified for "Common Name" in the certificate signing request. Note that host names are case sensitive.
    • For the SSLCertificateKeyFile directive, specify the absolute path of the private key file.

      Do not specify a symbolic link or junction for the path.

    • For the SSLCertificateFile directive, specify the absolute path of the server certificate.

      There are two types of server certificates: certificates signed by a certificate authority and self-signed certificates.

    • To use a certificate of the certificate authority, remove the hash mark (#) at the beginning of the line for the SSLCACertificateFile directive, and then specify the absolute path of the certificate of the certificate authority. Multiple certificates can be contained in one file by using a text editor to chain multiple PEM format certificates. Note that you must not specify a symbolic link or junction for the path.
  2. Start the JP1/AO service.

    For non-cluster systems:

    Execute the hcmds64srv command with the start option specified.

    For cluster systems:

    Use the cluster software to bring the service online.

  3. Update the URL information used for establishing a connection from the Web browser to the JP1/AO server.

    Execute the hcmds64chgurl command in the command prompt to update the URL information.

    For the URL, specify the host name or the IP address that is specified for the SSL server certificate.

  4. If the OS of the JP1/AO server is Windows, change the URL in the shortcut file that opens the page displayed by the following operation:

    From the Start menu, select All Programs, JP1_Automatic Operation, and then JP1_AO Login.

Important

If the connection between the Web browser and JP1/AO is configured incorrectly, the HBase 64 Storage Mgmt Web Service might fail to start, preventing the JP1/AO login window from appearing.
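
An added example, not part of the Hitachi manual or product: a Python check that reads the text of a user_httpsd.conf file and reports active settings that contradict the procedure and notes above. The host names, the sample file, and the weak-suite policy (3DES and suites with a SHA-1 MAC) are assumptions constructed for illustration.

```python
import re

# Policy assumed by this example: 3DES and suites with a SHA-1 MAC ("...-SHA") are weak.
WEAK = re.compile(r"DES-CBC3|-SHA$")

def audit_httpsd_conf(text, http_port=22015, https_port=22016):
    """Return findings for a user_httpsd.conf body; an empty list means none found."""
    findings, seen = [], {}
    for raw in text.splitlines():
        key, val = (raw.split(None, 1) + ["", ""])[:2]
        if key and not key.startswith("#"):  # commented-out directives are inactive
            seen.setdefault(key, []).append(val.strip().strip('"'))
    listens = seen.get("Listen", [])
    for addr in listens:
        host, _, port = addr.rpartition(":")
        if port == str(http_port) and host != "127.0.0.1":
            findings.append(f"HTTP listener still open: Listen {addr}")
    if not any(a.rpartition(":")[2] == str(https_port) for a in listens):
        findings.append(f"no active Listen for HTTPS port {https_port}")
    for flag in ("SSLEnable", "SSLRequireSSL"):
        if flag not in seen:
            findings.append(f"{flag} is not active")
    if seen.get("SSLProtocol") != ["TLSv12"]:  # the value the manual's example uses
        findings.append(f"SSLProtocol is {seen.get('SSLProtocol')}, expected TLSv12")
    for suite in ":".join(seen.get("SSLRequiredCiphers", [])).split(":"):
        if WEAK.search(suite):
            findings.append(f"weak cipher suite: {suite}")
    if len(set(seen.get("ServerName", []))) > 1:
        findings.append(f"ServerName values differ (case sensitive): {sorted(set(seen['ServerName']))}")
    for key in ("SSLCertificateKeyFile", "SSLCertificateFile"):
        path = seen.get(key, [""])[-1]
        if not re.match(r"/|[A-Za-z]:[\\/]", path):
            findings.append(f"{key} is not an absolute path: {path!r}")
    return findings

# Constructed sample with deliberate mistakes (not a file from a real server).
SAMPLE = """\
ServerName ao01.example.com
Listen 22015
Listen 22016
<VirtualHost *:22016>
  ServerName AO01.example.com
  SSLEnable
  SSLProtocol TLSv12
  SSLRequiredCiphers ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA:DES-CBC3-SHA
  SSLCertificateKeyFile "/opt/HiCommand/Base64/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
  SSLCertificateFile "conf/ssl/server/httpsd.pem"
</VirtualHost>
"""
```

On a server, pass the contents of the real file to `audit_httpsd_conf`. Symbolic links and junctions in the key and certificate paths are not checked here and still need a manual look.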