Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 Configuration Guide


21.4.3 SSL communication setup procedure (when different server certificates are used for manager host and Web Console server)

This subsection describes the SSL communication setup procedure to be performed when different server certificates are used for the manager host and Web Console server.

The following two types of settings are required to set up SSL communication for the Web Console server:

The following figure shows an overview of setup operations on individual hosts.

Figure 21‒4: Overview of how to set up SSL communication when different server certificates are used for the manager host and Web Console server

[Figure]

The setup operation on a host involves not only the setup of the JP1/AJS3 components installed in the host but also the setup of communication-destination components.

Perform this operation on all the hosts constituting the JP1/AJS3 system. If SSL communication is enabled for some hosts and disabled for other hosts, an error will occur in the communication between hosts.

(1) Setup to enable JP1/AJS3 - Manager to communicate in SSL

The following describes the setup operation to enable JP1/AJS3 - Manager to communicate in SSL:

  1. Create a private key and CSR by using JP1/Base.

    For details about how to create a private key and a CSR, see the JP1/Base User's Guide.

  2. Send the CSR to a CA.

    When the CA receives the CSR, it issues a server certificate and a root certificate with which the server certificate can be verified.

  3. Obtain the server certificate and root certificate from the CA.

  4. If a server certificate issued by an intermediate CA excludes an intermediate certificate, obtain an intermediate certificate from the intermediate CA, and put the server certificate and intermediate certificate together into a file.

    If the server certificate excludes the intermediate certificate, validity of the server certificate cannot be verified. Obtain the intermediate certificate to verify that the server certificate is valid.

    After obtaining the intermediate certificate, open the server certificate and intermediate certificate by using a text editor, copy the content of the intermediate certificate, and paste the copy at the end of the server certificate.

    If multiple intermediate certificates exist, integrate all certificates according to their hierarchical structure into a file.

  5. Stop the JP1/AJS3 and JP1/Base services.

  6. Place the private key and server certificate in a folder, and specify the path to the folder in the common definition information CERTIFICATEFILE of JP1/Base.

    For details about the common definition information CERTIFICATEFILE of JP1/Base, see the JP1/Base User's Guide.

  7. Deploy a PEM-format root certificate to communication-destination hosts.

    To verify the server certificate for the manager host at the communication destination (client), deploy, to communication-destination hosts, the root certificate for the CA that issued the server certificate for the manager host.

    The following lists the hosts to which to deploy the root certificate:

    • Working manager host (local host)

    • All manager hosts for which communication is to be established

    • All agent hosts for which communication is to be established

    • All JP1/AJS3 - View hosts for which communication is to be established

    • All Web Console servers for which communication is to be established

    The following table describes the paths to the storage folders.

    Table 21‒11: Storage folders for root certificate

    | No. | Host type            | Path to storage folder (in Windows)                                              | Path to storage folder (in Linux)                                                |
    |-----|----------------------|----------------------------------------------------------------------------------|----------------------------------------------------------------------------------|
    | 1   | Manager host         | Root certificates are stored in a folder of JP1/Base. For details, see the JP1/Base User's Guide. | Root certificates are stored in a folder of JP1/Base. For details, see the JP1/Base User's Guide. |
    | 2   | Agent host           | Root certificates are stored in a folder of JP1/Base. For details, see the JP1/Base User's Guide. | Root certificates are stored in a folder of JP1/Base. For details, see the JP1/Base User's Guide. |
    | 3   | JP1/AJS3 - View host | JP1/AJS3 - View-installation-folder\conf\ssl\rootcer                             | Not applicable                                                                   |
    | 4   | Web Console server   | data-folder-of-JP1/AJS3 - Web-Console#1\conf\ssl\rootcer                         | /etc/opt/jp1ajs3web/conf/ssl/rootcer#2                                           |

    #1
    data-folder-of-JP1/AJS3 - Web-Console is as follows:

    - If the installation folder is the default installation folder or is in a folder protected by the system: %ALLUSERSPROFILE%\Hitachi\JP1\JP1_DEFAULT\jp1ajs3web
      A folder protected by the system is a folder under any of the following: system-drive\Windows, system-drive\Program Files, system-drive\Program Files (x86). The default value for %ALLUSERSPROFILE% is system-drive\ProgramData.

    - If the installation folder is other than the above: JP1/AJS3-Web-Console-installation-folder

    - In a cluster environment: shared-folder\jp1ajs3web

    #2
    In a cluster environment: shared-directory/jp1ajs3web/conf/ssl/rootcer

    When a root certificate has already been deployed to a communication-destination host, check whether the CA that issued the deployed root certificate is the same as the CA from which the server certificate was obtained as described in step 3.

    When the CA is the same:

    You can use the root certificate deployed already. You do not need to overwrite the root certificate.

    When the CA is different:

    Bind the already deployed root certificate and the obtained root certificate together in a file. When you bind them, keep a record of which part of the bound file corresponds to which individual root certificate, so that a part that is about to expire can be replaced appropriately. Because root certificates are Base64-encoded, you cannot tell from the bound file itself which parts correspond to which individual root certificates.

    For details, see the JP1/Base User's Guide.

  8. Check that the root certificates for the agent hosts are placed on the manager hosts.

    The root certificates for the agent hosts are deployed as part of the setup operation that enables JP1/AJS3 - Agent to communicate in SSL. See the setup operation for JP1/AJS3 - Agent.

  9. Enable SSL communication.

    For details about how to enable SSL communication, see the description of the communication encryption function in the JP1/Base User's Guide.
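
Steps 4 and 7 above both come down to concatenating PEM certificate blocks in a particular order (step 5 of (2)(b) needs the same operation for the Web Console server's intermediate certificates). The following Python script is an added example, not part of this manual, of JP1/Base or of JP1/AJS3. It assumes only that the files are plain PEM CERTIFICATE blocks and that a text line placed in front of each block is tolerated, as it is by OpenSSL's PEM reader, which ignores text outside the BEGIN/END markers (confirm this for the reader on your own hosts). The certificate blocks it uses are constructed placeholders (Base64 of a marker string), not real certificates. build_chain_file appends intermediates to the server certificate in hierarchical order; build_labeled_bundle and replace_root address the problem step 7 describes, that a bound root certificate file gives no visible hint which Base64 block belongs to which CA, by recording a label line before each block so that an expiring entry can be found and swapped.

```python
# Added example (not Hitachi's code): assemble and inspect PEM certificate files
# for the JP1/AJS3 SSL setup. Placeholder blocks only; no real certificates.
import base64
import re
from typing import Dict, List

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----", re.DOTALL)
_LABEL_LINE = re.compile(r"^# root: (.+)$", re.MULTILINE)


def split_pem_certificates(text: str) -> List[str]:
    """Return every PEM CERTIFICATE block in text, normalised to LF and ending with a newline."""
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        body = match.group(1).replace("\r\n", "\n")
        blocks.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    return blocks


def _single(pem: str, what: str) -> str:
    """Reject input that does not hold exactly one certificate (catches a chain passed by mistake)."""
    certs = split_pem_certificates(pem)
    if len(certs) != 1:
        raise ValueError(f"{what} must contain exactly one certificate, found {len(certs)}")
    return certs[0]


def build_chain_file(server_cert: str, intermediates: List[str]) -> str:
    """Step 4: server certificate first, then the intermediates in hierarchical order
    (the CA that signed the server certificate first, its parent next, and so on)."""
    parts = [_single(server_cert, "server certificate")]
    for index, inter in enumerate(intermediates, 1):
        parts.append(_single(inter, f"intermediate certificate #{index}"))
    return "".join(parts)


def build_labeled_bundle(roots: Dict[str, str]) -> str:
    """Step 7 (different CA): concatenate root certificates, writing a '# root: <label>' line
    before each block so that the Base64 block belonging to each CA can be identified later."""
    return "".join(f"# root: {label}\n" + _single(pem, f"root certificate {label!r}")
                   for label, pem in roots.items())


def parse_labeled_bundle(bundle: str) -> Dict[str, str]:
    """Recover {label: certificate} from a bundle written by build_labeled_bundle."""
    labels = [m.group(1).strip() for m in _LABEL_LINE.finditer(bundle)]
    certs = split_pem_certificates(bundle)
    if len(labels) != len(certs):
        raise ValueError("every certificate block must be preceded by exactly one label line")
    return dict(zip(labels, certs))


def replace_root(bundle: str, label: str, new_pem: str) -> str:
    """Swap the (expiring) root certificate identified by label, leaving the other entries intact."""
    entries = parse_labeled_bundle(bundle)
    if label not in entries:
        raise KeyError(f"no root certificate labelled {label!r} in bundle")
    entries[label] = _single(new_pem, f"replacement for {label!r}")
    return build_labeled_bundle(entries)


def _fake_pem(name: str) -> str:
    """Constructed placeholder block: Base64 of a marker string, NOT a real certificate."""
    body = base64.b64encode(f"constructed placeholder for {name}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample inputs (hypothetical names).
SERVER_CERT = _fake_pem("manager server certificate")
INTERMEDIATE_CERT = _fake_pem("intermediate CA certificate")
ROOT_CA1 = _fake_pem("root CA 1")
ROOT_CA2 = _fake_pem("root CA 2")

if __name__ == "__main__":
    chain = build_chain_file(SERVER_CERT, [INTERMEDIATE_CERT])
    print(f"chain file holds {len(split_pem_certificates(chain))} certificates")
    bundle = build_labeled_bundle({"CA1 (already deployed)": ROOT_CA1, "CA2 (manager host)": ROOT_CA2})
    print(bundle)
    print("labels:", list(parse_labeled_bundle(bundle)))
```

Because the label lines sit outside the BEGIN/END markers, the bundle stays usable as an ordinary root certificate file while remaining readable by an administrator who has to find the entry to renew.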

(2) Setup to enable JP1/AJS3 - Web Console to communicate in SSL

The following describes the setup operation to enable JP1/AJS3 - Web Console to communicate in SSL:

(a) Setting for the SSL encryption of the communication between the manager host and Web Console server

The following describes the setting to enable JP1/AJS3 - Web Console to communicate with the manager host in SSL:

  1. Open the unencrypted-communication host settings file (nosslhost.conf) by using a text editor.

    The unencrypted-communication host settings file (nosslhost.conf) of JP1/AJS3 - Web Console defines the manager hosts that do not encrypt messages in the communication with JP1/AJS3 - Web Console.

    For details about the nosslhost.conf file, see 21.4.6 Details on the settings in the unencrypted-communication host settings file (nosslhost.conf).

  2. In the nosslhost.conf file, define the manager host that does not perform SSL communication with JP1/AJS3 - Web Console.

    By default, the nosslhost.conf file specifies an asterisk (*) for all manager hosts so that the communication with any manager host will not be encrypted. Edit the file as shown below so that only the manager hosts not communicating in SSL are specified while the manager hosts communicating in SSL are excluded.

    [NO_SSL_HOST]
    host-name-or-IP-address-of-a-manager-host-that-does-not-communicate-in-SSL
    host-name-or-IP-address-of-a-manager-host-that-does-not-communicate-in-SSL
    ...
    host-name-or-IP-address-of-a-manager-host-that-does-not-communicate-in-SSL

    When communications with all manager hosts are to be encrypted, write only [NO_SSL_HOST].

  3. Save the nosslhost.conf file by using UTF-8 encoding.

  4. Check that the root certificates for the manager hosts are placed on the Web Console server.

    The root certificates for the manager hosts are deployed as part of the setup operation that enables JP1/AJS3 - Manager to communicate in SSL. See the setup operation for JP1/AJS3 - Manager.
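
To audit which manager hosts a Web Console server will talk to in plaintext, the following Python script (an added example, not Hitachi's code) reads the [NO_SSL_HOST] section the way step 2 describes it: a lone asterisk means every manager host is unencrypted, an empty section means every manager host uses SSL, and otherwise each line names one host that stays unencrypted. It assumes that blank lines are ignored and that host names compare case-insensitively; the sample file contents and host names are constructed. render_nosslhost produces the file text for step 2, and save_nosslhost writes it with the UTF-8 encoding step 3 requires.

```python
# Added example (not Hitachi's code): audit and generate nosslhost.conf contents.
# Assumptions: one [NO_SSL_HOST] section, one host name or IP address per line,
# blank lines ignored, host names compared case-insensitively.
from typing import Dict, List

SECTION_HEADER = "[NO_SSL_HOST]"

# Constructed sample files (not taken from a real installation).
DEFAULT_CONF = "[NO_SSL_HOST]\n*\n"                        # shipped default: nothing encrypted
MIXED_CONF = "[NO_SSL_HOST]\nlegacy-mgr01\n192.0.2.10\n"   # two hosts stay in plaintext
ALL_SSL_CONF = "[NO_SSL_HOST]\n"                           # every manager host uses SSL


def parse_nosslhost(text: str) -> List[str]:
    """Return the entries listed under [NO_SSL_HOST], in file order."""
    lines = [line.strip() for line in text.splitlines()]
    if SECTION_HEADER not in lines:
        raise ValueError(f"{SECTION_HEADER} section not found")
    entries: List[str] = []
    for line in lines[lines.index(SECTION_HEADER) + 1:]:
        if line.startswith("[") and line.endswith("]"):
            break  # start of another section (assumption; none is described on this page)
        if line:
            entries.append(line)
    return entries


def is_unencrypted(manager_host: str, entries: List[str]) -> bool:
    """True if communication with manager_host would NOT be SSL-encrypted."""
    if "*" in entries:
        return True
    return manager_host.lower() in {entry.lower() for entry in entries}


def audit(text: str, manager_hosts: List[str]) -> Dict[str, str]:
    """Map each manager host to 'plaintext' or 'SSL' according to the file contents."""
    entries = parse_nosslhost(text)
    return {host: "plaintext" if is_unencrypted(host, entries) else "SSL"
            for host in manager_hosts}


def render_nosslhost(plaintext_hosts: List[str]) -> str:
    """Build the file text for step 2; an empty list yields only the header (all hosts SSL)."""
    return "".join(f"{line}\n" for line in [SECTION_HEADER, *plaintext_hosts])


def save_nosslhost(path: str, plaintext_hosts: List[str]) -> None:
    """Step 3: the file must be saved with UTF-8 encoding."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_nosslhost(plaintext_hosts))


if __name__ == "__main__":
    hosts = ["mgr01", "legacy-mgr01", "192.0.2.10"]
    for name, conf in (("default", DEFAULT_CONF), ("mixed", MIXED_CONF), ("all-ssl", ALL_SSL_CONF)):
        print(f"{name:8s} {audit(conf, hosts)}")
```

Running the audit against the shipped default makes the point of step 2 visible: until the asterisk is removed, every manager host, including those already set up for SSL, is reported as plaintext.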

(b) Setting for the SSL encryption of the communication between the Web Console server and client host

The following describes the setting to enable JP1/AJS3 - Web Console to communicate with the client host in SSL:

  1. Create a private key by executing the applicable command.

    Execute the one of the following commands that corresponds to the version of JP1/AJS3 - Web Console you are using:

    For JP1/AJS3 - Web Console version 11-10-02 or earlier, or version 11-00-10 or earlier:

    keygen -rand name-of-the-file-to-be-used-for-random-number-generation -out path-to-private-key-file -bits bit-length-of-private-key

    The path to be specified for the keygen command is JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\sbin\keygen for Windows, and /opt/jp1ajs3web/uCPSB/httpsd/sbin/keygen for Linux.

    For a version other than those listed above:

    • In Windows:

    openssl.bat genrsa -rand name-of-the-file-to-be-used-for-random-number-generation -out path-to-private-key-file bit-length-of-private-key

    The path of the openssl.bat is JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\sbin\openssl.bat. For details about execution permission required for the openssl.bat, see the official website of OpenSSL.

    • In Linux:

    openssl.sh genrsa -rand name-of-the-file-to-be-used-for-random-number-generation -out path-to-private-key-file bit-length-of-private-key

    The path of the openssl.sh is /opt/jp1ajs3web/uCPSB/httpsd/sbin/openssl.sh. For details about execution permission required for the openssl.sh, see the official website of OpenSSL.

    Specify the following path as path-to-private-key-file.

    In Windows:

    JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\conf\ssl\server\name-of-private-key-file

    In Linux:

    /opt/jp1ajs3web/uCPSB/httpsd/conf/ssl/server/name-of-private-key-file

    For details about the command for creating a private key, see E.1 Creating a private key.

    You can specify any value for name-of-private-key-file. As the default of this file name, httpsdkey.pem is specified in the HTTP server definition file (httpsd.conf) to be set later. Using the default file name eliminates the need to change the setting of the name of the private key file in the HTTP server definition file.

  2. Create a CSR by executing the applicable command.

    Execute the one of the following commands that corresponds to the version of JP1/AJS3 - Web Console you are using:

    For JP1/AJS3 - Web Console version 11-10-02 or earlier, or version 11-00-10 or earlier:

    certutil reqgen -sign signature-algorithm -key path-to-the-private-key-file -out path-to-the-CSR-file

    The path to be specified for the certutil command is JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\sbin\certutil for Windows, and /opt/jp1ajs3web/uCPSB/httpsd/sbin/certutil for Linux.

    For a version other than those listed above:

    • In Windows:

    openssl.bat req -new signature-algorithm -key path-to-the-private-key-file -out path-to-the-CSR-file

    The path of the openssl.bat is JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\sbin\openssl.bat. For details about execution permission required for the openssl.bat, see the official website of OpenSSL.

    • In Linux:

    openssl.sh req -new signature-algorithm -key path-to-the-private-key-file -out path-to-the-CSR-file

    The path of the openssl.sh is /opt/jp1ajs3web/uCPSB/httpsd/sbin/openssl.sh. For details about execution permission required for the openssl.sh, see the official website of OpenSSL.

    For path-to-the-private-key-file, specify the path you specified in the command for creating a private key in step 1. For path-to-the-CSR-file, specify the path name of an output folder and the name of the CSR file.

    For details about the command for creating a CSR, see E.2 Creating a Certificate Signing Request (CSR).

  3. Send the CSR to a CA.

    When the CA receives the CSR, the CA issues a server certificate.

  4. Obtain the server certificate from the CA.

    You can specify any value for the name of the server certificate file. As the default of the file name, httpsd.pem is specified in the HTTP server definition file (httpsd.conf) to be set later. Using the default file name eliminates the need to change the setting of the name of the server certificate file in the HTTP server definition file.

  5. In an environment in which server certificates are issued by intermediate CAs, there might be multiple intermediate certificates obtained from intermediate CAs. If there are multiple intermediate certificates, merge them into one file.

    If you obtain intermediate certificates, open them with a text editor, and then merge them according to their hierarchical structure.

  6. Place the server certificate on the Web Console server.

    The folder to store the server certificate is as follows:

    In Windows:

    JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\conf\ssl\server

    In Linux:

    /opt/jp1ajs3web/uCPSB/httpsd/conf/ssl/server

  7. Edit the HTTP server definition file (httpsd.conf) to enable SSL communication.

    In the httpsd.conf file, uncomment the lines in the SSL communication setting section to enable SSL communication.

    An example of changing the httpsd.conf file in Windows is shown below. In this example, the port number for communication, the name of the server certificate file, and the name of the private key file are not changed from the defaults, and only hash marks (#) indicating comments are edited. (The default of the server certificate file name is httpsd.pem, and the default of the private key file name is httpsdkey.pem.) If you place an intermediate certificate file, add the SSLCACertificateFile entry and specify the path of the intermediate certificate file that you placed. In the following example, intermediate.pem is specified as the name of the intermediate certificate file. If you do not place an intermediate certificate file, you do not need to add this entry.

    Before change

    ...
    Listen 22252
    #Listen [::]:22252
    SSLDisable
      
    #Listen 22253
    #Listen [::]:22253
    #<VirtualHost *:22253>
    #  ServerName MyServer
    #  SSLEnable
    #  SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
    #  SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
    #  AllowEncodedSlashes On
    #</VirtualHost>
    ...

    After change

    ...
    #Listen 22252
    #Listen [::]:22252
    SSLDisable
      
    Listen 22253
    #Listen [::]:22253
    <VirtualHost *:22253>
      ServerName MyServer
      SSLEnable
      SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
      SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
      SSLCACertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/intermediate.pem"
      AllowEncodedSlashes On
    </VirtualHost>
    ...

    If the port number for SSL communication, name of server certificate file, and name of the private key file have been changed in the environment being used, also change the settings in the httpsd.conf file to adjust to the environment.

    The following table lists the default settings in the httpsd.conf file.

    Table 21‒12: Defaults in the httpsd.conf file

    | No. | Item                          | Default      |
    |-----|-------------------------------|--------------|
    | 1   | SSL communication port number | 22253        |
    | 2   | Server certificate file name  | httpsd.pem   |
    | 3   | Private key file name         | httpsdkey.pem |

    For details about the httpsd.conf file, see 3.4.5 Details on the settings in the HTTP server definition file (httpsd.conf) (for Windows) or 13.3.5 Details on settings in the HTTP server definition file (httpsd.conf) (for Linux).

  8. Edit the HTTP server definition file to enable the SSL communication log output.

    In the httpsd.conf file, uncomment the LogFormat and CustomLog settings to enable the SSL communication log output. An example of changing the httpsd.conf file in Windows is shown below.

    Before change

    ...
    #LogFormat "%t %{version}c %{cipher}c %{clientcert}c" hws_ssl
    #CustomLog "|\"\"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/sbin/rotatelogs2.exe\" \"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/logs/ssl\" 10240 8\"" hws_ssl
    ...

    After change

    ...
    LogFormat "%t %{version}c %{cipher}c %{clientcert}c" hws_ssl
    CustomLog "|\"\"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/sbin/rotatelogs2.exe\" \"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/logs/ssl\" 10240 8\"" hws_ssl
    ...

  9. Restart the JP1/AJS3 HTTP Server service.
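
The before/after listings in step 7 show which lines change; the following Python script, an added example and not part of JP1/AJS3 - Web Console, parses an httpsd.conf fragment and reports whether the SSL virtual host is actually active, which ports are open, and whether the plaintext port 22252 was left listening. It interprets only the directives that appear in the step 7 example (Listen, the VirtualHost block, SSLEnable, SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile); anything else is parsed but ignored. The two embedded fragments are the ones from step 7, and the intermediate-certificate check is optional because that entry is needed only when an intermediate certificate file is placed.

```python
# Added example (not part of JP1/AJS3 - Web Console): check whether an httpsd.conf
# fragment has SSL communication enabled as in step 7. Only the directives used in
# the manual's example are interpreted; other directives are parsed but ignored.
import re
import shlex

_VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)

# The two fragments from step 7 of the manual (Windows example), without the "..." lines.
BEFORE_CONF = """
Listen 22252
#Listen [::]:22252
SSLDisable

#Listen 22253
#Listen [::]:22253
#<VirtualHost *:22253>
#  ServerName MyServer
#  SSLEnable
#  SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
#  SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
#  AllowEncodedSlashes On
#</VirtualHost>
"""

AFTER_CONF = """
#Listen 22252
#Listen [::]:22252
SSLDisable

Listen 22253
#Listen [::]:22253
<VirtualHost *:22253>
  ServerName MyServer
  SSLEnable
  SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
  SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
  SSLCACertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/intermediate.pem"
  AllowEncodedSlashes On
</VirtualHost>
"""


def parse_httpsd(text):
    """Active (uncommented) directives as (name, args, vhost); vhost is None at top level."""
    directives, vhost = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out settings are inactive
        opened = _VHOST_OPEN.match(line)
        if opened:
            vhost = opened.group(1).strip()
        elif line.lower() == "</virtualhost>":
            vhost = None
        else:
            parts = shlex.split(line)  # keeps a quoted Windows path with spaces as one argument
            directives.append((parts[0], parts[1:], vhost))
    return directives


def _port(address):
    """Port of '*:22253' or '[::]:22253' style addresses."""
    return int(address.rsplit(":", 1)[-1])


def ssl_status(text, ssl_port=22253):
    """Open ports plus the SSL-related directives found inside <VirtualHost *:ssl_port>."""
    directives = parse_httpsd(text)
    listening = sorted({_port(args[0]) for name, args, _ in directives if name.lower() == "listen"})
    in_vhost = {name.lower(): args for name, args, vhost in directives
                if vhost is not None and _port(vhost) == ssl_port}
    return {
        "listening_ports": listening,
        "ssl_vhost_present": bool(in_vhost),
        "ssl_enabled": "sslenable" in in_vhost,
        "certificate_file": (in_vhost.get("sslcertificatefile") or [None])[0],
        "key_file": (in_vhost.get("sslcertificatekeyfile") or [None])[0],
        "intermediate_file": (in_vhost.get("sslcacertificatefile") or [None])[0],
    }


def check_ssl_setup(text, ssl_port=22253, plaintext_port=22252, expect_intermediate=False):
    """Problems found; an empty list means the fragment matches the 'After change' state."""
    status = ssl_status(text, ssl_port)
    findings = []
    if ssl_port not in status["listening_ports"]:
        findings.append(f"Listen {ssl_port} is still commented out")
    if not status["ssl_vhost_present"]:
        findings.append(f"<VirtualHost *:{ssl_port}> block is still commented out")
    else:
        for key, directive in (("ssl_enabled", "SSLEnable"), ("certificate_file", "SSLCertificateFile"),
                               ("key_file", "SSLCertificateKeyFile")):
            if not status[key]:
                findings.append(f"{directive} is missing from the SSL virtual host")
        if expect_intermediate and not status["intermediate_file"]:
            findings.append("SSLCACertificateFile for the intermediate certificate is missing")
    if plaintext_port in status["listening_ports"]:
        findings.append(f"plaintext port {plaintext_port} is still open: comment out Listen {plaintext_port}")
    return findings
```

Run check_ssl_setup on the file after editing and before restarting the JP1/AJS3 HTTP Server service in step 9; the "Before change" fragment yields three findings (SSL port not listened on, virtual host still commented out, plaintext port still open) while the "After change" fragment yields none.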

(3) Setup to enable JP1/AJS3 - Agent to communicate in SSL

The procedure for the setup to enable JP1/AJS3 - Agent to communicate in SSL is the same as the setup procedure for the manager/agent configuration. For details, see 21.4.2(2) Setup to enable JP1/AJS3 - Agent to communicate in SSL.

(4) Setup to enable JP1/AJS3 - View to communicate in SSL

The procedure for the setup to enable JP1/AJS3 - View to communicate in SSL is the same as the setup procedure for the manager/agent configuration. For details, see 21.4.2(3) Setup to enable JP1/AJS3 - View to communicate in SSL.

(5) Setup to enable a client to communicate in SSL

The following two types of clients are available for the Web Console server:

The following describes the setup operation to enable a client to communicate with the Web Console server in SSL.

(a) Setup to enable the Web GUI to communicate in SSL

The following describes the setup operation to enable the Web GUI to communicate in SSL:

  1. Enable SSL communication with your browser.

    You must enable SSL and TLS in your web browser beforehand. For details about how to enable them, see the documentation for your browser.

    If SSL and TLS are disabled, the login window does not appear even when you access the URL for SSL communication. Also, if you disable SSL and TLS after login, subsequent operation will be disabled.

(b) Setup to enable the user application to communicate in SSL

The method of setting to enable the user application to communicate in SSL varies with the programming language used for the user application.

Develop the user application by using the setup method provided in each programming language.

(6) Checking the connection of SSL communication

The following describes the procedure for checking that the communication between components is encrypted.

(a) Checking the connection of SSL communication between the manager host and JP1/AJS3 - View host

  1. From JP1/AJS3 - View, log in to JP1/AJS3 - Manager.

  2. Check the integrated trace log of the manager host to determine whether the KNAD3995-I and KAVS0532-I messages have been output.

    The KNAD3995-I message indicates that SSL communication is enabled.

    The KAVS0532-I message indicates that the user has normally logged in to JP1/AJS3 - Manager by using JP1/AJS3 - View.

(b) Checking the connection of SSL communication between the manager host and agent host

  1. From JP1/AJS3 - View, log in to JP1/AJS3 - Manager.

  2. Create a jobnet by using JP1/AJS3 - View, define PC or Unix jobs under the jobnet, and specify the agent host to be connected by SSL communication in the Exec-agent field.

  3. Register the defined jobnet for immediate execution.

  4. Check that the jobnet ends normally.

    When the jobnet ends normally, the SSL communication between the manager and agent hosts is operating normally.

(c) Checking the connection of SSL communication between the Web Console server and Web GUI

  1. Access the following URL by using the Web GUI:

    https://host-name-or-IP-address-of-Web-Console-server:SSL-communication-port-number/ajs/login.html

    The default of SSL-communication-port-number is 22253.

    When the login window appears normally, SSL communication is operating normally.

(d) Checking the connection of SSL communication between the manager host and Web Console server

  1. From the Web GUI, log in to JP1/AJS3 - Manager.

  2. Check the integrated trace log of the manager host to determine whether the KNAD3995-I message has been output.

    The KNAD3995-I message indicates that SSL communication is enabled.