Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 Configuration Guide


21.4.4 SSL communication setup procedure (when the server certificate for Web Console server is used for manager host)

This subsection describes the SSL communication setup procedure to be performed when the server certificate for the Web Console server is used for the manager host.

The following two types of settings are required to set up SSL communication for the Web Console server:

The following figure shows an overview of setup operations on individual hosts.

Figure 21‒5: Overview of how to set up SSL communication when the server certificate for the Web Console server is used for the manager host

[Figure]

The setup operation on a host involves not only the setup of the JP1/AJS3 components installed in the host but also the setup of communication-destination components.

Perform this operation on all the hosts constituting the JP1/AJS3 system. If SSL communication is enabled for some hosts and disabled for other hosts, an error will occur in the communication between hosts.

(1) Setup to enable JP1/AJS3 - Web Console to communicate in SSL

The following describes the setup operation to enable JP1/AJS3 - Web Console to communicate in SSL:

(a) Setting for the SSL encryption of the communication with the manager host

The setup to enable JP1/AJS3 - Web Console to communicate with the manager host in SSL is the same as the setup to be performed when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(2)(a) Setting for the SSL encryption of the communication between the manager host and Web Console server.

(b) Setting for the SSL encryption of the communication with the client host

The following describes the setup to enable JP1/AJS3 - Web Console to communicate with the client host in SSL:

  1. Create a private key by executing the applicable command.

    Execute the command that corresponds to the version of JP1/AJS3 - Web Console you are using:

    For JP1/AJS3 - Web Console version 11-10-02 or earlier, or version 11-00-10 or earlier:

    keygen -rand name-of-the-file-to-be-used-for-random-number-generation -out path-to-private-key-file -bits bit-length-of-private-key

    The path to be specified for the keygen command is JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\sbin\keygen for Windows, and /opt/jp1ajs3web/uCPSB/httpsd/sbin/keygen for Linux.

    For a version other than those listed above:

    • In Windows:

    openssl.bat genrsa -rand name-of-the-file-to-be-used-for-random-number-generation -out path-to-private-key-file bit-length-of-private-key

    The path of the openssl.bat is JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\sbin\openssl.bat. For details about execution permission required for the openssl.bat, see the official website of OpenSSL.

    • In Linux:

    openssl.sh genrsa -rand name-of-the-file-to-be-used-for-random-number-generation -out path-to-private-key-file bit-length-of-private-key

    The path of the openssl.sh is /opt/jp1ajs3web/uCPSB/httpsd/sbin/openssl.sh. For details about execution permission required for the openssl.sh, see the official website of OpenSSL.

    Specify the following path as path-to-private-key-file.

    In Windows:

    JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\conf\ssl\server\name-of-private-key-file

    In Linux:

    /opt/jp1ajs3web/uCPSB/httpsd/conf/ssl/server/name-of-private-key-file

    For details about the command for creating a private key, see E.1 Creating a private key.

    You can specify any value for name-of-private-key-file. As the default of this file name, httpsdkey.pem is specified in the HTTP server definition file (httpsd.conf) to be set later. Using the default file name eliminates the need to change the setting of the name of the private key file in the HTTP server definition file.

  2. Create a CSR by executing the applicable command.

    Execute the command that corresponds to the version of JP1/AJS3 - Web Console you are using:

    For JP1/AJS3 - Web Console version 11-10-02 or earlier, or version 11-00-10 or earlier:

    certutil reqgen -sign signature-algorithm -key path-to-the-private-key-file -out path-to-the-CSR-file

    The path to be specified for the certutil command is JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\sbin\certutil for Windows, and /opt/jp1ajs3web/uCPSB/httpsd/sbin/certutil for Linux.

    For a version other than those listed above:

    • In Windows:

    openssl.bat req -new signature-algorithm -key path-to-the-private-key-file -out path-to-the-CSR-file

    The path of the openssl.bat is JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\sbin\openssl.bat. For details about execution permission required for the openssl.bat, see the official website of OpenSSL.

    • In Linux:

    openssl.sh req -new signature-algorithm -key path-to-the-private-key-file -out path-to-the-CSR-file

    The path of the openssl.sh is /opt/jp1ajs3web/uCPSB/httpsd/sbin/openssl.sh. For details about execution permission required for the openssl.sh, see the official website of OpenSSL.

    For path-to-the-private-key-file, specify the path you specified in the command for creating a private key in step 1. For path-to-the-CSR-file, specify the path name of an output folder and the name of the CSR file.

    For details about the command for creating a CSR, see E.2 Creating a Certificate Signing Request (CSR).

  3. Send the CSR to a CA.

    When the CA receives the CSR, it issues a server certificate and the root certificate used to verify that server certificate.

  4. Obtain the server certificate and root certificate from the CA.

    You can specify any values as the names of the server certificate and root certificate files.

    As the default of the name of server certificate file, httpsd.pem is specified in the HTTP server definition file (httpsd.conf) to be set later. Using the default file name eliminates the need to change the setting of the name of the server certificate file in the HTTP server definition file.

    The obtained root certificate is used for the setup to enable JP1/AJS3 - Manager to communicate in SSL.

  5. In an environment in which server certificates are issued by intermediate CAs, there might be multiple intermediate certificates obtained from intermediate CAs. If there are multiple intermediate certificates, merge them into one file.

    If you obtain intermediate certificates, open them with a text editor, and then merge them according to their hierarchical structure.

  6. Place the server certificate on the Web Console server.

    The folder to store the server certificate is as follows:

    In Windows:

    JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\conf\ssl\server

    In Linux:

    /opt/jp1ajs3web/uCPSB/httpsd/conf/ssl/server

  7. Edit the HTTP server definition file (httpsd.conf) to enable SSL communication.

    In the httpsd.conf file, remove the comment marks (#) from the entries in the SSL communication setting section to enable SSL communication.

    An example of changing the httpsd.conf file in Windows is shown below. In this example, the port number for communication, the name of the server certificate file, and the name of the private key file are not changed from the defaults, and only hash marks (#) indicating comments are edited. (The default of the server certificate file name is httpsd.pem, and the default of the private key file name is httpsdkey.pem.) If you place an intermediate certificate file, add the SSLCACertificateFile entry and specify the path of the intermediate certificate file that you placed. In the following example, intermediate.pem is specified as the name of the intermediate certificate file. If you do not place an intermediate certificate file, you do not need to add this entry.

    Before change

    ...
    Listen 22252
    #Listen [::]:22252
    SSLDisable
      
    #Listen 22253
    #Listen [::]:22253
    #<VirtualHost *:22253>
    #  ServerName MyServer
    #  SSLEnable
    #  SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
    #  SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
    #  AllowEncodedSlashes On
    #</VirtualHost>
    ...

    After change

    ...
    #Listen 22252
    #Listen [::]:22252
    SSLDisable
      
    Listen 22253
    #Listen [::]:22253
    <VirtualHost *:22253>
      ServerName MyServer
      SSLEnable
      SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
      SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
      SSLCACertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/intermediate.pem"
      AllowEncodedSlashes On
    </VirtualHost>
    ...

    If the port number for SSL communication, name of server certificate file, and name of the private key file have been changed in the environment being used, also change the settings in the httpsd.conf file to adjust to the environment.

    The following table lists the default settings in the httpsd.conf file.

    Table 21‒13: Defaults in the httpsd.conf file

    No.  Item                           Default
    1    SSL communication port number  22253
    2    Server certificate file name   httpsd.pem
    3    Private key file name          httpsdkey.pem

    For details about the httpsd.conf file, see 3.4.5 Details on the settings in the HTTP server definition file (httpsd.conf) (for Windows) or 13.3.5 Details on settings in the HTTP server definition file (httpsd.conf) (for Linux).

  8. Edit the HTTP server definition file to enable the SSL communication log output.

    In the httpsd.conf file, uncomment the LogFormat and CustomLog entries to enable the SSL communication log output. An example of changing the httpsd.conf file in Windows is shown below.

    Before change

    ...
    #LogFormat "%t %{version}c %{cipher}c %{clientcert}c" hws_ssl
    #CustomLog "|\"\"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/sbin/rotatelogs2.exe\" \"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/logs/ssl\" 10240 8\"" hws_ssl
    ...

    After change

    ...
    LogFormat "%t %{version}c %{cipher}c %{clientcert}c" hws_ssl
    CustomLog "|\"\"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/sbin/rotatelogs2.exe\" \"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/logs/ssl\" 10240 8\"" hws_ssl
    ...

  9. Restart the JP1/AJS3 HTTP Server service.

(2) Setup to enable JP1/AJS3 - Manager to communicate in SSL

The following describes the setup operation to enable JP1/AJS3 - Manager to communicate in SSL:

  1. Stop the JP1/AJS3 and JP1/Base services.

  2. Specify the folder storing the private key and server certificate for the Web Console server in the PRIVATEKEYFILE common definition information of JP1/Base.

    For details about the PRIVATEKEYFILE common definition information of JP1/Base, see the JP1/Base User's Guide.

    The following shows the folder storing the private key and server certificate for the Web Console server:

    In Windows:

    JP1/AJS3-Web-Console-installation-folder\uCPSB\httpsd\conf\ssl\server

    In Linux:

    /opt/jp1ajs3web/uCPSB/httpsd/conf/ssl/server

  3. Copy the root certificate obtained in the setup that enables the Web Console server to encrypt its communication with the client host into each communication-destination host.

    To verify server certificates at the communication destination (client), copy the root certificate obtained by the setup operation for the Web Console server to the communication-destination host.

    The following lists the hosts into which to copy the root certificate:

    • Working manager host (local host)

    • All manager hosts for which communication is to be established

    • All agent hosts for which communication is to be established

    • All JP1/AJS3 - View hosts for which communication is to be established

    • All JP1/AJS3 - Web Console servers for which communication is to be established

    The following table describes the paths to the storage folders.

    Table 21‒14: Storage folders for root certificate

    No.  Host type              Path to storage folder (in Windows)                        Path to storage folder (in Linux)
    1    Manager host           Root certificates are stored in a folder of JP1/Base (Windows and Linux). For details, see the JP1/Base User's Guide.
    2    Agent host             Same as No. 1
    3    JP1/AJS3 - View host   JP1/AJS3 - View-installation-folder\conf\ssl\rootcer      Not applicable
    4    Web Console server     data-folder-of-JP1/AJS3 - Web-Console#1\conf\ssl\rootcer   /etc/opt/jp1ajs3web/conf/ssl/rootcer#2

    #1

    data-folder-of-JP1/AJS3 - Web-Console is as follows:

    If the installation folder is the default installation folder or is in a folder protected by the system:

    %ALLUSERSPROFILE%\Hitachi\JP1\JP1_DEFAULT\jp1ajs3web

    A folder protected by the system is a folder under any of the following:

    - system-drive\Windows

    - system-drive\Program Files

    - system-drive\Program Files (x86)

    The default value for %ALLUSERSPROFILE% is system-drive\ProgramData.

    If the installation folder is other than the above:

    JP1/AJS3-Web-Console-installation-folder

    In a cluster environment:

    shared-folder\jp1ajs3web

    #2

    In a cluster environment:

    shared-directory/jp1ajs3web/conf/ssl/rootcer

    When a root certificate has already been deployed to a communication-destination host, check whether the CA that issued the deployed root certificate is the same as the CA from which the server certificate was obtained in the procedure described above.

    When the CA is the same:

    You can use the root certificate deployed already. You do not need to overwrite the root certificate.

    When the CA is different:

    Concatenate the root certificate that is already deployed and the root certificate newly deployed to the manager hosts into one file. When you concatenate them, record which part of the combined file corresponds to which root certificate, so that a part that is about to expire can be replaced correctly later. Because root certificates are Base64-encoded, you cannot tell from the combined file itself which parts correspond to which individual root certificates.

    For details, see the JP1/Base User's Guide.

  4. Check that the root certificates for the agent hosts are placed on the manager hosts.

    Deploy the root certificates for the agent hosts as part of the setup operation that enables JP1/AJS3 - Agent to communicate in SSL. See the setup procedure for JP1/AJS3 - Agent.

  5. Enable SSL communication.

    For details about how to enable SSL communication, see the description of the communication encryption function in the JP1/Base User's Guide.
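Step 5 of (1)(b) merges several intermediate certificates into one file, and step 3 of (2) binds an already deployed root certificate with a new one in a way that keeps each part identifiable for later replacement. The following Python script is an added example, not part of this manual or of JP1/Base; it keeps the bound file as plain PEM and records, in a separate manifest, a label and a SHA-256 fingerprint of the DER bytes for each block, which is enough to find and swap an expiring block without opening the Base64 text. The certificate bodies it uses are constructed stand-ins, not real X.509 certificates.

```python
import base64
import hashlib
import re

# One PEM certificate block; group 1 is the Base64 body between the BEGIN/END lines.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL)


def split_pem(text):
    """Return each certificate block found in text, normalized to LF line endings."""
    return ["-----BEGIN CERTIFICATE-----\n" + m.group(1).replace("\r", "")
            + "\n-----END CERTIFICATE-----" for m in PEM_BLOCK.finditer(text)]


def fingerprint(block):
    """SHA-256 over the decoded DER bytes, so line wrapping of the Base64 text does not matter."""
    body = "".join(PEM_BLOCK.search(block).group(1).split())
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def bind_certificates(labelled):
    """labelled: [(label, pem_text)], one certificate each, in the order they should appear.
    Returns the concatenated bundle text and a manifest {label: fingerprint} kept beside it."""
    manifest, blocks = {}, []
    for label, pem in labelled:
        found = split_pem(pem)
        if len(found) != 1:
            raise ValueError(f"{label}: expected exactly one certificate, found {len(found)}")
        manifest[label] = fingerprint(found[0])
        blocks.append(found[0])
    return "\n".join(blocks) + "\n", manifest


def replace_certificate(bundle, manifest, label, new_pem):
    """Replace the block recorded under label (for example an expiring root) and update the manifest."""
    new_block = split_pem(new_pem)[0]
    old_fp = manifest[label]  # KeyError if this label was never bound
    blocks = split_pem(bundle)
    if old_fp not in {fingerprint(b) for b in blocks}:
        raise ValueError(f"{label}: fingerprint from manifest is not present in the bundle")
    blocks = [new_block if fingerprint(b) == old_fp else b for b in blocks]
    return "\n".join(blocks) + "\n", {**manifest, label: fingerprint(new_block)}


def fake_pem(seed):
    """Constructed stand-in for a certificate (Base64 of arbitrary bytes); NOT a real X.509 file."""
    body = base64.b64encode(seed.encode() * 8).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN CERTIFICATE-----\n" + wrapped + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle, manifest = bind_certificates([("existing-ca-root", fake_pem("existing")),
                                          ("webconsole-ca-root", fake_pem("webconsole"))])
    print(replace_certificate(bundle, manifest, "existing-ca-root", fake_pem("renewed"))[1])
```

Whether a given reader accepts extra text inside the certificate file is not something this script relies on: the bundle it writes contains only PEM blocks, and the manifest lives in a separate file.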

(3) Setup to enable JP1/AJS3 - Agent to communicate in SSL

The procedure for the setup to enable JP1/AJS3 - Agent to communicate in SSL is the same as the setup procedure for the manager/agent configuration. For details, see 21.4.2(2) Setup to enable JP1/AJS3 - Agent to communicate in SSL.

(4) Setup to enable JP1/AJS3 - View to communicate in SSL

The procedure for the setup to enable JP1/AJS3 - View to communicate in SSL is the same as the setup procedure for the manager/agent configuration. For details, see 21.4.2(3) Setup to enable JP1/AJS3 - View to communicate in SSL.

(5) Setup to enable the Web GUI to communicate in SSL

The setup to enable the Web GUI to communicate in SSL is the same as the setup to be performed when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(5)(a) Setup to enable the Web GUI to communicate in SSL.

(6) Setup to enable the user application to communicate in SSL

The setup to enable the user application to communicate in SSL is the same as the setup to be performed when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(5)(b) Setup to enable the user application to communicate in SSL.

(7) Checking the connection of SSL communication

The method of checking the connection of SSL communication between components is the same as the method of checking when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(6) Checking the connection of SSL communication.