Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 Configuration Guide


21.4.5 SSL communication setup procedure (when the server certificate for manager host is used for Web Console server)

This subsection describes the SSL communication setup procedure to be performed when the server certificate for the manager host is used for the Web Console server.

The following figure shows an overview of setup operations on individual hosts.

Figure 21‒6: Overview of how to set up SSL communication when the server certificate for the manager host is used for the Web Console server

[Figure]

The setup operation on a host involves not only the setup of the JP1/AJS3 components installed on that host but also the setup of the components at its communication destinations.

Perform this operation on all the hosts constituting the JP1/AJS3 system. If SSL communication is enabled for some hosts and disabled for other hosts, an error will occur in the communication between hosts.


(1) Setup to enable JP1/AJS3 - Manager to communicate in SSL

The procedure for the setup to enable JP1/AJS3 - Manager to communicate in SSL is the same as the setup procedure for the manager/agent configuration. For details, see 21.4.2(1) Setup to enable JP1/AJS3 - Manager to communicate in SSL.

(2) Setup to enable JP1/AJS3 - Web Console to communicate in SSL

The following describes the setup operation to enable JP1/AJS3 - Web Console to communicate in SSL:

(a) Setting for the SSL encryption of the communication with the manager host

The setup to enable JP1/AJS3 - Web Console to communicate with the manager host in SSL is the same as the setup to be performed when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(2)(a) Setting for the SSL encryption of the communication between the manager host and Web Console server.

(b) Setting for the SSL encryption of the communication with the client host

The following describes the setup procedure to enable JP1/AJS3 - Web Console to communicate with the client host in SSL:

  1. Copy the private key and server certificate for the manager host into a folder of JP1/AJS3 - Web Console.

    Copy the private key and server certificate that were obtained during the setup to enable JP1/AJS3 - Manager to communicate in SSL into the folder of JP1/AJS3 - Web Console shown below. Because the same private key then exists on both the manager host and the Web Console server, a compromise of either host exposes the key for both, so restrict the permissions on the copied private key file so that only administrators and the account that runs the JP1/AJS3 HTTP Server service can read it.

    The following shows the copy-destination folder of JP1/AJS3 - Web Console:

    In Windows:

    JP1/AJS3 - Web-Console-installation-folder\uCPSB\httpsd\conf\ssl\server

    In Linux:

    /opt/jp1ajs3web/uCPSB/httpsd/conf/ssl/server

  2. If the server certificate was issued by an intermediate CA and the server certificate and the intermediate certificates were delivered merged into one file, separate them into two files.

    Open the server certificate file with a text editor and cut out the intermediate certificates, leaving only the server certificate's own block (from its BEGIN CERTIFICATE line to its END CERTIFICATE line). Create a new intermediate certificate file in the same folder, paste the intermediate certificates into it (one after another, if there is more than one), and save it. Then save the server certificate file, from which the intermediate certificates were cut, under its original file name.

  3. Edit the HTTP server definition file (httpsd.conf) to enable SSL communication.

    In the httpsd.conf file, remove the hash marks (#) that comment out the lines in the SSL communication setting section so that SSL communication is enabled. As in the example below, the Listen line for the non-SSL port (22252 by default) is commented out at the same time, so that the server accepts only SSL connections.

    An example of changing the httpsd.conf file in Windows is shown below. In this example, the port number for communication, the name of the server certificate file, and the name of the private key file are not changed from the defaults, and only hash marks (#) indicating comments are edited. (The default of the server certificate file name is httpsd.pem, and the default of the private key file name is httpsdkey.pem.) If you place an intermediate certificate file, add the SSLCACertificateFile entry and specify the path of the intermediate certificate file that you placed. In the following example, intermediate.pem is specified as the name of the intermediate certificate file. If you do not place an intermediate certificate file, you do not need to add this entry.

    Before change

    ...
    Listen 22252
    #Listen [::]:22252
    SSLDisable
      
    #Listen 22253
    #Listen [::]:22253
    #<VirtualHost *:22253>
    #  ServerName MyServer
    #  SSLEnable
    #  SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
    #  SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
    #  AllowEncodedSlashes On
    #</VirtualHost>
    ...

    After change

    ...
    #Listen 22252
    #Listen [::]:22252
    SSLDisable
      
    Listen 22253
    #Listen [::]:22253
    <VirtualHost *:22253>
      ServerName MyServer
      SSLEnable
      SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
      SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
      SSLCACertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/intermediate.pem"
      AllowEncodedSlashes On
    </VirtualHost>
    ...

    If the port number for SSL communication, the server certificate file name, or the private key file name differs from the default in your environment, change the corresponding settings in the httpsd.conf file to match.

    The following table lists the default settings in the httpsd.conf file.

    Table 21‒15: Defaults in the httpsd.conf file

    No.  Item                           Default
    1    SSL communication port number  22253
    2    Server certificate file name   httpsd.pem
    3    Private key file name          httpsdkey.pem

    For details about the httpsd.conf file, see 3.4.5 Details on the settings in the HTTP server definition file (httpsd.conf) (for Windows) or 13.3.5 Details on settings in the HTTP server definition file (httpsd.conf) (for Linux).

  4. Edit the HTTP server definition file to enable the SSL communication log output.

    In the httpsd.conf file, remove the hash marks (#) from the LogFormat and CustomLog lines for the hws_ssl log to enable output of the SSL communication log. The hws_ssl format records, for each connection, the time and the protocol version, cipher, and client certificate values (%{version}c, %{cipher}c, %{clientcert}c), which is what you need later to confirm which protocol versions and cipher suites are actually being negotiated. An example of changing the httpsd.conf file in Windows is shown below.

    Before change

    ...
    #LogFormat "%t %{version}c %{cipher}c %{clientcert}c" hws_ssl
    #CustomLog "|\"\"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/sbin/rotatelogs2.exe\" \"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/logs/ssl\" 10240 8\"" hws_ssl
    ...

    After change

    ...
    LogFormat "%t %{version}c %{cipher}c %{clientcert}c" hws_ssl
    CustomLog "|\"\"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/sbin/rotatelogs2.exe\" \"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/logs/ssl\" 10240 8\"" hws_ssl
    ...

  5. Restart the JP1/AJS3 HTTP Server service.

    After the restart, the server no longer listens on the non-SSL port (22252 by default), so any client that is still configured to use that port will be unable to connect until it is switched to the SSL port.
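The following shell script is an added example for the Linux form of this procedure; it is not part of the manual and is not Hitachi's code. It separates a merged certificate file as described in step 2 and checks the httpsd.conf edits of steps 3 and 4 before the restart in step 5. It assumes that the merged file lists the server certificate first and the intermediate certificates after it, which is how CAs normally deliver a chain, and that the port numbers are the defaults in Table 21-15. The certificate bodies and the httpsd.conf excerpt it builds for its demonstration are constructed, not real certificates or a real configuration file.

```shell
#!/bin/sh
# Added example; not code from the JP1/AJS3 manual or from Hitachi.
# Helpers for step 2 (separating a merged certificate chain into the server
# certificate and an intermediate certificate file) and a pre-restart check
# for the step 3 and step 4 edits to httpsd.conf. Assumptions: the merged PEM
# file lists the server certificate first and the intermediates after it, and
# the port numbers are the defaults from Table 21-15.
set -eu

SSL_PORT=22253
PLAIN_PORT=22252

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none).
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# split_chain MERGED LEAF_OUT INTER_OUT: copy the first certificate block to
# LEAF_OUT and every later block to INTER_OUT. Text before the first BEGIN
# line (e.g. the "Bag Attributes" that openssl pkcs12 prints) is dropped.
split_chain() {
    n=$(count_certs "$1")
    if [ "$n" -lt 2 ]; then
        echo "split_chain: $1 holds $n certificate block(s); nothing to separate" >&2
        return 1
    fi
    awk -v leaf="$2" -v inter="$3" '
        /-----BEGIN CERTIFICATE-----/ { block++ }
        block == 1 { print > (leaf) }
        block >= 2 { print > (inter) }
    ' "$1"
    # Sanity check: exactly one block in the leaf file, the rest in the other.
    [ "$(count_certs "$2")" -eq 1 ] || return 1
    [ "$(count_certs "$3")" -eq $((n - 1)) ] || return 1
}

# active CONF REGEX: true if CONF has a line matching REGEX that is not
# commented out with a leading hash mark.
active() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_ssl_conf CONF: verify the step 3 and step 4 edits before the restart.
# Prints every failed check; returns 1 if any failed.
check_ssl_conf() {
    conf=$1; rc=0
    active "$conf" 'Listen[[:space:]]+(\[::\]:)?'"$SSL_PORT"'([[:space:]]|$)' \
        || { echo "FAIL: no active Listen for SSL port $SSL_PORT"; rc=1; }
    if active "$conf" 'Listen[[:space:]]+(\[::\]:)?'"$PLAIN_PORT"'([[:space:]]|$)'; then
        echo "FAIL: plaintext port $PLAIN_PORT is still listened on"; rc=1
    fi
    active "$conf" '<VirtualHost[[:space:]]+\*:'"$SSL_PORT"'>' \
        || { echo "FAIL: no active <VirtualHost *:$SSL_PORT>"; rc=1; }
    for d in SSLEnable SSLCertificateFile SSLCertificateKeyFile; do
        active "$conf" "$d"'([[:space:]]|$)' || { echo "FAIL: $d is commented out"; rc=1; }
    done
    for d in LogFormat CustomLog; do
        active "$conf" "$d"'[[:space:]]+.*hws_ssl' || { echo "FAIL: $d for hws_ssl is commented out"; rc=1; }
    done
    return "$rc"
}

# make_sample_chain OUT: constructed three-block PEM file with fake bodies
# (not real certificates), in the merged form a CA might deliver.
make_sample_chain() {
    : > "$1"
    for body in LEAF-SERVER-CERT INTERMEDIATE-CA-1 INTERMEDIATE-CA-2; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' >> "$1"
    done
}

# make_sample_conf OUT before|after: constructed excerpt of the SSL-relevant
# httpsd.conf lines (Linux paths) before or after the step 3 and 4 edits.
make_sample_conf() {
    if [ "$2" = after ]; then p=''; q='#'; else p='#'; q=''; fi
    cat > "$1" <<EOF
${q}Listen $PLAIN_PORT
SSLDisable
${p}Listen $SSL_PORT
${p}<VirtualHost *:$SSL_PORT>
${p}  SSLEnable
${p}  SSLCertificateFile "/opt/jp1ajs3web/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
${p}  SSLCertificateKeyFile "/opt/jp1ajs3web/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
${p}</VirtualHost>
${p}LogFormat "%t %{version}c %{cipher}c %{clientcert}c" hws_ssl
${p}CustomLog "logs/ssl" hws_ssl
EOF
}

# Demonstration on constructed input in a throwaway directory.
work=$(mktemp -d)
make_sample_chain "$work/merged.pem"
split_chain "$work/merged.pem" "$work/httpsd.pem" "$work/intermediate.pem"
echo "httpsd.pem: $(count_certs "$work/httpsd.pem") block, intermediate.pem: $(count_certs "$work/intermediate.pem") blocks"
make_sample_conf "$work/httpsd.conf" after
check_ssl_conf "$work/httpsd.conf" && echo "httpsd.conf: SSL settings consistent, safe to restart"
rm -rf "$work"
```

To use it on a real host, run split_chain on the merged file to produce httpsd.pem and intermediate.pem in the server folder, then run check_ssl_conf against the real httpsd.conf before step 5; a non-zero exit means a directive is still commented out or the plaintext port is still open. After the restart, openssl s_client -connect <Web Console host>:22253 -showcerts shows whether the intermediate certificate is being sent along with the server certificate.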

(3) Setup to enable JP1/AJS3 - Agent to communicate in SSL

The procedure for the setup to enable JP1/AJS3 - Agent to communicate in SSL is the same as the setup procedure for the manager/agent configuration. For details, see 21.4.2(2) Setup to enable JP1/AJS3 - Agent to communicate in SSL.

(4) Setup to enable JP1/AJS3 - View to communicate in SSL

The procedure for the setup to enable JP1/AJS3 - View to communicate in SSL is the same as the setup procedure for the manager/agent configuration. For details, see 21.4.2(3) Setup to enable JP1/AJS3 - View to communicate in SSL.

(5) Setup to enable the Web GUI to communicate in SSL

The setup to enable the Web GUI to communicate in SSL is the same as the setup to be performed when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(5)(a) Setup to enable the Web GUI to communicate in SSL.

(6) Setup to enable the user application to communicate in SSL

The setup to enable the user application to communicate in SSL is the same as the setup to be performed when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(5)(b) Setup to enable the user application to communicate in SSL.

(7) Checking the connection of SSL communication

The method of checking the connection of SSL communication between components is the same as the method of checking when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(6) Checking the connection of SSL communication.