Hitachi

JP1 Version 12 JP1/Performance Management Planning and Configuration Guide


4.3.15 Changing the settings for encrypted communication between a web browser and the monitoring console server

You can select whether to use encrypted communication to connect from a web browser to the monitoring console server. By default, encrypted communication is disabled.

For encrypted communication, you need either a server certificate acquired from a certificate authority or a self-signed certificate created for testing. Prepare a certificate appropriate for the application. A self-signed certificate might not be usable by some web browsers.

In the following cases, you must change the settings:

The following tables show the general procedures for making these changes.

Table 4‒15: General procedure for changing encrypted communication from disabled to enabled

| Sequence | Procedure | Section to reference |
|---|---|---|
| 1 | Prepare a certificate (server certificate or self-signed certificate). | 4.3.15(1), 4.3.15(2) |
| 2 | Store files in the folder for storing encrypted communication files. | 4.3.15(3) |
| 3 | Enable encrypted communication between your web browser and the monitoring console server. | 4.3.15(4) |
| 4 | Apply the change in encrypted communication settings to the system linkage settings. | 4.3.15(6) |
| 5 | Configure your web browser to use encrypted communication. | 4.1.6 |

Table 4‒16: General procedure for changing encrypted communication from enabled to disabled

| Sequence | Procedure | Section to reference |
|---|---|---|
| 1 | Disable encrypted communication between your web browser and the monitoring console server. | 4.3.15(5) |
| 2 | Apply the change in encrypted communication settings to the system linkage settings. | 4.3.15(6) |

Table 4‒17: General procedure when a certificate (server certificate or self-signed certificate) has expired

| Sequence | Procedure | Section to reference |
|---|---|---|
| 1 | Re-prepare a certificate (server certificate or self-signed certificate). | 4.3.15(1), 4.3.15(2) |
| 2 | Store files in the folder for storing encrypted communication files. | 4.3.15(3) |
| 3 | Re-enable encrypted communication between your web browser and the monitoring console server. | 4.3.15(4) |
| 4 | Configure your web browser to use encrypted communication. | 4.1.6 |

(1) Preparing a certificate (acquiring a server certificate from a certificate authority)

If you are using a multiple monitor configuration, execute this procedure on both the primary and secondary hosts separately.

  1. Create a certificate signing request (CSR) file and a private key file on the PFM - Web Console host.

    Execute the jpcwtool https create certreq command#.

    If you specify a password for the private key, a password file is also created for the private key.

    If you are using a cluster system, execute this procedure on the standby node.

    For details about this command, see the chapter that explains commands in the manual JP1/Performance Management Reference.

    #: The jpcwtool https create certreq command does not output Subject Alternative Names (SANs). When you use Google Chrome as the browser, a server certificate created with a certificate signing request (CSR) that does not contain a SAN definition is regarded as an untrusted certificate. In this case, you have to create a server certificate by using OpenSSL or other tools capable of creating a CSR with a SAN definition added to it. When you create a server certificate, you have to not only specify the entries that need to be set in the jpcwtool https create certreq command but also set a SAN as the Common Name (CN).

  2. Send the certificate signing request file created in step 1 to the certificate authority (CA), and acquire an x.509 (PEM) format server certificate file and an intermediate CA certificate file.

    To use a cross root intermediate CA certificate, acquire an x.509 (PEM) format file that links the intermediate CA certificate with the cross root intermediate CA certificate. For details about how to acquire linked certificates, contact the certificate authority.

  3. Rename the server certificate file and intermediate CA certificate file acquired in step 2.

    Rename them as follows:

    • Server certificate file: jpcwhttpscert.pem

    • Intermediate CA certificate file: jpcwhttpscacert.pem
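The note in step 1 says a CSR without a SAN yields a certificate that Google Chrome treats as untrusted, and points to OpenSSL as the alternative. The following is an added example, not taken from the Hitachi manual: it creates an unencrypted RSA private key and a CSR whose SAN repeats the CN, then checks that the SAN is really in the CSR before it is sent to the CA. The host name `pfmweb.example.com` and the CSR file name `pfmweb.csr` are assumptions, and `-addext` requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the manual): CSR with a SAN, created with OpenSSL.

# make_csr_with_san <fqdn> <output-dir>
# Writes <output-dir>/jpcwhttpskey.pem (key file name used on this page)
# and <output-dir>/pfmweb.csr (hypothetical CSR file name).
make_csr_with_san() {
    fqdn=$1
    outdir=$2
    (
        umask 077   # keep the new private key unreadable by group/others
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$outdir/jpcwhttpskey.pem" \
            -out "$outdir/pfmweb.csr" \
            -subj "/CN=$fqdn" \
            -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    )
}

# csr_has_san <csr-file> <fqdn>
# Succeeds only if the CSR requests a SAN entry that is exactly DNS:<fqdn>.
csr_has_san() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' |
        sed 's/^ *//; s/ *$//' |
        grep -qxF "DNS:$2"
}

# Usage (constructed host name):
#   make_csr_with_san pfmweb.example.com /tmp/pfm-csr &&
#   csr_has_san /tmp/pfm-csr/pfmweb.csr pfmweb.example.com && echo "SAN present"
```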

(2) Preparing a certificate (creating a self-signed certificate for testing)

If you are using a multiple monitor configuration, execute this procedure on both the primary and secondary hosts separately.

  1. Create a self-signed certificate file and a private key file on the PFM - Web Console host.

    Execute the jpcwtool https create provcert command.

    If you are using a cluster system, execute this procedure on the standby node.

    For details about this command, see the chapter that explains commands in the manual JP1/Performance Management Reference.

(3) Storing files in the folder for storing encrypted communication files

Store the files necessary for encrypted communication, which were prepared in advance, in the folder for storing encrypted communication files.

  1. Store the files in the folder for storing encrypted communication files.

    If you are using a cluster system, store the files on the standby node first, and then copy these files to the active node.

The following lists the storage destination and the files to be stored.

Storage destination (folder for storing encrypted communication files)
In Windows:

PFM-Web-Console-installation-folder\CPSB\httpsd\conf\ssl\server

In UNIX:

/opt/jp1pcwebcon/CPSB/httpsd/conf/ssl/server

Files to be stored

Reading privileges with the following additional privileges are required for all files:

  • In Windows: Administrator privileges

  • In UNIX: root privileges

Table 4‒18: Files to be stored (when a server certificate is used)

| File name | Description |
|---|---|
| jpcwhttpscacert.pem | Intermediate CA certificate file |
| jpcwhttpscert.pem | Server certificate file |
| jpcwhttpskey.pem | Private key file |
| jpcwhttpskeypass.dat | Private key password file (The file is stored only when a password is specified for the private key.) |

Table 4‒19: Files to be stored (when a self-signed certificate is used)

| File name | Description |
|---|---|
| jpcwhttpscert.pem | Self-signed certificate file |
| jpcwhttpskey.pem | Private key file |

(4) Enabling encrypted communication between a web browser and the monitoring console server

This subsection assumes that the required files have already been stored in the folder for storing encrypted communication files. For details about the required files, see 4.3.15(3) Storing files in the folder for storing encrypted communication files.

If you are using a multiple monitor configuration, execute this procedure on both the primary and secondary hosts separately.

  1. Execute the jpcwstop command on the PFM - Web Console host to stop the services.

    If you are using a cluster system, use an operation from the cluster software to stop the logical host on which PFM - Web Console is registered.

  2. Execute the jpcwconf https enable command to enable encrypted communication.

    If you are using a cluster system, execute this procedure on both the active and standby nodes.

    For details about this command, see the chapter that explains commands in the manual JP1/Performance Management Reference.

  3. Execute the jpcwstart command on the PFM - Web Console host to start the services.

    If you are using a cluster system, use an operation from the cluster software to start the logical host on which PFM - Web Console is registered.
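Before running jpcwconf https enable in step 2, the files stored in 4.3.15(3) can be checked so that the services are not restarted with an expired certificate, one without a SAN, or a key that belongs to a different certificate. The following is an added example, not taken from the Hitachi manual; it assumes OpenSSL 1.1.1 or later and an unencrypted private key, and the world-readable check is an extra hardening check that the manual does not state.

```shell
#!/bin/sh
# Added example (not from the manual): pre-flight check of the stored files.
# File names are the ones listed in 4.3.15(3); the key is assumed unencrypted.

# check_https_files <folder> [min-days-remaining]
# Returns 0 if every check passes, 1 if a check fails, 2 if a file is missing.
check_https_files() {
    dir=$1
    days=${2:-30}
    cert="$dir/jpcwhttpscert.pem"
    key="$dir/jpcwhttpskey.pem"
    rc=0

    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 2; }
    done

    # 1. The certificate must stay valid for at least <days> more days.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1 ||
        { echo "certificate expires within $days days or cannot be parsed"; rc=1; }

    # 2. The certificate must carry a SAN (see the note in 4.3.15(1)).
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
        grep -Eq 'DNS:|IP Address:' ||
        { echo "certificate has no SAN entry"; rc=1; }

    # 3. The public key in the certificate must match the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } ||
        { echo "private key does not match certificate (or key is encrypted)"; rc=1; }

    # 4. Extra hardening check: the private key should not be world-readable.
    [ -z "$(find "$key" -perm -004 2>/dev/null)" ] ||
        { echo "private key is world-readable"; rc=1; }

    return $rc
}

# Usage on UNIX, with the storage folder given in 4.3.15(3):
#   check_https_files /opt/jp1pcwebcon/CPSB/httpsd/conf/ssl/server 30
```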

(5) Disabling encrypted communication between a web browser and the monitoring console server

If you are using a multiple monitor configuration, execute this procedure on both the primary and secondary hosts separately.

  1. Execute the jpcwstop command on the PFM - Web Console host to stop the services.

    If you are using a cluster system, use an operation from the cluster software to stop the logical host on which PFM - Web Console is registered.

  2. Execute the jpcwconf https disable command to disable encrypted communication.

    If you are using a cluster system, execute this procedure on both the active and standby nodes.

    For details about this command, see the chapter that explains commands in the manual JP1/Performance Management Reference.

  3. As needed, delete files from the folder for storing encrypted communication files.

    For details about the folder for storing encrypted communication files, see 4.3.15(3) Storing files in the folder for storing encrypted communication files.

  4. Execute the jpcwstart command on the PFM - Web Console host to start the services.

    If you are using a cluster system, use an operation from the cluster software to stop the logical host on which PFM - Web Console is registered.

(6) Applying changes to encrypted communication settings to system linkage settings

If you change the settings for encrypted communication between a web browser and the monitoring console server, apply the changes to the settings of the integrated management product (JP1/IM), the service-level management product (JP1/SLM), and the job management product (JP1/AJS3), as needed.

The following is the procedure for applying these changes:

  1. If operations are being monitored via linkage with an integrated management product (JP1/IM), change the settings.

    Change the settings as follows, depending on the events that are set.

    • If JP1 user events are set

      Change the URLs for the definition file for opening monitor windows, and for the definition file for the tool launcher.

    • If JP1 system events are set

      Change the settings for encrypted communication.

    For details, see the following sections in the chapter that explains how to perform operation monitoring via linkage with an integrated management product (JP1/IM) in the JP1/Performance Management User's Guide:

    • The section that explains how to edit and copy definition files for linkage

    • The section that explains how to configure the issuing of JP1 system events by individual PFM services

  2. If operations are being monitored via linkage with a service-level management product (JP1/SLM), change the settings.

    Change the settings so that the PFM - Web Console screen can be started from JP1/SLM.

    Change the URL for PFM - Web Console that is set in the properties of the following file of JP1/SLM:

    • pfmWebConsoleURL of the system definition file (jp1itslm.properties)

    For details, see the manual JP1/Service Level Management.

  3. If operations are being monitored via linkage with the job management product (JP1/AJS3), change the settings.

    Change the settings in the JP1/AJS3 - Web Console environment settings file (ajs3web.conf) so that the PFM - Web Console screen can be started from JP1/AJS3.