Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Configuration Guide


A.5 Building an environment for using HTTPS with the external system linkage configuration

This section describes how to build an environment for using HTTPS connection with the external system linkage configuration and presents the commands to be used for this purpose.

(1) Building an environment

Take the following steps to use an HTTPS connection with the external system linkage configuration.

Obtaining certificates for SSL communication for the management server

From a Certificate Authority, obtain certificates (root certificate and SSL server certificate) for SSL communication for the management server.

The flow of obtaining certificates for SSL communication for the management server is as follows:

  1. Create a private key for the Web server (openssl.bat genrsa command).

  2. Create a Certificate Signing Request (CSR) (openssl.bat req command).

  3. Display the contents of a Certificate Signing Request (CSR) (openssl.bat req command).

    If necessary, check the contents of the Certificate Signing Request (CSR).

  4. Send the CSR to the CA.

  5. Acquire a certificate from the CA.

    Tip

    You can use the openssl.bat x509 command to check the contents of the certificate you obtained.

    Tip

    From the certificate you obtained, save the part from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- in a separate file (the httpsd.pem file defined in the httpsd.conf provided as standard).

Setting up the management server

  1. Log on to the OS as a member of the Administrators group.

  2. Stop the JP1/IT Desktop Management 2 services on the management server.

    Execute the following command:

    stopservice

    For details about the commands, see the JP1/IT Desktop Management 2 Administration Guide.

  3. Store an SSL server certificate and a private key in the following folder on the management server:

    JP1/IT Desktop Management 2 - Manager-installation-folder\mgr\uCPSB\httpsd\conf\ssl\server

    You have to store the following files in the above folder:

    • The SSL server certificate file: httpsd.pem

    • The private key file: httpsdkey.pem

    Note

    When you change the connection setting from HTTPS to HTTP, delete the SSL server certificate and the private key.

  4. Edit the configuration file to include a statement.

    The configuration file (jdn_manager_config.conf) exists in the following location:

    JP1/IT Desktop Management 2 - Manager-installation-folder\mgr\conf

    Edit the configuration file to include the following statement: RestAPIProtocol=1

    Note

    When you change the connection setting from HTTPS to HTTP, change the statement RestAPIProtocol=1 in the configuration file to RestAPIProtocol=0. Do not delete the RestAPIProtocol line that you added.

  5. From the Windows Start menu, select All Programs, JP1_IT Desktop Management 2 - Manager, Tools, and then Setup.

  6. In the Setup window, click the Next button.

  7. In the Select a Setup view, select Settings Modification, and then click the Next button.

  8. Click the Next button until the API settings view appears.

  9. Select the Use the API check box.

  10. Click the Next button.

  11. Click the Next button until the Confirm Setup Settings view appears.

  12. In the Confirm Setup Settings view, confirm that the specified settings are correct, and then click the Next button.

    A dialog box asking you to confirm that Remote Install Manager and JP1/IT Desktop Management 2 - Asset Console have been stopped is displayed. After confirming, click the OK button. In a cluster system, take the cluster resources associated with the services displayed in the dialog box offline, and then click the OK button.

  13. In the Setup for Distribution by Using Remote Install Manager view, click the OK button.

    The setup process begins, and a dialog box appears indicating that setup is in progress. When setup has finished, the Setup Complete view appears.

    Important

    If the dialog box "Could not start the service. Service name=JP1_ITDM2_Web Server." appears, click the OK button to close it and complete the setup. Then review the SSL server certificate file and the private key file from step 3, and start the JP1_ITDM2_Web Server service directly. If the dialog box "An error occurred during Setup." appears, check that the RestAPIProtocol value set in step 4 is correct.

  14. In the Setup Complete view, click the OK button.

Note

In a cluster system, set up both the primary server and the standby server.
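
The following pre-flight check for steps 3 and 4 is an added example, not part of the Hitachi manual. It assumes that the bundled openssl.bat accepts the standard OpenSSL rsa subcommand and the -noout and -modulus options, which this page does not document; the InstallDir parameter name is hypothetical. It also flags keys shorter than 2048 bits, the default length given for genrsa.

```powershell
# Added example, not Hitachi's code. Run on the management server before step 5.
param(
    # Manager installation folder; no default is assumed here.
    [Parameter(Mandatory = $true)][string]$InstallDir
)
$ErrorActionPreference = 'Stop'

$sslDir   = Join-Path $InstallDir 'mgr\uCPSB\httpsd\conf\ssl\server'
$openssl  = Join-Path $InstallDir 'mgr\uCPSB\httpsd\bin\openssl.bat'
$conf     = Join-Path $InstallDir 'mgr\conf\jdn_manager_config.conf'
$cert     = Join-Path $sslDir 'httpsd.pem'
$key      = Join-Path $sslDir 'httpsdkey.pem'
$problems = @()

# Step 3: both files must exist under the names the page gives.
foreach ($f in $cert, $key, $conf, $openssl) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { $problems += "Missing file: $f" }
}

if ($problems.Count -eq 0) {
    # Tip: httpsd.pem should hold only the BEGIN/END CERTIFICATE block.
    $lines = @(Get-Content -LiteralPath $cert | Where-Object { $_.Trim() -ne '' })
    if ($lines.Count -lt 3 -or
        $lines[0].Trim() -ne '-----BEGIN CERTIFICATE-----' -or
        $lines[-1].Trim() -ne '-----END CERTIFICATE-----') {
        $problems += 'httpsd.pem does not start and end with the CERTIFICATE markers'
    }

    # The certificate must belong to this private key: compare the RSA moduli.
    # Assumption: openssl.bat passes -noout and -modulus through to OpenSSL.
    $certMod = (& $openssl x509 -in $cert -noout -modulus | Select-String '^Modulus=').Line
    $keyMod  = (& $openssl rsa  -in $key  -noout -modulus | Select-String '^Modulus=').Line
    if (-not $certMod -or -not $keyMod) {
        $problems += 'Could not read the modulus from the certificate or the key'
    } elseif ($certMod -ne $keyMod) {
        $problems += 'httpsd.pem was not issued for httpsdkey.pem (modulus mismatch)'
    } elseif ((($keyMod.Length - 'Modulus='.Length) * 4) -lt 2048) {
        $problems += 'Private key is shorter than 2048 bits'
    }

    # Step 4: HTTPS is selected by the statement RestAPIProtocol=1.
    if (-not (Select-String -LiteralPath $conf -Pattern '^RestAPIProtocol=1\s*$' -Quiet)) {
        $problems += 'jdn_manager_config.conf has no RestAPIProtocol=1 line'
    }
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Certificate, private key and RestAPIProtocol are consistent.'
```

If the private key was created with a password, the rsa call prompts for it.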

(2) Commands used to acquire certificates for SSL communication

The following describes the commands used to acquire certificates for SSL communication.

The commands are stored in the following folder:

JP1/IT Desktop Management 2 - Manager-installation-folder\mgr\uCPSB\httpsd\bin

(a) Creating a private key for the Web server (openssl.bat genrsa command)

Functionality

This section describes the openssl.bat genrsa command, which creates a private key for the Web server.

Format

openssl.bat∆genrsa∆-rand∆file-name[:file-name...]∆-out∆key-file∆[512|1024|2048|4096]

Operand

-rand∆file-name[:file-name...]

Specify any file to be used for random number generation.

-out∆key-file

Specify the file to which the Web server private key is output.

512|1024|2048|4096

Specify the bit length of the Web server private key. If this operand is omitted, 2048 is assumed.

Notes

If you enter a password of 3 characters or fewer, a message prompts you to enter at least 4 characters and no more than 1,023 characters. In this version, enter a password of 4 to 64 characters. Note that entering a password of 65 characters or longer does not result in an error.

Example

To create the httpsdkey.pem Web server private key:

openssl.bat genrsa -rand C:\WINNT\NOTEPAD.EXE -out httpsdkey.pem 2048

(b) Creating a Certificate Signing Request (CSR) (openssl.bat req command)

Functionality

This section describes the openssl.bat req command, which creates a Certificate Signing Request (CSR). The created CSR file is submitted to the CA, which then issues the signed certificate. The CSR is created in the format conforming to PKCS #10.

Format

openssl.bat∆req∆-new∆-sha256∆-key∆key-file∆-out∆CSR-file

Operand

-sha256

Specifies that the signature algorithm sha256WithRSAEncryption is used when the CSR is created.

-key∆key-file

Specify the Web server private key file.

-out∆CSR-file

Specify the file to which the created CSR is output.

Example

To create a Certificate Signing Request (CSR) by using the Web server private key file httpsdkey.pem, specify as follows:

openssl.bat req -new -sha256 -key httpsdkey.pem -out httpsd.csr

If you have set a password when creating the private key for the Web server, you are prompted to enter the password. For the items to be set, follow the instructions from the CA to which you submit the Certificate Signing Request (CSR).

(c) Displaying the contents of a Certificate Signing Request (CSR) (openssl.bat req command)

Functionality

This section describes the openssl.bat req command, which displays the contents of a Certificate Signing Request (CSR).

Format

openssl.bat∆req∆-in∆CSR-file∆-text

Operand

-in∆CSR-file

Specify the CSR file to be displayed.

Example

To display the CSR file httpsd.csr, specify as follows:

openssl.bat req -in httpsd.csr -text

(d) Displaying certificate contents (openssl.bat x509 command)

Functionality

This section describes the openssl.bat x509 command, which displays the contents of a certificate file. The following command displays the part of the certificate file that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

Format

openssl.bat∆x509∆-in∆certificate-file∆-text

Operand

-in∆certificate-file

Specify the certificate file to be displayed.

Example

To display the certificate file httpsd.pem, specify as follows:

openssl.bat x509 -in httpsd.pem -text

(e) Converting the certificate format (openssl.bat x509 command)

Functionality

This section describes the openssl.bat x509 command, which converts the certificate format. Use this functionality as necessary.

Format

openssl.bat∆x509∆-inform∆input-format∆-outform∆output-format∆-in∆input-file∆-out∆output-file

Operand

-inform∆input-format

Specify the input format of the certificate file before conversion. The following input formats can be specified:

  • DER

  • PEM

-outform∆output-format

Specify the output format of the certificate file after conversion. The following output formats can be specified:

  • DER

  • PEM

-in∆input-file

Specify the certificate file before conversion.

-out∆output-file

Specify the certificate file after conversion.