Hitachi

JP1 Version 13 JP1/Automatic Operation Configuration Guide 


1.6.3 Procedure to enable HTTPS connections

Set up the user_httpsd.conf file, and then store the private key file and SSL server certificate file in the specified folder to enable HTTPS connections on the Web server.

Before you begin

To enable HTTPS connections:

  1. Open the user_httpsd.conf file from the following location:

    • If the OS of the JP1/AO server is Windows

      Common-Component-installation-folder\uCPSB11\httpsd\conf\user_httpsd.conf

    • If the OS of the JP1/AO server is Linux

      Common-Component-installation-directory/uCPSB11/httpsd/conf/user_httpsd.conf

  2. Within the user_httpsd.conf file, do the following:
    • Uncomment the following lines by removing the hash [#] signs:

      #Listen 22016

      through

      #HWSLogSSLVerbose On

      with the exception of #SSLCACertificateFile and #Header set Strict-Transport-Security max-age=31536000, which must remain commented out.

      For an IPv6 environment, remove the hash mark (#) at the beginning of the line #Listen [::]:22016.

    • Edit the following lines as required:

      ServerName in the first line

      ServerName in the <VirtualHost> tag

      SSLCertificateKeyFile

      SSLCertificateFile

      #SSLCACertificateFile

    • For the ServerName directive in the top line and the ServerName directive in the <VirtualHost> tag, specify the host name (for cluster environments, specify the logical host name) that you specified for "Common Name" in the certificate signing request. Note that host names are case sensitive.
    • For the SSLCertificateKeyFile directive, specify the absolute path of the private key file.

      Do not specify a symbolic link or junction for the path.

    • For the SSLCertificateFile directive, specify the absolute path of the server certificate.

      There are two types of server certificates: certificates signed by a certificate authority and self-signed certificates.

    • To use a certificate of the certificate authority, remove the hash mark (#) at the beginning of the line for the SSLCACertificateFile directive, and then specify the absolute path of the certificate of the certificate authority. Multiple certificates can be contained in one file by using a text editor to chain multiple PEM format certificates. Note that you must not specify a symbolic link or junction for the path.

      Important

      To block non-SSL communication from external servers to the host, comment out the lines Listen 22015 and Listen [::]:22015 by adding a hash mark (#) to the beginning of each line. After you comment out these lines, remove the hash mark (#) from the line #Listen 127.0.0.1:22015.

      When editing directives, be aware of the following:

      • Do not specify the same directive twice.
      • Do not enter a line break in the middle of a directive.
      • When specifying paths in the following directives, do not specify symbolic links or junction points.
      • When specifying certificates and private key files in the following directives, specify PEM-format files.
      • Do not edit httpsd.conf and hsso_httpsd.conf files.

      The following is an example of how to edit the user_httpsd.conf file. The numbers represent the default ports.

      ServerName host-name
      Listen [::]:22015
      Listen 22015
      #Listen 127.0.0.1:22015
      SSLEngine Off
      #Listen [::]:22016
      Listen 22016
      <VirtualHost *:22016>
      ServerName host-name
      SSLEngine On
      SSLProtocol +TLSv1.2
      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256
      # SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
      SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsdkey.pem"
      SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsd.pem"
      # SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsdkey.pem"
      # SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsd.pem"
      SSLCACertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/cacert/anycert.pem"
      # Header set Strict-Transport-Security max-age=31536000
      </VirtualHost>
      HWSLogSSLVerbose On
      
  3. Start the JP1/AO service.
    • For non-cluster systems:

      Execute the hcmds64srv command with the start option specified.

    • For cluster systems:

      Use the cluster software to bring the service online.

  4. Update the JP1/AO URL by using the hcmds64chgurl command to do the following:
    • Change the protocol from http: to https:
    • Change the port number used for secure communication.
  5. If the OS of the JP1/AO server is Windows, change the URL in the shortcut file for the page that is displayed by performing the following operation:

    From the Start menu, select All Programs, JP1_Automatic Operation, and then JP1_AO Login.

Important

If the connection between the Web browser and JP1/AO is configured incorrectly, the HBase 64 Storage Mgmt Web Service might fail to start, preventing the JP1/AO login window from appearing.
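
Because a wrongly edited file can keep the Web service from starting, the editing rules in step 2 can be checked before step 3. The following Python script is an added example, not part of the Hitachi manual or the product: the names audit_user_httpsd and demo, the host name ao01, and the temporary key and certificate files are constructed for illustration, and the default port 22015 is assumed.

```python
import os
import tempfile

PATH_DIRECTIVES = ("SSLCertificateKeyFile", "SSLCertificateFile", "SSLCACertificateFile")
_isjunction = getattr(os.path, "isjunction", lambda p: False)  # os.path.isjunction: Python 3.12+

def audit_user_httpsd(conf_text, http_port="22015"):
    """Return findings for the editing rules in this procedure (default ports assumed)."""
    findings, server_names = [], []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0][0] in "#<":
            continue  # blank lines, comments, <VirtualHost> tags
        name, value = parts[0], (parts[1] if len(parts) > 1 else "").strip().strip('"')
        if name == "Listen":  # Important note: only 127.0.0.1 may keep the non-SSL port
            host, _, port = value.rpartition(":")
            if port == http_port and host != "127.0.0.1":
                findings.append(f"line {n}: non-SSL port {http_port} open to external hosts")
        elif name == "ServerName":
            server_names.append(value)
        elif name in PATH_DIRECTIVES:
            if not value:
                findings.append(f"line {n}: {name} has no path on the same line")
            elif not os.path.isabs(value):
                findings.append(f"line {n}: {name} path is not absolute")
            elif os.path.islink(value) or _isjunction(value):
                findings.append(f"line {n}: {name} path is a symbolic link or junction")
            elif not os.path.isfile(value):
                findings.append(f"line {n}: {name} file not found")
            else:
                with open(value, "rb") as fh:
                    if b"-----BEGIN " not in fh.read(4096):
                        findings.append(f"line {n}: {name} is not a PEM-format file")
    if len(set(server_names)) > 1:  # both ServerName lines take the same case-sensitive name
        findings.append(f"ServerName values differ: {sorted(set(server_names))}")
    return findings

def demo():
    """Constructed sample: real PEM key, symlinked certificate, CA path on its own line."""
    d = tempfile.mkdtemp()
    key, cert = os.path.join(d, "httpsdkey.pem"), os.path.join(d, "httpsd.pem")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n")
    os.symlink(key, cert)  # POSIX; on Windows this needs the symlink privilege
    conf = (f'ServerName ao01\nListen 22015\n#Listen 127.0.0.1:22015\nListen 22016\n'
            f'<VirtualHost *:22016>\nServerName AO01\nSSLEngine On\n'
            f'SSLCertificateKeyFile "{key}"\nSSLCertificateFile "{cert}"\n'
            f'SSLCACertificateFile\n"{d}/anycert.pem"\n</VirtualHost>\n')
    return audit_user_httpsd(conf)
```

The script does not compare ServerName with the certificate's Common Name; it only confirms that the two ServerName lines agree with each other.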