21.4.5 SSL communication setup procedure (when the server certificate for manager host is used for Web Console server)
This subsection describes the SSL communication setup procedure to be performed when the server certificate for the manager host is used for the Web Console server.
The following figure shows an overview of setup operations on individual hosts.
The setup operation on a host involves not only the setup of the JP1/AJS3 components installed in the host but also the setup of communication-destination components.
Perform this operation on all the hosts constituting the JP1/AJS3 system. If SSL communication is enabled for some hosts and disabled for other hosts, an error will occur in the communication between hosts.
(1) Setup to enable JP1/AJS3 - Manager to communicate in SSL
The procedure for the setup to enable JP1/AJS3 - Manager to communicate in SSL is the same as the setup procedure for the manager/agent configuration. For details, see 21.4.2(1) Setup to enable JP1/AJS3 - Manager to communicate in SSL.
(2) Setup to enable JP1/AJS3 - Web Console to communicate in SSL
The following describes the setup operation to enable JP1/AJS3 - Web Console to communicate in SSL:
(a) Setting for the SSL encryption of the communication with the manager host
The setup to enable JP1/AJS3 - Web Console to communicate with the manager host in SSL is the same as the setup to be performed when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(2)(a) Setting for the SSL encryption of the communication between the manager host and Web Console server.
(b) Setting for the SSL encryption of the communication with the client host
The following describes the setup procedure to enable JP1/AJS3 - Web Console to communicate with the client host in SSL:
- Copy the private key and server certificate for the manager host into a folder of JP1/AJS3 - Web Console.
Copy the private key and server certificate obtained by the setup operation to enable JP1/AJS3 - Manager to communicate in SSL into the following folder of JP1/AJS3 - Web Console:
- In Windows:
  JP1/AJS3 - Web-Console-installation-folder\uCPSB\httpsd\conf\ssl\server
- In Linux:
  /opt/jp1ajs3web/uCPSB/httpsd/conf/ssl/server
- Edit the HTTP server definition file (httpsd.conf) to enable SSL communication.
In the httpsd.conf file, cancel comments in the SSL communication setting section to enable SSL communication.
An example of changing the httpsd.conf file in Windows is shown below. In this example, the defaults are used for the communication port number, the server certificate file name, the private key file name, the version of TLS used for SSL communication, and the cipher types usable for TLS. Note that the default server certificate file is httpsd.pem, the default private key file is httpsdkey.pem, and the default TLS version is TLSv1.2. Only the comment lines beginning with a hash mark (#) have been edited.
Before change
  ...
  Listen 22252
  #Listen [::]:22252
  #Listen 22253
  #Listen [::]:22253
  #<VirtualHost *:22253>
  #  ServerName MyServer
  #  SSLEngine On
  #  SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
  #  SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
  #  SSLProtocol +TLSv1.2
  #  SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
  #  SSLCipherSuite AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384
  #  AllowEncodedSlashes On
  #</VirtualHost>
  ...
After change
  ...
  #Listen 22252
  #Listen [::]:22252
  Listen 22253
  #Listen [::]:22253
  <VirtualHost *:22253>
    ServerName MyServer
    SSLEngine On
    SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
    SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
    SSLProtocol +TLSv1.2
    SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
    SSLCipherSuite AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384
    AllowEncodedSlashes On
  </VirtualHost>
  ...
If the port number for SSL communication, the name of the server certificate file, the name of the private key file, the version of TLS used for SSL communication, or the cipher types usable for TLS have been changed in your environment, change the corresponding settings in the httpsd.conf file accordingly.
The following table lists the default settings in the httpsd.conf file.
Table 21‒15: Defaults in the httpsd.conf file

  No.  Item                                       Default
  1    SSL communication port number              22253
  2    Server certificate file name               httpsd.pem
  3    Private key file name                      httpsdkey.pem
  4    Version of TLS used for SSL communication  TLSv1.2
  5    Cipher types usable for TLSv1.3            TLS_AES_128_GCM_SHA256
                                                  TLS_AES_256_GCM_SHA384
  6    Cipher types usable for TLSv1.2            AES128-GCM-SHA256
                                                  AES256-GCM-SHA384
                                                  ECDHE-RSA-AES128-SHA256
                                                  ECDHE-RSA-AES256-SHA384
                                                  ECDHE-RSA-AES128-GCM-SHA256
                                                  ECDHE-RSA-AES256-GCM-SHA384
                                                  ECDHE-ECDSA-AES128-SHA256
                                                  ECDHE-ECDSA-AES256-SHA384
                                                  ECDHE-ECDSA-AES128-GCM-SHA256
                                                  ECDHE-ECDSA-AES256-GCM-SHA384
For details about the httpsd.conf file, see 3.4.5 Details on the settings in the HTTP server definition file (httpsd.conf) (for Windows) or 13.3.5 Details on settings in the HTTP server definition file (httpsd.conf) (for Linux).
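Because a single leftover hash mark leaves the 22253 listener either closed or unencrypted, it is worth checking the edited file before restarting the service. The following script is an added example written for this page; it is not part of the JP1/AJS3 manual or product. It reads the SSL section of an httpsd.conf text, ignores directives that are still commented out, and reports anything that departs from the defaults in Table 21-15: a missing active Listen, a still-commented VirtualHost block, SSLEngine not On, missing certificate or key paths, an SSLProtocol that admits versions below TLSv1.2, or cipher suites outside the documented list. The before/after samples are constructed from the excerpt above (with the TLSv1.2 cipher list shortened), and the installation path is the default Windows path shown there.

```python
"""Pre-flight check of the SSL section of httpsd.conf (added example, not Hitachi's code)."""
import re
import shlex

DEFAULT_SSL_PORT = 22253
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher defaults from Table 21-15 of the manual.
DEFAULT_TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}
DEFAULT_TLS12_SUITES = {
    "AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
}

# Constructed sample mirroring the manual's "before change" excerpt (cipher list shortened).
SSL_DIR = "C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/conf/ssl/server"
BEFORE_CHANGE = f"""\
Listen 22252
#Listen 22253
#<VirtualHost *:22253>
#  ServerName MyServer
#  SSLEngine On
#  SSLCertificateFile "{SSL_DIR}/httpsd.pem"
#  SSLCertificateKeyFile "{SSL_DIR}/httpsdkey.pem"
#  SSLProtocol +TLSv1.2
#  SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
#  SSLCipherSuite AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
#  AllowEncodedSlashes On
#</VirtualHost>
"""
# "After change": the plain-HTTP Listen is commented out and the SSL block is uncommented.
AFTER_CHANGE = "\n".join(
    ("#" + l if l == "Listen 22252" else l.lstrip("#")) for l in BEFORE_CHANGE.splitlines()
)


def parse_directives(conf_text):
    """Return (active Listen values, {vhost_spec: {directive: [args, ...]}}).

    Lines whose first non-blank character is '#' are still disabled and are skipped.
    """
    listens, vhosts, current = [], {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line)
        if m:
            current = m.group(1)
            vhosts[current] = {}
            continue
        if line.startswith("</VirtualHost>"):
            current = None
            continue
        parts = shlex.split(line)  # keeps the quoted Windows path as one argument
        name, args = parts[0], parts[1:]
        if current is None:
            if name == "Listen":
                listens.append(args[0])
        else:
            vhosts[current].setdefault(name, []).append(args)
    return listens, vhosts


def check_ssl_setup(conf_text, port=DEFAULT_SSL_PORT):
    """Return a list of findings; an empty list means the SSL section matches the defaults."""
    findings = []
    listens, vhosts = parse_directives(conf_text)
    if str(port) not in listens and f"[::]:{port}" not in listens:
        findings.append(f"no active Listen for SSL port {port}")
    vhost = vhosts.get(f"*:{port}")
    if vhost is None:
        findings.append(f"<VirtualHost *:{port}> block is still commented out")
        return findings
    engine = vhost.get("SSLEngine", [[]])[0]
    if not engine or engine[0].lower() != "on":
        findings.append("SSLEngine is not On")
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if key not in vhost:
            findings.append(f"{key} is missing")
    # "+TLSv1.2" enables a version; "-X" disables one; "all" is not restricted enough.
    enabled = {p.lstrip("+") for args in vhost.get("SSLProtocol", []) for p in args
               if not p.startswith("-")}
    if not enabled:
        findings.append("SSLProtocol is missing")
    elif enabled & OBSOLETE_PROTOCOLS or "all" in enabled:
        findings.append(f"SSLProtocol is not restricted to TLSv1.2 or later: {sorted(enabled)}")
    for args in vhost.get("SSLCipherSuite", []):
        if args[0] == "TLSv1.3":
            label, suites, allowed = "TLSv1.3", set(args[1].split(":")), DEFAULT_TLS13_SUITES
        else:
            label, suites, allowed = "TLSv1.2", set(args[0].split(":")), DEFAULT_TLS12_SUITES
        extra = suites - allowed
        if extra:
            findings.append(f"{label} cipher list contains non-default suites: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE_CHANGE), ("after", AFTER_CHANGE)):
        print(label, check_ssl_setup(text) or "OK")
```

Run it against the real file with `check_ssl_setup(open(path).read())`; any finding should be resolved before the JP1/AJS3 HTTP Server service is restarted, since the service will otherwise start with whatever the file says.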
- Edit the HTTP server definition file (httpsd.conf) to enable the SSL communication log output.
In the httpsd.conf file, release the LogFormat and CustomLog settings from the comment status to enable the SSL communication log output. An example of changing the httpsd.conf file in Windows is shown below.
Before change
  ...
  #LogFormat "%t %{version}c %{cipher}c %{clientcert}c" hws_ssl
  #CustomLog "|\"\"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/sbin/rotatelogs2.exe\" \"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/logs/ssl\" 10240 8\"" hws_ssl
  ...
After change
  ...
  LogFormat "%t %{version}c %{cipher}c %{clientcert}c" hws_ssl
  CustomLog "|\"\"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/sbin/rotatelogs2.exe\" \"C:/Program Files/HITACHI/JP1AJS3WEB/uCPSB/httpsd/logs/ssl\" 10240 8\"" hws_ssl
  ...
- Restart the JP1/AJS3 HTTP Server service.
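Once the hws_ssl log is enabled and the service has been restarted, the log is the direct evidence of which TLS version and cipher each client actually negotiated, so it can confirm that the SSLProtocol and SSLCipherSuite settings took effect. The following script is an added example written for this page, not part of the JP1/AJS3 manual or product. It parses lines in the "%t %{version}c %{cipher}c %{clientcert}c" format, counts versions and ciphers, and lists the connections that negotiated a version below TLSv1.2 or a cipher outside the Table 21-15 list. The sample log lines are constructed; the exact rendering of the fields (a bracketed timestamp for %t and "-" when no client certificate was presented) is an assumption modelled on the Apache-style format directives, so adjust the regular expression if your log differs.

```python
"""Audit of the Web Console hws_ssl log (added example, not Hitachi's code)."""
import re
from collections import Counter

# One record per line: "[timestamp] version cipher clientcert" (format assumed, see lead-in).
LOG_LINE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+(?P<version>\S+)\s+(?P<cipher>\S+)\s+(?P<clientcert>.*)$"
)
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_VERSION = "TLSv1.2"  # the manual's default SSLProtocol
# Cipher types listed in Table 21-15 (TLSv1.3 and TLSv1.2 defaults).
ALLOWED_CIPHERS = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
}

# Constructed sample log; the third line is what a not-yet-restarted or mis-edited
# server would produce, and the last line exercises the malformed-line path.
SAMPLE_LOG = """\
[03/Jun/2024:09:12:41 +0900] TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 -
[03/Jun/2024:09:12:45 +0900] TLSv1.3 TLS_AES_256_GCM_SHA384 -
[03/Jun/2024:09:13:02 +0900] TLSv1 AES128-SHA -
[03/Jun/2024:09:13:10 +0900] TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 -
this line is not in the hws_ssl format
"""


def parse_ssl_log(text):
    """Return (records, malformed_count); malformed lines are counted rather than raised."""
    records, malformed = [], 0
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
        elif line.strip():
            malformed += 1
    return records, malformed


def audit(records, allowed_ciphers=ALLOWED_CIPHERS, minimum=MINIMUM_VERSION):
    """Summarise negotiated versions/ciphers and flag anything below policy."""
    min_rank = VERSION_ORDER.index(minimum)

    def below_minimum(version):
        # Unknown version strings are treated as failures so they get looked at.
        return version not in VERSION_ORDER or VERSION_ORDER.index(version) < min_rank

    return {
        "versions": Counter(r["version"] for r in records),
        "ciphers": Counter(r["cipher"] for r in records),
        "below_minimum": [r for r in records if below_minimum(r["version"])],
        "unexpected_cipher": [r for r in records if r["cipher"] not in allowed_ciphers],
    }


if __name__ == "__main__":
    recs, bad = parse_ssl_log(SAMPLE_LOG)
    report = audit(recs)
    print(f"{len(recs)} records, {bad} malformed")
    print("versions:", dict(report["versions"]))
    for r in report["below_minimum"]:
        print("below minimum:", r["time"], r["version"], r["cipher"])
    for r in report["unexpected_cipher"]:
        print("unexpected cipher:", r["time"], r["cipher"])
```

After the restart, any entry in "below_minimum" or "unexpected_cipher" means a client reached the listener with settings the httpsd.conf edit was supposed to exclude, which usually points to the old process still running or to a different configuration file being read.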
(3) Setup to enable JP1/AJS3 - Agent to communicate in SSL
The procedure for the setup to enable JP1/AJS3 - Agent to communicate in SSL is the same as the setup procedure for the manager/agent configuration. For details, see 21.4.2(2) Setup to enable JP1/AJS3 - Agent to communicate in SSL.
(4) Setup to enable JP1/AJS3 - View to communicate in SSL
The procedure for the setup to enable JP1/AJS3 - View to communicate in SSL is the same as the setup procedure for the manager/agent configuration. For details, see 21.4.2(3) Setup to enable JP1/AJS3 - View to communicate in SSL.
(5) Setup to enable the Web GUI to communicate in SSL
The setup to enable the Web GUI to communicate in SSL is the same as the setup to be performed when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(5)(a) Setup to enable the Web GUI to communicate in SSL.
(6) Setup to enable the user application to communicate in SSL
The setup to enable the user application to communicate in SSL is the same as the setup to be performed when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(5)(b) Setup to enable the user application to communicate in SSL.
(7) Checking the connection of SSL communication
The method of checking the connection of SSL communication between components is the same as the method of checking when different server certificates are used for the manager host and Web Console server. For details, see 21.4.3(6) Checking the connection of SSL communication.