3.3.2 Setting up the SSL communication environment
To configure SSL communication at JP1/AJS3 for Cloud Service Applications, a server certificate is required on the server-side host and a root certificate is required on the client-side host. For the server and root certificates, please see the description of encryption of JP1/AJS3 communication by SSL in the JP1/Automatic Job Management System 3 System Design (Configuration) Guide.
(1) Configuring JP1/AJS3 for Cloud Service Applications to communicate over SSL
The following shows the procedure for configuring JP1/AJS3 for Cloud Service Applications to communicate with a client host over SSL.
- Execute the command to create a private key.
Execute the following command. The command to use depends on the type of certificate to create. The following command creates a private key without a passphrase in PEM format. You cannot use a private key with a passphrase or one that is not in PEM format.
- To create an RSA certificate
  For Windows:
  installation-folder-of-JP1/AJS3 for Cloud Service Applications\uCPSB\httpsd\sbin\openssl.bat genrsa -rand name-of-the-file-to-use-for-random-number-generation -out path-to-the-private-key-file bit-length-of-the-private-key
  For Linux:
  /opt/jp1ajs3csa/uCPSB/httpsd/sbin/openssl.sh genrsa -rand name-of-the-file-to-use-for-random-number-generation -out path-to-the-private-key-file bit-length-of-the-private-key
- To create an ECDSA certificate
  For Windows:
  installation-folder-of-JP1/AJS3 for Cloud Service Applications\uCPSB\httpsd\sbin\openssl.bat ecparam -genkey -noout -rand name-of-the-file-to-use-for-random-number-generation -name name-of-the-elliptic-curve -out path-to-the-private-key-file
  For Linux:
  /opt/jp1ajs3csa/uCPSB/httpsd/sbin/openssl.sh ecparam -genkey -noout -rand name-of-the-file-to-use-for-random-number-generation[:name-of-the-file-to-use-for-random-number-generation ...] -name name-of-the-elliptic-curve -out path-to-the-private-key-file
For the execute permissions of openssl.bat and openssl.sh, please see the official OpenSSL website.
For path-to-the-private-key-file, specify the following path.
- For Windows: Installation-folder-of-JP1/AJS3 for Cloud Service Applications\uCPSB\httpsd\conf\ssl\server\httpsdkey.pem#
- For Linux: /opt/jp1ajs3csa/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem#
For details of the command to create a private key, see the description of the command used to obtain a certificate for SSL communication in the JP1/Automatic Job Management System 3 Configuration Guide.
#: httpsdkey.pem is the name of the private key file. You can specify any name for the private key file. If you change the file name from httpsdkey.pem, also change the encryption key file name (httpsdkey.pem by default) specified in the Web server definition file (httpsd.conf), which is configured in a later step.
- If you are creating an ECDSA certificate, convert the format of the private key.
Execute the following command, which converts the private key to PKCS#8 format without encrypting it.
For Windows:
installation-folder-of-JP1/AJS3 for Cloud Service Applications\uCPSB\httpsd\sbin\openssl.bat pkcs8 -topk8 -in private-key-file-before-conversion -out private-key-file-after-conversion -nocrypt
For Linux:
/opt/jp1ajs3csa/uCPSB/httpsd/sbin/openssl.sh pkcs8 -topk8 -in private-key-file-before-conversion -out private-key-file-after-conversion -nocrypt
For the execute permissions of openssl.bat and openssl.sh, please see the official OpenSSL website.
For details of the command to convert the format of a private key, see the description of the command used to obtain a certificate for SSL communication in the JP1/Automatic Job Management System 3 Configuration Guide.
- Execute the command to create a certificate signing request (CSR).
Execute the following command.
For Windows:
installation-folder-of-JP1/AJS3 for Cloud Service Applications\uCPSB\httpsd\sbin\openssl.bat req -new signature-algorithm -key path-to-the-private-key-file -out path-to-the-CSR-file
For Linux:
/opt/jp1ajs3csa/uCPSB/httpsd/sbin/openssl.sh req -new signature-algorithm -key path-to-the-private-key-file -out path-to-the-CSR-file
For the execute permissions of openssl.bat and openssl.sh, please see the official OpenSSL website.
For path-to-the-private-key-file, specify the path that you specified for the command to create a private key in step 1. For path-to-the-CSR-file, specify an output folder and CSR file name of your choice.
For details of the command to create a certificate signing request (CSR), see the description of the command used to obtain a certificate for SSL communication in the JP1/Automatic Job Management System 3 Configuration Guide.
- Send the CSR to the CA.
When you send the CSR to the CA, the CA issues a server certificate and the root certificate used to validate that server certificate.
- Obtain the server and root certificates in PEM format from the CA.
Important:
Server and root certificates cannot be used if they are not in PEM format.
You can specify any names for the server and root certificate files.
In the Web server definition file (httpsd.conf), which is configured in a later step, httpsd.pem is specified as the default server certificate file name. If you use this file name, you do not need to change the server certificate file name in the Web server definition file.
The acquired root certificate is used later, when you configure how a service linkage job and a service linkage monitoring job communicate via SSL.
- When you use an intermediate certificate, combine the server and intermediate certificates into one file.
Open both certificates in a text editor and append the content of the intermediate certificate to the server certificate file so that the file contains the certificates in the following order.
1. Server certificate
2. Intermediate certificate
3. Cross root certificate#
#: Only when you use a cross root certificate
- Place the server certificate on the JP1/AJS3 for Cloud Service Applications server.
Place the server certificate in the following folder.
- For Windows: Installation-folder-of-JP1/AJS3 for Cloud Service Applications\uCPSB\httpsd\conf\ssl\server
- For Linux: /opt/jp1ajs3csa/uCPSB/httpsd/conf/ssl/server
- Edit the Web server definition file (httpsd.conf) to enable SSL communication.
Uncomment the SSL communication setting section of the Web server definition file (httpsd.conf) to enable SSL communication.
The following shows a sample for Windows. In this sample, the port number for SSL communication, the names of the server certificate and private key files, the version of TLS used for SSL communication, and the encryption types that can be used with TLS are left at their default settings (server certificate: httpsd.pem, private key: httpsdkey.pem, TLS version: TLSv1.2). Only the comment symbols (#) are deleted.
<Before>
:
Listen 22265
#Listen [::]:22265
#Listen 22266
#Listen [::]:22266
#<VirtualHost *:22266>
# ServerName MyServer
# SSLEngine On
# SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3CSA/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
# SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3CSA/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
# SSLProtocol +TLSv1.2
# SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
# SSLCipherSuite AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384
# AllowEncodedSlashes On
#</VirtualHost>
:
<After>
:
#Listen 22265
#Listen [::]:22265
Listen 22266
#Listen [::]:22266
<VirtualHost *:22266>
ServerName MyServer
SSLEngine On
SSLCertificateFile "C:/Program Files/HITACHI/JP1AJS3CSA/uCPSB/httpsd/conf/ssl/server/httpsd.pem"
SSLCertificateKeyFile "C:/Program Files/HITACHI/JP1AJS3CSA/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"
SSLProtocol +TLSv1.2
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
SSLCipherSuite AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384
AllowEncodedSlashes On
</VirtualHost>
:
If the port number for SSL communication, the names of the server certificate and private key files, the version of TLS used for SSL communication, and the encryption types that can be used with TLS are changed from the default values in your environment, please change these settings as required.
The following shows the default values in the Web server definition file (httpsd.conf).
- Port number for SSL communication: 22266
- Name of the server certificate file: httpsd.pem
- Name of the private key file: httpsdkey.pem
- Version of TLS used for SSL communication: TLSv1.2
- Encryption types that can be used with TLSv1.3:
  - TLS_AES_128_GCM_SHA256
  - TLS_AES_256_GCM_SHA384
- Encryption types that can be used with TLSv1.2:
  - AES128-GCM-SHA256
  - AES256-GCM-SHA384
  - ECDHE-RSA-AES128-SHA256
  - ECDHE-RSA-AES256-SHA384
  - ECDHE-RSA-AES128-GCM-SHA256
  - ECDHE-RSA-AES256-GCM-SHA384
  - ECDHE-ECDSA-AES128-SHA256
  - ECDHE-ECDSA-AES256-SHA384
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES256-GCM-SHA384
For details of the Web server definition file (httpsd.conf), please see 3.4.2 Details on the settings in the HTTP server definition file (httpsd.conf).
- Edit the Web server definition file (httpsd.conf) to enable log output for SSL communication.
Uncomment the LogFormat and CustomLog sections of the Web server definition file (httpsd.conf) to enable log output for SSL communication. The following shows a sample for Windows.
<Before>
:
#LogFormat "%t %{version}c %{cipher}c %{clientcert}c" hws_ssl
#CustomLog "|\"\"C:/Program Files/HITACHI/JP1AJS3CSA/uCPSB/httpsd/sbin/rotatelogs2.exe\" \"C:/Program Files/HITACHI/JP1AJS3CSA/uCPSB/httpsd/logs/ssl\" 10240 8\"" hws_ssl
:
<After>
:
LogFormat "%t %{version}c %{cipher}c %{clientcert}c" hws_ssl
CustomLog "|\"\"C:/Program Files/HITACHI/JP1AJS3CSA/uCPSB/httpsd/sbin/rotatelogs2.exe\" \"C:/Program Files/HITACHI/JP1AJS3CSA/uCPSB/httpsd/logs/ssl\" 10240 8\"" hws_ssl
:
- Restart the JP1/AJS3 CSA HTTP Server service.
- Place the root certificate in PEM format on the destination execution host for a service linkage job and a service linkage monitoring job.
To verify the server certificate of the JP1/AJS3 for Cloud Service Applications server at the destination (the execution host for a service linkage job and a service linkage monitoring job), place the root certificate of the CA that issued the server certificate of the JP1/AJS3 for Cloud Service Applications server at an arbitrary location on the destination host.
If a root certificate has already been placed on the destination host, check whether the CA that issued that root certificate is the same as the CA from which the server certificate was obtained in step 3.
- If the CAs are the same: You can use the root certificate that is already placed as it is. You do not need to overwrite it.
- If the CAs are different: Combine the root certificate that is already placed with the root certificate that you have obtained. In this case, record which section of the combined file corresponds to which root certificate, so that you can replace the correct section when a root certificate expires; because root certificates are Base64-encoded, you cannot tell which section belongs to which certificate just by looking at the combined file.
For details, please see the JP1/Base User's Guide.
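The procedure above rejects passphrase-protected keys, non-PEM files and certificate chains in the wrong order. The following POSIX shell script, added here as an example and not part of the JP1 manual, checks those conditions on the files before httpsd.conf references them; it inspects only the PEM framing, so it needs no openssl binary, and the sample files written by make_samples are constructed dummies, not real keys or certificates.

```shell
# Added example, not part of the JP1 manual: pre-flight checks for the
# key and certificate files that httpsd.conf will reference. Only the PEM
# framing is inspected, so no openssl binary is required. The sample
# files written by make_samples are constructed dummies.

# Returns 0 if $1 is a PEM private key without a passphrase (RSA, EC or
# PKCS#8 form), 1 for an encrypted key or a non-PEM (e.g. DER) file.
pem_key_usable() {
  [ -r "$1" ] || return 1
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" && return 1   # encrypted PKCS#8
  grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && return 1       # encrypted legacy PEM
  grep -qE '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$1"
}

# Prints the number of CERTIFICATE blocks in $1 (0 for a non-PEM file).
pem_cert_count() {
  n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null) || true
  echo "${n:-0}"
}

# Concatenates certificates into $1 in the order the manual requires:
# server certificate, intermediate certificate, then the cross root
# certificate if one is used. Returns 1 and removes $1 if any input is
# not a PEM certificate, so a DER file cannot slip into the chain.
build_chain() {
  out=$1; shift
  : > "$out"
  for part in "$@"; do
    [ "$(pem_cert_count "$part")" -ge 1 ] || { rm -f "$out"; return 1; }
    cat "$part" >> "$out"
  done
}

# Writes constructed sample files into directory $1 (bodies are dummy
# text, not real keys or certificates).
make_samples() {
  d=$1; mkdir -p "$d"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIBVQIBADANBgkq' \
    '-----END PRIVATE KEY-----' > "$d/httpsdkey.pem"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIBvTBXBgkq' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$d/encrypted.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIDdzCCAl+gAwIB' \
    '-----END CERTIFICATE-----' > "$d/httpsd.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIDfTCCAmWgAwIB' \
    '-----END CERTIFICATE-----' > "$d/intermediate.pem"
  printf '%s\n' 'not a PEM file' > "$d/server.der"
}
```

Run pem_key_usable against httpsdkey.pem and build_chain with the server certificate first and the intermediate certificate second; a non-zero exit from either means the file would be rejected by the procedure above.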
(2) Configuring a service linkage job and a service linkage monitoring job to communicate via SSL.
The following shows the procedure for configuring a service linkage job and a service linkage monitoring job to communicate over SSL.
- Check whether the root certificate of the destination JP1/AJS3 for Cloud Service Applications server is located on the execution host for the service linkage job and the service linkage monitoring job. Additionally, ensure that the OS user executing the service linkage job and service linkage monitoring job has read permission for the root certificate.
The root certificate for the JP1/AJS3 for Cloud Service Applications server is placed when you configure JP1/AJS3 for Cloud Service Applications to communicate via SSL. For details, please see 3.3.2(1) Configuring JP1/AJS3 for Cloud Service Applications to communicate over SSL.
- Enable SSL communication.
Enter the following line in the connection configuration file, which describes the settings of the connection between a service linkage job or a service linkage monitoring job and the corresponding JP1/AJS3 for Cloud Service Applications server.
CAFile=full-path-name-of-the-file-placed-in-step-1
This setting is required whenever you create a new connection configuration file. For details of the connection configuration file, please see 3.5.1 Connection configuration file.
(3) Configuring your Web browser to communicate over SSL.
The following shows the procedure for configuring your Web browser to communicate over SSL.
- Allow SSL communication in your Web browser.
SSL/TLS must also be enabled in your Web browser. For the setting method, please see the documentation of your Web browser.
If SSL/TLS is disabled, the login screen will not appear even when you access the URL for SSL communication. If SSL/TLS is disabled after you log in, further operations will not be available.