Cloud Cruiser became HPE Consumption Analytics on Nov. 1st. You'll still see the old name in places while we update this site.

 

 

Consumption Analytics Documentation

Configuring SSL for secure access

You can configure Secure Sockets Layer (SSL) access to HPE Consumption Analytics Portal.

In the following procedure, <your_keystore_filename> refers to a Java keystore that holds your certificates. You can use an existing keystore or a new one. See the Java keytool documentation for more information.

Before you begin

To use SSL, you need a certificate issued by a certificate authority and a certificate chain. Instructions for downloading the certificate chain for your certificate vary and should be available from the certificate authority that issued your certificate.

To configure Cloud Cruiser server SSL

  1. Open a command prompt and run the following commands.
    Linux
    # $JAVA_HOME/bin/keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
    # $JAVA_HOME/bin/keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>

    Windows
    %JAVA_HOME%\bin\keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
    %JAVA_HOME%\bin\keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>

  2. Open <install_dir>/conf/system.properties in a text editor and change the following properties. Remove all leading # characters to uncomment these lines.

    When setting the serverKeystoreFile property, use double backslashes (\\) in the directory path to prevent the backslashes from being removed when the property is saved to the server.xml file. For example:

    serverKeystoreFile=C:\\Program Files\\Cloud Cruiser\\apache-tomcat-7.0.54\\.keystore

    • Enable HTTPS.
      serverHttpsEnabled=true
    • Set the path to your keystore file and your keystore password.
      serverKeystoreFile=<path_to_your_keystore_file>
      serverKeystorePassword=<your_keystore_password>
    • (optional) Disable non-SSL (regular HTTP) access.
      serverHttpEnabled=false
  3. Save the file.
  4. (optional) Edit the server.xml file to remove the vulnerability to a POODLE man-in-the-middle attack.
    1. Open <install_dir>/apache-tomcat-7.0.54/conf/server.xml in a text editor.
    2. Comment out the element beginning with <Connector port="8080" and uncomment the element beginning with <Connector port="8443".
    3. In the element you just uncommented, replace the attribute sslProtocol="TLS" with sslEnabledProtocols="TLSv1.2".
      This restricts HPE Consumption Analytics Portal to version 1.2 of the TLS protocol.
    4. In the same element, add the attribute:
      ciphers="RSA_WITH_RC4_128_MD5,RSA_WITH_RC4_128_SHA,RSA_WITH_3DES_EDE_CBC_SHA,RSA_WITH_AES_128_CBC_SHA,DHE_RSA_WITH_AES_128_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
      This removes support for cipher suites using Triple DES (3DES) encryption.
    5. Save the file.
  5. Restart the HPE Consumption Analytics Portal application server.

When running as a Windows service, configuration changes made to server.properties or server-template.xml do not take effect until the service is removed and re-installed using ccservice.bat.
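
A check for the <Connector> edits in step 4, added here as an example and not part of the HPE documentation: it parses server.xml and reports plain HTTP connectors still enabled, missing or legacy sslEnabledProtocols values, and ciphers entries that are empty, name a weak algorithm, or lack the TLS_/SSL_ prefix used by standard Java cipher suite names. The sample XML, the function names and the deny-list are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# ciphers value as printed in step 4 of the procedure (trailing comma included).
PAGE_CIPHERS = ("RSA_WITH_RC4_128_MD5,RSA_WITH_RC4_128_SHA,RSA_WITH_3DES_EDE_CBC_SHA,"
    "RSA_WITH_AES_128_CBC_SHA,DHE_RSA_WITH_AES_128_CBC_SHA,RSA_WITH_AES_128_CBC_SHA256,"
    "DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,")

# Constructed sample server.xml: port 8080 left enabled, port 8443 edited per step 4.
SAMPLE_SERVER_XML = f"""<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" sslEnabledProtocols="TLSv1.2" ciphers="{PAGE_CIPHERS}"/>
</Service></Server>"""

WEAK_MARKERS = ("RC4", "3DES", "MD5", "NULL", "EXPORT", "anon")  # assumed deny-list
LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

def audit_connector(conn):
    """Return findings for one SSL-enabled <Connector> element."""
    port, findings = conn.get("port", "?"), []
    protocols = conn.get("sslEnabledProtocols")
    if protocols is None:
        findings.append(f"{port}: sslEnabledProtocols is not set")
    else:
        legacy = [p.strip() for p in protocols.split(",") if p.strip() in LEGACY_PROTOCOLS]
        findings += [f"{port}: legacy protocol enabled: {p}" for p in legacy]
    ciphers = conn.get("ciphers")
    if ciphers is None:
        return findings + [f"{port}: no ciphers attribute set"]
    for name in (c.strip() for c in ciphers.split(",")):
        if not name:
            findings.append(f"{port}: empty entry in ciphers (stray comma)")
        elif any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"{port}: weak suite listed: {name}")
        elif not name.startswith(("TLS_", "SSL_")):
            findings.append(f"{port}: name lacks TLS_/SSL_ prefix: {name}")
    return findings

def audit_server_xml(text):
    """Audit every active connector; commented-out elements are skipped by the parser."""
    findings = []
    for conn in ET.fromstring(text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() == "true":
            findings += audit_connector(conn)
        elif not conn.get("protocol", "").startswith("AJP"):
            findings.append(f"{conn.get('port', '?')}: plain HTTP connector still enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_server_xml(SAMPLE_SERVER_XML)))
```

On the sample, which reuses the ciphers value printed in step 4, it reports the four RC4 and 3DES entries, the four names without a TLS_ or SSL_ prefix, and the trailing comma.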

To configure Cloud Cruiser Analytics Server SSL

  1. Shut down Cloud Cruiser Analytics Server
  2. Launch Configure Cloud Cruiser Analytics Server
    1. Check the "Use SSL for server communication" check box
    2. For "SSL certificate file", browse to the certificate (.crt) file
    3. For "SSL certificate key file", browse to the key file
    4. Click OK
  3. Start Cloud Cruiser Analytics Server
  4. In Cloud Cruiser, navigate to Administration > Configuration > General > Analytics and set the following properties:
    1. Port: 443
    2. Use SSL: YES

Cloud Cruiser Analytics Server only supports running on the default SSL port 443. Any other services or applications listening on this port must be removed or disabled, or Cloud Cruiser Analytics Server must be installed on a separate server.

If you use a self-signed certificate, the connection test may not pass until the certificate has been added to the Trusted Root Certification Authorities store and to the Java runtime's default certificate store. See Creating a self-signed SSL certificate for more information.

After adding the certificate, you must comment out the APR listener lines in the server.xml file, as shown in the following lines, and then restart the Cloud Cruiser service:

<!--APR library loader. Documentation at /docs/apr.html -->
<!--Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /-->

© Copyright 2018 Hewlett Packard Enterprise Development LP