Update the web server configuration to enable SSL on the Portal server
These instructions apply to Apache version 2.4.xx and the steps should be taken on the designated Web server (the Portal server). the path mentioned in the sample commands assumes default installation path on Linux and Windows.
Create the directory where the certificate and private key files will be located on the portal. Use the chmod command to ensure that only the root account can make changes to this folder as both the key file and certificate will be installed in this folder.
On Linux: Use the chmod command to ensure that only the root account can make changes to this folder as both the key file and certificate will be installed in this folder.
Example:
# cd /opt/apache/conf/ # mkdir ssl_cert # chmod 744 ssl_cert/
On Windows: Create folder
ssl_certinsideC:\opt\apache\conf\.
Copy the certificate files, typically generated via a certificate authority (CA), to a folder in the Web server's Apache configuration folder.
Linux:
cp -p server.* /opt/apache/conf/ssl_cert/
Windows:
C:\opt\apache\conf\ssl_cert
Note:
Configuration files shipped with IT Analytics licensed modules may use path names with recommended folder names. To use folders with different names, be sure to update all references to the recommended name in the default configuration files.
Stop the Apache and Tomcat services. From a terminal console, enter the following commands.
Linux
/opt/aptare/bin/tomcat-agent stop /opt/aptare/bin/tomcat-portal stop /opt/aptare/bin/apache stop
Windows
C:\opt\aptare\utils\stopagent.bat C:\opt\aptare\utils\stopportal.bat C:\opt\aptare\utils\stopapache.bat
Make a copy of the
httpd.conffile.Linux:
cp -p /opt/apache/conf/httpd.conf /opt/apache/conf/original-httpd.conf
Windows:
Copy C:\opt\apache\conf\httpd.conf as C:\opt\apache\conf\original-httpd.conf
Update the Apache configuration file
httpd.confto enable SSL.Linux:
/opt/apache/conf/httpd.confWindows:
C:\opt\apache\conf\httpd.confUn-comment the following lines by removing the highlighted # character.
#LoadModule ssl_module modules/mod_ssl.so #Include conf/extra/httpd-ssl.conf
When configuring SSL on a Portal server, it is recommended to either disable http or redirect http protocol traffic to https.
To disable all http protocol connections, edit
httpd.conffile and remove the VirtualHost sections.To redirect all connection attempts on the http protocol to the Portal user interface, edit
httpd.conffile, remove all entries of VirtualHost section of portal configuration and add following lines in same VirtualHost section:ServerName itanalyticsportal.<domainname> Redirect permanent / https://itanalyticsportal.<domainname>/ IF WILLING TO HAVE INITIAL CONNECTIONS BE ANSWERED using HTTP, but redirecting that traffic to HTTPS: ServerName itanalyticsagent.<domainname> Redirect permanent / https://itanalyticsagent.<domainname>/
Make a copy of the
http-ssl.conffile.Linux:
cp -p /opt/apache/conf/extra/httpd-ssl.conf /opt/apache/conf/extra/original-httpd-ssl.conf
Windows:
Copy C:\opt\apache\conf\extra\httpd-ssl.conf as C:\opt\apache\conf\extra\original-httpd-ssl.conf
Update the Apache SSL configuration file.
Linux: /opt/apache/conf/extra/httpd-ssl.conf
Windows: C:\opt\apache\conf\extra\httpd-ssl.conf
For each active virtual host section in the Apache SSL configuration file (
httpd-ssl.conf), ensure that declaration lines beginning with the following are un-commented (they do not have a # at the beginning of the line), and adjust the SSLCertificateFile and SSLCertificateKeyFile sections to point to the respective certificate and private key files referenced in Step 2.SSLCertificateFile <Provide the path of SSL certificate file> SSLCertificateKeyFile <Provide the path of SSL key file>
Example:
SSLCertificateFile /opt/apache/conf/ssl_cert/server.crt
SSLCertificateKeyFile <Provide the path of SSL key file> /opt/apache/conf/ssl_cert/server.key
Note:
If you have a CA issued certificate, ensure you add the SSLCertificateChainFile < Provide the path of Certificate chain file > entry uncommented in
httpd-ssl.conf.Run the deployCert utility as root user on the Portal server to save the SSL certificates configured with Apache in java keystore
itanalytics.jks.Use this as a prerequisite to configure single sign-on and syslog over SSL.
Linux portal command location: /opt/aptare/utils/deployCert.sh update
Windows portal command location: C:\opt\aptare\utils>deployCert.bat update
Linux only: Verify the Apache configuration is valid.
# export LD_LIBRARY_PATH=/opt/apache/ssl/lib:$LD_LIBRARY_PATH # /opt/apache/bin/apachectl -t
If this message occurs:
httpd: Syntax error on line 23 of /opt/apache/conf/httpd.conf: Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open shared object file: No such file or directory.
Resolve Syntax Error by linking libraries:
cd /usr/lib # ln -s /opt/apache/ssl/lib/libssl.so.1.0.0 libssl.so.1.0.0 # ln -s /opt/apache/ssl/lib/libcrypto.so.1.0.0 libcrypto.so.1.0.0
Change the application URL in
portal.propertiesto https instead of http. Theportal.propertiesfile is located here:Linux:
/opt/aptare/portalconf/portal.propertiesWindows:
C:\opt\aptare\portalconf\portal.propertiesStart Apache and both Tomcat (Portal and Data Collector) services.
Linux
/opt/aptare/bin/apache start /opt/aptare/bin/tomcat-portal start /opt/aptare/bin/tomcat-agent start
Windows
C:\opt\aptare\utils\startapache.bat C:\opt\aptare\utils\startagent.bat C:\opt\aptare\utils\startportal.bat
Refer to the following sections in the IT Analytics Administrator Guide that are relevant for your environment. The instructions above accomplish SSL Implementation for Both the Portal and Data Collection.
SSL Implementation for the Portal only
SSL Implementation for data collection only
SSL Implementation for both portal and data collection