
Configuring SSL settings for the XP Performance Advisor host agents

You can generate a self-signed SSL certificate on the server and add it to the JRE's list of trusted certificates to enable SSL on an XP Performance Advisor host agent. The advantage of this method is that it does not require a certificate signed by a Certificate Authority (CA). The host agent retrieves the server's certificate (and with it the server's public key), stores it in a keystore, and places that keystore where the JRE looks for trusted certificates. The host agent can then establish an SSL connection to the management station, and the data transfer is encrypted.

Because no CA vouches for a self-signed certificate, the only thing that ties the certificate to your management station is the check you make before trusting it: compare the fingerprint that the host agent displays (step 9) with the fingerprint of the certificate you generated on the server (step 2). A certificate accepted without that comparison protects the connection only against passive eavesdropping, not against an attacker who sits between the two machines at the moment the certificate is first trusted.

To enable SSL on an XP Performance Advisor host agent:

1. Navigate to the bin folder in the JRE location defined by your JAVA_HOME variable.

2. Generate the keystore on the Tomcat server:

<%JAVA_HOME%>\bin>keytool -genkey -alias tomcat -keyalg RSA -keystore <%HPSS_HOME>\hpss\pa\tomcat\conf\keystore

NOTE:

With only these options, keytool uses its defaults for key size, signature algorithm and validity. The default validity is 90 days (the sample certificate later in this procedure is valid from 26 June to 24 September), after which the host agents stop trusting the certificate and you must repeat this procedure; add -validity <days> to choose a longer period. The sample output also shows a 1024-bit key signed with SHA1withRSA; on a JDK that still defaults to those, add -keysize 2048 -sigalg SHA256withRSA. Keep the keystore file private, because it contains the server's private key. Record the certificate fingerprint that keytool -list -v reports for the tomcat alias; you compare it with the fingerprint shown in step 9.

3. When prompted for a password, enter changeit. This is the well-known default password for Java keystores; if you choose a different one, use the same value for keystorePass in step 6.

4. When prompted for your first and last name, enter the fully-qualified domain name of your management station, for example abc.domain.company.com. This value becomes the certificate's CN and must match the host name the host agent uses to reach the management station (step 14).

5. For the rest of the fields, enter appropriate values in the order mentioned: Division, Company (your company name), City, State, and Country.

NOTE:

The Country field accepts only a two-letter country code.

6. Enable https for your XP Performance Advisor management station by editing the server.xml file in the <PA_Install folder>\HPSS\pa\tomcat\conf folder:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
    keystoreFile="${catalina.home}/conf/keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />

sslProtocol="TLS" lets the JRE negotiate any protocol version it supports, including SSLv3 on older JREs. On Tomcat versions that support the sslEnabledProtocols attribute, restrict the connector to TLSv1.2 or later. Because keystorePass is stored in clear text, make server.xml readable only by the account that runs Tomcat.

Comment out the HTTP connector in the server.xml file so that the management station no longer accepts unencrypted connections:

<!--
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"
redirectPort="443" />
-->

Use exactly <!-- and --> as the comment delimiters. A comment that ends with ---> is not well-formed XML, and a conforming parser rejects the whole server.xml file.

${catalina.home} is expanded by the Tomcat server to its installation directory, so keystoreFile must resolve to the keystore you created in step 2.

7. Start the Tomcat server in SSL mode and confirm that the management station answers at one of the following URLs:

https://[server name].[domain name]/pa or https://[IP address]/pa

Your browser warns that the certificate is not trusted. That is expected for a self-signed certificate.

8. On the XP Performance Advisor host agent, download the InstallCert program from the following location: http://blogs.sun.com/andreas/resource/InstallCert.java

NOTE:

javac (the JDK compiler) is required to compile the InstallCert program on the host agent server. Save the source as InstallCert.java so that the compiled class is named InstallCert.

9. Compile InstallCert, then run it to retrieve the certificate from the XP Performance Advisor management station and create a keystore:

<%JAVA_HOME%>\bin\javac InstallCert.java
<%JAVA_HOME%>\bin\java InstallCert <Fully_Qualified_Name_for_Management_Station>:443

The program is run with java, not javac; javac only compiles it. Use the management station's DNS name, for example abc.domain.company.net.

The following messages appear while InstallCert creates the keystore. The SSLHandshakeException is expected on this first run: it is the JRE reporting that it cannot build a certification path from the management station's certificate to any trusted root, which is exactly what this procedure fixes.

Loading KeyStore /opt/java6/jre/lib/security/cacerts...
Opening connection to abc.domain.company.net:443...
Starting SSL handshake...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1056)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1040)
    at InstallCert.main(InstallCert.java:87)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:182)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:967)
    ... 8 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 14 more
Server sent 1 certificate(s):

 1 Subject CN=abc.domain.company.net, OU=DDD, O=LL, L=Bangalore, ST=Karnataka, C=IN
   Issuer  CN=abc.domain.company.net, OU=DDD, O=LL, L=Bangalore, ST=Karnataka, C=IN
   sha1    8b 41 4e 8e 10 d8 6a e7 c1 e7 60 0c 7a 40 40 e3 dc d6 49 d9

Before you continue, compare the sha1 fingerprint shown here with the fingerprint of the certificate in the keystore you created on the management station in step 2. If they differ, do not add the certificate: the host agent is not talking to your management station.

10. InstallCert lists the certificates the server sent and asks which one to add to the trusted keystore. Enter the position of the certificate in the list (not the certificate's serial number), for example 1 to add the first certificate, or type q to quit without changing anything. Add only the certificate whose fingerprint you verified in step 9.

Enter certificate to add to trusted keystore or 'q' to quit: [1] 1

[
[
  Version: V3
  Subject: CN=abc.domain.company.net, OU=DDD, O=HP, L=Bangalore, ST=Karnataka, C=IN
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 14112981769157035023468027347307043568806129792181828959708167277791879451495826664164455479993220341492679269849676108073713346876767829627621260274753150883507406309763444970887025464942157425503289549888492292375448413263491057791755450401393914991581354908141412231787447925564890048342702607435451634 7429
  public exponent: 65537
  Validity: [From: Thu Jun 26 14:16:19 IST 2008,
               To: Wed Sep 24 14:16:19 IST 2008]
  Issuer: CN=abc.domain.company.net, OU=DDD, O=LL, L=Bangalore, ST=Karnataka, C=IN
  SerialNumber: [    4863575b]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 38 89 5D 02 D3 C7 86 59   90 3D 9C 57 61 41 ED 16  8.]....Y.=.WaA..
0010: BF D0 55 4B 7E AA 04 9F   BD 84 AF 22 75 D8 E8 E0  ..UK......."u...
0020: 2D 0D 38 32 76 21 22 D4   5D FA 82 5E 5D 44 DA F4  -.82v!".]..^]D..
0030: 21 A2 39 26 CF 57 32 E3   EE D2 D6 4A 72 A6 18 BF  !.9&.W2....Jr...
0040: FD 92 FC 10 A0 B9 F7 30   3E A1 13 ED 96 9F B2 0C  .......0>.......
0050: 4E 74 2F B2 AB 1E 03 CC   A0 3D 01 8B 80 D1 00 14  Nt/......=......
0060: E6 2A E5 43 AA AC 62 51   26 FE 7B 07 AE 67 A2 55  .*.C..bQ&....g.U
0070: 77 59 50 B2 71 84 20 F7   17 08 1D C3 D0 70 46 CF  wYP.q. ......pF.

]

Added certificate to keystore 'jssecacerts' using alias 'abc.domain.company.net-1'

InstallCert writes the new keystore, jssecacerts, into the current directory. It is a copy of the JRE's cacerts with the selected certificate added, protected by the default password changeit.

11. Copy the jssecacerts keystore created in step 10 to the security folder of the JRE that the host agent runs with, <%JAVA_HOME%>/jre/lib/security (the same folder as the cacerts file loaded in step 9):

# cp jssecacerts /opt/java6/jre/lib/security/

The JRE looks for jssecacerts in this folder before it falls back to cacerts, so cacerts itself is left unchanged. Make the copied file owned by root (or the host agent's service account) and not writable by other users: anyone who can write to it can make the host agent trust an arbitrary certificate.

12. Run the InstallCert program again from the same directory to verify that the management station is now trusted. The handshake must complete without the exception seen in step 9:

# /opt/java6/bin/java InstallCert abc.domain.company.net:443
Loading KeyStore jssecacerts...
Opening connection to abc.domain.company.net:443...
Starting SSL handshake...

No errors, certificate is already trusted
Server sent 1 certificate(s):

 1 Subject CN=abc.domain.company.net, OU=DDD, O=LL, L=Bangalore, ST=Karnataka, C=IN
   Issuer  CN=abc.domain.company.net, OU=DDD, O=LL, L=Bangalore, ST=Karnataka, C=IN
   sha1    8b 41 4e 8e 10 d8 6a e7 c1 e7 60 0c 7a 40 40 e3 dc d6 49 d9

13. When prompted to select a certificate to add to the trusted keystore, type q to quit; the certificate is already trusted and nothing needs to be added. Delete the working copy of jssecacerts in the current directory once the verification succeeds, so that only the copy under the JRE's security folder remains.

Enter certificate to add to trusted keystore or 'q' to quit: [1] q

KeyStore not changed

14. Modify the paxp_service.properties file to use SSL. Replace http with https, and replace the IP address of the management station with its fully-qualified domain name. Use the same name as the CN you entered in step 4: a client that verifies host names rejects a certificate whose CN does not match the name it connected to, and an IP address never matches a CN that holds a domain name.

ManagementStation.Hostname=abc.domain.company.net
Protocol=https

15. Start the XP Performance Advisor host agent service.

In the Windows host agent:

1. Go to the Services dialog box.

2. Right-click HP XP Performance Advisor Hostagent.

3. Click Start in the drop-down list.

In the UNIX host agent:

In the command prompt window, type /opt/xppa/hostagent/sbin/xppa start.

IMPORTANT:

To enable SSL on an XP Performance Advisor Windows host agent, complete the following steps in addition to the steps above:

1. Stop the XP Performance Advisor host agent service:

• Go to the Services dialog box.

• Right-click HP XP Performance Advisor Hostagent.

• Click Stop in the drop-down list.

2. Copy the following jar files, sunpkcs11.jar, sunjce_provider.jar, and dnsns.jar, from %JAVA_HOME%\lib\ext to the <Installed HA dir>\xppa\hostagent folder.

3. Start the XP Performance Advisor host agent service:

• Go to the Services dialog box.

• Right-click HP XP Performance Advisor Hostagent.

• Click Start in the drop-down list.
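The server-side keystore generation (step 2) and the client-side trust steps (steps 9 through 12), written as one POSIX shell script that performs the fingerprint comparison the procedure asks you to do by hand. This is an added example and not part of the HP documentation or of the InstallCert program. It assumes keytool from a JDK 7 or later (the -ext and -sslserver options do not exist in older releases); the function names, the host names, the keystore paths and the changeit password are illustrative, and the script writes a separate jssecacerts rather than modifying cacerts.

```shell
#!/bin/sh
# Added example: self-signed server keystore plus fingerprint-checked client
# trust for a Java-based agent. Assumes keytool from JDK 7 or later; all
# names, paths and passwords are illustrative.
set -eu

# Normalise a fingerprint so the format InstallCert prints ("8b 41 4e ...")
# and the format keytool prints ("8B:41:4E:...") compare equal.
fp_normalize() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Succeed only when both values are non-empty and identical after
# normalisation: an empty expected fingerprint must never match.
fp_equal() {
    a=$(fp_normalize "$1")
    b=$(fp_normalize "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Management station: generate the Tomcat keystore with explicit key size,
# signature algorithm, validity and a SAN matching the FQDN, export the
# certificate, and print its SHA-256 fingerprint for out-of-band distribution.
#   make_server_keystore FQDN KEYSTORE_PATH STOREPASS
make_server_keystore() {
    fqdn=$1; ks=$2; pass=$3
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 825 \
        -dname "CN=$fqdn, OU=Division, O=Company, L=City, ST=State, C=IN" \
        -ext "san=dns:$fqdn" \
        -keystore "$ks" -storepass "$pass" -keypass "$pass"
    keytool -exportcert -alias tomcat -keystore "$ks" -storepass "$pass" \
        -rfc -file "$fqdn.pem"
    keytool -printcert -file "$fqdn.pem" | awk '/SHA256:/ { print $2; exit }'
}

# Host agent: locate the JRE's cacerts (JDK 8 layout <java.home>/jre/lib/security,
# JDK 9+ layout <java.home>/lib/security) and create jssecacerts beside it if it
# does not exist yet. JSSE loads jssecacerts in preference to cacerts.
#   make_jssecacerts JAVA_HOME   -> prints the jssecacerts path
make_jssecacerts() {
    for dir in "$1/jre/lib/security" "$1/lib/security"; do
        if [ -f "$dir/cacerts" ]; then
            [ -f "$dir/jssecacerts" ] || cp "$dir/cacerts" "$dir/jssecacerts"
            printf '%s\n' "$dir/jssecacerts"
            return 0
        fi
    done
    echo "no cacerts found under $1" >&2
    return 1
}

# Host agent: fetch the leaf certificate the server presents, refuse it unless
# its SHA-256 fingerprint equals the one recorded on the management station,
# and only then import it. This is the check InstallCert does not perform: it
# trusts whatever certificate the first connection returns.
#   pin_server_cert HOST:PORT EXPECTED_SHA256 JSSECACERTS STOREPASS
pin_server_cert() {
    target=$1; expected=$2; store=$3; pass=$4
    leaf=$(mktemp)
    # -rfc prints the whole chain as PEM; keep only the first (leaf) block.
    keytool -printcert -sslserver "$target" -rfc \
        | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ { print; if (/END CERTIFICATE/) exit }' \
        > "$leaf"
    actual=$(keytool -printcert -file "$leaf" 2>/dev/null | awk '/SHA256:/ { print $2; exit }')
    if ! fp_equal "$expected" "$actual"; then
        echo "REFUSING to trust $target: expected $expected, got ${actual:-<none>}" >&2
        rm -f "$leaf"
        return 1
    fi
    keytool -importcert -noprompt -alias "${target%%:*}" -file "$leaf" \
        -keystore "$store" -storepass "$pass"
    rm -f "$leaf"
    keytool -list -keystore "$store" -storepass "$pass" -alias "${target%%:*}"
}

# Usage (nothing runs when the file is sourced or run without arguments):
#   sh ssl-pin.sh server abc.domain.company.net /opt/HPSS/pa/tomcat/conf/keystore changeit
#   sh ssl-pin.sh pin abc.domain.company.net:443 <sha256 printed by the server step> /opt/java6 changeit
case "${1:-}" in
    server) make_server_keystore "$2" "$3" "$4" ;;
    pin)    store=$(make_jssecacerts "$4"); pin_server_cert "$2" "$3" "$store" "$5" ;;
esac
```

Run the server half on the management station, carry the printed SHA-256 fingerprint to each host agent by a channel other than the network connection being secured, and run the pin half there. fp_normalize and fp_equal are also usable on their own to compare the spaced lower-case sha1 line that InstallCert prints with the colon-separated form that keytool -list prints for the tomcat alias.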