Tech Tip : Enable HTTPS in CCC/DM

Document created by SurendranathKS Employee on Nov 4, 2014. Last modified by SurendranathKS Employee on Nov 5, 2014.

To enable HTTPS in CCC and DM, we needed to modify the web.xml of each web application along with the Tomcat server.xml.

Below are the steps. All the modified files are attached as well.   

 

Generate Key :

C:\Program Files\CA\Capacity Command Center 2.x\jre\bin>keytool -genkey -alias tomcat -keyalg RSA

(Enter the hostname when asked for your name.) Password: changeit. Accept the default password in the final step.

 

Generate certificate:

C:\Program Files\CA\Capacity Command Center 2.x\jre\bin>keytool -export -alias tomcat -file tomcatcertfile.cer

 

List key to see if all is well:

C:\Program Files\CA\Capacity Command Center 2.x\jre\bin>keytool -list -keystore c:/users/dmadmin/.keystore

 

Changes to Tomcat server.xml file:

 

1.       Comment out APR library loader

<!--APR library loader. Documentation at /docs/apr.html -->

<!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>  -->

 

2.       Uncomment and edit the connector for SSL

 

<!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the JSSE configuration, when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation -->

  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="C:/Users/dmadmin/.keystore"  keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />

 

 

Modify WEB.xml for DM under webapps\DM\web-inf:

 

Add the following security constraint to the web.xml.

 

<security-constraint>
  <web-resource-collection>
    <web-resource-name>dm</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

 

This content can be added at the end, right before </web-app>. This allows Tomcat to apply the redirection from anywhere in the application.

 

Modify WEB.xml for CCC under webapps\ccc\web-inf:

 

We need to add the following security constraint to the web.xml.

 

Please note the order: exclusions come first. <transport-guarantee>NONE</transport-guarantee> means no SSL. <transport-guarantee>CONFIDENTIAL</transport-guarantee> means SSL is required. Web resource names are arbitrary.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>ccc_api</web-resource-name>
    <url-pattern>/api/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>ccc_rest</web-resource-name>
    <url-pattern>/rest/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>ccc</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

 

Restart Apache Tomcat service after these changes

 

Application behavior after these changes:

When you access CCC and DM using HTTP on port 8081, you are automatically redirected to HTTPS. You can also use HTTPS on port 8443 directly in the URL. The API and REST interfaces of CCC continue to work over the regular (unencrypted) HTTP interface.
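To confirm which CCC paths end up on HTTPS and which stay on plain HTTP, the following added example (not part of the original tip or of the product) parses the security constraints from a web.xml and resolves the transport guarantee for a request path. It goes slightly beyond the three patterns above by applying the servlet best-match rule (exact, then longest path prefix, then extension, then default); the request paths in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three CCC constraints from this page in a bare <web-app>.
ROW = ("<security-constraint><web-resource-collection>"
       "<web-resource-name>{}</web-resource-name><url-pattern>{}</url-pattern>"
       "</web-resource-collection><user-data-constraint>"
       "<transport-guarantee>{}</transport-guarantee>"
       "</user-data-constraint></security-constraint>")
WEB_XML = "<web-app>" + "".join(ROW.format(*r) for r in [
    ("ccc_api", "/api/*", "NONE"), ("ccc_rest", "/rest/*", "NONE"),
    ("ccc", "/*", "CONFIDENTIAL")]) + "</web-app>"
STRENGTH = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}

def local(tag):
    return tag.rsplit("}", 1)[-1]          # drop any XML namespace prefix

def load_constraints(xml_text):
    """Return [(url_pattern, transport_guarantee)] for each security-constraint."""
    out = []
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        pats = [(e.text or "").strip() for e in sc.iter() if local(e.tag) == "url-pattern"]
        tgs = [(e.text or "").strip() for e in sc.iter() if local(e.tag) == "transport-guarantee"]
        out += [(p, tgs[0] if tgs else "NONE") for p in pats]  # no constraint = plain HTTP allowed
    return out

def match_rank(pattern, path):
    """Servlet mapping order: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def transport_for(path, constraints):
    """Guarantee governing `path`; None when no constraint covers it."""
    hits = [(match_rank(p, path), tg) for p, tg in constraints]
    hits = [(r, tg) for r, tg in hits if r is not None]
    if not hits:
        return None
    best = max(r for r, _ in hits)
    # Constraints sharing the winning pattern combine; the weakest transport is accepted.
    return min((tg for r, tg in hits if r == best), key=lambda t: STRENGTH.get(t, 0))

if __name__ == "__main__":
    rules = load_constraints(WEB_XML)
    for path in ("/index.jsp", "/api/v1/hosts", "/rest/status", "/apix"):  # constructed paths
        print(f"{path:15} -> {transport_for(path, rules)}")
```

Any path reported as NONE is served without TLS, so credentials or session cookies sent to it travel in clear text.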
