SUMMARY
Follow the steps below to configure Single Sign-On with HTTPS for ADA, NFA and UCM.
Step 1. Generate and Install the SSL Certificate
Follow steps in section A for signed certificates and section B for self-signed certificates
A. Steps for signed certificates
Note: The team that creates and enforces security policies for your organization can probably assist you with these steps.
• Generate the certificate request in IIS Manager and obtain a Signed certificate.
See the following link: How to create a certificate request
• Install the signed certificate in IIS Manager Server Certificates
See the following link: How to install a server certificate
• Verify that the certificate is properly installed
Example:
Open the certificate and select the Certification Path as shown below.
Select each certificate displayed in the Certification Path list and ensure that the Certificate status field shows “This certificate is OK”.
Note: Contact the certificate provider if Certificate Status field displays errors.
• To ensure that image graphs in NFA reports are properly included with the Print or Schedule report features, import the Certificate Authority root certificate in the IIS “Trusted Root Certification Authorities Certificates” for the Local Computer on the ADA, NFA or UCM Console server.
In the above certificate example the “CA Root Cert Auth” certificate displayed in the Certification Path must be imported to the IIS “Trusted Root Certification Authorities Certificates” for the Local Computer.
See the “Adding certificates to the Trusted Root Certification Authorities store for a local computer” section in the following link:
Manage Trusted Root certificates
B. Steps for self-signed certificates.
Generate and export the self-signed certificate.
See the following link:
How to create and export a self-signed certificate
Note: The exported certificate will be used in Step 6 B.
In the steps below we will use c:\certs\nfaserver.cer as the exported certificate
Step 2. Export the certificate in PFX format from IIS Manager
See the following link for more information:
How to export a certificate in PFX format
Note: Remember the password, as it will be used in Steps 5 and 10.
In the steps below we will use c:\certs\nfaserver.pfx as the exported certificate with certificatepass as the password
Step 3. Configure the HTTPS port binding for the IIS application
By default, IIS does not have a binding for HTTPS. Navigate to the Default Website in IIS -> Under actions, select “Bindings”
Click on Add in Site Bindings
Select the signed certificate in the SSL certificate pull down menu list
Note: Do not disable http-port 80 binding. The Product will not work properly if http is disabled.
Step 4. Edit the product configuration XML file and change SignInPageProductDefaultUrl Scheme from http to https and enter 443 for the Port. The port field is blank by default.
ADA XML Path: InstallDirectory\Portal\SSO\webapps\sso\configuration\SuperAgent.xml
NFA XML Path: InstallDirectory\Portal\SSO\webapps\sso\configuration\ReporterAnalyzer.xml
UCM XML Path: InstallDirectory\Portal\SSO\webapps\sso\configuration\voipmonitor.xml
NFA Example:
<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
<SingleSignOnEnabled>True</SingleSignOnEnabled>
<SingleSignOnProductCode>ra</SingleSignOnProductCode>
<SignInPageProductTitle><![CDATA[NetQoS<sup><font class="Superscript">®</font></sup> ReporterAnalyzer<sup><font class="Superscript">™</font></sup>]]></SignInPageProductTitle>
<SignInPageProductDescription>Network Traffic Analysis</SignInPageProductDescription>
<SignInPageProductDefaultUrl>
<Scheme>https</Scheme>
<Port>443</Port>
<PathAndQuery>/ra/default.aspx</PathAndQuery>
</SignInPageProductDefaultUrl>
<SingleSignOnWebServiceUrl>
<Scheme>http</Scheme>
<Port></Port>
<PathAndQuery>/ReporterDataSource/SingleSignOnWS.asmx</PathAndQuery>
</SingleSignOnWebServiceUrl>
</Configuration>
Step 5. Create jetty keystore file from exported PFX certificate (Step 2)
ADA keystore file path: InstallDirectory\Portal\Jetty-7.2.0\etc\keystore
NFA keystore file path: InstallDirectory\Portal\Jetty-7.2.0\etc\keystore
NFA 9.3.2+ keystore file path: InstallDirectory\Portal\Jetty\etc\keystore
UCM keystore file path: InstallDirectory\Portal\Jetty\etc\keystore
A. Rename the existing jetty keystore file
NFA Example:
C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore
B. Keytool import command to create the new jetty keystore file with the PFX certificate as the source:
NFA Example:
keytool -importkeystore -srckeystore c:\certs\nfaserver.pfx -srcstoretype pkcs12 -destkeystore C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore -deststoretype JKS
Enter destination keystore password:(keystorepass)
Note: This step creates a new password. In this example we will use keystorepass as the password
Re-enter new password:(keystorepass)
Enter source keystore password:(certificatepass)
Note: This is the pfx file password in Step 2
Remember both passwords as they will be used in later steps.
C. Keytool list command to verify the imported keystore and password entered in above step.
NFA Example:
keytool -list -keystore C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore -storepass keystorepass
Step 6. Import the certificate(s) to the java trusted certificates keystore
ADA cacerts file path: InstallDirectory\jre\lib\security\cacerts
NFA cacerts file path: C:\Program Files\Java\jre6\lib\security\cacerts
NFA 9.3.1+ cacerts file path: InstallDirectory\jre\lib\security\cacerts
UCM cacerts file path: InstallDirectory\jre7\lib\security\cacerts
Follow steps in section A for signed certificates and section B for self-signed certificates
A. Steps for signed certificates
If the ADA, NFA or UCM server is using a certificate signed by a Certificate Authority (CA) that is not included in the Java cacerts keystore by default, you need to import the intermediate certificate and/or root certificate into the cacerts file for https connections to work properly. These certificates are the chain certificates displayed in the Certification Path in Step 1 A.
Note: The default Java cacerts file stores root certificates for the most common CAs, such as VeriSign, GoDaddy, etc.
• (Optional) The following keytool list command can be used to view the default certificates included in the java trusted certificates keystore.
Note: The default cacerts keystore password is changeit
keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCerts1.txt
Edit the output file, CACertsTrustedCerts1.txt, and search for the alias name.
• Import the root certificate and/or intermediate certificate into the Java trusted keystore (cacerts) with the keytool:
keytool -import -file c:\certs\CARootCertAuth.cer -alias CARootCertAuth -trustcacerts -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit
• (Optional) Run the keytool command to print the certificates list and verify that the imported certificate is in the list.
keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCerts2.txt
Edit the output file, CACertsTrustedCerts2.txt, and search for the alias name used in above import command.
B. Steps for self-signed certificates
• Import the self-signed certificate exported in Step 1 B into the Java trusted keystore (cacerts)
NFA Example:
keytool -import -file c:\certs\nfaserver.cer -alias nfaserver -trustcacerts -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit
• (Optional) Run the keytool command to print the certificates list and verify that the imported certificate is in the list.
keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCerts3.txt
Edit the output file, CACertsTrustedCerts3.txt, and search for the alias name used in above import command.
Step 7. Configure the Single Sign-On SSL Scheme and Port
SsoConfig.exe path: InstallDirectory\Portal\sso\bin
NFA Example:
Run the SsoConfig.exe
SSO Configuration:
1. CA Performance Center
2. CA Network Flow Analysis
Choose an option >2
SSO Configuration/CA Network Flow Analysis:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
Choose an option >4
SSO Configuration/CA Network Flow Analysis/Single Sign-On:
Anonymous User Enabled: Disabled
Anonymous User ID: 2
Localhost User Sign-In Page Enabled: Disabled
Localhost User Enabled: Enabled
Localhost User ID: 1
Cookie Timeout Minutes: 20
Encryption Decryption Key: #$utP9%z
Encryption Algorithm: DES
Failed Sleep Seconds: 3
Remember Me Enabled: Enabled
Remember Me Timeout Days: 15
Scheme: http
Port: 8381
Virtual Directory: sso
1. Remote Value
2. Local Override
Choose an option > 2
SSO Configuration/CA Network Flow Analysis/Single Sign-On/Local Override:
1. Anonymous User Enabled:
2. Anonymous User ID:
3. Localhost User Sign-In Page Enabled:
4. Localhost User Enabled:
5. Localhost User ID:
6. Cookie Timeout Minutes:
7. Encryption Decryption Key:
8. Encryption Algorithm:
9. Failed Sleep Seconds:
10. Remember Me Enabled:
11. Remember Me Timeout Days:
12. Scheme:
13. Port:
14. Virtual Directory:
Select a Property > 12
Enter u to update to new value > u
Enter new value > https
SSO Configuration/CA Network Flow Analysis/Single Sign-On/Local Override:
1. Anonymous User Enabled:
2. Anonymous User ID:
3. Localhost User Sign-In Page Enabled:
4. Localhost User Enabled:
5. Localhost User ID:
6. Cookie Timeout Minutes:
7. Encryption Decryption Key:
8. Encryption Algorithm:
9. Failed Sleep Seconds:
10. Remember Me Enabled:
11. Remember Me Timeout Days:
12. Scheme: https
13. Port:
14. Virtual Directory:
Select a Property > 13
Enter u to update to new value > u
Enter new value > 8382
Enter q to quit SsoConfig
Step 8. Backup and edit the SSO start.ini file
start.ini file path: InstallDirectory\Portal\SSO\start.ini
Edit the InstallDirectory\Portal\SSO\start.ini. Search for jetty-ssl and remove the '#' from the following line so that it is active:
NFA Example:
# D:\CA\NFA\Portal\SSO\etc\jetty-ssl.xml
Step 9. Backup and edit SSO wrapper.conf
wrapper.conf file path: InstallDirectory\Portal\SSO\conf\wrapper.conf
Edit the InstallDirectory\Portal\SSO\conf\wrapper.conf. In the following line replace ‘8381’ with ‘8382’ so that it matches the port defined in jetty-ssl.xml, described previously.
wrapper.java.additional.2=-Djetty.port=8382
Step 10. Configure the SSO jetty-ssl.xml file
A. Copy the ‘jetty-ssl.xml’ template to the InstallDirectory\Portal\SSO\etc path
Path where the jetty-ssl.xml template is located:
ADA: InstallDirectory\Portal\Jetty-7.2.0\etc\jetty-ssl.xml
NFA: InstallDirectory\Portal\Jetty-7.2.0\etc\jetty-ssl.xml
NFA 9.3.2+: InstallDirectory\Portal\Jetty\etc\jetty-ssl.xml
UCM path: InstallDirectory\Portal\Jetty\etc\jetty-ssl.xml
SSO path where the jetty-ssl.xml should be copied to:
ADA: InstallDirectory\Portal\SSO\etc\
NFA: InstallDirectory\Portal\SSO\etc\
UCM: InstallDirectory\Portal\SSO\etc\
B. Edit the following lines in the InstallDirectory\Portal\SSO\etc\jetty-ssl.xml file as shown in the example below:
Use the keystore password created in Step 5 B for both the KeyStorePassword and TrustStorePassword
Use the PFX certificate password created in Step 2 for the KeyManagerPassword
Set the port to 8382
Example:
<Set name="KeyStorePassword">keystorepass</Set>
<Set name="KeyManagerPassword">certificatepass</Set>
<Set name="TrustStorePassword">keystorepass</Set>
<Set name="Port">8382</Set>
Step 11. Backup and edit the SSO jetty.xml
XML file path: InstallDirectory\Portal\SSO\etc\jetty.xml
Edit the InstallDirectory\Portal\SSO\etc\jetty.xml and remove the lines below:
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
<Set name="host"><Property name="jetty.host" /></Set>
<!-- Changed: Used to be Property -->
<Set name="port"><SystemProperty name="jetty.port" default="8381"/></Set>
<Set name="maxIdleTime">300000</Set>
<Set name="Acceptors">2</Set>
<Set name="statsOn">false</Set>
<Set name="confidentialPort">8443</Set>
<Set name="lowResourcesConnections">20000</Set>
<Set name="lowResourcesMaxIdleTime">5000</Set>
</New>
</Arg>
</Call>
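The edits in Steps 8 to 11 only work when all four files agree on the same HTTPS port, which is where a restart most often fails. As an added pre-restart check (example code, not from the article or the product), the function below reads the four files as text and reports every mismatch; the file contents are constructed samples so it runs offline.

```python
import re

SSO_PORT = "8382"  # HTTPS port chosen for the SSO service in Step 7

def check_sso_config(start_ini, wrapper_conf, jetty_ssl_xml, jetty_xml):
    """Return a list of problems found; an empty list means the files agree."""
    problems = []
    # Step 8: the jetty-ssl.xml line must be active, i.e. no leading '#'.
    active = [ln for ln in start_ini.splitlines()
              if re.match(r"^\s*[^#\s].*jetty-ssl\.xml\s*$", ln)]
    if not active:
        problems.append("start.ini: jetty-ssl.xml line is missing or still commented out")
    # Step 9: wrapper.conf must hand the same port to the JVM.
    m = re.search(r"^wrapper\.java\.additional\.\d+=-Djetty\.port=(\d+)",
                  wrapper_conf, re.M)
    if not m or m.group(1) != SSO_PORT:
        problems.append("wrapper.conf: -Djetty.port is %s, expected %s"
                        % (m.group(1) if m else "missing", SSO_PORT))
    # Step 10: jetty-ssl.xml must listen on that port and carry all three passwords.
    port = re.search(r'<Set name="Port">(\d+)</Set>', jetty_ssl_xml)
    if not port or port.group(1) != SSO_PORT:
        problems.append("jetty-ssl.xml: Port is %s, expected %s"
                        % (port.group(1) if port else "missing", SSO_PORT))
    pw = {}
    for name in ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword"):
        v = re.search(r'<Set name="%s">([^<]*)</Set>' % name, jetty_ssl_xml)
        pw[name] = v.group(1).strip() if v else ""
        if not pw[name]:
            problems.append("jetty-ssl.xml: %s is missing or empty" % name)
    if pw["KeyStorePassword"] and pw["KeyStorePassword"] != pw["TrustStorePassword"]:
        problems.append("jetty-ssl.xml: KeyStorePassword and TrustStorePassword differ")
    # Step 11: the plain-HTTP connector block must be gone from jetty.xml.
    if 'class="org.eclipse.jetty.server.nio.SelectChannelConnector"' in jetty_xml:
        problems.append("jetty.xml: plain-HTTP SelectChannelConnector is still present")
    return problems

# Constructed sample file contents reflecting the edits in Steps 8-11.
GOOD_START_INI = "etc/jetty.xml\nD:\\CA\\NFA\\Portal\\SSO\\etc\\jetty-ssl.xml\n"
BAD_START_INI = "etc/jetty.xml\n# D:\\CA\\NFA\\Portal\\SSO\\etc\\jetty-ssl.xml\n"
WRAPPER_CONF = "wrapper.java.additional.2=-Djetty.port=8382\n"
JETTY_SSL_XML = ('<Set name="Port">8382</Set>\n'
                 '<Set name="KeyStorePassword">keystorepass</Set>\n'
                 '<Set name="KeyManagerPassword">certificatepass</Set>\n'
                 '<Set name="TrustStorePassword">keystorepass</Set>\n')
JETTY_XML = '<Configure class="org.eclipse.jetty.server.Server"></Configure>\n'

if __name__ == "__main__":
    for label, ini in (("good", GOOD_START_INI), ("bad", BAD_START_INI)):
        print(label, check_sso_config(ini, WRAPPER_CONF, JETTY_SSL_XML, JETTY_XML))
```

Run it against the real files by reading each one with open(...).read() in place of the sample constants.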
Step 12. Confirm that port 8382 is open if the firewall is enabled
Step 13. Restart the “CA Performance Center SSO” service and run an iisreset from the command prompt
Step 14. Verify that the Data Source Web Console is accessible via https and that SsoConfig.exe can be launched
Note: The following log files can be checked if login fails or if SsoConfig.exe fails to launch
InstallDirectory\Portal\SSO\logs\wrapper
InstallDirectory\Portal\SSO\logs\SSOService.log
InstallDirectory\Portal\SSO\logs\application.log (if present)
Step 15. (Optional) Configure the Data Source Web Console HTTPS protocol and port.
If ADA, NFA or UCM is integrated with CAPC, follow the steps in sections A and C for signed certificates or sections B and C for self-signed certificates.
If ADA, NFA or UCM is integrated with NPC, go to section C.
A. Steps for Data Sources configured with signed certificates and integrated with CAPC.
• Copy the root certificate and/or intermediate certificate identified in Step 6 A to the CAPC server.
Example: /tmp/corp_root.cer
• Import the Certificate Authority certificate(s) to CAPC’s Java trusted keystore (cacerts) with the keytool command:
Example:
/CAPerformanceInstallDirectory/jre/bin/keytool -import -alias corp_root -trustcacerts -file /tmp/corp_root.cer -keystore /CAPerformanceInstallDirectory/jre/lib/security/cacerts -storepass changeit
Note: The default cacerts keystore password is changeit
• (Optional) Run the keytool command to verify/print the newly imported certificate(s)
Example:
/CAPerformanceInstallDirectory/jre/bin/keytool -list -keystore /CAPerformanceInstallDirectory/jre/lib/security/cacerts -storepass changeit | grep -i corp
• Restart each CA Performance Center service using these commands:
/sbin/service caperfcenter_sso restart
/sbin/service caperfcenter_devicemanager restart
/sbin/service caperfcenter_console restart
For more information about configuring the Single Sign-On tool with SSL certificate, see the following Single Sign-On section in the CA Performance Management wiki.
B. Steps for Data Sources configured with self-signed certificates and integrated with CAPC.
• Copy the Data Source’s self-signed certificate created in Step 1 B to the CAPC server.
Example: /tmp/nfaserver.cer
• Import the self-signed certificate to CAPC’s Java trusted keystore (cacerts) with the keytool command:
Example:
/CAPerformanceInstallDirectory/jre/bin/keytool -import -alias nfaserver -trustcacerts -file /tmp/nfaserver.cer -keystore /CAPerformanceInstallDirectory/jre/lib/security/cacerts -storepass changeit
Note: The default cacerts keystore password is changeit
• (Optional) Run the keytool command to verify/print the newly imported certificate
Example:
/CAPerformanceInstallDirectory/jre/bin/keytool -list -keystore /CAPerformanceInstallDirectory/jre/lib/security/cacerts -storepass changeit | grep -i nfaserver
• Restart each CA Performance Center service using these commands:
/sbin/service caperfcenter_sso restart
/sbin/service caperfcenter_devicemanager restart
/sbin/service caperfcenter_console restart
For more information about configuring the Single Sign-On tool with SSL certificate, see the following Single Sign-On section in the CA Performance Management wiki.
C. Log in to CAPC or NPC and edit the Data Source settings -> set the Web Console to HTTPS and enter the https port.
NFA Data source settings example:
Note: The Host Name must be set to the name that the certificate was Issued To:
IIS Server Certificate example:
Click on Test to verify connectivity and Save.
Note: The following log files can be checked if the Test option fails
/CAPerformanceInstallDirectory/PC/logs
Step 16. Resync the NFA data source from CAPC/NPC and verify that the NFA views show data. Click on the NFA link to ensure that the NFA Portal is accessible.
This has also been posted in the Knowledge Base on Support.ca.com TEC1940212