CA SPECTRUM AP Office Hours Transcript - June 9th, 2016,  2.00PM - 3.00PM (AEST) Sydney Time

Document created by tarpa01 (Employee) on Jun 9, 2016. Last modified by SamCreek on Dec 17, 2016.

Tarun Pamu to Everyone: Hello Everyone...Welcome to Spectrum Office Hours

Tarun Pamu to Everyone: Please feel free to ask any question

Widjaja Sangtoki to Everyone: Nagesh can you explore more about DeXchange?

Jiangang to Everyone: 1st is spectrum 10.2 already available?

Nagesh Jaiswal to Everyone: @Widjaja It is an event which happens every year. We invite all the customers in Europe region who are using IM products. We do demos and roadmap sessions. Gives an opportunity to customers to ask questions and understand our strategy.

Nagesh Jaiswal to Everyone: @Jiangang, It will be available by end of the year

Nagesh Jaiswal to Everyone: We will start the Beta Trial for 10.2 in the month of August

Jiangang to Everyone: We now use Spectrum 10.1.1, which uses Apache. Can I use our old HTTPS certificate without making a new key pair?

Nagesh Jaiswal to Everyone: @Jiangang, I have made a note of your question. I will have to check with Architects. And then will get back to you.

Jiangang to Everyone:  The old certificate was generated from the old tomcat access

Widjaja Sangtoki to Everyone: @Jiangang, I believe if you reuse the keystore file, you still can reuse that

Andy to Everyone:  potentially looking at upgrading a customer from an older 9.x to version 10.1 .. what would you say are the key factors to be aware of when planning an upgrade?

andy to Everyone: what are the main challenges (if any) are other people facing when upgrading ?

Jiangang to Everyone: The upgrade from 9.x to 10.1 and to 10.1.1 was successful, but we lose the https access

Mohammed Alfakhrany to Everyone: @Andy, I would say that you would need to ensure that you're on a 64-bit OS

Mohammed Alfakhrany to Everyone: @Andy, since 10.x is 64 bit only

Jiangang to Everyone: Yes, Windows2008R2 64Bit

andy to Everyone: aware of that one which is a given

Jiangang to Everyone: The certificate works well if I do not use and activate the Apache

Mohammed Alfakhrany to Everyone: @Andy, 10.1 supports direct upgrade from 9.4.2.1 or higher versions. If you are on 9.3.x or 9.4.x, first upgrade to 9.4.2.1 or 9.4.3 or 10.0

Widjaja Sangtoki to Everyone: @Jiangang, are you referring to Apache Web Server or Apache Tomcat? Spectrum uses Apache Tomcat

Jiangang to Everyone: The Apache was embedded in the OneClick install for MODSecurity-Activation since version 10.0.

Nagesh Jaiswal to Everyone: @Andy Some helpful links on Upgrade. CA Spectrum Upgrade Content: https://communities.ca.com/docs/DOC-231165637, Upgrade Documentation: https://docops.ca.com/ca-spectrum/10-1/en/installing-and-upgrading/upgrading-ca-spectrum

Mohammed Alfakhrany to Everyone: @Andy, what version are you upgrading from?

Widjaja Sangtoki to Everyone: @Jiangang, I think you are talking Apache Webserver..and you use MODSecurity to integrate with Apache Tomcat. Am I right?

Widjaja Sangtoki to Everyone: @Jiangang Spectrum is not coming with Apache WebServer

Widjaja Sangtoki to Everyone: @Jiangang  but only Apache Tomcat

Jiangang to Everyone: from 9.3 HotFix03 to Version 10.1

andy to Everyone: Not sure currently .. I'm yet to get that info from the customer, so not sure what version, or whether they have a distributed scenario or whether they are looking to consolidate and reduce SS's .. how easy is it to merge data .. would it be using the import export tool ?

Mohammed Alfakhrany to Everyone: @Andy, You can use Modelling Gateway to import from multiple SpectroSERVERs and then export to a single SpectroSERVER

Widjaja Sangtoki to Everyone: @Jiangang, if you have both Apache WebServer and Apache Tomcat on the Spectrum machine, somebody has installed Apache WebServer and integrated it with Apache Tomcat.. That means somebody has customized this environment

Jiangang to Everyone: Thanks for the document link, I read the parts about ModSecurity

andy to Everyone: cool - cheers

Mohammed Alfakhrany to Everyone: @Andy, rule of thumb is that previous 32bit versions supported up to 200k models, but now 10.x supports up to 1million models

Jiangang to Everyone: No, till version 9 there was only Tomcat. After version 10 there is an Apache embedded.

Jiangang to Everyone: I am sure no one has touched the Apache in our system.

Widjaja Sangtoki to Everyone: @Jiangang, so you have installed Apache HTTP server 2.4.12 package?

Nagesh Jaiswal to Everyone: @Andy Link to YouTube video which explains how to use Modelling Gateway to export and import for Spectrum 10.0: https://www.youtube.com/watch?v=bob_upL-aog&list=PLynEdQRJawmwSUZ9YRddVw61DgsGTvEdj&index=11

Jiangang to Everyone: It is auto-installed with version 10.1 with the Apache utilities, there is no need to install an extra 2.4.12

Jiangang to Everyone: Thanks for the video link. Yes this is the new  feature after version 10

Widjaja Sangtoki to Everyone: @Jiangang, better to raise a call ticket with us so we can address this issue you have. I believe we need to know more details about the environment you have set up.

Jiangang to Everyone: I am not sure whether this is an issue.  I just want to know whether  I should generate the new ssl key if I use the apache?

Jiangang to Everyone: As said, we can still use the old tomcat with the key, no problem.

Jiangang to Everyone: The apache server usage in version 10 is only for more security

Jiangang to Everyone: The new features as you show in the video presentation is to realize the modsecurity to improve the security.

Jiangang to Everyone: Similar question about the new apache server in version 10 as following:

Jiangang to Everyone: The Apache is embedded in OneClick after version 10. Can we use our own Apache on a separate server?

Widjaja Sangtoki to Everyone: @Jiangang, I don't think that is supported, but we need to confirm

Jiangang to Everyone: It means we do not use the embedded Apache in OneClick, but build our own extra Apache server for OneClick access?

Widjaja Sangtoki to Everyone: Technically if you use the Apache version it should be possible, but we will need to confirm if this has been fully certified

Widjaja Sangtoki to Everyone: if you use the same Apache version

Widjaja Sangtoki to Everyone: @Jiangang, if you can give me your email address.. we will communicate further to address your questions

Jiangang to Everyone : jiangang.yan@ts.fujitsu.com

Widjaja Sangtoki to Everyone: @Jiangang Thanks.. I will contact you via the email to discuss more about ModSecurity

Jiangang to Everyone: It is important to know whether we should generate new keys.

Widjaja Sangtoki to Everyone: I realized Tomcat uses Java keytool to generate the key, while Apache uses openssl

Jiangang to Everyone: because our old tomcat key works well.

Widjaja Sangtoki to Everyone: we will confirm internally to address your question

Jiangang to Everyone: Yes, the java keytool generate the key

Widjaja Sangtoki to Everyone: Apache uses openssl to create the key

Jiangang to Everyone: if we generate new key we should have two keys. The question is whether it is allowed and whether it is so constructed from actual Spectrum architecture

Jiangang to Everyone: actually the keytool are all from openssl.

Widjaja Sangtoki to Everyone: @Jiangang, I believe if we activate Apache HTTP  server, we just need SSL certificate implemented on Apache HTTP server only. So you don't need the Tomcat SSL cert

Jiangang to Everyone: In fact the keytool are all from open ssl.

Widjaja Sangtoki to Everyone:  Apache HTTP server will be the front end of OneClick Console as client

Widjaja Sangtoki to Everyone: Apache HTTP and Tomcat communicates locally (in the same machine)

Jiangang to Everyone: Of course there will be plenty of configuration possibilities with the Apache security configuration, but at first it deals with the key usage which I asked about.

Widjaja Sangtoki to Everyone: @Jiangang, do you have a plan to implement the Apache HTTP ModSecurity in your production environment?

Widjaja Sangtoki to Everyone: Or currently you are at stage of testing?

Jiangang to Everyone: Yes, the new feature after version 10 is the communication in the same machine as described in the CA Version 10.

Jiangang to Everyone: Yes, this is our goal to implement the modsecurity in version 10

Widjaja Sangtoki to Everyone: @Jiangang, thanks for your input.

Jiangang to Everyone: The security of the web access must be improved because the user now has the possibility to use only HTML to access Spectrum directly; in the old version the user had to have the Java Runtime.

Widjaja Sangtoki to Everyone: @Jiangang, so you are referring to Web Client, right?

Widjaja Sangtoki to Everyone: Do you have security features in your mind that you expect Spectrum to have in the future?

Jiangang to Everyone: Because the user can now use the html to spectrum, it has much more security attack possibilities, therefore we should use the modsecurity to improve the security of Spectrum Access.

Widjaja Sangtoki to Everyone: Yes, I agree

Jiangang to Everyone: Yes, ModSecurity implements many security features with which the security can be improved, just as a normal Apache server can do.

Jiangang to Everyone: Therefore I asked the question whether we can use our own Apache server, that is, with a separate Apache server and separate ModSecurity configuration for version 10.x.

Nagesh Jaiswal to Everyone: @Jiangang, Web client is just some REST calls to the back end SS and showing in HTML client. Wanted to understand more what kind of Security Risk you think could be using Web Client.

Jiangang to Everyone: Time is over, many thanks for this webex time

Nagesh Jaiswal to Everyone:   Your  feedback on this will be helpful and we will try to incorporate

Widjaja Sangtoki to Everyone: Thanks Jiangang

Mohammed Alfakhrany to Everyone: Thanks Andy

Tarun Pamu to Everyone: @Jiangang...we will reach out to you for more details..

Jiangang to Everyone: many thanks.

Nagesh Jaiswal to Everyone: Thanks everyone for participation

Tarun Pamu to Everyone: Thanks everyone for attending this session.
