N1 Grid Service Provisioning System 5.0 Installation Guide

Enabling HTTPS Connections from the Master Server Browser Interface

By default, the N1 Grid Service Provisioning System 5.0 browser interface does not use SSL. Requests are performed over HTTP rather than HTTPS. You can enable HTTPS with an SSL Certificate. You can either have a Certifying Authority sign the certificate or use a self-signed certificate.

A certificate signed by a Certifying Authority is trusted by browsers, therefore the browser does not issue a warning when a user connects to the browser interface on the Master Server. Generally, Certifying Authorities charge a fee to sign a certificate.

A self-signed certificate is available for use immediately after you generate the certificate because you do not have to wait for the Certifying Authority to sign it. However, a self-signed certificate is not trusted by the browser, so the browser issues a warning each time a user connects to the Master Server browser interface.

Procedure: How to Generate SSL Certificates

To enable the browser interface to use SSL, you must first generate an SSL Certificate.

Steps
  1. Change to the directory in which you installed the JRE.


    % cd JAVA-HOME/bin
    

    JAVA-HOME is the directory where you installed the JRE. If you installed the JRE with the N1 Grid Service Provisioning System 5.0, the JRE is installed in the N1SPS5.0-home/common/jre/bin directory.

  2. Generate the certificate.


    % keytool -genkey -alias tomcat -keyalg RSA -keystore /keystore-location \
    -storepass password
    

    Set /keystore-location to the location and filename where you want to store the generated key.

    Set password to a password that you choose.

  3. Follow the prompts to complete.

    Do not include any punctuation in the name of your organization, otherwise the Java Certificate tool fails when attempting to generate the request. The Common Name (CN) must be set to the fully qualified host name component of the URI, including the domain name.
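
The two constraints in step 3 can be checked before the values are typed at the keytool prompts. The script below is an added example, not part of the original guide or the product; the function names url_host and check_cert_names are hypothetical, and the URL, CN and organization in the usage comment are constructed sample values.

```shell
#!/bin/sh
# Added example: preflight check for the values entered at the keytool prompts.
# Usage (constructed sample values):
#   sh check_names.sh https://ms01.example.com:8443/ ms01.example.com "Example Corp"

# Print the host component of a URL (scheme, port and path removed), lowercased.
url_host() {
    h=${1#*://}     # drop the scheme, for example "https://"
    h=${h%%/*}      # drop the path
    h=${h%%:*}      # drop the port, for example ":8443"
    printf '%s\n' "$h" | tr '[:upper:]' '[:lower:]'
}

# check_cert_names URL CN ORG
# Returns 0 only when the URL host is fully qualified, CN equals that host,
# and ORG contains no punctuation characters.
check_cert_names() {
    host=$(url_host "$1")
    cn=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]')
    rc=0
    case "$host" in
        *.*) ;;
        *) echo "URL host '$host' is not fully qualified" >&2; rc=1 ;;
    esac
    if [ "$cn" != "$host" ]; then
        echo "CN '$2' does not match URL host '$host'" >&2
        rc=1
    fi
    if printf '%s' "$3" | grep -q '[[:punct:]]'; then
        echo "organization '$3' contains punctuation" >&2
        rc=1
    fi
    return $rc
}

# Run the check when the script is called with URL, CN and ORG.
if [ "$#" -eq 3 ]; then
    check_cert_names "$@"
fi
```

A CN that differs from the host name users type in the browser produces a name-mismatch warning even when the certificate is signed by a Certifying Authority.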

Procedure: How to Obtain a Signature for an SSL Certificate

If you want to use a Certificate signed by a Certifying Authority, follow this procedure to submit the Certificate to the Certifying Authority to be signed.

Steps
  1. Generate the Certificate Request.


    % keytool -certreq -v -alias tomcat -keyalg RSA -keystore /keystore-location
    

    /keystore-location is the location and filename where you stored the generated key.

  2. Send the Certificate Request to the Certifying Authority.

    Follow the instructions provided by the Certifying Authority. The Certifying Authority returns a Certificate Reply.

  3. Save the Certificate Reply to a file.

  4. Verify the Certificate Reply.


    % keytool -printcert -file certificate-reply-file
    

    certificate-reply-file is the filename of the Certificate Reply that you received from the Certifying Authority.

  5. Import the Certificate Reply file to the keystore file.


    % keytool -v -import -trustcacerts -keystore /keystore-location \
    -file certificate-reply-file -alias tomcat
    

    /keystore-location is the location and filename where you stored the generated key. certificate-reply-file is the filename of the Certificate Reply that you received from the Certifying Authority.

  6. Verify the imported Certificate Reply.


    % keytool -v -list -keystore /keystore-location
    

    /keystore-location is the location and filename where you stored the generated key.

Procedure: How to Enable HTTPS Connections from the Master Server Browser Interface

After you have generated an SSL Certificate, and obtained a signature from a Certifying Authority if you chose to do so, you must configure the Master Server browser interface to use SSL.

Steps
  1. Stop the Master Server.


    % N1SPS5.0-MasterServer-home/server/bin/cr_server stop
    

    N1SPS5.0-MasterServer-home is the directory where you installed the Master Server.

  2. Move the keystore file to the Master Server home directory.


    % mv /keystore-location N1SPS5.0-MasterServer-home/server/tomcat/
    

    /keystore-location is the location and filename where you stored the generated key. N1SPS5.0-MasterServer-home is the directory where you installed the Master Server.

  3. Change to the directory where you moved the keystore file.


    % cd N1SPS5.0-MasterServer-home/server/tomcat/
    

    N1SPS5.0-MasterServer-home is the directory where you installed the Master Server.

  4. Set the ownership and permissions on the keystore file:


    % chmod 600 /keystore-location
    

    % chown MS_user:MS_group /keystore-location
    

    MS_user is the user that owns the Master Server application. MS_group is the group that owns the Master Server application. /keystore-location is the filename where you stored the generated key.

  5. Change to the directory where the Tomcat configuration files are located.


    % cd /N1SPS5.0-MasterServer-home/server/tomcat/conf
    

    N1SPS5.0-MasterServer-home is the directory where you installed the Master Server.

  6. In the server.xml file, uncomment the following lines. XML comments begin with <!-- and end with -->.


    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS"/>
    </Connector>

  7. Edit the Factory element as follows.


    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS" 
               keystoreFile="N1SPS5.0-MasterServer-home/server/tomcat/keystore-file" keystorePass="password"/>

    N1SPS5.0-MasterServer-home/server/tomcat/keystore-file is the path to the keystore file. password is the password that you used to create the original keystore.

Requiring Users to Connect to the Master Server Browser Interface Using SSL

After you have configured the Master Server browser interface to use SSL, you can configure it further so that users must use SSL to connect to the browser interface on the N1 Grid Service Provisioning System Master Server.

Procedure: How to Require Users to Connect to the Master Server Browser Interface Using SSL

Steps
  1. Replace the Tomcat web.xml file with the secure web.xml file.


    % cd /N1SPS5.0-MasterServer-home/server/webapp/WEB-INF
    

    % cp web.xml.secure web.xml
    

    N1SPS5.0-MasterServer-home is the directory where you installed the Master Server.

  2. Restart the Master Server.


    % N1SPS5.0-MasterServer-home/server/bin/cr_server start
    

    N1SPS5.0-MasterServer-home is the directory where you installed the Master Server.
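
The files changed by the two preceding procedures can be audited before the Master Server is put back into service. The script below is an added example, not part of the original guide or the product; the function names secret_file_ok and audit_ms_ssl are hypothetical. The permission check on server.xml goes beyond the steps above and is included because keystorePass is stored there in clear text.

```shell
#!/bin/sh
# Added example: audit the keystore, server.xml and web.xml after the
# HTTPS procedures. All paths are supplied by the caller.
# Usage: sh audit.sh TOMCAT_DIR KEYSTORE_NAME WEBINF_DIR

# secret_file_ok FILE
# Returns 0 when FILE is a regular file with no group or other access bits.
secret_file_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# audit_ms_ssl TOMCAT_DIR KEYSTORE_NAME WEBINF_DIR
# Returns 0 only when every check passes; each failure is reported on stderr.
audit_ms_ssl() {
    tomcat=$1 ks=$2 webinf=$3 rc=0
    conf="$tomcat/conf/server.xml"

    # Keystore must not be accessible to group or other (chmod 600 step).
    secret_file_ok "$tomcat/$ks" ||
        { echo "FAIL: $tomcat/$ks missing or open to group/other" >&2; rc=1; }

    # Added check: server.xml holds keystorePass in clear text.
    secret_file_ok "$conf" ||
        { echo "FAIL: $conf missing or open to group/other" >&2; rc=1; }

    # The Factory element must point at the moved keystore. This does not
    # detect a Connector that is still inside an XML comment.
    grep -qF "keystoreFile=\"$tomcat/$ks\"" "$conf" 2>/dev/null ||
        { echo "FAIL: keystoreFile does not reference $tomcat/$ks" >&2; rc=1; }

    # The active web.xml must be a copy of web.xml.secure.
    cmp -s "$webinf/web.xml" "$webinf/web.xml.secure" ||
        { echo "FAIL: web.xml differs from web.xml.secure" >&2; rc=1; }

    return $rc
}

# Run the audit when the script is called with its three arguments.
if [ "$#" -eq 3 ]; then
    audit_ms_ssl "$@"
fi
```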


    
    

Procedure: How to Revert to the Original Configuration

Steps
  1. Stop the Master Server.


    % N1SPS5.0-MasterServer-home/server/bin/cr_server stop
    

    N1SPS5.0-MasterServer-home is the directory where you installed the Master Server.

  2. To return to the original configuration, replace the secure web.xml file with the default web.xml file.


    % cd /N1SPS5.0-MasterServer-home/server/webapp/WEB-INF
    

    % cp web.xml.default web.xml
    

    N1SPS5.0-MasterServer-home is the directory where you installed the Master Server.

  3. Restart the Master Server.


    % N1SPS5.0-MasterServer-home/server/bin/cr_server start
    

    N1SPS5.0-MasterServer-home is the directory where you installed the Master Server.