Performance Monitor Security Considerations

This chapter discusses how to:

Setting Up PSPPMSRV Authentication

The PSPPMSRV application server process acts as the PPMI client when you record PeopleSoft performance data. To register as a client, the PSPPMSRV requires the appropriate permissions in PeopleTools Security.

Warning! Setting up PSPPMSRV authentication is required.

To set up PPMI Client Authentication:

  1. Create a user profile using PeopleTools Security.

  2. Add the PeopleTools Perfmon Client role to the user profile.

    The PeopleTools Perfmon Client role contains the PTPMCLNT permission list.

  3. Select PeopleTools, Performance Monitor, Administration, Global Administration and enter the user profile that you created and the associated password in the PPMI User ID and PPMI Password text boxes.

Firewall Considerations

When setting up firewalls in a Performance Monitor environment, consider:

Agent Communication with the Monitor Servlet

If you require a forward proxy to create a "bridge" for a firewall residing between the monitored system and the monitoring system, configure your web server, application server, and Process Scheduler server accordingly.

Web Server

The process varies depending on which web server you use.

To set up a forward proxy on WebLogic:

  1. Open the setenv.cmd file.

  2. Set HTTP_PROXY_HTTPHOST and HTTP_PROXY_HTTPPORT, or HTTP_PROXY_HTTPSHOST and HTTP_PROXY_HTTPSPORT.

  3. Restart the application server and Process Scheduler domain.

To set up a forward proxy on WebSphere:

  1. Open the WebSphere Administration console at http://<machine-name>:9090/admin and log in.

  2. Expand Servers, Application Servers, server1, Process Definition, JavaVirtualMachine, CustomProperties.

  3. Click New Key, Value pair and add the following new pairs:

  4. Save the configuration changes and log out.

  5. Restart WebSphere.

Application Server

To configure forward proxy on the application server:

  1. Open the PSAPPSRV.CFG file.

  2. Complete the Proxy Host and Proxy Port under the [PSTOOLS] section.

  3. Restart the application server and Process Scheduler domain.

Note. The agents do not use the Proxy Host settings in the PSAPPSRV.CFG file.

Process Scheduler

To configure forward proxy on the Process Scheduler server:

  1. Open the PSPRCS.CFG file.

  2. Enter the Proxy Host and Proxy Port under the [PSTOOLS] section.

Note. The agents do not use the Proxy Host settings in the PSPRCS.CFG file.

PSPPMSRV Communication with the Monitor Servlet

You can't have a firewall between the PSPPMSRV processes and the monitoring web server. When PSPPMSRV starts, it binds to the next free port that is allocated by the operating system, so no static port exists that a firewall rule could reference. This saves you from configuring ports for multiple PSPPMSRVs.

Monitor Cluster Members

The monitor cluster members communicate with each other on their allotted ports. If the cluster members are on different sides of a firewall, then these port numbers need to remain open for HTTP/S.

Setting Up SSL

This section discusses how to:

Setting Up SSL Between Agents and Performance Monitor

This configuration encrypts data that is sent from the agents to the Performance Monitor.

To set up SSL between agents and Performance Monitor:

  1. Install a digital root certificate on the web server.

    A digital root certificate from a trusted certificate authority (CA) must be installed on the web server that is hosting the monitor URL.

    Note. If the root certificate that is installed on your monitoring web server is from a nonstandard CA, then a copy of that certificate must be installed in the application server key store for the monitored databases. The agents load this certificate when they start.

  2. Specify https for the Monitor URL.

Setting Up SSL Between Performance Monitor and PSPPMSRV and Monitor Cluster Members

This configuration encrypts the PPMI user ID and password when they are passed to the monitor, and it encrypts communication between monitor cluster members. Performance data that is published by the monitor is not encrypted.

To set up SSL between Performance Monitor and PSPPMSRV and between cluster members:

  1. Install a digital root certificate on the web server.

    A digital root certificate from a trusted CA must be installed on the web server that is hosting the monitor URL.

  2. Specify HTTPS for the PPMI URL.

  3. Specify HTTPS for the member servlet URLs in the Global Administration page.

Note. If the root certificate that is installed on your monitoring web server is from a nonstandard CA, then a copy of that certificate must be installed in the application server key stores for the monitoring databases.

Setting Up SSL Client Authentication

SSL client authentication validates that the client is trusted by the server.

Note. Setting up SSL client authentication is optional.

To set up SSL client authentication:

  1. Set up SSL (as described in the previous section).

  2. Set up your own certificate authority.

    Remove all other certificate authorities from the monitoring web server's key store. All certificates that are signed by this authority will be trusted by the monitoring web server.

  3. Configure the monitoring web server so that client authentication is required and HTTP requests are disabled.

    Note. This configuration prevents web browser connections to the web server unless the browser has loaded the client certificate. In particular, the Ping buttons that you use when you set up the PPMI URL and the Monitor URL require the browser to have a trusted client certificate loaded.

  4. Configure Client Authentication on all elements that must access the monitoring system through HTTPS.

    The following internal elements must have client certificates in their key stores. Each of these certificates must be signed by your certificate authority. The client authentication ensures that the data that an element receives is authentic, in that no third party could have inserted any incorrect data.

Element / Description

Agents
    Configuring client authentication ensures that performance information that is sent between agents and the monitoring system is authentic.

Monitor cluster members
    Monitor cluster members exchange information regularly. Configuring client authentication ensures that performance information that is sent between the cluster members is authentic.

Integration gateway
    The gateway makes HTTP/S requests to notify the monitoring system of configuration changes. Configuring client authentication ensures that configuration notifications that are sent through the gateway are authentic.

PSPPMSRV
    PSPPMSRV instances make HTTP/S requests to register with the monitoring servlet. Configuring client authentication ensures that the registration process is authentic.

PIA to Integration Gateway
    During notification of configuration changes, PIA makes an HTTP/S request to the gateway. Configuring client authentication ensures that data that is sent between PIA and the gateway is authentic.

The following client certificates are used by these elements. The PSPPMSRV instances and the Monitor Cluster members use the same certificate.

Certificate / Description

Agent certificate
    This certificate resides in the key store in the database of the monitored system. The agents use this certificate.

Monitor certificate
    This certificate resides in the key store in the database of the monitoring system. PSPPMSRV instances and monitor cluster members use this certificate.

Integration gateway certificate
    This certificate resides in the monitoring system gateway. This certificate is used during notification of configuration changes.

PIA to Integration Gateway Certificate
    This certificate resides in the key store in the database of the monitoring system. PIA uses this certificate to make a request to the gateway.

The following table describes where each certificate is configured.

Certificate / Procedure

Agent certificate
    Create a client certificate in the key store in the monitored database, using the Digital Certificates page (PeopleTools, Security, Security Objects, Digital Certificates). The certificate type must be "Local Node" and the alias must be "PerfMon".

Monitor certificate
    Create a client certificate in the key store in the monitoring database, using the Digital Certificates page (PeopleTools, Security, Security Objects, Digital Certificates). The certificate type must be "Local Node" and the alias must be "PerfMon".

Integration Gateway certificate
    Create a client certificate in the key store for the gateway, using the pskeymanager utility. Edit the integrationGateway.properties file to include the certificate alias and encrypted certificate password in the ig.certificateAlias and ig.certificatePassword properties.

PIA to Integration Gateway Certificate
    Create a client certificate in the key store in the monitoring database, using the Digital Certificates page (PeopleTools, Security, Security Objects, Digital Certificates). The certificate type must be "Local Node" and the alias must be the name of the default local node (messaging node) in the monitoring database.

    Discover the name of the local node by selecting PeopleTools, Integration Broker, Node Definitions. Click Search and find the node marked as the default local node.

    Note. While the alias of the certificate must be the same as the name of the default local node, the name of the certificate does not have to match. In particular, the certificate name can't contain the underscore character.

    Configure the Integration Broker Gateway URL to use HTTPS.

Protecting the Performance Monitor Servlets

If you do not intend to use the Performance Monitor servlets, and you want to make sure that they are not exposed to hackers, you can disable the servlets permanently.

To disable the servlets, edit the web.xml file in the Portal Web-Application and remove the servlet definitions and servlet mappings for the monitor and PPMI servlet.
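As an added example (not PeopleSoft's own code), the following Python script audits a web.xml for the monitor and PPMI servlet definitions and their mappings and produces a copy with both removed, which is the check you would run after editing the Portal web application. The embedded web.xml, its servlet names and its class names are constructed assumptions; the script matches servlets whose servlet-name contains "monitor" or "ppmi", so confirm those names against your own web.xml first.

```python
import xml.etree.ElementTree as ET

# Servlet-name fragments assumed to identify the monitor and PPMI servlets
# (assumption: confirm against the <servlet-name> values in your own web.xml).
PERFMON_NAME_FRAGMENTS = ("monitor", "ppmi")

# Constructed sample web.xml; servlet and class names are illustrative only.
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name>psp</servlet-name><servlet-class>example.PortalServlet</servlet-class></servlet>
  <servlet><servlet-name>monitor</servlet-name><servlet-class>example.MonitorServlet</servlet-class></servlet>
  <servlet><servlet-name>ppmi</servlet-name><servlet-class>example.PpmiServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>psp</servlet-name><url-pattern>/psp/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>monitor</servlet-name><url-pattern>/monitor/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>ppmi</servlet-name><url-pattern>/ppmi/*</url-pattern></servlet-mapping>
</web-app>"""

def _local(tag):
    # Strip a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}servlet.
    return tag.rsplit("}", 1)[-1]

def _servlet_name(element):
    # <servlet-name> text of a <servlet> or <servlet-mapping> element ("" if absent).
    for child in element:
        if _local(child.tag) == "servlet-name":
            return (child.text or "").strip()
    return ""

def _is_perfmon(name):
    return any(fragment in name.lower() for fragment in PERFMON_NAME_FRAGMENTS)

def servlet_names(web_xml):
    # All servlet names defined by <servlet> elements, in document order.
    root = ET.fromstring(web_xml)
    return [_servlet_name(el) for el in root if _local(el.tag) == "servlet"]

def perfmon_servlet_names(web_xml):
    # Audit check: servlet names that look like the Performance Monitor servlets.
    return [name for name in servlet_names(web_xml) if _is_perfmon(name)]

def strip_perfmon_servlets(web_xml):
    # Return (hardened_xml, removed_count) with the Performance Monitor servlet
    # definitions and their servlet mappings removed from the <web-app> root.
    root = ET.fromstring(web_xml)
    removed = 0
    for el in list(root):
        if _local(el.tag) in ("servlet", "servlet-mapping") and _is_perfmon(_servlet_name(el)):
            root.remove(el)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

Run perfmon_servlet_names() against the deployed web.xml after the edit; an empty list confirms that neither servlet is still defined.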