Setting up SSL on the server for secure client communication (Windows OS)

Ops Center Automator Installation and Configuration Guide

Version: 11.0.x
Audience: anonymous
Part Number: MK-99AUT000-24

To implement secure communication between the management server and management clients, you must set up SSL on the management server.

Note: After a new installation, SSL settings are enabled. The same certificate is used as when the hcmds64ssltool command is run without any options. In the case of an upgrade installation, keep the current SSL settings.

The hcmds64ssltool command creates private keys, certificate signing requests, and self-signed certificates in two variants: one supporting RSA ciphers and one supporting elliptic curve ciphers (ECC). The certificate signing request is created in PEM format. Although you can use this command to create a self-signed certificate, you should use a self-signed certificate for testing purposes only.

Log on as a user with Administrator permissions.

Collect the following information:

  • Requirements for the certificate signing request specified by the certificate authority.

  • Web browser version running on the management client.

    The Web browser must use X.509 PEM format and support the signature algorithm of the server certificates used on the management client (GUI).

  • Existing storage directories for private keys, certificate signing requests, and self-signed certificates, if you are recreating them.

    If a file with the same name already exists in the output location, the command does not overwrite the file. Therefore, when you recreate a private key, certificate signing request, or self-signed certificate, you must output it to a folder other than existing storage folders or delete the existing files.

  1. To create a private key (httpsdkey.pem), a certificate signing request (httpsd.csr), and a self-signed certificate (httpsd.pem) for the Common Component, use the following command:

    Common-Component-installation-folder\bin\hcmds64ssltool [/key private-key-file] [/csr certificate-signing-request-file] [/cert self-signed-certificate-file] [/certtext self-signed-certificate-content-file] [/validity expiration-date] [/sigalg RSA-server-certificate-signature-algorithm] [/eccsigalg ECC-server-certificate-signature-algorithm] [/ecckeysize ECC-private-key-size] [/ext extension-information-for-the-X.509-certificate]

    where

    • key specifies the absolute path of the private key file that is created. If you omit this option, the files are output to the default output destination path# with the file name httpsdkey.pem (for RSA) and ecc-httpsdkey.pem (for ECC).
    • csr specifies the absolute path of the certificate signing request file that is created. If you omit this option, the files are output to the default output destination path# with the file name httpsd.csr (for RSA) and ecc-httpsd.csr (for ECC).
    • cert specifies the absolute path of the self-signed certificate file that is created. If you omit this option, the files are output to the default output destination path# with the file name httpsd.pem (for RSA) and ecc-httpsd.pem (for ECC).
    • certtext specifies the absolute path of the self-signed certificate content file that is created. If you omit this option, the files are output to the default output destination path# with the file name httpsd.txt (for RSA) and ecc-httpsd.txt (for ECC).
    • validity specifies the expiration date of the self-signed certificate by using the number of days. If you omit this option, the default of 3,650 days is used.
    • sigalg specifies the signature algorithm of the RSA certificate as SHA256withRSA, or SHA1withRSA. If you omit this option, the default of SHA256withRSA is used.
    • eccsigalg specifies the signature algorithm of the ECC certificate as SHA512withECDSA, SHA384withECDSA, SHA256withECDSA, or SHA1withECDSA. If you omit this option, the default of SHA384withECDSA is used.
    • ecckeysize specifies the key size of the private key for the ECC server certificates in bits as 256 or 384. If you omit this option, the default of 384 is used.
    • ext specifies the extension information for the X.509 certificate. To set SAN (Subject Alternative Name) on the self-signed certificate and certificate signing request, specify this option. The specification method is based on the ext option of the keytool command in Java. Note, however, that the only extension that can be specified in Ops Center Automator is SAN. If you specify the ext option multiple times, the first specification takes effect.

      The following is an example of specifying the extension information.

      • To specify www.example.com as the host name:

        hcmds64ssltool /ext san=dns:www.example.com

      • To specify www.example.com and www.example.net as multiple host names:

        hcmds64ssltool /ext san=dns:www.example.com,dns:www.example.net

    This command outputs the RSA and ECC files to the specified output destination path. RSA files are output with the specified file name, and ECC files are output with the same file name prefixed with "ecc-".

    #The default output destination when you omit the key, csr, cert, or certtext options is as follows:

    Common-Component-installation-folder\uCPSB11\httpsd\conf\ssl\server

  2. When prompted, enter the following information after the colon (:).
    • Server Name (management server host name) - for example, Automator-SC1.
    • Organizational Unit (section) - for example, Ops Center Automator.
    • Organization Name (company) - for example, Hitachi.
    • City or Locality Name - for example, Santa Clara.
    • State or Province Name (full name) - for example, California.
    • Country Name (2 letter code) - for example, US.

    To leave a field blank, type a period (.). To select a default value visible within the brackets ([]), press the Enter key.

  3. Send the certificate signing request (httpsd.csr) to the certificate authority to apply for a server certificate.
    Note: This step is not required if you plan to use a self-signed certificate, but you should use a signed server certificate in a production environment.

    The server certificate issued by the certificate authority is usually sent by email. Ensure that you save the email and the server certificate sent by the certificate authority.

  4. Stop Ops Center Automator.
  5. Copy the private key (httpsdkey.pem) and the server certificate or the self-signed certificate (httpsd.pem) to the following folder:

    Common-Component-installation-folder\uCPSB11\httpsd\conf\ssl\server

  6. Open the user_httpsd.conf file from the following location:

    Common-Component-installation-folder\uCPSB11\httpsd\conf\user_httpsd.conf

  7. Within the user_httpsd.conf file, do the following:
    Note: When you use Ops Center Automator in a cluster environment, you must edit the user_httpsd.conf file on both the active and standby nodes.
    1. Uncomment the following lines by removing the hash [#] signs:

      #Listen 22016

      #<VirtualHost *:22016>

      through

      #</VirtualHost>

      with the exception of #SSLCACertificateFile and #Header set Strict-Transport-Security max-age=31536000, which must remain commented out.

      For an IPv6 environment, also remove the hash mark (#) at the beginning of the line #Listen [::]:22016.

      The following is an example of how to edit the user_httpsd.conf file.

      ServerName host-name
      Listen [::]:22015
      Listen 22015
      #Listen 127.0.0.1:22015
      SSLEngine Off
      Listen [::]:22016
      Listen 22016
      <VirtualHost *:22016>
      ServerName host-name
      SSLEngine On
      SSLProtocol +TLSv1.2 +TLSv1.3
      SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
      #  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256
      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
      SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsdkey.pem"
      SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsd.pem"
      SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsdkey.pem"
      SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsd.pem"
      # SSLCACertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/cacert/anycert.pem"
      # Header set Strict-Transport-Security max-age=31536000
      </VirtualHost>
      #HWSLogSSLVerbose On
      
    2. Edit the following lines as required:

      ServerName in the first line

      ServerName in the <VirtualHost> tag

      SSLCertificateKeyFile

      SSLCertificateFile

      #SSLCACertificateFile

      When using a chained server certificate issued from a certificate authority, delete the hash sign (#) from the line "# SSLCACertificateFile", and specify the chained certificate file (created by certificate authority) by using an absolute path.

      Note: To block non-SSL communication from external servers to the management server, comment out the lines Listen 22015 and Listen [::]:22015 by adding a hash mark (#) to the beginning of each line. After you comment out these lines, remove the hash mark (#) from the line #Listen 127.0.0.1:22015.

      In addition, for a Windows cluster environment, add or edit the following line in the command_user.properties file:

      command.hostname = localhost
      The command_user.properties file is stored in the following location:
      shared-folder-name\Automation\conf

    When editing directives, be aware of the following:

    • Do not specify the same directive twice.
    • Do not enter a line break in the middle of a directive.
    • When specifying paths in the following directives, do not specify symbolic links or junction points. Paths must be specified as absolute paths.
    • When specifying certificates and private key files in the following directives, specify PEM-format files.
    • Do not edit httpsd.conf or hsso_httpsd.conf.
    • Do not remove the hash mark (#) from the beginning of the following line.
      # Header set Strict-Transport-Security max-age=31536000

    The following is an example of how to edit the user_httpsd.conf file. The numbers represent the default ports.

    ServerName host-name
    Listen [::]:22015
    Listen 22015
    #Listen 127.0.0.1:22015
    SSLEngine Off
    Listen [::]:22016
    Listen 22016
    <VirtualHost *:22016>
    ServerName host-name
    SSLEngine On
    SSLProtocol +TLSv1.2 +TLSv1.3
    SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    #  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
    SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsdkey.pem"
    SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/server-certificate-or-self-signed-certificate-file"
    SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsdkey.pem"
    SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsd.pem"
    SSLCACertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/cacert/certificate-file-from-certificate-authority"
    # Header set Strict-Transport-Security max-age=31536000
    </VirtualHost>
    #HWSLogSSLVerbose On
    
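    Before restarting the service in step 8, it is worth checking the edited user_httpsd.conf against the rules above (SSL virtual host uncommented, SSLEngine On, TLS 1.2/1.3 only, absolute PEM paths, HSTS line still commented, loopback listener restored when port 22015 is blocked). The following Python checker is an added example, not part of this guide or the product; the parser, the function names and the sample configuration with its placeholder install path are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample of user_httpsd.conf after step 7; the install folder is a placeholder, not a real path.
SAMPLE_CONF = """\
Listen 22015
#Listen 127.0.0.1:22015
Listen 22016
<VirtualHost *:22016>
SSLEngine On
SSLProtocol +TLSv1.2 +TLSv1.3
SSLCertificateKeyFile "C:/Common-Component-installation-folder/uCPSB11/httpsd/conf/ssl/server/httpsdkey.pem"
SSLCertificateFile "C:/Common-Component-installation-folder/uCPSB11/httpsd/conf/ssl/server/httpsd.pem"
# Header set Strict-Transport-Security max-age=31536000
</VirtualHost>
"""

def parse(conf):
    """Return (directive, value, inside_vhost, commented) for each non-blank line."""
    entries, in_vhost = [], False
    for line in (l.strip() for l in conf.splitlines() if l.strip()):
        commented = line.startswith("#")
        name, _, value = line.lstrip("# ").partition(" ")  # directive keyword, then its argument
        value = value.strip().strip('"').rstrip(">")
        if name == "</VirtualHost>" and not commented:
            in_vhost = False
        entries.append((name, value, in_vhost, commented))
        if name == "<VirtualHost" and not commented:
            in_vhost = True
    return entries

def check_ssl_config(conf, ssl_port="22016", plain_port="22015"):
    """Apply the guide's editing rules; an empty list means the file passes."""
    active = [(n, v, vh) for n, v, vh, c in parse(conf) if not c]   # drop commented-out lines
    vhost = {n: v for n, v, vh in active if vh}  # last value wins; fine for single-valued directives
    findings = []
    if ("Listen", ssl_port, False) not in active or ("<VirtualHost", f"*:{ssl_port}", False) not in active:
        findings.append(f"Listen {ssl_port} and <VirtualHost *:{ssl_port}> must be uncommented")
    if vhost.get("SSLEngine") != "On":
        findings.append("SSLEngine must be On inside the SSL VirtualHost")
    if not {"+TLSv1.2", "+TLSv1.3"} >= set(vhost.get("SSLProtocol", "missing").split()):
        findings.append("SSLProtocol should enable only TLSv1.2/TLSv1.3")
    for n, v, _ in active:
        if n in ("SSLCertificateKeyFile", "SSLCertificateFile", "SSLCACertificateFile") and not (
                PureWindowsPath(v).is_absolute() and v.lower().endswith(".pem")):
            findings.append(f"{n} must be an absolute path to a PEM file, got {v!r}")
    if any(n == "Header" and v.startswith("set Strict-Transport-Security") for n, v, _ in active):
        findings.append("Header set Strict-Transport-Security must stay commented out")
    if ("Listen", plain_port, False) not in active and ("Listen", f"127.0.0.1:{plain_port}", False) not in active:
        findings.append(f"With Listen {plain_port} commented out, uncomment Listen 127.0.0.1:{plain_port}")
    return findings
```

Run check_ssl_config on the real file's contents; each finding names the directive to fix, and an empty list means the edit matches the guide.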
  8. Start Ops Center Automator.
  9. Update the Ops Center Automator URL by using the hcmds64chgurl command to do the following:
    • Change the protocol from http: to https:
    • Change the port number used for secure communication.
  10. If you use Common Services, run the setupcommonservice command to apply the change.
SSL is now implemented on the Ops Center Automator server.