Configuring HTTPS
The following procedure is used to configure HTTPS:
Task A Prepare Certificates
Procedure
1. Create a temporary directory (such as /opt/mycerts) and execute the following commands within it.
2. Copy the cacerts file from the JDK to the file ssl.keystore.
   For JDK8:
   cp $JAVA_HOME/jre/lib/security/cacerts ssl.keystore
   For JDK11:
   cp $JAVA_HOME/lib/security/cacerts ssl.keystore
3. If you have a signed certificate:
   a. If your certificate is from a well-known CA whose root certificate is already in $JAVA_HOME/jre/lib/security/cacerts, it is already in ssl.keystore (which you copied from cacerts). If it is not, add your CA's root certificate to ssl.keystore:
      keytool -importcert -file CA_ROOT.crt -keystore \
      ssl.keystore -alias CA_ROOT
   b. If you have a signed certificate .pem file and the private .key file that was used to generate the certificate request, copy or rename them to server.crt and server.key respectively.
4. If you don't have a CA-signed certificate and need a self-signed certificate, generate a self-signed certificate (and its associated private key):
   openssl req -x509 -sha256 -nodes -days 1826 -newkey \
   rsa:2048 -keyout server.key -out server.crt
5. If you are using a self-signed certificate, import the new certificate into ssl.keystore:
   keytool -importcert -file server.crt -keystore \
   ssl.keystore -alias MySelfSigned -storepass changeit
6. Copy the server.crt file to ssl.pem:
   cp server.crt ssl.pem
7. Create a PKCS #12 format file that contains your key pair:
   openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12
   When prompted for an export password, use the value that the next step passes as -srcstorepass (changeit in this procedure).
8. Convert it to a JKS format keystore:
   keytool -importkeystore -srckeystore server.pkcs12 -srcstoretype pkcs12 \
   -srcstorepass changeit -destkeystore server.keystore -deststoretype jks \
   -deststorepass changeit
9. Copy the files into your Manager installation:
   cp ssl.keystore ssl.pem DS_DATA/engineUpdate/shared
   cp server.crt server.key ssl.keystore server.keystore \
   DS_DATA/certs
10. If you are enabling SSL on both a standalone Director and a standalone Broker (installed on different hosts), the previous step must be followed for each individual Manager installation. In addition, when enabling SSL on a standalone Broker, after following the steps listed above, import the standalone Director's server.crt into the ssl.keystore of the standalone Broker:
    keytool -importcert -file dserver.crt -keystore ssl.keystore \
    -alias MySelfSignedDir -storepass changeit
    Here, dserver.crt is the server.crt from the standalone Director.
11. Copy the latest ssl.keystore and ssl.pem files to both the standalone Director's and the standalone Broker's directory. On the Broker, ssl.pem must hold both certificates, so concatenate the Director's and the Broker's server.crt:
    cat dserver.crt server.crt > ssl.pem
    Here, server.crt is the Broker's own server.crt.
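As an added example (not from the TIBCO GridServer documentation), the following POSIX shell functions sanity-check the files that Task A produces before they are copied into DS_DATA/certs: that server.key and server.crt are the same key pair, that the certificate is not about to expire, and that server.pkcs12 opens with the password step 8 passes as -srcstorepass. The make_selfsigned helper and its /CN=gridserver.example subject are assumptions so the script runs non-interactively; only openssl is required.

```shell
#!/bin/sh
# Added example, not part of the TIBCO GridServer documentation.
# Checks the files produced in Task A (server.key, server.crt, server.pkcs12)
# before they are copied into DS_DATA/certs. Requires only openssl on PATH.
set -eu

# Generate a self-signed pair into $1 exactly as Task A step 4 does;
# the subject is an assumption so the command runs without prompts.
make_selfsigned() {
    openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 \
        -keyout "$1/server.key" -out "$1/server.crt" \
        -subj "/CN=gridserver.example" >/dev/null 2>&1
}

# 0 if server.key and server.crt in $1 belong to the same key pair.
# Comparing SHA-256 digests of the DER public keys works for RSA and EC.
keypair_matches() {
    crt_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout -outform DER \
              | openssl dgst -sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# 0 if server.crt in $1 is valid now and for at least $2 more seconds,
# so a certificate that is about to expire is caught before deployment.
cert_is_fresh() {
    openssl x509 -in "$1/server.crt" -noout -checkend "$2" >/dev/null
}

# 0 if server.pkcs12 in $1 opens with password $2, i.e. the value that
# step 8 passes to keytool as -srcstorepass.
pkcs12_opens_with() {
    openssl pkcs12 -in "$1/server.pkcs12" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Run every check on directory $1 with PKCS #12 password $2; 0 only if all pass
# (the 30-day freshness window is an assumption; adjust to your renewal policy).
check_task_a_dir() {
    keypair_matches "$1" && cert_is_fresh "$1" 2592000 && pkcs12_opens_with "$1" "$2"
}

# Usage: check_task_a_dir /opt/mycerts changeit && echo "certificates OK"
```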
Task B Enable HTTPS/SSL on the Manager
Procedure
1. Edit the DS_DATA/conf/server.xml file:
   a. Comment out or remove the two connector elements for ports 8000 and 8080.
   b. Uncomment the two connectors for ports 8443 and 8043.
   c. Add SSLPassword="changeit" (or your keystore password value) to the 8043 and 8443 connectors.
2. If the Manager is already installed, stop it, open the DS_DATA/conf/installation.properties file, and set DSConfigureOnStartup=true.
3. Start the Manager and perform a Manager Install. On the Local Configuration step, you should see your new HTTPS values. Make sure to enable SSL. Complete the install and restart the Manager.
4. If you have already installed Drivers from this GridServer installation, you must edit their driver.properties files to use the new HTTPS URL before they use SSL. Engines reconfigure themselves after the secure reinstallation; the Director URLs in all Engine Configurations change to https://host:sslport.
Task C Configure the Manager
Procedure
1. In the Administration Tool, go to Admin > System Admin > Manager Configuration > Security.
2. You can set any or all of the SSL parameters on this page to true.
3. To configure the keystore passwords, change the passwords under the Miscellaneous heading.
4. Under HTTPS Communication, set SSL Port to 8043.
Task D Configure the Clients
Procedure
1. If you already installed Drivers and Engines from this TIBCO GridServer® installation, you must change their properties files to point to the new HTTPS URL before they use SSL. Configure the following:
Optional Task: Change the Default Keystore Password Value
You must make the following changes before you change the certificate and restart the Manager:
- Change the value in the Administration Tool at Admin > System Admin > Manager Configuration > Security > Miscellaneous > Manager Keystore Password (for manager.keystore) and SSL Keystore Password (for server.keystore).
- In the server.xml file, add the keystorePass="yournewpassword" parameter to the 8043 and 8443 connectors.
- When reconfiguring the Manager (Primary Director and Broker, or Primary Director) to an SSL Broker (Standalone or Failover), under the DS_DATA/conf location, you must make the following additional changes:
  a. Rename director.properties to broker.properties.
  b. Edit broker.properties and make the following changes:
     - Replace "/messageserver[@name\="Director"]" with "/messageserver[@name\="Broker"]"
     - Remove the following line, if it exists:
       /messageserver[@name\="Director"]/plugin[@class\="DirectorInfoPlugin"]/property[@name\="AuthenticateManager"]=False