How to configure CA Business Intelligence Jaspersoft (CABI) for HTTP SSL.

How to integrate a CABI SSL based system with DX NetOps Performance Management (PM).

All Supported DX NetOps Performance Management and CA Business Intelligence Jaspersoft (CABI) releases

This steps through how to set up CABI for SSL HTTPS communication using a Self Signed Certificate.

• Steps 1 though 5 cover setting up SSL HTTPS on CABI and generating a certificate to import to PM.
• Steps 6 through 8 cover adding the CABI certificate to PM using the exported certificate from step 3.
• The instructions are Linux specific. Same steps are taken on a Windows CABI server using same commands found in similar locations on the Windows CABI host.
• PM doesn't require SSL configuration be present to import the CABI SSL Certificate.
• The CABI SSL Certificate must be imported to PM if integrated with CABI regardless of PM SSL configuration state.
• All paths referenced are default. Substitute custom home paths as needed.

1. Create a folder for keystore on CABI. Example:
   • mkdir /opt/CA/SharedComponents/CA/Business/Intelligence/keystore
2. Generate the PrivateKey running this command:
   • /opt/CA/SharedComponents/CA/Business/Intelligence/java/bin/keytool -genkey -noprompt -dname "CN=<value>, OU=<value>, O=<value>, L=<value>, S=<value>, C=<value>" -keystore /opt/CA/SharedComponents/CA/Business/Intelligence/keystore/keystore -storepass changeit -keyalg RSA -keysize 2048 -keypass changeit -ext SAN=dns:<hostNameSetInCN> -validity 7300 -alias <CABI_HostName>
3. Export the CABI certificate which will be moved to PM for import using the
   • /opt/CA/SharedComponents/CA/Business/Intelligence/java/bin/keytool -exportcert -keystore /opt/CA/SharedComponents/CA/Business/Intelligence/keystore/keystore -storepass changeit -alias <CABI_HostName> -file /opt/CA/SharedComponents/CA/Business/Intelligence/keystore/<HostName>-CABI.cer
4. Make the required edits to disable HTTP and enable HTTPS in the /opt/CA/SharedComponents/CA/Business/Intelligence/apache-tomcat/conf/server.xml file.
   
   
   • <?xml version="1.0" encoding="UTF-8" standalone="no"?><Server port="8005" shutdown="SHUTDOWN">
       <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
       <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
       <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
       <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
       <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
       <GlobalNamingResources>
         <Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>
       </GlobalNamingResources>
       <Service name="Catalina">
         <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
         <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
         <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                    clientAuth="false" sslProtocol="TLS"
                     keystoreFile="/opt/CA/SharedComponents/CA Business Intelligence/keystore/keystore"
                     keystorePass="changeit" />
         <Engine defaultHost="localhost" name="Catalina">
           <Realm className="org.apache.catalina.realm.LockOutRealm">
             <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
           </Realm>
           <Host appBase="webapps" autoDeploy="true" name="localhost" startStopThreads="-1" unpackWARs="true">
             <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log" suffix=".txt"/>
           </Host>
         </Engine>
       </Service>
     </Server>
     
     
5. Restart tomcat services on the CABI server. In Linux these commands would be used.
   • /opt/CA/SharedComponents/CA\ Business\ Intelligence/apache-tomcat/bin/shutdown.sh
   • /opt/CA/SharedComponents/CA\ Business\ Intelligence/apache-tomcat/bin/startup.sh
6. Move the CABI certificate exported in step 3 to the PM Performance Center host.
   • Recommendation is to place it in the /opt/CA/jre/lib/security dir.
7. Import the CABI certificate placed in /opt/CA/jre/lib/security using this command:
   • /opt/CA/jre/bin/keytool -importcert -alias cabi -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit -file /opt/CA/jre/lib/security/<HostName>-CABI.cer
     • Note: When asked if you trust this certificate answer YES.
8. If you already have CABI integrated with PM as a Data Source, it will need to be deleted then re-added to successfully complete the process configuring the CABI Data Source for HTTPS SSL communications.
   1. NOTE: If this is not done, CABI Synchronization in PM will fail and a DS_PRODUCT_ID changed error will appear in the PC logs.
   2. Delete the CABI Data Source from Administration->Data Sources->Data Sources in the PC web UI.
   3. On the CABI host delete the following file if it exists:
      1. /opt/CA/SharedComponents/CA Business Intelligence/pcProperties
   4.  Add CABI back as a Data Source in PM, specifying HTTPS using https and port 8443.

Additional instructions for importing the PM SSL Cert to CABI are found here: Add a Certificate for SSL-Enabled NetOps Portal