APM 10.7 - How to configure ETC with 1 APM EM Provider - An example


Article ID: 210425


Products

DX Application Performance Management, CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Below is an example of how to configure ETC to use:

TEST 1: Using http + default ports (8080+8081)

TEST 2: Using https + default ports (8444,8443)

Environment

APM 10.7 SP3 and latest HOTFIXES

Resolution

ETC Overview

 

Server details for this example:

 

Master:

1 ETC + 2 Setups, APM 10.7HF77, home dir = /Introscope107HF77

EM+WV  lvntest010777.bpc.broadcom.net 

 

Providers: 

EM+WV lvntest004384.bpc.broadcom.net

 

 

Enable ETC

 

Go to the Master ETC
Open EM-HOME/config/IntroscopeEnterpriseManager.properties
Set introscope.apmserver.teamcenter.master=true

 

TEST 1: Using http + default ports (8080+8081)

 

Register APM Setup to ETC

 

EM+WV lvntest004384.bpc.broadcom.net

http://lvntest004384.bpc.broadcom.net:8080

 

1) Go to Master ETC, create system security token

ATC > Security > Create > Generate New Token, select type=system and “Never expires”

3bb73559-82a3-4741-8c7a-42368168bf7f

 

IMPORTANT: You need a token for each Provider

 

2) Go to each provider (APM MOM/standalone EM) and register it with the ETC

ETC URL=http://lvntest010777.bpc.broadcom.net:8081
ETC Webview=http://lvntest010777.bpc.broadcom.net:8080

EM Webview=http://lvntest004384.bpc.broadcom.net:8080
EM API URL=http://lvntest004384.bpc.broadcom.net:8081

ETC Security Token=3bb73559-82a3-4741-8c7a-42368168bf7f

Click Test Configuration

Click Register

Restart provider (in this case EM standalone).

Check Provider in ETC

 

Verification in ETC

 

 

TEST 2: Using https + default ports (8444,8443)

NOTE: Starting from SP3, you need to create your own self-signed certificates on the EMs to use https/ssl. From the README files:

"If you use HTTPS to connect WebView to Enterprise Manager's REST API (introscope.webview.enterprisemanager.rest.base property in IntroscopeWebView.properties) you might encounter errors like this in the WebView log:

Unable to establish connection with remote resource at https://example.com:8444/apm/appmap/private/metric/batch!

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching example.com found

This error indicates that the Enterprise Manager is using the self-signed certificate installed by the product's installer and WebView is rejecting it as invalid. You must install your own valid certificates with the correct host name into the Enterprise Manager's key store. As a workaround, you can create a self-signed certificate for your EM server name. For more information, see https://comm.support.ca.com/kb/team-center-blank-page-after-login-display-no-data-unknown-error/KB000125671"

 

1) Enable https

In ETC

Target Server: EM+WV  lvntest010777.bpc.broadcom.net 

 

Steps:

a) create self-signed certificate

cd /Introscope107HF77/config/internal/server

"/Introscope107HF77/jre/bin/keytool" -genkey -keyalg RSA -alias lvntest010777 -keystore "/Introscope107HF77/config/internal/server/keystore" -storepass password -keypass password -validity 7300 -dname "CN=lvntest010777.bpc.broadcom.net"

"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest010777 -keystore "/Introscope107HF77/config/internal/server/keystore" -storepass password -keypass password


"/Introscope107HF77/jre/bin/keytool" -export -alias lvntest010777 -keystore keystore -storepass password -file lvntest010777.crt


"/Introscope107HF77/jre/bin/keytool" -importcert -keystore "/Introscope107HF77/jre/lib/security/cacerts" -alias lvntest010777 -file "/Introscope107HF77/config/internal/server/lvntest010777.crt" -storepass changeit


"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest010777 -keystore "/Introscope107HF77/jre/lib/security/cacerts" -storepass changeit

 

b) vi /Introscope107HF77/config/IntroscopeEnterpriseManager.properties

uncomment:

introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml

 

c) vi /Introscope107HF77/config/em-jetty-config.xml

update certAlias, replace caapm with lvntest010777

..

 <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>

 <Set name="certAlias">lvntest010777</Set>

 <Set name="validateCerts">false</Set>

..

 

d) vi /Introscope107HF77/config/IntroscopeWebView.properties

uncomment:

introscope.webview.jetty.configurationFile=webview-jetty-config.xml

set:

introscope.webview.enterprisemanager.webserver.tcp.port=8444

introscope.webview.enterprisemanager.rest.base=https://lvntest010777.bpc.broadcom.net:8444/apm/appmap

 

e) vi /Introscope107HF77/config/webview-jetty-config.xml

Update certAlias, replace caapm with lvntest010777

..

 <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>

 <Set name="certAlias">lvntest010777</Set>

 <Set name="validateCerts">false</Set>

 

f) Restart EM/Webview

g) Verify that there are no errors in ETC UI and logs

 

 

In Provider

Target server: EM+WV lvntest004384.bpc.broadcom.net

 

Steps:

a) create self-signed certificate:

cd /Introscope107HF77/config/internal/server

"/Introscope107HF77/jre/bin/keytool" -genkey -keyalg RSA -alias lvntest004384 -keystore "/Introscope107HF77/config/internal/server/keystore" -storepass password -keypass password -validity 7300 -dname "CN=lvntest004384.bpc.broadcom.net"


"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest004384 -keystore "/Introscope107HF77/config/internal/server/keystore" -storepass password -keypass password

 

"/Introscope107HF77/jre/bin/keytool" -export -alias lvntest004384 -keystore keystore -storepass password -file lvntest004384.crt


"/Introscope107HF77/jre/bin/keytool" -importcert -keystore "/Introscope107HF77/jre/lib/security/cacerts" -alias lvntest004384 -file "/Introscope107HF77/config/internal/server/lvntest004384.crt" -storepass changeit


"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest004384 -keystore "/Introscope107HF77/jre/lib/security/cacerts" -storepass changeit | grep lvntest

 

b) vi /Introscope107HF77/config/IntroscopeEnterpriseManager.properties

uncomment:
introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml

 

c) vi /Introscope107HF77/config/em-jetty-config.xml

update certAlias, replace caapm with lvntest004384

..

 <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>

 <Set name="certAlias">lvntest004384</Set>

 <Set name="validateCerts">false</Set>

..

 

d) vi /Introscope107HF77/config/IntroscopeWebView.properties

uncomment:

introscope.webview.jetty.configurationFile=webview-jetty-config.xml

set:

introscope.webview.enterprisemanager.webserver.tcp.port=8444

introscope.webview.enterprisemanager.rest.base=https://lvntest004384.bpc.broadcom.net:8444/apm/appmap

 

e) vi /Introscope107HF77/config/webview-jetty-config.xml

Update certAlias, replace caapm with lvntest004384

..

 <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>

 <Set name="certAlias">lvntest004384</Set>

 <Set name="validateCerts">false</Set>

 

f) Restart EM/Webview

g) Verify that there are no errors in ETC UI https+8443 and logs

 

2) Register Providers to Master ETC

Go to the provider (http://lvntest004384.bpc.broadcom.net:8443) and register it with the ETC

ETC URL=https://lvntest010777.bpc.broadcom.net:8444
ETC Webview=https://lvntest010777.bpc.broadcom.net:8443

EM Webview=https://lvntest004384.bpc.broadcom.net:8443
EM API URL=https://lvntest004384.bpc.broadcom.net:8444

ETC Security Token=be2dff5d-c8f2-433f-bd58-71534e17396a

Click Test Configuration

In the Provider log you will get the message below. This is normal and expected: you must add the ETC certificate to the Provider and the Provider certificate to the ETC:

 3/08/21 09:14:21.713 PM UTC [INFO] [btpool0-0] [Manager.AppMap] Registration to Master failed.I/O error on POST request for "https://lvntest010777.bpc.broadcom.net:8444/apm/appmap/private/internal/follower": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Step by Step solution:

+++++++++++++++++++

Go to ETC:

scp /Introscope107HF77/config/internal/server/lvntest010777.crt <user>@<provider-host>:/Introscope107HF77/config/internal/server/


Go to lvntest004384:

cd /Introscope107HF77/config/internal/server

"/Introscope107HF77/jre/bin/keytool" -importcert -keystore "/Introscope107HF77/jre/lib/security/cacerts" -alias lvntest010777 -file "/Introscope107HF77/config/internal/server/lvntest010777.crt" -storepass changeit


"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest010777 -keystore "/Introscope107HF77/jre/lib/security/cacerts" -storepass changeit

"/Introscope107HF77/jre/bin/keytool" -importcert  -keystore "/Introscope107HF77/config/internal/server/keystore" -alias lvntest010777 -file "/Introscope107HF77/config/internal/server/lvntest010777.crt" -storepass password


"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest010777 -keystore "/Introscope107HF77/config/internal/server/keystore" -storepass password

 

scp /Introscope107HF77/config/internal/server/lvntest004384.crt <user>@lvntest010777.bpc.broadcom.net:/Introscope107HF77/config/internal/server/


Go to ETC:

cd /Introscope107HF77/config/internal/server

"/Introscope107HF77/jre/bin/keytool" -importcert -keystore "/Introscope107HF77/jre/lib/security/cacerts" -alias lvntest004384 -file "/Introscope107HF77/config/internal/server/lvntest004384.crt" -storepass changeit


"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest004384 -keystore "/Introscope107HF77/jre/lib/security/cacerts" -storepass changeit

 

Restart ETC and Provider

+++++++++++++++++++
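
The -importcert commands above make each copied certificate a trust anchor for the JVM, so it is worth confirming that the file received over scp is the one generated on the other host. The shell functions below are an added example, not part of the original article: they read the text printed by keytool -printcert and compare the CN and SHA-256 fingerprint with expected values. The function names, the sample fingerprint and the assumed output layout are illustrative.

```sh
#!/bin/sh
# Added example, not from the article: check a copied .crt before -importcert.
# Input text is what `keytool -printcert -file <name>.crt` prints.
# Assumption: that output has "Owner: CN=..." and a "SHA256: AA:BB:..." line.

# Print the subject CN found in keytool -printcert output on stdin.
cert_cn() {
    sed -n 's/^Owner:.*CN=\([^,]*\).*$/\1/p' | head -n 1
}

# Print the SHA-256 fingerprint, upper-cased, from the same output on stdin.
cert_sha256() {
    sed -n 's/^[[:space:]]*SHA-*256:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' |
        head -n 1 | tr 'abcdef' 'ABCDEF'
}

# check_cert <printcert-text> <expected-host> <expected-fingerprint>
# Returns 0 only when the CN is the expected host and the fingerprint equals
# the one read on the host that generated the key pair; 1 = CN, 2 = fingerprint.
check_cert() {
    cn=$(printf '%s\n' "$1" | cert_cn)
    fp=$(printf '%s\n' "$1" | cert_sha256)
    want=$(printf '%s' "$3" | tr 'abcdef' 'ABCDEF')
    if [ "$cn" != "$2" ]; then
        echo "CN mismatch: got '$cn', expected '$2'"
        return 1
    fi
    if [ -z "$fp" ] || [ "$fp" != "$want" ]; then
        echo "fingerprint mismatch: got '$fp', expected '$want'"
        return 2
    fi
    echo "ok: $cn $fp"
}

# Constructed sample output; the fingerprint values are made up.
SAMPLE_FP='0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'
SAMPLE="Owner: CN=lvntest010777.bpc.broadcom.net
Issuer: CN=lvntest010777.bpc.broadcom.net
Certificate fingerprints:
         SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
         SHA256: $SAMPLE_FP"

# On the Provider the first argument would come from the copied file:
#   check_cert "$(keytool -printcert -file lvntest010777.crt)" <host> <fingerprint>
check_cert "$SAMPLE" lvntest010777.bpc.broadcom.net "$SAMPLE_FP"
```

The expected fingerprint should be read on the host that ran -genkey and passed to the other side by a separate channel from the scp copy.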

 

Click Test Configuration again

Click Register

Restart provider

Log in to ETC and check the provider and ETC; verify there are no errors in the Master and Provider logs.

Additional Information

See also:

"SSLHandshakeException: unable to find valid certification path to requested target" on every ETC Provider log
https://knowledge.broadcom.com/external/article/210423

 

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/application-performance-management/10-7/administrating/configure-enterprise-team-center/enterprise-team-center.html
