APM 10.7 - How to configure ETC with 1 APM EM Provider - An example
Article ID: 210425
Updated On:
Products
Issue/Introduction
Below is an example how to configure ETC to use:
TEST 1: Using http + default ports (8080+8081)
TEST 2: Using https + default ports (8444,8443)
Environment
APM 10.7 SP3 and latest HOTFIXES
Resolution
ETC Overview
Server details for this example:
Master:
1 ETC + 2 Setups, APM 10.7HF77, home dir = /Introscope107HF77
EM+WV lvntest010777.bpc.broadcom.net
Providers:
EM+WV lvntest004384.bpc.broadcom.net
Enable ETC
Go Master ETC
Open EM-HOME/config/IntroscopeEnterpriseManager.properties
Set introscope.apmserver.teamcenter.master=true
TEST 1: Using http + default ports (8080+8081)
Register APM Setup to ETC
EM+WV lvntest004384.bpc.broadcom.net
http://lvntest004384.bpc.broadcom.net:8080
1) Go to Master ETC, create system security token
ATC > Security > Create > Generate New Token, select type=system and “Never expires”
3bb73559-82a3-4741-8c7a-42368168bf7f
IMPORTANT: You need a token for each Provider
2) Go each of the provider (apm MOM/standalone EM) and register it with the ETC
ETC URL=http://lvntest010777.bpc.broadcom.net:8081
ETC Webview=http://lvntest010777.bpc.broadcom.net:8080
EM Webview=http://lvntest004384.bpc.broadcom.net:8080
EM API URL=http://lvntest004384.bpc.broadcom.net:8081
ETC Security Token=3bb73559-82a3-4741-8c7a-42368168bf7f
Click Test Configuration
Click Register
Restart provider (in this case EM standalone).
Check Provider in ETC
Verification in ETC
TEST 2: Using https + default ports (8444,8443)
NOTE: Starting from SP3 you need to create your own self-signed certificates on the EMs to use https/ssl, from README files:
"If you use HTTPS to connect WebView to Enterprise Manager's REST API
(introscope.webview.enterprisemanager.rest.base property in IntroscopeWebView.properties) you might encounter errors like this in the WebView log:
Unable to establish connection with remote resource at https://example.com:8444/apm/appmap/private/metric/batch!
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching example.com found
This error indicates that the Enterprise Manager is using the self-signed certificate installed by the product's installer and WebView is rejecting it as invalid. You must install
your own valid certificates with the correct host name into the Enterprise Manager's
key store. As a workaround, you can create a self-signed certificate for your EM
server name. For more information, see
1) Enable https
In ETC
Target Server: EM+WV lvntest010777.bpc.broadcom.net
Steps:
a) create self-signed certificate
cd /Introscope107HF77/config/internal/server
"/Introscope107HF77/jre/bin/keytool" -genkey -keyalg RSA -alias lvntest010777 -keystore "/Introscope107HF77/config/internal/server/keystore" -storepass password -keypass password -validity 7300 -dname "CN=lvntest010777.bpc.broadcom.net"
"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest010777 -keystore "/Introscope107HF77/config/internal/server/keystore" -storepass password -keypass password
"/Introscope107HF77/jre/bin/keytool" -export -alias lvntest010777 -keystore keystore -storepass password -file lvntest010777.crt
"/Introscope107HF77/jre/bin/keytool" -importcert -keystore "/Introscope107HF77/jre/lib/security/cacerts" -alias lvntest010777 -file "/Introscope107HF77/config/internal/server/lvntest010777.crt" -storepass changeit
"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest010777 -keystore "/Introscope107HF77/jre/lib/security/cacerts" -storepass changeit
b) vi /Introscope107HF77/config/IntroscopeEnterpriseManager.properties
uncomment:
introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml
c) vi /Introscope107HF77/config/em-jetty-config.xml
update certAlias, replace caapm with lvntest010777
..
<Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
<Set name="certAlias">lvntest010777</Set>
<Set name="validateCerts">false</Set>
..
d) vi /Introscope107HF77/config/IntroscopeWebView.properties
uncomment:
introscope.webview.jetty.configurationFile=webview-jetty-config.xml
set:
introscope.webview.enterprisemanager.webserver.tcp.port=8444
introscope.webview.enterprisemanager.rest.base=https://lvntest010777.bpc.broadcom.net:8444/apm/appmap
e) vi /Introscope107HF77/config/webview-jetty-config.xml
Update certAlias, replace caapm with lvntest010777
..
<Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
<Set name="certAlias">lvntest010777</Set>
<Set name="validateCerts">false</Set>
f) Restart EM/Webview
g) Verify that there are no errors in ETC UI and logs
In Provider
Target server: EM+WV lvntest004384.bpc.broadcom.net
Steps:
a) create self-signed certificate:
cd /Introscope107HF77/config/internal/server
"/Introscope107HF77/jre/bin/keytool" -genkey -keyalg RSA -alias lvntest004384 -keystore "/Introscope107HF77/config/internal/server/keystore" -storepass password -keypass password -validity 7300 -dname "CN=lvntest004384.bpc.broadcom.net"
"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest004384 -keystore "/Introscope107HF77/config/internal/server/keystore" -storepass password -keypass password
"/Introscope107HF77/jre/bin/keytool" -export -alias lvntest004384 -keystore keystore -storepass password -file lvntest004384.crt
"/Introscope107HF77/jre/bin/keytool" -importcert -keystore "/Introscope107HF77/jre/lib/security/cacerts" -alias lvntest004384 -file "/Introscope107HF77/config/internal/server/lvntest004384.crt" -storepass changeit
"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest004384 -keystore "/Introscope107HF77/jre/lib/security/cacerts" -storepass changeit | grep lvntest
b) vi /Introscope107HF77/config/IntroscopeEnterpriseManager.properties
uncomment:
introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml
c) vi /Introscope107HF77/config/em-jetty-config.xml
update certAlias, replace caapm with lvntest004384
..
<Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
<Set name="certAlias">lvntest004384</Set>
<Set name="validateCerts">false</Set>
..
d) vi /Introscope107HF77/config/IntroscopeWebView.properties
uncomment:
introscope.webview.jetty.configurationFile=webview-jetty-config.xml
set:
introscope.webview.enterprisemanager.webserver.tcp.port=8444
introscope.webview.enterprisemanager.rest.base=https://lvntest004384.bpc.broadcom.net:8444/apm/appmap
e) vi /Introscope107HF77/config/webview-jetty-config.xml
Update certAlias, replace caapm with lvntest004384
..
<Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
<Set name="certAlias">lvntest004384</Set>
<Set name="validateCerts">false</Set>
f) Restart EM/Webview
g) Verify that there are no errors in ETC UI https+8443 and logs
2) Register Providers to Master ETC
Go to the provider (http://lvntest004384.bpc.broadcom.net:8443) and register it with the ETC
ETC URL=https://lvntest010777.bpc.broadcom.net:8444
ETC Webview=https://lvntest010777.bpc.broadcom.net:8443
EM Webview=https://lvntest004384.bpc.broadcom.net:8443
EM API URL=https://lvntest004384.bpc.broadcom.net:8444
ETC Security Token=be2dff5d-c8f2-433f-bd58-71534e17396a
Click Test Configuration
In the Provider log you will get this message, this is normal and expected. You must add ETC certificate to Provider and Provider certificate to ETC:
3/08/21 09:14:21.713 PM UTC [INFO] [btpool0-0] [Manager.AppMap] Registration to Master failed.I/O error on POST request for "https://lvntest010777.bpc.broadcom.net:8444/apm/appmap/private/internal/follower": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Step by Step solution:
+++++++++++++++++++
Go to ETC:
scp /Introscope107HF77/config/internal/server/lvntest010777.crt [email protected]:/Introscope107HF77/config/internal/server/
Go to lvntest004384:
cd /Introscope107HF77/config/internal/server
"/Introscope107HF77/jre/bin/keytool" -importcert -keystore "/Introscope107HF77/jre/lib/security/cacerts" -alias lvntest010777 -file "/Introscope107HF77/config/internal/server/lvntest010777.crt" -storepass changeit
"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest010777 -keystore "/Introscope107HF77/jre/lib/security/cacerts" -storepass changeit
"/Introscope107HF77/jre/bin/keytool" -importcert -keystore "/Introscope107HF77/config/internal/server/keystore" -alias lvntest010777 -file "/Introscope107HF77/config/internal/server/lvntest010777.crt" -storepass password
"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest010777 -keystore "/Introscope107HF77/config/internal/server/keystore" -storepass password
scp /Introscope107HF77/config/internal/server/lvntest004384.crt [email protected]lvntest010777.bpc.broadcom.net:/Introscope107HF77/config/internal/server/
Go to ETC:
cd /Introscope107HF77/config/internal/server
"/Introscope107HF77/jre/bin/keytool" -importcert -keystore "/Introscope107HF77/jre/lib/security/cacerts" -alias lvntest004384 -file "/Introscope107HF77/config/internal/server/lvntest004384.crt" -storepass changeit
"/Introscope107HF77/jre/bin/keytool" -list -alias lvntest004384 -keystore "/Introscope107HF77/jre/lib/security/cacerts" -storepass changeit
Restart ETC and Provider
+++++++++++++++++++
Click Test Configuration again
Click Register
Restart provider
Login to ETC and check provider and ETC, verify there is no error in Master and Provider logs
Additional Information
See also:
"SSLHandshakeException: unable to find valid certification path to requested target" on every ETC Provider log
https://knowledge.broadcom.com/external/article/210423
Attachments
Feedback
