Unable to assign discovery policy in SPECTRUM with eHealth Integration using SSL

Article ID: 52110

Products

CA Spectrum

Issue/Introduction

Unable to assign discovery policy in SPECTRUM with eHealth Integration using SSL

Cause

When setting up the integration between eHealth and Spectrum with SSL enabled on both sides, several steps must be followed to get it working. SSL needs to be set up correctly between Spectrum OneClick and the eHealth Distributed Console, as well as between the eHealth Distributed Console and the eHealth Backend Servers.

Environment

Release: Any
Component:

Resolution

Here is the complete set of instructions for setting up SSL with the Spectrum and eHealth integration in a distributed eHealth environment. There are two different communication paths to consider: Spectrum OneClick to the eHealth Distributed Console, and the eHealth Distributed Console to the Backend pollers.

Backend (BE) poller setup:

Secure the BE machines. If the customer is supplying certificates from their own Root/Intermediate CA, then all certificates in the chain must be installed.

Set the NH_HTTP_PORT environment variable to match the HTTPS port in use (443, 8443, etc.) and restart the eHealth machine. This step is listed in the eHealth Administrators guide, but it is easy to miss. Looking at the code, it MIGHT be done by nhWebProtocol now (which was confirmed by some customers).

eHealth Distributed Console (DC) setup:

Secure the DC. Again, if the customer is supplying their own certificates, all certificates in the chain must be installed.

Obtain the certificates for all of the BE pollers. Install each of them using a different alias for each certificate. You should not have to re-install the root/intermediate CA certificates (unless they come from a different CA than the one used for the DC certificate).

Run the command (listed in the eHealth integration guide):

nhParameter -set webServicesProtocolAndPort <protocol>:<port>

If the customer is using the non-default password for the admin user then another variable needs to be set for DC-BE communication. This variable is re-used from report center:

nhRptCtrConfig -action setAdminWebAccess -adminUser admin -adminPassword <yourWebAdminUserPwd>

Spectrum OneClick server configuration:

Install the certificate(s) for the eHealth Distributed Console in the JRE on any OneClick server that will be integrated with the eHealth server in an Active or Passive role.

Restart Spectrum tomcat.

Create a copy of $SPECROOT/tomcat/webapps/spectrum/WEB-INF/ehlth/config/mapping-overrides.xml in $SPECROOT/custom/ehlth/config.

Edit that file and locate the <landscape-override> tag within the <root> element. Uncomment the <landscape-override> block. Create a <server-override> block for every backend server in the eHealth cluster. The <url-host-address> for each <server-override> should be the fully qualified domain name (or the address used in the certificate).

If you had already filled in the eHealth configuration page, press the Update Landscape Overrides button and close all OneClick clients (they will not have the correct URLs).

Enter the information for the Distributed Console in the eHealth configuration page. Use the fully qualified domain name for the server name.

That should complete the SSL aspect of the configuration. You can now open new OneClick client(s).

Known issues:

The URL sent in synchronized discovery execution events will not be correct. A ticket is open to correct this.

If you are trying to use nhSpectrumSetup there are more steps that need to be completed (including patching jar files).

Troubleshooting steps (in order):

1. Verify OneClick to eHealth communication

Click the Test button on the eHealth configuration.

If that fails:

a. Verify that both the httpd and http services are running on the eHealth Distributed Console

b. Check that the server name is the fully qualified domain name or the fully qualified name used for the certificate on the eHealth server.

c. Verify that all certificates in the chain for the eHealth server have been installed in the SPECTRUM OneClick server JRE.

2. Verify Distributed Console to Backend Poller communication

Select a GlobalCollection in OneClick.

Open the eHealth Discovery Policy view on the Information tab.

Click the Assign Discovery Policy button (you do not actually have to assign a policy).

Select each machine from the left panel.

If all of those selections show an error dialog (other than a note that no policies exist):

a. Verify that the webServicesProtocolAndPort and setAdminWebAccess activities listed above have been completed.

b. Verify that all of the certificates for the BE pollers have been installed in the distributed console JRE.

If only some of the selections show an error dialog:

a. Verify that all of the certificates for those BE pollers have been installed in the distributed console JRE.
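
The name and chain checks in troubleshooting steps 1 and 2 can be reproduced outside OneClick with a strict TLS client. The script below is an added example, not part of the original article or of the CA tooling. It assumes the root/intermediate CA certificates have been exported to a PEM file (it does not read the JRE trust store) and that the host names are supplied on the command line.

```python
import socket
import ssl
import sys

# OpenSSL verification codes mapped to the troubleshooting items above.
CHAIN = "incomplete chain: a root/intermediate CA certificate is not trusted"
HINTS = {
    62: "name mismatch: use the FQDN or address that appears in the certificate",
    64: "name mismatch: use the FQDN or address that appears in the certificate",
    20: CHAIN,  # unable to get local issuer certificate
    21: CHAIN,  # unable to verify the first certificate
    19: CHAIN,  # self-signed certificate in chain
    18: "self-signed certificate is not trusted",
    10: "certificate has expired",
}

def classify(verify_code, verify_message=""):
    """Turn an OpenSSL verification code into a troubleshooting hint."""
    return HINTS.get(verify_code, "verification failed: " + verify_message)

def check_host(host, port, cafile=None, timeout=5.0):
    """Handshake with host:port as a strict client; return 'ok' or a hint.

    cafile is a PEM bundle holding only the CA certificates you installed
    (assumption); None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code, exc.verify_message)
    except ssl.SSLError as exc:
        return "TLS handshake failed: " + str(exc)
    except OSError as exc:
        return "unreachable: " + str(exc)

if __name__ == "__main__":
    # Arguments: CA bundle, then one host:port per server to test.
    if len(sys.argv) < 3:
        sys.exit("usage: check_tls.py CA_BUNDLE.pem host:port [host:port ...]")
    for target in sys.argv[2:]:
        host, _, port = target.rpartition(":")
        print(target, "->", check_host(host, int(port), cafile=sys.argv[1]))
```

Run it from the OneClick server against the Distributed Console for step 1, and from the Distributed Console against each BE poller for step 2, using the same host names entered in the configuration.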