How do I set up Insight to use HTTPS and configure it so that it can be used within AAI?

Article ID: 191574


Products

Automic Automation Intelligence

Issue/Introduction

If your AAI/Jaws application is set up to use HTTPS, your Insight server must also be configured with HTTPS so that the reporting server can be configured properly in the Terma website.

To configure HTTPS for AAI/Jaws see this KB article: How do I setup AAI/JAWS to use HTTPS? 

Environment

Release : 6.0

Component : AUTOMIC AUTOMATION INTELLIGENCE ENGINE

Resolution

1. Generate Self-Signed Key (if you are using a signed certificate and already have the keystore file, i.e. a .jks file, skip to step 2).

When creating the self-signed key, specify the hostname, FQDN and IP address in the SAN (Subject Alternative Name) section of the command, and specify the hostname or FQDN when asked for First and Last name.

Linux Command

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <install dir>/apache-tomcat/conf/key.bin -ext SAN=dns:<hostname>,dns:<FQDN>,ip:192.168.1.38

 

Windows Command

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore <install dir>\apache-tomcat\conf\key.bin -ext SAN=dns:<hostname>,dns:<FQDN>,ip:192.168.1.38

 

2. Update Tomcat Configuration

Linux Configuration

Add the following section after the existing <Connector> element in <Install dir>/apache-tomcat/conf/server.xml.

Here you specify the HTTPS port you wish to use. If Insight is on the same server as AAI, use a different HTTPS port.

You also specify the path to the keystore you created in step 1, which should be in <install dir>/apache-tomcat/conf/.

You also specify the password you used when creating the keystore.

 

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="${HTTPS_PORT}" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="${catalina.base}/conf/key.bin" keystorePass="${PASSWORD_FOR_KEY}" clientAuth="false" sslProtocol="TLS"/>

 

Windows Configuration

Add the following section after the existing <Connector> element in <Install dir>\apache-tomcat\conf\server.xml.

 

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="${HTTPS_PORT}" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="<insight install dir>\apache-tomcat\conf\key.bin" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>

 

3. Get and Import JAWS certificate to TermaINSIGHT server Java Keystore AND the Jasperserver Java Keystore

Linux Command

Get the cert for JAWS server:

openssl s_client -connect <AAI hostname:AAI port>  | openssl x509 -out jawsserver.cert

 

Import the cert into the $JAVA_HOME/jre/lib/security/cacerts keystore

 

keytool -import -alias tomcat -keystore $JAVA_HOME/jre/lib/security/cacerts -file jawsserver.cert

 

Import the AAI/JAWS certificate file into the Java keystore that is embedded with Jasperserver, which is in <Insight Install Dir>/java/jre/lib/security/cacerts

 

keytool -import -alias tomcat -keystore <Insight Install Dir>/java/jre/lib/security/cacerts -file jawsserver.cert



Windows

You can get the Jaws cert over to the Insight server a few different ways. 

  • Get the public cert for the AAI server by running openssl on a Linux machine and then copy it over to Windows:
 
openssl s_client -connect <AAI hostname:AAI port>  | openssl x509 -out jawsserver.cert
 
  • You can also use keytool to export the cert from the Jaws server’s keystore like below:
 
keytool -export -alias jawsserver -file jaws.cer -keystore "<AAI Install Dir>\jboss\standalone\configuration\jaws.keystore"
 
  • From IE, go to the Terma web URL http://<jaws server>:8443/terma and save the keys. Then open Internet Options -> click the Content tab -> click the Certificates button -> select the entry with the JAWS server host name -> click Export -> follow the wizard to save the certificate.
 
  • From Chrome, go to https://<jaws server>:8443/terma, click on the “Not Secure” message to the left of the URL and select certificates. Click on the Details tab and select “copy to file”. Select the top options and “Next”, then select a name and save it. It will save as a .cer file by default, which is what you want.
 
 

 

Import the Cert

Once you have the cert, import the generated/exported cert into the Java keystore (the default password for the keystore is ‘changeit’):

keytool -import -alias tomcat -keystore %JAVA_HOME%\jre\lib\security\cacerts -file jawsserver.cert

 

You must also import the cert into the keystore of the Java bundled with Jasperserver, which is located at <install dir>\java\lib\security\cacerts.

keytool -import -alias tomcat -keystore <Insight Install Dir>/java/lib/security/cacerts -file jawsserver.cert

 

4.    Check that the correct AAI/JAWS URL is stored on the Insight server.

The server name, port, and protocol for accessing the AAI server from Insight is set during the installation of Insight in your install parameters for Windows or Linux.

If you already specified the protocol https, the port used for https, and the correct hostname, FQDN, or IP that matches your certificate, this should already be set correctly.

To make sure, check the file below on the insight server:

<Insight install dir>/apache-tomcat/webapps/jasperserver-pro/WEB-INF/applicationContext-externalAuth-preAuth-mt.xml

There is a jawsBaseUrl section like the one below that needs to be set to https and the proper https port. If it is set to http, update it to reflect the https settings and save the file.

<property name="jawsBaseUrl">
    <value>https://<AAI Server>:<https port>/jaws/api/</value>
</property>


**Note** Whichever hostname is in this URL should also be what is used when accessing the Terma website to set up the Reporting server.

5.    Restart TermaINSIGHT application

Linux

<Insight install dir>/ctlscript.sh restart

Windows

There are two desktop icons to stop and start the Jasperserver services: double-click “Stop JRS Service” and then “Start JRS Service”.


6.    Verify you can get to the Jasperserver login page via https

The link is below. Use the IP, hostname, or FQDN of the server; whichever name you use to access the URL should match what you supplied as the Subject Alternative Names in your certificate.

https://<hostname>:<https port>/jasperserver-pro

You should be able to log in with the user superuser and password TermaPassword by default.


7.    Download the cert to your local desktop and import it into your Trusted Certificates (self-signed certs only).

If you are using self signed certs you must download the certs used for your AAI server and your Insight server to whichever computer you are using to access the Web URL.

From Chrome, go to https://<aai server>:<port>/terma and https://<Insight server>:<port>/jasperserver-pro, click on the red “Not Secure” message to the left of the URL and select certificates.

Click on the Details tab and select “copy to file”.

Select the top options and “Next”, then select a name and save it.

 

Then import both certs into Windows Trusted Certificates. You may already have the AAI/Jaws cert imported if you are able to launch the Jaws thick client.

  • Run mmc.exe from the Start menu on the client
  • Click File then click Add/Remove Snap-in
  • Choose Certificates from the list then click Add
  • In the Certificates snap-in pop-up window, select Computer Account then click Next
  • In the Select Computer pop-up window, select Local Computer then click Finish
  • Click OK to confirm Certificates (Local Computer) snap-in
  • Expand Certificates, expand Trusted Root Certification Authorities
  • Right-click Certificates, click All Tasks, and then click Import
  • On the Certificate Import Wizard Welcome page, click Next
  • Browse to the location of the saved certificate file, select the file and then click Open
  • Select Next
  • In the Certificate Store, select Place all certificates in the following store and choose Trusted Root Certification Authorities
  • Select Next then Finish

Restart all browsers.

8.    Import Self-Signed TermaINSIGHT Key into TermaUNIFY (JAWS) Java Keystore

To connect to the BI server from JAWS over HTTPS when the BI server uses a self-signed cert, the self-signed cert of the BI server must be imported into the Java keystore on the JAWS server (the default password for the keystore is ‘changeit’):

 

Linux

Get the cert via the command below from the AAI/JAWS server:

openssl s_client -connect ${BI_HOSTNAME}:${BI_SSL_PORT} <<<'' | openssl x509 -out bi_server.cert

 

$JAVA_HOME/bin/keytool -import -alias bi_key -keystore $JAVA_HOME/jre/lib/security/cacerts -file bi_server.cert

 

Windows

"%JAVA_HOME%\bin\keytool" -import -alias bi_key -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file bi_server.cert

 

9.    Restart AAI/JAWS server

 

10. Configure the Reporter Server in the Terma website.

Open the Terma website with the same hostname/FQDN/IP as in step 4 and go to System Tools->Reporting Configuration.

  • It is very important to specify the same hostname or IP address that is in the URL in step 4 or used during your Insight installation and your https port.

  • Username and password by default are superuser and TermaPassword.
  • Follow the rest of the steps.
  • If all is configured properly, you should be able to go to the home page, create a new view and see the reports from Insight.

Additional Information
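
A pre-import check for the certificates fetched in steps 3 and 8, and for the name matching that steps 4, 6 and 10 depend on, as an added example that is not part of the original article or of Insight/AAI. A certificate pulled with openssl s_client is whatever the network presented, and importing it into cacerts makes it a trust anchor, so the sketch compares its SHA-256 fingerprint with the value read on the originating server and confirms the SANs cover the host used in the URL. The helper names and the sample host names insight01 and insight01.example.test are assumptions; the constructed sample certificate needs OpenSSL 1.1.1 or later.

```shell
# Added example: vet a certificate file before importing it into cacerts.
# Helper names are hypothetical; they are not part of Insight or AAI.

# cert_sha256 <cert.pem>: SHA-256 fingerprint as lowercase hex, no colons
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# fingerprint_matches <cert.pem> <expected>: <expected> is the value read on the
# server that owns the key (keytool -list -v shows it), any case, colons optional
fingerprint_matches() {
    got=$(cert_sha256 "$1")
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# cert_covers_name <cert.pem> <hostname|FQDN|IP>: exit 0 when the SANs cover it
cert_covers_name() {
    case $2 in
        *:*)       check=-checkip ;;    # IPv6 literal
        *[!0-9.]*) check=-checkhost ;;  # has a non-digit: DNS name
        *)         check=-checkip ;;    # digits and dots only: IPv4
    esac
    # openssl prints "... does match certificate" or "... does NOT match certificate"
    openssl x509 -in "$1" -noout "$check" "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# make_sample_cert <dir>: constructed input, a throwaway self-signed certificate
# with the same SAN layout as the keytool command in step 1
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/sample.key" -out "$1/sample.pem" -subj "/CN=insight01" \
        -addext "subjectAltName=DNS:insight01,DNS:insight01.example.test,IP:192.168.1.38" \
        2>/dev/null
}

# safe_to_import <cert.pem> <expected fingerprint> <host used in the URL>
safe_to_import() {
    fingerprint_matches "$1" "$2" || { echo "fingerprint mismatch: do not import"; return 1; }
    cert_covers_name "$1" "$3" || { echo "certificate does not cover $3"; return 1; }
    echo "ok: fingerprint verified and $3 is covered"
}

if [ "${1:-}" = "--demo" ]; then   # demo on constructed input only
    d=$(mktemp -d) && make_sample_cert "$d" &&
        safe_to_import "$d/sample.pem" "$(cert_sha256 "$d/sample.pem")" insight01
fi
```

In real use, pass the fingerprint obtained on the AAI or Insight server itself, and run the keytool -import command from the steps above only when safe_to_import succeeds.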