How to configure SSL for CAS or ADS

Set up the report server to use secure connections with users' web browsers and to use automatically generated data or your own keys and certificates.

Before you begin

It is recommended that secure access be performed using TLSv1.1 or TLSv1.2, which are more secure than their predecessors. SSLv2 and SSLv3 have well-known weaknesses and should only be enabled when a legacy client leaves no alternative.

If an older version of the protocol is required, configure it by setting the configuration property connector.ssl.SSLProtocol to TLSv1, SSLv3 or SSLv2.

Note that the Apache Tomcat default is all, and the acceptable values are SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 and SSLv2+SSLv3.

If the connector.ssl.SSLProtocol property is left blank, the web browser and the web server negotiate the version of the secure protocol when connecting, so the server may end up accepting whatever its OpenSSL build still supports. For more information about secure connection configuration in Apache Tomcat, refer to http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS.

The report server implementation of SSL uses OpenSSL, so the encryption, certification, and other operations are handled as they are defined in OpenSSL.

The subdirectory server\openssl of the report server installation directory contains the OpenSSL tool, which can be used for SSL key and certificate generation, conversion, and management. The report server installation process uses the tools in this directory to generate a self-signed SSL certificate and a key pair for the initial HTTPS server operation.

This certificate and the key pair are, by default, stored in the wwwroot/WEB-INF/ssl subdirectory of the report server installation directory. To change this path, modify the connector.ssl.SSLCertificateFile and connector.ssl.SSLCertificateKeyFile configuration properties in common.properties .

To configure your own encryption keys and register the server in the CA (certificate authority) infrastructure, the common.properties file has to be edited manually. Refer to the Apache Tomcat documentation at http://tomcat.apache.org/tomcat-5.5-doc/apr.html.

All certification procedures, such as creating a certificate request or signing a certificate, have to be handled manually with the OpenSSL utility. For instructions on how to use the OpenSSL utility, refer to http://www.openssl.org.

The report server can connect to the network via standard HTTP or HTTPS (HTTP over SSL), both of which are supported by the report server installation process, or via other modes that can be configured manually.

The connectivity configuration settings are stored in the configuration file common.properties in the config subdirectory of the report server installation directory. The names of the configuration properties in common.properties follow the standard names used for Tomcat and OpenSSL. The format of the file is different, but the names of the configuration parameters are the same.

All of the connectivity configuration properties are set by the installation program during report server installation.

Note

Subsequent modifications to connectivity settings are possible but should be performed with great care. These settings require a thorough understanding of web server connector settings and OpenSSL.

The simplest procedure for joining the server to the certification infrastructure can be summarized as follows:

If you have not received the key and the certificate from the issuer and will be generating the key and the certificate request yourself, create the key. keytool prompts for the distinguished name; give the fully qualified name of the web server as the CN, because the certificate is tied to that exact name:

keytool -genkeypair -keyalg rsa -keysize 2048 -validity [number of days] -keystore [keystorename].jks -storepass [keystorepassword] -alias [alias]

Create a certificate request using the names defined in the previous step:

keytool -certreq -alias [alias] -keystore [keystorename].jks -storepass [keystorepassword] -file my_new_cert.csr

Send the certificate request file (for example my_new_cert.csr) to the issuer to get it signed.

Make sure your certificate is in Base64 X.509 format; if it is not, convert it.

Export the private key from the keystore and convert the exported PKCS12 binary file to PEM format. Note that -nodes writes the key unencrypted, so restrict file-system access to pkey.pem:

keytool -importkeystore -srckeystore [keystorename].jks -destkeystore [path.to]pkey.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]
openssl pkcs12 -in [path.to]pkey.p12 -nodes -nocerts -out [path.to]pkey.pem

Configure the following settings in the common.properties file:

  • connector.ssl.SSLCertificateFile
    Point it to the signed certificate file converted to Base64 X.509 (signed_cert.cer).
  • connector.ssl.SSLCertificateKeyFile
    Point it to the key you generated using keytool, for example pkey.pem.
  • connector.ssl.SSLCertificateChainFile
    Point it to the chain of certificates, that is, chain.txt, which you created by concatenating the CA certificate files (the issuing CA first, then any higher CAs up to the root).

Set the key password. In Windows, go to Programs and Features > Uninstall a program, select Dynatrace Central Analysis Server and click Uninstall/Change.

  1. In the CAS installation dialog, select Change HTTP and SSL Server settings and click Next.

  2. Select Use HTTPS (HTTP over SSL) and Use custom key and certificate, and click Next.

  3. Read the on-screen information, type and confirm the password and click Next. The key password is updated.

  4. Restart the NAM (formerly CAS) service.

To browse to the NAM Server site, use the fully qualified name (FQN) of the web server in the URL. When you created the keystore, you specified the FQN of the web server as the CN, so the SSL certificate is tied to that exact name; a browser that reaches the server by a short host name or an IP address will report a certificate name mismatch.
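As an added check that is not part of the original page, the following script reads the connector.ssl.* settings from a common.properties file and rejects the file if the protocol choice permits SSLv2/SSLv3 or leaves the version to negotiation, if a referenced file is missing, if the private key does not belong to the certificate, or if the certificate is about to expire. Only the property names and the accepted SSLProtocol values come from the page; openssl on the path is assumed, and the certificate, the file paths and the two property files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original page: sanity-check the connector.ssl.*
# settings in common.properties before restarting the report server. Only the
# property names and accepted SSLProtocol values come from the page; the file
# paths, the certificate and the two property files below are constructed.
set -eu

# Value of a property (text after the first '='), or empty if it is unset.
# Stray CRs are dropped so a file edited on Windows still checks correctly.
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tr -d '\r' | head -n 1
}

# 0 for an explicit TLSv1.1/TLSv1.2 choice; 1 for anything that enables SSLv2
# or SSLv3, or that leaves the version to be negotiated ("all" or blank).
check_ssl_protocol() {
    case "$1" in
        TLSv1.1|TLSv1.2)         echo "OK       SSLProtocol=$1"; return 0 ;;
        TLSv1)                   echo "WEAK     SSLProtocol=TLSv1; prefer TLSv1.1 or TLSv1.2"; return 1 ;;
        SSLv2|SSLv3|SSLv2+SSLv3) echo "UNSAFE   SSLProtocol=$1 enables a broken protocol"; return 1 ;;
        all|"")                  echo "UNPINNED SSLProtocol='$1' lets the client pick; set it explicitly"; return 1 ;;
        *)                       echo "UNKNOWN  SSLProtocol='$1' is not a Tomcat APR value"; return 1 ;;
    esac
}

# Whole-file check: protocol, certificate and key files present, key really
# belongs to the certificate, chain file present if configured, and the
# certificate not within 30 days of expiry. Returns 0 only if everything passes.
check_common_properties() {
    props=$1; rc=0
    check_ssl_protocol "$(get_prop "$props" connector.ssl.SSLProtocol)" || rc=1
    cert=$(get_prop "$props" connector.ssl.SSLCertificateFile)
    key=$(get_prop "$props" connector.ssl.SSLCertificateKeyFile)
    chain=$(get_prop "$props" connector.ssl.SSLCertificateChainFile)
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "MISSING  '$f'"; rc=1; }
    done
    if [ -r "$cert" ] && [ -r "$key" ]; then
        # Same public key derived from both files means the key pair is the right one.
        if [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ]; then
            echo "OK       private key matches certificate"
        else
            echo "MISMATCH private key does not belong to the certificate"; rc=1
        fi
        openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null \
            || { echo "EXPIRING certificate expires within 30 days"; rc=1; }
    fi
    if [ -n "$chain" ] && [ ! -r "$chain" ]; then
        echo "MISSING  chain file '$chain'"; rc=1
    fi
    return $rc
}

# Constructed demo: a throwaway self-signed certificate stands in for the
# installer-generated one; other.key is an unrelated key that trips the mismatch check.
WORK=$(mktemp -d)
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 90 -config "$WORK/req.cnf" \
    -subj "/CN=cas.example.com" -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
cat > "$WORK/weak.properties" <<EOF
connector.ssl.SSLProtocol=SSLv3
connector.ssl.SSLCertificateFile=$WORK/server.crt
connector.ssl.SSLCertificateKeyFile=$WORK/other.key
connector.ssl.SSLCertificateChainFile=$WORK/chain.txt
EOF
cat > "$WORK/fixed.properties" <<EOF
connector.ssl.SSLProtocol=TLSv1.2
connector.ssl.SSLCertificateFile=$WORK/server.crt
connector.ssl.SSLCertificateKeyFile=$WORK/server.key
connector.ssl.SSLCertificateChainFile=
EOF
echo "--- weak.properties";  check_common_properties "$WORK/weak.properties" || echo "=> do not restart with this file"
echo "--- fixed.properties"; check_common_properties "$WORK/fixed.properties" && echo "=> safe to restart"
```

Run it against the real config/common.properties after editing and before restarting the service: the public-key comparison is the same check OpenSSL performs when the connector loads the key and certificate, so a mismatch found here is one less failed restart.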


Procedure to create a CSR and install a certificate on a VAS or ADS server (for an internal CA)

Log on to the NAM Probe server and use the openssl command to create the private key and the CSR. The CN must be the fully qualified name of the server, because that is the name the certificate will be checked against:

openssl req -new -newkey rsa:2048 -nodes -sha256 -out {servername}.csr -keyout {servername}.key -subj "/C=US/ST={state}/L={city}/O={organization}/OU={department}/CN={servername}"

The result should be two files:
{servername}.csr
{servername}.key

Send the {servername}.csr file to the CA team to get the certificate (use a Service Catalog request). Only the CSR leaves the server; the {servername}.key file stays where it was generated.

When you receive the files back from the CA team, export them to Base64 X.509 format if the CA did not provide them in that format.

Right-click the certificate chain file (for example, {servername}.p7b) and select Open. The file opens in the Windows certificate viewer.

In the left pane, expand Certificates - Current User > Certificates. The right pane lists the certificates contained in the bundle: the CA certificates (the root and the issuing CA) and the web server certificate.

Export each certificate to Base64 X.509 by right-clicking it and selecting All Tasks > Export. Click Next, select Base-64 encoded X.509 (.CER), click Next, enter the name of the exported file and click Finish:

  • issuing.cer for the issuing CA certificate
  • root.cer for the root CA certificate
  • {servername}.cer for the web server certificate

Make a copy of the issuing.cer file and rename it chain.txt. If the CA returned more than one intermediate certificate, concatenate them into chain.txt with the issuing CA first.

Copy chain.txt, {servername}.key, and the web server certificate (certnew.cer as returned by the CA team, or {servername}.cer if you exported it yourself) to the SSL folder on the NAM Server or ADS server:

  • For VAS/NAM Server copy the above files to: D:\Program Files\Compuware\CAS\wwwroot\WEB-INF\ssl

  • For ADS copy the above files to: D:\Program Files\Compuware\ADS\wwwroot\WEB-INF\ssl

Configure the following settings in the common.properties file:

  • connector.ssl.SSLCertificateFile = certnew.cer
    The signed web server certificate, provided in the zip from the CA team.
  • connector.ssl.SSLCertificateKeyFile = {servername}.key
    Generated together with the CSR on the NAM Probe (formerly AMD).
  • connector.ssl.SSLCertificateChainFile = chain.txt
    Created above.

Restart the service and verify that HTTPS works: browse to https://{servername} using the fully qualified name from the certificate and confirm that the browser accepts the certificate without a warning and shows the chain up to your internal root.
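The complete flow from key and CSR through signing, chain extraction and verification, as an added example that is not part of the original page: a throwaway two-tier internal CA (a root signing an issuing CA) stands in for the CA team, cas.example.com is an assumed server name, and the working directory, organisation names and certificate extensions are assumptions. It needs only openssl, so it can be rehearsed before the real request goes out.

```shell
#!/bin/sh
# Added example, not code from the original page: rehearse the CSR -> internal
# CA -> chain.txt -> verification flow end to end, offline. A throwaway two-tier
# CA (root signing an issuing CA) stands in for the CA team; the server name,
# organisation and working directory are assumptions.
set -eu

FQDN=cas.example.com          # assumed fully qualified name of the report server
WORK=$(mktemp -d)

# Minimal OpenSSL config: an empty DN section (the subject comes from -subj) plus
# extension sets for a CA certificate and for the report server certificate.
cat > "$WORK/ext.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ srv_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
EOF

# Stand-in for the internal CA. The CA team would typically hand its
# certificates back as a DER-encoded .p7b, so that is what gets produced here.
make_internal_ca() (
    cd "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config ext.cnf \
        -extensions ca_ext -subj "/O=Example/CN=Example Root CA" -keyout root.key -out root.cer
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
        -subj "/O=Example/CN=Example Issuing CA" -keyout issuing.key -out issuing.csr
    openssl x509 -req -in issuing.csr -CA root.cer -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile ext.cnf -extensions ca_ext -out issuing.cer
    openssl crl2pkcs7 -nocrl -certfile issuing.cer -certfile root.cer -outform DER -out chain.p7b
)

# The page's key + CSR command, with the FQDN as CN (the name users will type).
make_server_csr() (
    cd "$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
        -subj "/C=US/O=Example/OU=IT/CN=$FQDN" -out "$FQDN.csr" -keyout "$FQDN.key"
)

# What the CA team does with the CSR. The srv_ext section adds a subjectAltName;
# current browsers ignore the CN and require the name there (added caveat).
ca_sign_csr() (
    cd "$1"
    openssl x509 -req -in "$FQDN.csr" -CA issuing.cer -CAkey issuing.key -CAcreateserial \
        -days 365 -sha256 -extfile ext.cnf -extensions srv_ext -out certnew.cer
)

# CLI equivalent of the Windows export steps: every certificate in the .p7b as
# Base64 X.509 (PEM), concatenated into chain.txt.
build_chain() {
    openssl pkcs7 -inform DER -in "$1/chain.p7b" -print_certs \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$1/chain.txt"
    [ -s "$1/chain.txt" ]
}

# What the server needs at start-up and what the browser checks afterwards: the
# key belongs to the certificate, the certificate chains to the root through
# chain.txt, and the certificate name matches the name being connected to.
verify_server_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1/certnew.cer")" = \
      "$(openssl pkey -pubout -in "$1/$FQDN.key")" ] || { echo "key does not match certificate"; return 1; }
    openssl verify -CAfile "$1/root.cer" -untrusted "$1/chain.txt" -verify_hostname "$2" "$1/certnew.cer"
}

make_internal_ca "$WORK" 2>/dev/null
make_server_csr "$WORK"  2>/dev/null
ca_sign_csr "$WORK"      2>/dev/null
build_chain "$WORK"
verify_server_cert "$WORK" "$FQDN"
echo "copy $FQDN.key, certnew.cer and chain.txt into wwwroot/WEB-INF/ssl and point common.properties at them"
```

The verify step is the one worth keeping: run openssl verify with the root as -CAfile, chain.txt as -untrusted and the server name as -verify_hostname against the files you are about to deploy, and a wrong chain file or a certificate issued for a short host name shows up before the service is restarted rather than in users' browsers.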