8/3/2019 Sip Twp Config
Configuring SIP to Use Secure Socket Layer (SSL)
Protocol for HTTPS
Whitepaper
Version 1.0
February 8, 2002
Table of Contents
INTRODUCTION ........ 3
REQUIRED SOFTWARE JSSE ........ 4
INSTALLATION AND CONFIGURATION OF JSSE ........ 4
SIP CONFIGURATION ........ 5
JVM STARTUP CONFIGURATION ........ 6
LDAP AUTHENTICATION PROVIDER ........ 6
SIPCONFIG GUI ........ 6
SIP GENERIC MODULE ........ 8
Introduction
Service Information Portal (SIP) has been designed to work in a distributed environment and to provide your customers with valuable information about the performance and current status of systems and services within a managed environment.
In some configurations, communication between SIP and backend management stations and/or LDAP servers uses SSL as depicted below. This document will describe the configuration necessary for SIP to use Secure Socket Layer (SSL) when communicating with various backend systems.
[Figure: Browser <-> SIP Server (HTTP, optionally SSL); SIP Server <-> Backend Management Stations / LDAP Servers (SSL)]
The following services already support the use of SSL:
LDAP
SIP Generic Module through https requests
The following hp OpenView products do not currently support https/SSL usage in their communication with SIP, but may support it in the future. Check http://openview.hp.com for updated information on these products.
hp OpenView internet services (http://openview.hp.com/products/internetservices)
hp OpenView reporter (http://openview.hp.com/products/reporter)
Required Software JSSE
The 1.3 JavaTM JDK/JRE from Sun does not provide an implementation of the SSL protocol for use by applications. Instead a separate package from Sun is available named Java Secure Socket Extension (JSSE).
JSSE is a reference implementation of SSL for JavaTM. It implements the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols, and includes functionality for data encryption, server authentication, message integrity, and optional client authentication.
JSSE for 1.3 JavaTM is available for download from the Sun web site at http://java.sun.com/products.
Note: JSSE has been integrated into the JavaTM 2 SDK, Standard Edition (J2SDK), v 1.4, which is currently a Beta release.
Installation and Configuration of JSSE
Step 1: Download the JSSE implementation from the Sun web site and unpack the download file. Follow the primary installation instructions as contained within the file INSTALL.txt which is provided as part of the JSSE download.
Make sure the new jar files (jcert.jar, jnet.jar, jsse.jar) are installed in the jre/lib/ext directory. For example on Windows the jar files might be installed in C:\jdk1.3\jre\lib\ext. On HP-UX the path would be /opt/java1.3/jre/lib/ext. The exact location depends on the installation directory of your JDK.
As noted in the INSTALL.txt file, it is important that the file java.security located in jre\lib\security contains the following line
security.provider.#=com.sun.net.ssl.internal.ssl.Provider
where the # is replaced with the appropriate integer value based on the number of
providers configured.
For example the following might be set:
## List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.rsajca.Provider
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
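A small checker for the java.security edit above, added here as an example (it is not part of the whitepaper or of the SIP product). It parses the security.provider.N lines, confirms the numbering is contiguous from 1 (Sun's provider loader reads .1, .2, ... and stops at the first gap, so a provider after a gap is silently never loaded), and reports the exact line to add when the JSSE provider is missing. The sample java.security text is constructed.

```python
import re

SSL_PROVIDER = "com.sun.net.ssl.internal.ssl.Provider"
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")


def parse_providers(text):
    """Return {index: class name} for every security.provider.N= line; comments are ignored."""
    providers = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PROVIDER_RE.match(line)
        if m:
            providers[int(m.group(1))] = m.group(2)
    return providers


def check_jsse_provider(text):
    """Return (ok, message): ok is True only when the provider list is numbered 1..N
    without gaps and contains the JSSE provider; otherwise message says what to fix."""
    providers = parse_providers(text)
    if not providers:
        return False, "no security.provider.N entries found"
    if sorted(providers) != list(range(1, len(providers) + 1)):
        # The JDK stops reading at the first missing index, so anything after a gap is ignored.
        return False, "provider numbering must be contiguous 1..N, found %s" % sorted(providers)
    for index, name in providers.items():
        if name == SSL_PROVIDER:
            return True, "JSSE provider registered at position %d" % index
    return False, "add: security.provider.%d=%s" % (len(providers) + 1, SSL_PROVIDER)


# Constructed sample resembling a stock JDK 1.3 list before JSSE is registered.
SAMPLE_BEFORE = """\
## List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.rsajca.Provider
"""

if __name__ == "__main__":
    print(check_jsse_provider(SAMPLE_BEFORE))
```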
Step 2: In order for SIP to communicate with a backend management station or LDAP server, the CA certificate must be installed and available for use on the SIP system. This is the CA certificate that was used to sign the certificate installed on the backend management station or LDAP server.
[Figure: the CA Authority signs the server certificate installed on the Backend Management Station / LDAP Server and provides the CA certificate that is installed on the SIP Server]
The following JavaTM keytool commands can be used as an example to load a CA
certificate into the jssecacerts file on the SIP server.
For Unix:
"$JAVA_HOME/bin/keytool" -import -file "cacertificatefilename" \
-keystore "$JAVA_HOME/jre/lib/security/jssecacerts" -trustcacerts \
-noprompt -storepass changeme -alias "youraliasname"
For Windows:
"%JAVA_HOME%\bin\keytool" -import -file "cacertificatefilename" \
-keystore "%JAVA_HOME%\jre\lib\security\jssecacerts" -trustcacerts \
-noprompt -storepass changeme -alias "youraliasname"
SIP Configuration
Once JSSE is configured and the CA certificates have been loaded as necessary for each backend management station and LDAP Server, the JVM that runs SIP must be configured with the appropriate parameters to use at startup. Finally various SIP components can be configured to take advantage of the new SSL functionality.
JVM Startup Configuration
On Windows, the registry must be updated such that the Tomcat service will start with an additional parameter. The following steps should be followed:
Step 1: Run regedit.exe
Step 2: Find the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tomcat\Parameters
Step 3: Modify the registry value JVM Option Count and increase the number by 1. In default installations the new JVM Option Count would contain the new value of 5.
Step 4: Add a new string value named JVM Option Number 4 and enter the value "-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
Step 5: Exit the registry editor and restart the tomcat service.
On Unix the following line in the /etc/rc.config.d/ovsip startup configuration file should be modified:
TOMCAT_OPTS="-Xms$INITIAL_HEAP_SIZE -Xmx$MAX_HEAP_SIZE"
The line should be expanded to contain the following:
SECURITY_PACKAGE=\
"-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
TOMCAT_OPTS=\
"-Xms$INITIAL_HEAP_SIZE -Xmx$MAX_HEAP_SIZE $SECURITY_PACKAGE"
Save the modified file and restart SIP.
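The Windows registry steps above rely on Tomcat numbering its JVM options from 0, which is why a default install (JVM Option Count = 4) gets the new value as JVM Option Number 4 and a count of 5. The helper below, added here as an example and not part of the whitepaper or SIP, models the Tomcat\Parameters key as a dict, checks that the count actually matches the numbered values before choosing a slot, and does not add the handler option a second time; the option values in the sample are constructed placeholders. Writing the result back would use the winreg module, which this offline example does not do.

```python
HANDLER_OPTION = "-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"


def add_jvm_option(params, option=HANDLER_OPTION):
    """Return a copy of the Tomcat Parameters values with `option` appended.

    `params` holds "JVM Option Count" plus "JVM Option Number 0" ..
    "JVM Option Number N-1" (Tomcat numbers its options from 0).
    """
    count = int(params.get("JVM Option Count", 0))
    names = ["JVM Option Number %d" % i for i in range(count)]
    missing = [n for n in names if n not in params]
    if missing:
        # Count and numbered values disagree (hand-edited key): stop rather
        # than guess which slot is free, since Tomcat stops at the first gap.
        raise ValueError("JVM Option Count=%d but missing %s" % (count, missing))
    updated = dict(params)
    if option in (params[n] for n in names):
        return updated  # already configured; adding it again would just waste a slot
    updated["JVM Option Number %d" % count] = option  # next free 0-based slot
    updated["JVM Option Count"] = count + 1
    return updated


# Constructed sample of a default SIP install: four options numbered 0..3.
# The option strings are placeholders, not values taken from the whitepaper.
DEFAULT_PARAMS = {
    "JVM Option Count": 4,
    "JVM Option Number 0": "-Xms64m",
    "JVM Option Number 1": "-Xmx128m",
    "JVM Option Number 2": "-Dplaceholder.one=1",
    "JVM Option Number 3": "-Dplaceholder.two=2",
}

if __name__ == "__main__":
    for name, value in sorted(add_jvm_option(DEFAULT_PARAMS).items()):
        print("%s = %s" % (name, value))
```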
LDAP Authentication Provider
If necessary, the LDAP Authentication Provider can now be configured if SSL access is required. Please see the section Configuring Authentication in the HP OpenView Service Information Portal 3.0 Deployment and Integration Guide.
SIPConfig GUI
The SIP Configuration Editor, SIPConfig, that provides configuration of management stations accessible to SIP, can indicate that SSL/https should be used by SIP modules to communicate with the management station. In order to enable this feature, you need to modify the script that starts SIPConfig.
Before enabling this feature, you should verify that the management stations, for which you intend to configure the use of SSL, support https access. You may need to perform configuration changes on the management station to enable https.
For Windows the following file needs to be modified:
%SIP_HOME%\bin\SIPConfig.vbs
For Unix the following file needs to be modified:
/opt/OV/SIP/bin/SIPConfig
The following lines contain the relevant section to be modified. The following is taken from the Windows based script file. The Unix variant is slightly different.
REM The following section should be updated if the https protocol
REM is to be used between SIP and various management stations.
REM By default, the "Use https ..." button for the OVIS and ReportingStation
REM types is disabled. To enable this button and indicate that https/SSL should
REM be used, an implementation of the SSL protocol must be installed
REM on the SIP system. The SSL protocol does not come standard with JDK 1.3.1.
REM Sun's JSSE is one such package that provides an implementation of the
REM SSL protocol. Download and install the JSSE package or other SSL provider.
REM Then modify this script such that PROTOCOL_HANDLER is set to the class
REM providing the SSL implementation. Check the documentation of your SSL
REM provider to determine the correct class name. The JSSE default class is
REM provided below. If using JSSE, set
REM PROTOCOL_HANDLER="com.sun.net.ssl.internal.www.protocol".
REM Then run SIPConfig. If SIPConfig detects that the https protocol is installed
REM on the SIP system, then the "Use https ..." button will be enabled.
REM
REM JSSE sample PROTOCOL_HANDLER="com.sun.net.ssl.internal.www.protocol"
PROTOCOL_HANDLER=""
PROTOCOL_HANDLER_PROPERTY="java.protocol.handler.pkgs"
SECURITY_PACKAGE=""
If (PROTOCOL_HANDLER <> "") Then
    SECURITY_PACKAGE = "-D" & PROTOCOL_HANDLER_PROPERTY & "=" & PROTOCOL_HANDLER
End If
Change the line
PROTOCOL_HANDLER=""
to the following:
PROTOCOL_HANDLER="com.sun.net.ssl.internal.www.protocol"
Save the file and restart the SIP Configuration Editor. You will find that the buttons that enable https support for various management station types can now be selected.
If https is not supported or configured properly on the management station and you subsequently attempt to access the management station using https, SIP will not function correctly and will most likely log errors to sip.trace and sip.log.
SIP Generic Module
URLs specified in Generic Module instances can specify the https protocol. If the URL's displayMethod is "inline" or "anchor", the browser (not SIP) will access the URL. But if the URL's displayMethod is "embedded", SIP will access the URL and interpolate the data into the module output. If the URL's protocol is https, you must configure JSSE as described above in order to make this work.
For example the following Generic module XML configuration in a SIP view could be
utilized: