sip twp config

Upload: vijay-anand

Post on 06-Apr-2018


  • 8/3/2019 Sip Twp Config

    1/8

    Configuring SIP to Use Secure Socket Layer (SSL) Protocol for HTTPS

    Whitepaper

    Version 1.0

    February 8, 2002


    Table of Contents

    INTRODUCTION ........................................ 3

    REQUIRED SOFTWARE JSSE .............................. 4

    INSTALLATION AND CONFIGURATION OF JSSE .............. 4

    SIP CONFIGURATION ................................... 5

    JVM STARTUP CONFIGURATION ........................... 6

    LDAP AUTHENTICATION PROVIDER ........................ 6

    SIPCONFIG GUI ....................................... 6

    SIP GENERIC MODULE .................................. 8


    Introduction

    Service Information Portal (SIP) has been designed to work in a distributed environment and to provide your customers with valuable information about the performance and current status of systems and services within a managed environment.

    In some configurations, communication between SIP and backend management stations and/or LDAP servers uses SSL, as depicted below. This document describes the configuration necessary for SIP to use Secure Socket Layer (SSL) when communicating with various backend systems.

    [Figure: the Browser communicates with the SIP Server over HTTP; the SIP Server communicates with the Backend Management Stations / LDAP Servers over SSL.]

    The following services already support the use of SSL:

    LDAP

    SIP Generic Module through https requests

    The following hp OpenView products do not currently support https/SSL usage in their communication with SIP, but may support it in the future. Check http://openview.hp.com for updated information on these products.

    hp OpenView internet services (http://openview/hp.com/products/internetservices)

    hp OpenView reporter (http://openview.hp.com/products/reporter)


    Required Software JSSE

    The 1.3 Java™ JDK/JRE from Sun does not provide an implementation of the SSL protocol for use by applications. Instead, a separate package from Sun is available, named Java Secure Socket Extension (JSSE).

    JSSE is a reference implementation of SSL for Java™. It implements the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols, and includes functionality for data encryption, server authentication, message integrity, and optional client authentication.

    JSSE for 1.3 Java™ is available for download from the Sun web site at http://java.sun.com/products.

    Note: JSSE has been integrated into the Java™ 2 SDK, Standard Edition (J2SDK), v 1.4, which is currently a Beta release.

    Installation and Configuration of JSSE

    Step 1: Download the JSSE implementation from the Sun web site and unpack the download file. Follow the primary installation instructions as contained within the file INSTALL.txt, which is provided as part of the JSSE download.

    Make sure the new jar files (jcert.jar, jnet.jar, jsse.jar) are installed in the jre/lib/ext directory. For example, on Windows the jar files might be installed in C:\jdk1.3\jre\lib\ext. On HP-UX the path would be /opt/java1.3/jre/lib/ext. The exact location depends on the installation directory of your JDK.

    As noted in the INSTALL.txt file, it is important that the file java.security located in jre\lib\security contains the following line:

    security.provider.#=com.sun.net.ssl.internal.ssl.Provider

    where the # is replaced with the appropriate integer value based on the number of providers already configured.

    For example the following might be set:

    ## List of providers and their preference orders (see above):

    #

    security.provider.1=sun.security.provider.Sun

    security.provider.2=com.sun.rsajca.Provider

    security.provider.3=com.sun.net.ssl.internal.ssl.Provider


    Step 2: In order for SIP to communicate with a backend management station or LDAP server, the CA certificate must be installed and available for use on the SIP system. This is the CA certificate that was used to sign the certificate installed on the backend management station or LDAP server.

    [Figure: the CA Authority signs the Server certificate, which is installed on the Backend Management Stations / LDAP Servers, and provides the CA certificate, which is installed on the SIP Server.]

    The following Java™ keytool commands can be used as an example to load a CA certificate into the jssecacerts file on the SIP server.

    For Unix:

    "$JAVA_HOME/bin/keytool" -import -file "cacertificatefilename" \
      -keystore "$JAVA_HOME/jre/lib/security/jssecacerts" -trustcacerts \
      -noprompt -storepass changeme -alias "youraliasname"

    For Windows:

    "%JAVA_HOME%\bin\keytool" -import -file "cacertificatefilename" \
      -keystore "%JAVA_HOME%\jre\lib\security\jssecacerts" -trustcacerts \
      -noprompt -storepass changeme -alias "youraliasname"

    SIP Configuration

    Once JSSE is configured and the CA certificates have been loaded as necessary for each backend management station and LDAP server, the JVM that runs SIP must be configured with the appropriate parameters to use at startup. Finally, various SIP components can be configured to take advantage of the new SSL functionality.


    JVM Startup Configuration

    On Windows, the registry must be updated such that the Tomcat service will start with an additional parameter. The following steps should be followed:

    Step 1: Run regedit.exe

    Step 2: Find the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tomcat\Parameters

    Step 3: Modify the registry value JVM Option Count and increase the number by 1. In default installations the new JVM Option Count would contain the new value of 5.

    Step 4: Add a new string value named JVM Option Number 4 and enter the value "-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"

    Step 5: Exit the registry editor and restart the Tomcat service.

    On Unix, the following line in the /etc/rc.config.d/ovsip startup configuration file should be modified:

    TOMCAT_OPTS="-Xms$INITIAL_HEAP_SIZE -Xmx$MAX_HEAP_SIZE"

    The line should be expanded to contain the following:

    SECURITY_PACKAGE=\
    "-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"

    TOMCAT_OPTS=\
    "-Xms$INITIAL_HEAP_SIZE -Xmx$MAX_HEAP_SIZE $SECURITY_PACKAGE"

    Save the modified file and restart SIP.
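To confirm that the three settings above took effect on the SIP server (the JSSE provider line in java.security, the CA alias imported into jssecacerts, and the -Djava.protocol.handler.pkgs option passed to the JVM), the following check can be run once with the same JVM option Tomcat receives. It is an added example using only JDK 1.3 APIs, not code from the whitepaper or from the SIP product; the alias and store password are taken from the keytool example, and the hostname is a placeholder that is never contacted.

```java
import java.io.File;
import java.io.FileInputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.X509Certificate;

/** Post-install check for the JSSE setup described above (JDK 1.3 APIs only).
 *  Run as: java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol SipSslCheck youraliasname */
public class SipSslCheck {

    /** Step 1 check: the provider registered via java.security ("SunJSSE" is its provider name). */
    static boolean providerRegistered() {
        return Security.getProvider("SunJSSE") != null;
    }

    /** JVM startup check: without the handler package property, JDK 1.3 cannot build an https URL. */
    static boolean httpsHandlerAvailable() {
        try {
            new URL("https://sip-backend.example/"); // placeholder host; no connection is opened
            return true;
        } catch (MalformedURLException e) {          // reported as "unknown protocol: https"
            return false;
        }
    }

    /** Step 2 check: returns the trusted CA stored under alias in jssecacerts, or null if absent. */
    static X509Certificate trustedCa(String alias, char[] storePass) throws Exception {
        // java.home points at the JRE directory, e.g. C:\jdk1.3\jre or /opt/java1.3/jre
        File trustStore = new File(System.getProperty("java.home"), "lib/security/jssecacerts");
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(trustStore);
        try { ks.load(in, storePass); } finally { in.close(); }
        if (!ks.isCertificateEntry(alias)) return null;
        return (X509Certificate) ks.getCertificate(alias);
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "youraliasname";
        System.out.println("SunJSSE provider registered: " + providerRegistered());
        System.out.println("https handler available:     " + httpsHandlerAvailable());
        X509Certificate ca = trustedCa(alias, "changeme".toCharArray()); // password from the keytool example
        if (ca == null) {
            System.out.println("CA alias '" + alias + "' not found in jssecacerts");
        } else {
            System.out.println("CA '" + alias + "': " + ca.getSubjectDN() + ", expires " + ca.getNotAfter());
        }
    }
}
```

JSSE consults jssecacerts in preference to the cacerts file in the same directory, so a CA imported into jssecacerts is the one that applies when SIP connects over https.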

    LDAP Authentication Provider

    If SSL access is required, the LDAP Authentication Provider can now be configured. Please see the section Configuring Authentication in the HP OpenView Service Information Portal 3.0 Deployment and Integration Guide.

    SIPConfig GUI

    The SIP Configuration Editor, SIPConfig, which provides configuration of the management stations accessible to SIP, can indicate that SSL/https should be used by SIP modules to communicate with a management station. In order to enable this feature, you need to modify the script that starts SIPConfig.


    Before enabling this feature, you should verify that the management stations for which you intend to configure the use of SSL support https access. You may need to perform configuration changes on the management station to enable https.

    For Windows the following file needs to be modified:

    %SIP_HOME%\bin\SIPConfig.vbs

    For Unix the following file needs to be modified:

    /opt/OV/SIP/bin/SIPConfig

    The following lines contain the relevant section to be modified. They are taken from the Windows-based script file; the Unix variant is slightly different.

    REM The following section should be updated if the https protocol
    REM is to be used between SIP and various management stations.
    REM By default, the "Use https ..." button for the OVIS and ReportingStation
    REM types is disabled. To enable this button and indicate that https/SSL should
    REM be used, an implementation of the SSL protocol must be installed
    REM on the SIP system. The SSL protocol does not come standard with JDK 1.3.1.
    REM Sun's JSSE is one such package that provides an implementation of the
    REM SSL protocol. Download and install the JSSE package or other SSL provider.
    REM Then modify this script such that PROTOCOL_HANDLER is set to the class
    REM providing the SSL implementation. Check the documentation of your SSL
    REM provider to determine the correct class name. The JSSE default class is
    REM provided below. If using JSSE, set
    REM PROTOCOL_HANDLER="com.sun.net.ssl.internal.www.protocol".
    REM Then run SIPConfig. If SIPConfig detects that the https protocol is installed
    REM on the SIP system, then the "Use https ..." button will be enabled.
    REM
    REM JSSE sample PROTOCOL_HANDLER="com.sun.net.ssl.internal.www.protocol"
    PROTOCOL_HANDLER=""
    PROTOCOL_HANDLER_PROPERTY="java.protocol.handler.pkgs"
    SECURITY_PACKAGE=""
    If (PROTOCOL_HANDLER <> "") Then
        SECURITY_PACKAGE = "-D" & PROTOCOL_HANDLER_PROPERTY & "=" & PROTOCOL_HANDLER
    End If

    Change the line

    PROTOCOL_HANDLER=""

    to the following:

    PROTOCOL_HANDLER="com.sun.net.ssl.internal.www.protocol"

    Save the file and restart the SIP Configuration Editor. You will find that the buttons that enable https support for the various management station types can now be selected.


    If https is not supported or configured properly on the management station and you subsequently attempt to access the management station using https, SIP will not function correctly and will most likely log errors to sip.trace and sip.log.

    SIP Generic Module

    URLs specified in Generic Module instances can specify the https protocol. If the URL's displayMethod is "inline" or "anchor", the browser (not SIP) will access the URL. But if the URL's displayMethod is "embedded", SIP will access the URL and interpolate the data into the module output. If the URL's protocol is https, you must configure JSSE as described above in order to make this work.

    For example, the following Generic Module XML configuration in a SIP view could be utilized: