If you want to run KPI Management using HTTPS, you need to follow these steps:
Create a Keystore for the SC
Start the generation sequence by entering:
$ keytool -keystore <path to where the keystore should be placed>/kpi.keys -genkeypair -keyalg RSA -alias kpisc -ext san=ip:<your SC ip address>
Note!
The directory where the keys are to be placed should exist before running this command.
- Enter a password when prompted.
- When asked “What is your first and last name?” type in your SC host (localhost, for example)
- Leave the rest of the fields for the CN empty.
- When asked to verify that the CN is correct, enter yes.
- Enter the password for the platform when prompted.
Your keystore has now been created.
Export a Certificate from the Created Keystore
Start the export sequence by entering:
$ keytool -keystore <path to where the keystore is placed>/kpi.keys -export -rfc -alias kpisc -file <path to where the keystore is placed>/kpi.pem
- Enter the password for the keystore when prompted.
The certificate has now been created.
Import the Certificate into the CAcerts
The certificate should be imported on the machines that will connect to you kpisc, Spark, SC etc. Follow this procedure for each machine:
Start the import sequence by entering:
$ keytool -import -alias platform -file <path to where the keystore is placed>/kpi.pem -keystore $JAVA_HOME/jre/lib/security/cacerts -keypass <certificate password> -storepass <keystore password>e
Note!
You need to have
root
privileges to execute this command.- Enter the password for the CAcert keystore when prompted.
The certificate is now imported.
Configure HTTP Properties for KPISC
Configure the following HTTP properties:
mz.httpd.security
Set the value of this to property totrue
(default value isfalse
) to enable encryption.$ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security"' true
mz.httpd.security.keystore
Use this property to set the keystore path, which must be absolute.$ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security.keystore"' <keystore path>
mz.httpd.security.keystore.password
Use this property to set the password for the keystore, as selected inkeytool
.$ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security.keystore.password"' \ `mzsh encryptpassword <password>`
mz.httpd.security.key.password
Use this property to set to the password for the key, as chosen inkeytool
. By default this is the same as the keystore password. (This is the default forkeytool
).$ mzsh topo set topo://container:<container>/val:common.mz.httpd.security.key.password \ `mzsh encryptpassword <password>`
Note!
These properties are as described for general HTTP Configuration for in the System Administrator's Guide. When using them for KPI Management the values entered should be as follows:
<keystore path>
for themz.httpd.security.keystore
property should be the path to your local keystore where you created the keystore.<password>
for themz.httpd.security.keystore.password
andmz.httpd.security.key.password
properties should be the one you set when creating the keystore.
Now you are ready to get started with KPI Management using HTTPS. Follow the instructions on 4.1 KPI Management Quick-Start Guide (before 8.1.2.0) for an example of how to do this.
Browser Configuration
To make the KPI Management WebUI work with HTTPS:
- Navigate directly to your service model in your browser by using a URL pointing out the model;
https://<platform host>:8095/api/v1/model?config=<service model>
.
You will see a message saying that the certificate is not trusted and there will be a button you can click to add an exclusion for it. - Add an exclusion for the certificate.
The content will now be available for editing.
See 2.4.2 Creating a Profile and Provisioning via the Web UI for further information on how to create and edit your service models.