8. Configuration of Properties for PCC Using the Web UI
The Web UI connects to the Platform and indirectly to an EC or ECSA that is running a REST interface.
In order to use the PCC in the Web UI, you need to configure access to the REST interface, i.e. host, port, etc. Optionally, you may also configure the Web UI to use HTTPS.
Setting up the HTTPS environment
To set up a working HTTPS environment for PCC (when REST is running on an EC/ECSA on a separate host):
Create a keystore for the Platform in the Platform Container.
$ keytool -keystore platform.keys -genkey -keyalg RSA
When first name is required, enter the host name for the Platform. This will become the CN, Common Name.
Create a keystore for the EC/ECSA in the Execution Container.
$ keytool -keystore ec.keys -genkey -keyalg RSA
When first name is required, enter the host name for the EC.
Set the following properties on container level in the Execution Container:
mz.httpd.security
Set the value of this property to true (default value is false) to enable encryption.
$ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security"' true
mz.httpd.security.keystore
Use this property to set the keystore path, which must be absolute.
$ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security.keystore"' <keystore path>
mz.httpd.security.keystore.password
Use this property to set the password for the keystore, as selected in keytool.
$ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security.keystore.password"' \
`mzsh encryptpassword <password>`
mz.httpd.security.key.password
Use this property to set the password for the key, as chosen in keytool. By default, this is the same as the keystore password. (This is the default for keytool.)
$ mzsh topo set topo://container:<container>/val:common.mz.httpd.security.key.password \
`mzsh encryptpassword <password>`
Example - Configuring keystore properties
$ mzsh topo set 'topo://container:main1/val:common."mz.httpd.security"' true
$ mzsh topo set 'topo://container:main1/val:common."mz.httpd.security.keystore"' \
'${mz.home}/"keys/container.keys"'
$ mzsh topo set 'topo://container:main1/val:common."mz.httpd.security.keystore.password"' \
`mzsh encryptpassword <password>`
$ mzsh topo set topo://container:main1/val:common.mz.httpd.security.key.password \
`mzsh encryptpassword <password>`
Note!
After having configured the properties, this section:
# Http url to platform, e.g http://localhost:9000
if [ -z "${MZ_PLATFORM+x}" ]; then
    MZ_PLATFORM="http://localhost:9000"
    export MZ_PLATFORM
fi
in the $MZ_HOME/bin/mzsh file needs to be updated to state https instead of http for both the Platform and the ECs.
Restart the EC/ECSA.
Run openssl against the EC/ECSA:
$ openssl s_client -connect <ec-host>:<port>
From the printout, copy the text from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" and paste it into a file that you save as cert.pem.
Move the file to the Platform and import the certificate to the platform keystore:
$ keytool -import -alias mkey -keystore platform.keys -file cert.pem
Set the properties listed in step 5 in the Platform Container.
Set the following properties in the Platform Container:
javax.net.ssl.trustStore
Use the same value as for mz.httpd.security.keystore.
$ mzsh topo set topo://container:<container>/val:common.javax.net.ssl.trustStore \
'${mz.home}/"keys/container.keys"'
javax.net.ssl.trustStorePassword
Use the same value as for mz.httpd.security.keystore.password but unencrypted.
$ mzsh topo set topo://container:<platform container>/val:common.javax.net.ssl.trustStorePassword <password>
Example - Setting javax.net.ssl properties
$ mzsh topo set 'topo://container:main1/val:common.javax.net.ssl.trustStore' \
'${mz.home}/"keys/container.keys"'
$ mzsh topo set topo://container:main1/val:common.javax.net.ssl.trustStorePassword <password>
Note!
The javax.net.ssl.trustStorePassword password must not be encrypted.
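Added example (not part of the product documentation): once imported, the certificate copied from the openssl s_client printout is trusted as-is, so before running keytool -import it is worth confirming that it is the certificate generated into ec.keys. The shell functions below compare the SHA-256 fingerprint of the served certificate with the one keytool reports on the EC host; the function names and the sample printout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not product code: confirm that the certificate captured with
# `openssl s_client` is the one generated into ec.keys before importing it.

# Keep only the first PEM block (the server certificate) from s_client output.
extract_leaf_cert() {
    awk '/^-----BEGIN CERTIFICATE-----/ { grab = 1 }
         grab { print }
         grab && /^-----END CERTIFICATE-----/ { exit }'
}

# Reduce a fingerprint line from either tool to bare upper-case hex, e.g.
#   openssl x509:     "sha256 Fingerprint=AB:CD:..."
#   keytool -list -v: "SHA256: AB:CD:..."
normalize_fp() {
    tr -d '\r' |
        awk '{ sub(/[ \t]+$/, ""); n = split($0, f, /[ \t=]+/); print f[n] }' |
        tr -d ':' | tr 'abcdef' 'ABCDEF'
}

# Platform host: save what <ec-host>:<port> serves and fingerprint it.
served_fp() {   # $1 = host:port, $2 = output file, e.g. cert.pem
    openssl s_client -connect "$1" </dev/null 2>/dev/null | extract_leaf_cert >"$2"
    openssl x509 -in "$2" -noout -fingerprint -sha256 | normalize_fp
}

# EC host: fingerprint of the first entry in the keystore.
keystore_fp() { # $1 = keystore path; keytool prompts for the password
    keytool -list -v -keystore "$1" | awk '/SHA256:/ { print; exit }' | normalize_fp
}

# True only when both fingerprints are non-empty and identical.
same_cert() {
    a=$(printf '%s\n' "$1" | normalize_fp)
    b=$(printf '%s\n' "$2" | normalize_fp)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample of s_client output (placeholder body, not a real cert).
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
Server certificate
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERNOTAREALCERT==
-----END CERTIFICATE-----
subject=CN = ec-host.example
EOF
}
```

On the EC host run keystore_fp ec.keys, on the Platform host run served_fp <ec-host>:<port> cert.pem, and import cert.pem only if same_cert reports a match for the two values.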
Configuring the Platform for SSL
To use SSL, set the Platform property mz.pcc.restful.usesecure.
$ mzsh topo set topo://container:<container>/val:common.mz.pcc.restful.usesecure true
Valid values for using the secure connection are true, yes, and 1. Any other value, or excluding the argument, means that you have no secure connection.
Setting up access to REST for PCC in the Web UI
This section describes how to set up access to the REST interface for using PCC in the Web UI, which includes Usage Management and Policy Control.
- Set the following Platform properties:
mz.pcc.restful.host
The name of the Execution Container host where the REST interface runs.
$ mzsh topo set topo://container:<container>/pico:platform/val:config.properties.mz.pcc.restful.host <hostname>
mz.pcc.restful.port
Set this property to the same value as ec.httpd.port for the EC/ECSA that you want to use for reading/writing to the Data Repository.
$ mzsh topo set topo://container:<container>/pico:platform/val:config.properties.mz.pcc.restful.port \
`mzsh topo get --format data-only topo://container:<container>/pico:<pico>/val:config.properties.ec.httpd.port`
- Restart the Platform.
The Web UI can now be accessed at: http://<platform host>:<web interface port>/mz/ by connecting to the port stated by the Platform property mz.wi.port.
Note!
PCC Proxy is a supported feature; in fact, Proxy is the default way to access PCC UIs for an online web application hosted at the URL {host}:{port}/mz/.