8. Configuration of Properties for PCC Using the Web UI

The Web UI connects to the Platform and indirectly to an EC or ECSA that is running a REST interface. 

To use the PCC in the Web UI, you need to configure access to the REST interface, i.e. host, port, etc. Optionally, you may also configure the Web UI to use HTTPS.


Setting up the HTTPS environment

To set up a working HTTPS environment for PCC (when REST is running on an EC/ECSA on a separate host):
 

  1. Create a keystore for the Platform in the Platform Container. 

    $ keytool -keystore platform.keys -genkey -keyalg RSA

     

  2. When keytool prompts for your first and last name, enter the host name for the Platform. This will become the CN (Common Name).
     

  3. Create a keystore for the EC/ECSA in the Execution Container.

    $ keytool -keystore ec.keys -genkey -keyalg RSA

     

  4. When keytool prompts for your first and last name, enter the host name for the EC.
     

  5. Set the following properties on container level in the Execution Container:

    • mz.httpd.security
      Set the value of this property to true (default value is false) to enable encryption.

      $ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security"' true
    • mz.httpd.security.keystore
      Use this property to set the keystore path, which must be absolute.

      $ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security.keystore"' <keystore path>
    • mz.httpd.security.keystore.password
      Use this property to set the password for the keystore, as selected in keytool.

      $ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security.keystore.password"' \
      `mzsh encryptpassword <password>`
    • mz.httpd.security.key.password
      Use this property to set the password for the key, as chosen in keytool. By default, this is the same as the keystore password, which is also the keytool default.

      $ mzsh topo set topo://container:<container>/val:common.mz.httpd.security.key.password \
      `mzsh encryptpassword <password>`

    Example - Configuring keystore properties

    $ mzsh topo set 'topo://container:main1/val:common."mz.httpd.security"' true
    $ mzsh topo set 'topo://container:main1/val:common."mz.httpd.security.keystore"' \
    '${mz.home}/"keys/container.keys"'
    $ mzsh topo set 'topo://container:main1/val:common."mz.httpd.security.keystore.password"' \
    `mzsh encryptpassword <password>`
    $ mzsh topo set topo://container:main1/val:common.mz.httpd.security.key.password \
    `mzsh encryptpassword <password>`

    Note!

    After having configured the properties, this section:

    # Http url to platform, e.g http://localhost:9000
    if [ -z "${MZ_PLATFORM+x}" ]; then
        MZ_PLATFORM="http://localhost:9000"
        export MZ_PLATFORM

    in the $MZ_HOME/bin/mzsh file needs to be updated to state https instead of http for both the Platform and the ECs.

  6. Restart the EC/ECSA.
     

  7. Run openssl against the EC/ECSA:

    $ openssl s_client -connect <ec-host>:<port>

     

  8. From the printout, copy the text from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----", including both marker lines, and paste it into a file that you save as cert.pem.
     

  9. Move the file to the Platform and import the certificate to the platform keystore:

    $ keytool -import -alias mkey -keystore platform.keys -file cert.pem

     

  10. Set the properties listed in step 5 in the Platform Container.


  11. Set the following properties in the Platform Container: 

    • javax.net.ssl.trustStore
      Use the same value as for mz.httpd.security.keystore.

      $ mzsh topo set topo://container:<container>/val:common.javax.net.ssl.trustStore \
      '${mz.home}/"keys/container.keys"'
    • javax.net.ssl.trustStorePassword

      Use the same value as for mz.httpd.security.keystore.password but unencrypted.

      $ mzsh topo set topo://container:<platform container>/val:common.javax.net.ssl.trustStorePassword <password>

      Example - Setting javax.net.ssl properties

      $ mzsh topo set 'topo://container:main1/val:common.javax.net.ssl.trustStore' \
      '${mz.home}/"keys/container.keys"'
      $ mzsh topo set topo://container:main1/val:common.javax.net.ssl.trustStorePassword <password>

      Note!

      The javax.net.ssl.trustStorePassword password must not be encrypted.
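
Steps 7 to 9 trust whatever certificate the network connection returns, so it is worth comparing its SHA-256 fingerprint with the one read directly from ec.keys on the EC host before importing it. The shell helpers below are an added example, not part of the product or its documentation; the function names and the sample s_client output are constructed for illustration.

```shell
# Added example with hypothetical function names; not product code.

# Print only the first PEM block (the server certificate) from s_client output.
extract_leaf_cert() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p                               { print }
         /^-----END CERTIFICATE-----$/   { if (p) exit }'
}

# Reduce "sha256 Fingerprint=AA:BB...", keytool's "SHA256: AA:BB..." or bare
# hex to upper-case hex digits only.
normalize_fp() {
    printf '%s' "$1" |
        sed -e 's/^.*=//' -e 's/^[[:space:]]*[Ss][Hh][Aa]256:[[:space:]]*//' |
        tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same well-formed SHA-256 fingerprint
# (64 hex digits); malformed input returns 2 instead of matching.
fp_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#a}" -eq 64 ] || return 2
    [ "$a" = "$b" ]
}

# Compare cert.pem ($1) with the fingerprint read on the EC host ($2), e.g.
# the "SHA256:" line of: keytool -list -v -keystore ec.keys
check_before_import() {
    got=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    fp_match "$got" "$2"
}

# Constructed sample of s_client output (the base64 body is a placeholder).
SAMPLE_S_CLIENT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ec-host.example
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
---
SSL handshake has read 1337 bytes'
# Typical use:
#   openssl s_client -connect <ec-host>:<port> </dev/null | extract_leaf_cert > cert.pem
#   check_before_import cert.pem "<SHA256 line from the EC host>" &&
#       keytool -import -alias mkey -keystore platform.keys -file cert.pem
```

Transfer the expected fingerprint over a channel other than the HTTPS connection being set up, for example the administrative session on the EC host.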

Configuring the Platform for SSL

To use SSL, set the Platform property mz.pcc.restful.usesecure.

$ mzsh topo set topo://container:<container>/val:common.mz.pcc.restful.usesecure true

Valid values for enabling the secure connection are true, yes, and 1. With any other value, or if the property is not set, the connection is not secure.

Setting up access to REST for PCC in the Web UI

This section describes how to set up access to the REST interface for using PCC in the Web UI, which includes Usage Management and Policy Control.

  1. Set the following Platform properties:
    • mz.pcc.restful.host
      The name of the Execution Container host where the REST interface runs.

      $ mzsh topo set topo://container:<container>/pico:platform/val:config.properties.mz.pcc.restful.host <hostname>
    • mz.pcc.restful.port
      Set this property to the same value as ec.httpd.port for the EC/ECSA that you want to use for reading/writing to the Data Repository.

      $ mzsh topo set topo://container:<container>/pico:platform/val:config.properties.mz.pcc.restful.port \
      `mzsh topo get --format data-only topo://container:<container>/pico:<pico>/val:config.properties.ec.httpd.port`

       

  2. Restart the Platform.

The Web UI can now be accessed at http://<platform host>:<web interface port>/mz/, where the port is the one stated by the Platform property mz.wi.port.

Note!

PCC Proxy is a supported feature. In fact, Proxy is the default way to access PCC UIs for an online web application hosted at the URL {host}:{port}/mz/.