KPI Management - Using HTTPS

Owned by Jenni Wallin
Last updated: Jun 14, 2023
2 min read

If you want to run KPI Management using HTTPS, you need to follow these steps:

Create a Keystore for the SC

  1. Start the generation sequence by entering:

    $ keytool -keystore <path to where the keystore should be placed>/kpi.keys -genkeypair -keyalg RSA -alias kpisc -ext san=ip:<your SC ip address>

    Note!

    The directory where the keys are to be placed should exist before running this command.

  2. Enter a password when prompted.

  3. When asked “What is your first and last name?” type in your SC host (localhost, for example)

  4. Leave the rest of the fields for the CN empty.

  5. When asked to verify that the CN is correct, enter yes.

  6. Enter the password for the platform when prompted.

Your keystore has now been created.

Export a Certificate from the Created Keystore

  1. Start the export sequence by entering:

    $ keytool -keystore <path to where the keystore is placed>/kpi.keys -export -rfc -alias kpisc -file <path to where the keystore is placed>/kpi.pem
  2. Enter the password for the keystore when prompted.

The certificate has now been created.

Import the Certificate into the CAcerts

The certificate should be imported on the machines that will connect to you kpisc, Spark, SC etc. Follow this procedure for each machine:

  1. Start the import sequence by entering:

    $ keytool -import -alias platform -file <path to where the keystore is placed>/kpi.pem -keystore $JAVA_HOME/jre/lib/security/cacerts -keypass <certificate password> -storepass <keystore password>e

    Note!

    You need to have root privileges to execute this command.

  2. Enter the password for the CAcert keystore when prompted.

The certificate is now imported.

Configure HTTP Properties for KPISC

Configure the following HTTP properties:

  • mz.httpd.security
    Set the value of this property to true (default value is false) to enable encryption.

    $ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security"' true

  • mz.httpd.security.keystore
    Use this property to set the keystore path, which must be absolute.

    $ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security.keystore"' <keystore path>

  • mz.httpd.security.keystore.password
    Use this property to set the password for the keystore, as selected in keytool

    $ mzsh topo set 'topo://container:<container>/val:common."mz.httpd.security.keystore.password"' \
`mzsh encryptpassword <password>`

  • mz.httpd.security.key.password
    Use this property to set the password for the key, as chosen in keytool. By default, this is the same as the keystore password. (This is the default for keytool).

    $ mzsh topo set topo://container:<container>/val:common.mz.httpd.security.key.password \
`mzsh encryptpassword <password>`

Note!

These properties are as described for general HTTP Configuration in the System Administrator's Guide. When using them for KPI Management the values entered should be as follows:

  • <keystore path> for the mz.httpd.security.keystore property should be the path to your local keystore where you created the keystore.
  • <password> for the mz.httpd.security.keystore.password and mz.httpd.security.key.password properties should be the one you set when creating the keystore.


Now you are ready to get started with KPI Management using HTTPS. 

Browser Configuration

To make the KPI Management WebUI work with HTTPS:

  1. Navigate directly to your service model in your browser by using a URL pointing out the model; https://<platform host>:8095/api/v1/model?config=<service model>.

    You will see a message saying that the certificate is not trusted and there will be a button you can click to add an exclusion for it.

  2. Add an exclusion for the certificate.

    The content will now be available for editing.

See Creating a Profile and Service Model Using the Model Builder for further information on how to create and edit your service models.