
Securing HCS 8.0.0-00 for Encrypted Communications using Self-Signed Certificates

Blog Post created by Vinod Subramaniam on May 13, 2014

A. Securing HCS 8.0.0-00 for Encrypted Communications using Self-Signed Certificates

 

1. Securing Common Component

 

a. Create a self-signed certificate

 

[root@RHEL64-2 bin]# ./hcmds64ssltool -key /root/certs/`hostname`.pem -cert /root/certs/`hostname`.cert -csr /root/certs/`hostname`.csr -certtext /root/certs/`hostname`.txt -validity 3650 -dname "CN=$(hostname),OU=SAN,O=ADP,L=Alpharetta,ST=GA,C=US"

 

KAPM06764-I The hcmds64ssltool command ended successfully.

 

b. Stop all HCS 8.0 Services

 

[root@RHEL64-2 bin]# /opt/HiCommand/Base64/bin/hcmds64srv -stop

KAPM05017-I Succeeded in stopping of service. service-name=HCS Tuning Manager REST Application Service

KAPM05017-I Succeeded in stopping of service. service-name=HiCommand Performance Reporter

KAPM05017-I Succeeded in stopping of service. service-name=HiCommand Suite TuningManager

KAPM05017-I Succeeded in stopping of service. service-name=HBase 64 Storage Mgmt Common Service

KAPM05017-I Succeeded in stopping of service. service-name=HCS Device Manager Web Service

KAPM05017-I Succeeded in stopping of service. service-name=HBase 64 Storage Mgmt SSO Service

KAPM05017-I Succeeded in stopping of service. service-name=HBase 64 Storage Mgmt Web SSO Service

KAPM05017-I Succeeded in stopping of service. service-name=HBase 64 Storage Mgmt Web Service

KAPM06439-I The HiRDB service has stopped.

 

c. Ensure you can ping the hostname locally as well as from clients

[root@RHEL64-2 bin]# ping RHEL64-2

PING RHEL64-2.gs.lab (172.17.237.129) 56(84) bytes of data.

64 bytes from RHEL64-2.gs.lab (172.17.237.129): icmp_seq=1 ttl=64 time=0.031 ms

64 bytes from RHEL64-2.gs.lab (172.17.237.129): icmp_seq=2 ttl=64 time=0.040 ms

64 bytes from RHEL64-2.gs.lab (172.17.237.129): icmp_seq=3 ttl=64 time=0.034 ms

64 bytes from RHEL64-2.gs.lab (172.17.237.129): icmp_seq=4 ttl=64 time=0.039 ms

d. Edit /opt/HiCommand/Base64/uCPSB/httpsd/conf/user_httpsd.conf file

 

BEFORE (the # lines below are the ones to uncomment)

 

[root@RHEL64-2 bin]# more /opt/HiCommand/Base64/uCPSB/httpsd/conf/user_httpsd.conf

ServerName RHEL64-2

Listen 22015

Listen [::]:22015

#Listen 127.0.0.1:22015

SSLDisable

#Listen 22016

#Listen [::]:22016

#<VirtualHost *:22016>

#  ServerName RHEL64-2

#  SSLEnable

#  SSLProtocol SSLv3 TLSv1 TLSv11 TLSv12

#  SSLRequiredCiphers AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA

#  SSLRequireSSL

#  SSLCertificateKeyFile "/opt/HiCommand/Base64/uCPSB/httpsd/conf/ssl/server/httpsdkey.pem"

#  SSLCertificateFile "/opt/HiCommand/Base64/uCPSB/httpsd/conf/ssl/server/httpsd.pem"

#  SSLCACertificateFile "/opt/HiCommand/Base64/uCPSB/httpsd/conf/ssl/cacert/anycert.pem"

#</VirtualHost>

#HWSLogSSLVerbose On

 

 

AFTER (lines now prefixed with # have been commented out)

 

[root@RHEL64-2 bin]# more /opt/HiCommand/Base64/uCPSB/httpsd/conf/user_httpsd.conf

ServerName RHEL64-2

# Listen 22015

# Listen [::]:22015

Listen 127.0.0.1:22015

SSLDisable

Listen 22016

#Listen [::]:22016

<VirtualHost *:22016>

ServerName RHEL64-2

SSLEnable

SSLProtocol SSLv3 TLSv1 TLSv11 TLSv12

SSLRequiredCiphers AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA

SSLRequireSSL

SSLCertificateKeyFile "/root/certs/RHEL64-2.pem"

SSLCertificateFile "/root/certs/RHEL64-2.cert"

# SSLCACertificateFile "/opt/HiCommand/Base64/uCPSB/httpsd/conf/ssl/cacert/anycert.pem"

</VirtualHost>

HWSLogSSLVerbose On

 

e. Edit /opt/HiCommand/HiCommandServer/config/tuningmanager.properties

 

BEFORE

htnm.server.0.host=localhost

htnm.server.0.protocol=http
htnm.server.0.port=22015

AFTER

htnm.server.0.host=RHEL64-2

htnm.server.0.protocol=https

htnm.server.0.port=22016

 

 

f. Import the self-signed server certificate from step a into the Java truststore

 

[root@RHEL64-2 bin]# pwd

/opt/HiCommand/Base64/uCPSB/jdk/bin

[root@RHEL64-2 bin]# keytool -import -alias `hostname`-HDVM8 -file /root/certs/`hostname`.cert -keystore ../jre/lib/security/jssecacerts -storepass `hostname`.pass

Owner: CN=RHEL64-2, OU=SAN, O=ADP, L=Alpharetta, ST=GA, C=US

Issuer: CN=RHEL64-2, OU=SAN, O=ADP, L=Alpharetta, ST=GA, C=US

Serial number: 536d55f9

Valid from: Fri May 09 15:26:01 PDT 2014 until: Mon May 06 15:26:01 PDT 2024

Certificate fingerprints:

MD5: 4C:57:48:CF:91:D1:97:4F:3A:F9:6B:ED:25:25:72:0D

SHA1: AE:EE:C0:32:EA:54:3A:29:E2:05:63:AA:C1:3F:66:90:24:FA:E2:D8

SHA256: B3:F3:76:96:B5:3E:C1:FE:2C:AE:02:54:48:AF:24:5E:5B:73:74:C3:6C:4B:67:6D:6C:87:DF:C0:D6:42:BB:2A

Signature algorithm name: SHA256withRSA

Version: 3

Trust this certificate? [no]:  yes

Certificate was added to keystore

 

g. Check the truststore from step f above

 

[root@RHEL64-2 bin]# ./keytool -list -v -keystore ../jre/lib/security/jssecacerts -storepass `hostname`.pass

 

Keystore type: JKS

Keystore provider: SUN

 

Your keystore contains 1 entry

 

Alias name: rhel64-2-hdvm8

Creation date: May 9, 2014

Entry type: trustedCertEntry

 

Owner: CN=RHEL64-2, OU=SAN, O=ADP, L=Alpharetta, ST=GA, C=US

Issuer: CN=RHEL64-2, OU=SAN, O=ADP, L=Alpharetta, ST=GA, C=US

Serial number: 536d55f9

Valid from: Fri May 09 15:26:01 PDT 2014 until: Mon May 06 15:26:01 PDT 2024

Certificate fingerprints:

MD5: 4C:57:48:CF:91:D1:97:4F:3A:F9:6B:ED:25:25:72:0D

SHA1: AE:EE:C0:32:EA:54:3A:29:E2:05:63:AA:C1:3F:66:90:24:FA:E2:D8

Signature algorithm name: SHA256withRSA

Version: 3

 

 

*******************************************

*******************************************

 

 

h. Start HCS 8 services and check status

 

[root@RHEL64-2 bin]# pwd

/opt/HiCommand/Base64/bin

 

[root@RHEL64-2 bin]# ./hcmds64srv -start

KAPM06438-I The HiRDB service has started.

KAPM05016-I Succeeded in starting of service. service-name=HBase 64 Storage Mgmt Web Service

KAPM05016-I Succeeded in starting of service. service-name=HBase 64 Storage Mgmt Web SSO Service

KAPM05016-I Succeeded in starting of service. service-name=HBase 64 Storage Mgmt SSO Service

KAPM05016-I Succeeded in starting of service. service-name=HCS Device Manager Web Service

KAPM05016-I Succeeded in starting of service. service-name=HBase 64 Storage Mgmt Common Service

KAPM05016-I Succeeded in starting of service. service-name=HiCommand Suite TuningManager

KAPM05016-I Succeeded in starting of service. service-name=HiCommand Performance Reporter

KAPM05016-I Succeeded in starting of service. service-name=HCS Tuning Manager REST Application Service

 

[root@RHEL64-2 bin]# cd ../sbin/exec

 

[root@RHEL64-2 exec]# ls hicommand64*

hicommand64-hcs_dm hicommand64-hcs_hweb hicommand64-hcs_rest hicommand64-hcs_sso hicommand64-hcs_web

hicommand64-hcs_hsso hicommand64-hcs_pr hicommand64-hcs_rest_NoStartUp hicommand64-hcs_tm

 

 

[root@RHEL64-2 exec]# ./hicommand64-hcs_web status

./hicommand64-hcs_web status: httpsd (pid 8815) already running

 

[root@RHEL64-2 exec]# ./hicommand64-hcs_sso status

./hicommand64-hcs_sso status: hcs_sso (pid 9010) already running

 

[root@RHEL64-2 exec]# ./hicommand64-hcs_hweb status

./hicommand64-hcs_hweb status: httpsd (pid 8828) already running

 

[root@RHEL64-2 exec]# ./hicommand64-hcs_dm status

./hicommand64-hcs_dm status: hcs_dm (pid 8939) already running

 

[root@RHEL64-2 exec]# ./hicommand64-hcs_hsso status

./hicommand64-hcs_hsso status: hcs_hsso (pid 8891) already running

 

[root@RHEL64-2 exec]# ./hicommand64-hcs_pr status

./hicommand64-hcs_pr status: hcs_pr (pid 9161) already running

 

[root@RHEL64-2 exec]# ./hicommand64-hcs_rm status

-bash: ./hicommand64-hcs_rm: No such file or directory

 

[root@RHEL64-2 exec]# ./hicommand64-hcs_tm status

./hicommand64-hcs_tm status: hcs_tm (pid 9072) already running

 

[root@RHEL64-2 exec]# ./hicommand64-hcs_rest status

./hicommand64-hcs_rest status: hcs_rest (pid 9245) already running

 

i. Change the URL if necessary and stop and start HCS services again

[root@RHEL64-2 bin]# ./hcmds64chgurl -print

http://RHEL64-2:22015 Hitachi Replication Manager Hitachi Tiered Storage Manager Hitachi Device Manager

http://172.17.237.129:22015 Hitachi Tuning Manager

[root@RHEL64-2 bin]# ./hcmds64chgurl -change http://172.17.237.129:22015 https://RHEL64-2:22016

KAPM06111-I The URL was changed from "http://172.17.237.129:22015" to "https://RHEL64-2:22016".

[root@RHEL64-2 bin]# ./hcmds64chgurl -change http://RHEL64-2:22015 https://RHEL64-2:22016

KAPM06111-I The URL was changed from "http://RHEL64-2:22015" to "https://RHEL64-2:22016".

[root@RHEL64-2 bin]# ./hcmds64chgurl -print

https://RHEL64-2:22016 Hitachi Tuning Manager Hitachi Tiered Storage Manager Hitachi Device Manager Hitachi Replication Manager

[root@RHEL64-2 bin]#

 

 

 

j. Connect from a client web browser to port 22016

 

1. Ensure you can ping the HCS Server hostname

 

2. Connect using the URL below
https://RHEL64-2:22016/DeviceManager/

 

3. Add the site to trusted sites, relaunch the web browser, and then import the certificate into “Trusted Root Certificate Authorities”.

 

4. Reconnect to the URL from step 2. The certificate error seen in step 2 will no longer appear.

 

 

 

 

2. Securing Device Manager

 

1. Create a keypair and self-signed certificate for Device Manager

 

[root@RHEL64-2 HiCommandServer]# pwd

/opt/HiCommand/HiCommandServer

 

[root@RHEL64-2 HiCommandServer]# ./HiKeytool.sh

 

2. Select Option 1 in the Menu

 

================================================================================

HiKeytool v8.0.0-00

================================================================================

1) SSL configuration for Device Manager Server

2) SSL configuration for SMI-S

3) Exit

 

>1

 

 

3. Select Option 1 again

 

1) Make KeyPair/Self-Signed Certificate

2) Set Device Manager Server Security Level

3) Generate CSR

4) Import Digitally Signed Certificate

5) Display contents of Device Manager Server KeyStore

6) Display verbose contents of Device Manager Server KeyStore

7) Delete an entry from the Device Manager Server KeyStore

8) Change Device Manager Server KeyPair/Self-Signed Certificate Keypass

9) Change Device Manager Server KeyStore Password

10) Import Certificate to Device Manager Server TrustStore

11) Display contents of Device Manager Server TrustStore

12) Display verbose contents of Device Manager Server TrustStore

13) Delete an entry from the Device Manager Server TrustStore

14) Change Device Manager Server TrustStore Password

15) Exit

 

>1

 

4. Enter the values shown after each prompt below

 

Enter Server Name [default=RHEL64-2]:

Enter Organizational Unit [default=Device Manager Administration]:SAN

Enter Organization Name [default=RHEL64-2]:ADP

Enter your City or Locality:Alpharetta

Enter your State or Province:GA

Enter your two-character country-code [default=US]:US

Enter Key Alias [default=RHEL64-2]:RHEL64-2-HDVM-JAVA

Passwords must only contain characters (A-Z,a-z), digits (0-9) and whitespaces.

Do not enter special characters for your password!

This may render your keystore damaged or unusable!

Enter Key Password (6 characters minimum) [default=passphrase]:

Enter Key Algorithm [default=RSA]:

Enter Key Size [default=2048]:

 

Enter Signature Algorithm [default=SHA256withRSA]:

Enter number of days valid [default=365]:3650

Passwords must only contain characters (A-Z,a-z), digits (0-9) and whitespaces.

Do not enter special characters for your password!

This may render your keystore damaged or unusable!

Enter KeyStore Password (6 characters minimum) [default=passphrase]:

Creating new X500Name for

RHEL64-2...

Creating the Device Manager Server KeyPair for RHEL64-2 at:

/opt/HiCommand/HiCommandServer/keystore

<this can take up to a minute>

All done.

 

(A)nother command or E(x)it? ?x

Exiting...

 

5. Restart HCS 8 services using the commands below

 

[root@RHEL64-2 bin]# pwd

/opt/HiCommand/Base64/bin

 

[root@RHEL64-2 bin]# ./hcmds64srv -stop ; ./hcmds64srv -start

 

[root@RHEL64-2 bin]# ./hcmds64srv -statusall

KAPM06440-I The HiRDB service has already started.

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt Web Service

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt Web SSO Service

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt SSO Service

KAPM05007-I Already started service. service-name=HCS Device Manager Web Service

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt Common Service

KAPM05007-I Already started service. service-name=HiCommand Suite TuningManager

KAPM05007-I Already started service. service-name=HiCommand Performance Reporter

KAPM05007-I Already started service. service-name=HCS Tuning Manager REST Application Service

KAPM05007-I Already started service. service-name=Tiered Storage Manager Server Service

KAPM05009-I Already stopped service. service-name=Device Manager Server Service

 

 

6. Enable SSL for Device Manager Server

 

[root@RHEL64-2 bin]# cd /opt/HiCommand/HiCommandServer/

[root@RHEL64-2 HiCommandServer]# ./HiKeytool.sh

================================================================================

HiKeytool v8.0.0-00

================================================================================

1) SSL configuration for Device Manager Server

2) SSL configuration for SMI-S

3) Exit

 

>1

 

1) Make KeyPair/Self-Signed Certificate

2) Set Device Manager Server Security Level

3) Generate CSR

4) Import Digitally Signed Certificate

5) Display contents of Device Manager Server KeyStore

6) Display verbose contents of Device Manager Server KeyStore

7) Delete an entry from the Device Manager Server KeyStore

8) Change Device Manager Server KeyPair/Self-Signed Certificate Keypass

9) Change Device Manager Server KeyStore Password

10) Import Certificate to Device Manager Server TrustStore

11) Display contents of Device Manager Server TrustStore

12) Display verbose contents of Device Manager Server TrustStore

13) Delete an entry from the Device Manager Server TrustStore

14) Change Device Manager Server TrustStore Password

15) Exit

 

>2

 

Current Device Manager Server Security Level = User Logon (Basic Authentication)

Options:

1) User Logon (Basic Authentication)

2) TLS/SSL (Secure Sockets)

Enter selection: [default=1]:2

 

Device Manager Server Security level set to: TLS/SSL Secure Socket

You must restart the Device Manager Server for this change to take effect.

 

(A)nother command or E(x)it?x

Exiting...

[root@RHEL64-2 HiCommandServer]#

 

7. Restart HCS 8 services using the commands below

 

[root@RHEL64-2 bin]# pwd

/opt/HiCommand/Base64/bin

 

[root@RHEL64-2 bin]# ./hcmds64srv -stop ; ./hcmds64srv -start

 

[root@RHEL64-2 bin]# ./hcmds64srv -statusall

KAPM06440-I The HiRDB service has already started.

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt Web Service

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt Web SSO Service

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt SSO Service

KAPM05007-I Already started service. service-name=HCS Device Manager Web Service

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt Common Service

KAPM05007-I Already started service. service-name=HiCommand Suite TuningManager

KAPM05007-I Already started service. service-name=HiCommand Performance Reporter

KAPM05007-I Already started service. service-name=HCS Tuning Manager REST Application Service

KAPM05007-I Already started service. service-name=Tiered Storage Manager Server Service

KAPM05009-I Already stopped service. service-name=Device Manager Server Service

 

8. View and export the HDVM Server Certificate

 

[root@RHEL64-2 bin]# cd /opt/HiCommand/HiCommandServer/

[root@RHEL64-2 HiCommandServer]# ./HiKeytool.sh

================================================================================

HiKeytool v8.0.0-00

================================================================================

1) SSL configuration for Device Manager Server

2) SSL configuration for SMI-S

3) Exit

 

>1

 

 

1) Make KeyPair/Self-Signed Certificate

2) Set Device Manager Server Security Level

3) Generate CSR

4) Import Digitally Signed Certificate

5) Display contents of Device Manager Server KeyStore

6) Display verbose contents of Device Manager Server KeyStore

7) Delete an entry from the Device Manager Server KeyStore

8) Change Device Manager Server KeyPair/Self-Signed Certificate Keypass

9) Change Device Manager Server KeyStore Password

10) Import Certificate to Device Manager Server TrustStore

11) Display contents of Device Manager Server TrustStore

12) Display verbose contents of Device Manager Server TrustStore

13) Delete an entry from the Device Manager Server TrustStore

14) Change Device Manager Server TrustStore Password

15) Exit

 

>5

 

Listing Contents of Device Manager Server KeyStore

 

   Alias

   ==========

1) rhel64-2-hdvm-java, Fri May 09 17:13:56 PDT 2014

   MD5 Fingerprints:06:F1:E9:B1:17:7D:72:6A:0F:92:0F:87:F8:BC:D4:4E

 

 

(A)nother command or E(x)it?x

Exiting...

[root@RHEL64-2 HiCommandServer]#

 

 

[root@RHEL64-2 HiCommandServer]# cat ./config/server.properties | grep keystore

# name of the keystore for Secure Sockets

server.https.security.keystore=keystore

server.https.keystore.data1=VfviMUsd074LatYthNudSA==

server.https.keystore.data2=VfviMUsd074LatYthNudSA==

 

[root@RHEL64-2 HiCommandServer]# ls -la | grep keystore

-rw-r--r--.  1 root sys      2192 May  9 17:13 keystore

 

[root@RHEL64-2 HiCommandServer]# ../Base64/uCPSB/jdk/bin/keytool -export -keystore ./keystore -alias rhel64-2-hdvm-java -file /root/certs/rhel64-2-hdvm-java.cert

Enter keystore password:

Certificate stored in file </root/certs/rhel64-2-hdvm-java.cert>

 

[root@RHEL64-2 HiCommandServer]#

 

 

3. Securing Host Data Collector

 

1. Create a self-signed certificate for HDC

[root@RHEL64-2 bin]# ./hdc_ssltool.sh -key /root/certs/`hostname`.hdc.pem -csr `hostname`.hdc.csr -keypass `hostname`.pass -storepass `hostname`.pass -cert /root/certs/`hostname`.hdc.cert -validity 3650 -dname "CN=$(hostname),OU=SAN,O=ADP,L=Alpharetta,ST=GA,C=US"

KAIG08804-I The hdc_ssltool command finished successfully.

2. Edit hdcbase.properties and enable SSL

 

[root@RHEL64-2 config]# pwd

/opt/HiCommand/HDC/Base/config

[root@RHEL64-2 config]# ls

hdcbase.properties javaconfig.properties logger.properties

 

 

BEFORE

 

#Fri May 09 10:06:48 PDT 2014

hdc.common.rmi.ssl.serverPort=22105

hdc.common.rmi.serverPort=22099

hdc.service.localport=22110

hdc.service.rmi.registryIPAddress=

hdc.service.fileCleanup.startTime=2300

hdc.common.rmi.registryPort=22098

hdc.ssl.secure=1

hdc.ssl.ciphers=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

hdc.adapter.esx.timeout=1200

hdc.adapter.adapterProcessNum=1

hdc.common.rmi.ssl.registryPort=22104

hdc.common.http.serverPort=22100

hdc.common.https.serverPort=22106

hdc.adapter.localport=22111,22112,22113,22114,22115,22116,22117,22118,22119,22120

 

AFTER

 

#Fri May 09 10:06:48 PDT 2014

hdc.common.rmi.ssl.serverPort=22105

hdc.common.rmi.serverPort=22099

hdc.service.localport=22110

hdc.service.rmi.registryIPAddress=

hdc.service.fileCleanup.startTime=2300

hdc.common.rmi.registryPort=22098

hdc.ssl.secure=3

hdc.ssl.ciphers=TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

hdc.adapter.esx.timeout=1200

hdc.adapter.adapterProcessNum=1

hdc.common.rmi.ssl.registryPort=22104

hdc.common.http.serverPort=22100

hdc.common.https.serverPort=22106

hdc.adapter.localport=22111,22112,22113,22114,22115,22116,22117,22118,22119,22120

 

 

 

3. Stop and start the host data collector

 

[root@RHEL64-2 bin]# pwd

/opt/HiCommand/HDC/Base/bin

 

[root@RHEL64-2 bin]# ./controlservice.sh

Usage: controlservice {start | stop | state}

 

[root@RHEL64-2 bin]# ./controlservice.sh stop

KAIG07010-I The service Host Data Collector Base Service stopped.

 

[root@RHEL64-2 bin]# ./controlservice.sh start

KAIG07009-I The service Host Data Collector Base Service started

 

[root@RHEL64-2 bin]# ./controlservice.sh state

KAIG07011-I The service Host Data Collector Base Service is already started.

 

 

4. Edit hostdatacollectors.properties

 

[root@RHEL64-2 config]# pwd

/opt/HiCommand/HiCommandServer/config

 

BEFORE

 

 

# IP address and port number used for the RMI registry of host data collector.

# e.g.: hdc.rmiregistry=192.168.1.1:22098,192.168.1.2:22098,192.168.1.3:22098

hdc.rmiregistry=127.0.0.1:22098

 

# IP address and port number used for the RMI server of host data collector.

# e.g.: hdc.rmiserver=192.168.1.1:22099,192.168.1.2:22099,192.168.1.3:22099

hdc.rmiserver=127.0.0.1:22099

 

# IP address and port number used for the class loader of host data collector.

# e.g.: hdc.classloader=192.168.1.1:22100,192.168.1.2:22100,192.168.1.3:22100

hdc.classloader=127.0.0.1:22100

 

# Maximum wait time for responses from host data collectors (milliseconds).

hdc.request.timeout=1800000

 

# Whether to use SSL/TLS to communicate with the host data collector.

hdc.usessl=false

 

AFTER

 

 

# IP address and port number used for the RMI registry of host data collector.

# e.g.: hdc.rmiregistry=192.168.1.1:22098,192.168.1.2:22098,192.168.1.3:22098

hdc.rmiregistry=127.0.0.1:22104

 

# IP address and port number used for the RMI server of host data collector.

# e.g.: hdc.rmiserver=192.168.1.1:22099,192.168.1.2:22099,192.168.1.3:22099

hdc.rmiserver=127.0.0.1:22105

 

# IP address and port number used for the class loader of host data collector.

# e.g.: hdc.classloader=192.168.1.1:22100,192.168.1.2:22100,192.168.1.3:22100

hdc.classloader=127.0.0.1:22106

 

# Maximum wait time for responses from host data collectors (milliseconds).

hdc.request.timeout=1800000

 

# Whether to use SSL/TLS to communicate with the host data collector.

hdc.usessl=true

 

 

 

5. Import the HDC Server certificate into the HDVM truststore

[root@RHEL64-2 HiCommandServer]# ./HiKeytool.sh

================================================================================

HiKeytool v8.0.0-00

================================================================================

1) SSL configuration for Device Manager Server

2) SSL configuration for SMI-S

3) Exit

 

>1

 

 

1) Make KeyPair/Self-Signed Certificate

2) Set Device Manager Server Security Level

3) Generate CSR

4) Import Digitally Signed Certificate

5) Display contents of Device Manager Server KeyStore

6) Display verbose contents of Device Manager Server KeyStore

7) Delete an entry from the Device Manager Server KeyStore

8) Change Device Manager Server KeyPair/Self-Signed Certificate Keypass

9) Change Device Manager Server KeyStore Password

10) Import Certificate to Device Manager Server TrustStore

11) Display contents of Device Manager Server TrustStore

12) Display verbose contents of Device Manager Server TrustStore

13) Delete an entry from the Device Manager Server TrustStore

14) Change Device Manager Server TrustStore Password

15) Exit

 

>10

 

Preparing to import certificate to Device Manager Server truststore.

Enter the alias of certificate:RHEL64-2.hdc

Enter the location of the certificate which is imported to truststore. [default=/opt/HiCommand/HiCommandServer/RHEL64-2.hdc.cer]:/root/certs/RHEL64-2.hdc.cert

Beginning import...

 

The specified certificate imported to Device Manager Server truststore.

 

(A)nother command or E(x)it?x

Exiting...

 

 

 

6. Restart HCS 8 services using the commands below

 

[root@RHEL64-2 bin]# pwd

/opt/HiCommand/Base64/bin

 

[root@RHEL64-2 bin]# ./hcmds64srv -stop ; ./hcmds64srv -start

 

[root@RHEL64-2 bin]# ./hcmds64srv -statusall

KAPM06440-I The HiRDB service has already started.

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt Web Service

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt Web SSO Service

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt SSO Service

KAPM05007-I Already started service. service-name=HCS Device Manager Web Service

KAPM05007-I Already started service. service-name=HBase 64 Storage Mgmt Common Service

KAPM05007-I Already started service. service-name=HiCommand Suite TuningManager

KAPM05007-I Already started service. service-name=HiCommand Performance Reporter

KAPM05007-I Already started service. service-name=HCS Tuning Manager REST Application Service

KAPM05007-I Already started service. service-name=Tiered Storage Manager Server Service

KAPM05009-I Already stopped service. service-name=Device Manager Server Service
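Steps 2 and 4 of this section change two files that have to agree: hdcbase.properties defines the HDC's plaintext and SSL ports, and hostdatacollectors.properties must select the matching set for the value of hdc.usessl. The Python check below is an added example (not HCS code) that parses both files in the form listed above and reports a half-done edit such as hdc.usessl=true still pointing at 22098/22099/22100; the sample properties are trimmed copies of the post's listings, and the half-done variant is constructed.

```python
"""Consistency check between hostdatacollectors.properties (Device Manager side)
and hdcbase.properties (Host Data Collector side).

Added example for this post, not part of HCS: when hdc.usessl is true the HDVM
side must address the HDC's SSL ports (hdc.common.rmi.ssl.registryPort,
hdc.common.rmi.ssl.serverPort, hdc.common.https.serverPort), otherwise the
plaintext ones. The post changes both; flipping hdc.usessl alone is the
failure mode caught here. Sample files are trimmed copies of the post's listings.
"""

# hostdatacollectors key -> (hdcbase key for plaintext, hdcbase key for SSL/TLS)
PORT_MAP = {
    "hdc.rmiregistry": ("hdc.common.rmi.registryPort", "hdc.common.rmi.ssl.registryPort"),
    "hdc.rmiserver": ("hdc.common.rmi.serverPort", "hdc.common.rmi.ssl.serverPort"),
    "hdc.classloader": ("hdc.common.http.serverPort", "hdc.common.https.serverPort"),
}

HDCBASE_AFTER = """\
hdc.common.rmi.ssl.serverPort=22105
hdc.common.rmi.serverPort=22099
hdc.common.rmi.registryPort=22098
hdc.ssl.secure=3
hdc.common.rmi.ssl.registryPort=22104
hdc.common.http.serverPort=22100
hdc.common.https.serverPort=22106
"""

HOSTDATACOLLECTORS_BEFORE = """\
# IP address and port number used for the RMI registry of host data collector.
hdc.rmiregistry=127.0.0.1:22098
hdc.rmiserver=127.0.0.1:22099
hdc.classloader=127.0.0.1:22100
hdc.usessl=false
"""

HOSTDATACOLLECTORS_AFTER = """\
hdc.rmiregistry=127.0.0.1:22104
hdc.rmiserver=127.0.0.1:22105
hdc.classloader=127.0.0.1:22106
hdc.usessl=true
"""

# Constructed: hdc.usessl switched on but the three ports left at the plaintext values.
HOSTDATACOLLECTORS_HALF_DONE = HOSTDATACOLLECTORS_BEFORE.replace("hdc.usessl=false", "hdc.usessl=true")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_hdc_ports(hostdatacollectors_text, hdcbase_text):
    """Return mismatch descriptions; an empty list means the two files agree."""
    hdvm = parse_properties(hostdatacollectors_text)
    hdc = parse_properties(hdcbase_text)
    use_ssl = hdvm.get("hdc.usessl", "false").lower() == "true"
    mode = "SSL" if use_ssl else "plaintext"
    problems = []
    for key, (plain_key, ssl_key) in PORT_MAP.items():
        expected = hdc.get(ssl_key if use_ssl else plain_key)
        if key not in hdvm:
            problems.append(f"{key} missing from hostdatacollectors.properties")
            continue
        # Each value may list several collectors as host:port,host:port,...
        for endpoint in filter(None, (e.strip() for e in hdvm[key].split(","))):
            port = endpoint.rsplit(":", 1)[-1]
            if port != expected:
                problems.append(f"{key}={endpoint}: {mode} port on the HDC is {expected}")
    return problems


if __name__ == "__main__":
    for label, text in (("before", HOSTDATACOLLECTORS_BEFORE), ("after", HOSTDATACOLLECTORS_AFTER),
                        ("half-done", HOSTDATACOLLECTORS_HALF_DONE)):
        print(label, check_hdc_ports(text, HDCBASE_AFTER) or "consistent")
```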

 

 

4. Securing HTNM REST API Server

 

1. Create a self-signed certificate

 

[root@RHEL64-2 bin]# ./htmssltool -key /root/certs/`hostname`.rest.pem -csr /root/certs/`hostname`.rest.csr -cert /root/certs/`hostname`.rest.cert -certtext /root/certs/`hostname`.rest.cert.txt -validity 3650 -dname "CN=$(hostname),OU=SAN,O=ADP,L=Alpharetta,ST=GA,C=US"

KATR10021-I The htmssltool command finished successfully.

 

2. Edit htnm_httpsd.conf and stop and start the web service

 

[root@RHEL64-2 config]# pwd

/opt/jp1pc/htnm/Rest/config

 

[root@RHEL64-2 config]# ls

htnm_httpsd.conf user.properties

 

[root@RHEL64-2 config]# vi htnm_httpsd.conf

 

[root@RHEL64-2 config]# more htnm_httpsd.conf

ServerName RHEL64-2

#Listen 24221

#Listen [::]:24221

#SSLDisable

Listen 24222

#Listen [::]:24222

SSLEnable

SSLProtocol TLSv12

SSLRequiredCiphers AES256-SHA256

SSLRequireSSL

SSLCertificateFile /root/certs/RHEL64-2.rest.cert

SSLCertificateKeyFile /root/certs/RHEL64-2.rest.pem

#SSLCACertificateFile /opt/jp1pc/htnm/HBasePSB/httpsd/conf/ssl/cacert/anycert.pem

HWSLogSSLVerbose On

 

 

[root@RHEL64-2 bin]# pwd

/opt/jp1pc/htnm/bin

 

[root@RHEL64-2 bin]# ls

exec htmrestctrl  htmsrv  htmssltool

 

[root@RHEL64-2 bin]# ./htmsrv stop -webservice

KATR10029-I A service will now stop. (service = Tuning Manager - Agent REST Web Service)

KATR10029-I A service will now stop. (service = Tuning Manager - Agent REST Application Service)

 

[root@RHEL64-2 bin]# ./htmsrv start -webservice

KATR10028-I A service will now start. (service = Tuning Manager - Agent REST Application Service)

KATR10028-I A service will now start. (service = Tuning Manager - Agent REST Web Service)

 

[root@RHEL64-2 bin]# ./htmsrv status -all

KATR10032-I The specified service is already running. (service = Status Server, serviceid=PT1RHEL64-2)

KATR10032-I The specified service is already running. (service = Name Server, serviceid=PN1001)

KATR10032-I The specified service is already running. (service = Master Manager, serviceid=PM1001)

KATR10032-I The specified service is already running. (service = Master Store, serviceid=PS1001)

KATR10032-I The specified service is already running. (service = Correlator, serviceid=PE1001)

KATR10032-I The specified service is already running. (service = Trap Generator, serviceid=PC4RHEL64-2)

KATR10032-I The specified service is already running. (service = View Server, serviceid=PP1RHEL64-2)

KATR10032-I The specified service is already running. (service = Action Handler, serviceid=PH1RHEL64-2)

KATR10032-I The specified service is already running. (service = Agent Store, serviceid=0S1RHEL64-2)

KATR10032-I The specified service is already running. (service = Agent Collector, serviceid=0A1RHEL64-2)

KATR10032-I The specified service is already running. (service = Agent Store, serviceid=DS1VSP_53086[RHEL64-2])

KATR10032-I The specified service is already running. (service = Agent Collector, serviceid=DA1VSP_53086[RHEL64-2])

KATR10032-I The specified service is already running. (service = Tuning Manager - Agent REST Application Service)

KATR10032-I The specified service is already running. (service = Tuning Manager - Agent REST Web Service)
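The two httpsd configurations on this page accept different things: htnm_httpsd.conf in step 2 above is pinned to TLSv12 and AES256-SHA256, while the Common Component VirtualHost in section 1 step d still lists SSLv3 and the 3DES cipher DES-CBC3-SHA. The Python check below is an added example, not anything shipped with HCS: it parses that directive format and reports weak protocol and cipher names, missing SSLRequireSSL or certificate directives, and any non-loopback Listen port that no SSLEnable covers; the sample configs are trimmed copies of the post's own listings.

```python
import re

# Sample configurations, trimmed copies of the post's listings (test input only).
COMMON_COMPONENT_BEFORE = """\
ServerName RHEL64-2
Listen 22015
Listen [::]:22015
SSLDisable
"""

COMMON_COMPONENT_AFTER = """\
ServerName RHEL64-2
# Listen 22015
Listen 127.0.0.1:22015
SSLDisable
Listen 22016
<VirtualHost *:22016>
ServerName RHEL64-2
SSLEnable
SSLProtocol SSLv3 TLSv1 TLSv11 TLSv12
SSLRequiredCiphers AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA
SSLRequireSSL
SSLCertificateKeyFile "/root/certs/RHEL64-2.pem"
SSLCertificateFile "/root/certs/RHEL64-2.cert"
</VirtualHost>
HWSLogSSLVerbose On
"""

HTNM_REST_CONF = """\
ServerName RHEL64-2
Listen 24222
SSLEnable
SSLProtocol TLSv12
SSLRequiredCiphers AES256-SHA256
SSLRequireSSL
SSLCertificateFile /root/certs/RHEL64-2.rest.cert
SSLCertificateKeyFile /root/certs/RHEL64-2.rest.pem
HWSLogSSLVerbose On
"""

# Protocol tokens and cipher names spelled the way this configuration format spells them.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHERS = {"DES-CBC3-SHA"}  # 3DES, 64-bit block size
LOOPBACK_HOSTS = ("127.0.0.1", "[::1]")


def parse_httpsd_conf(text):
    """Return (scope, directive, value) triples; scope is "global" or the <VirtualHost> address."""
    entries, scope = [], "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        vhost = re.match(r"<VirtualHost\s+([^>]+)>", line)
        if vhost:
            scope = vhost.group(1).strip()
            continue
        if line.startswith("</VirtualHost>"):
            scope = "global"
            continue
        directive, _, value = line.partition(" ")
        entries.append((scope, directive, value.strip().strip('"')))
    return entries


def audit_httpsd_conf(text):
    """Return sorted findings for the TLS-relevant settings of one httpsd configuration."""
    entries = parse_httpsd_conf(text)
    ssl_scopes = {s for s, d, _ in entries if d == "SSLEnable"}
    findings = []
    for scope in ssl_scopes:
        settings = {d: v for s, d, v in entries if s == scope}
        for p in sorted(set(settings.get("SSLProtocol", "").split()) & WEAK_PROTOCOLS):
            findings.append(f"{scope}: SSLProtocol allows {p}")
        for c in sorted(set(settings.get("SSLRequiredCiphers", "").split(":")) & WEAK_CIPHERS):
            findings.append(f"{scope}: SSLRequiredCiphers includes {c}")
        for d in ("SSLRequireSSL", "SSLCertificateFile", "SSLCertificateKeyFile"):
            if d not in settings:
                findings.append(f"{scope}: {d} missing")
    # A Listen port is protected only when SSLEnable is global or set in a
    # <VirtualHost> bound to that port; any other non-loopback listener is plaintext.
    ssl_ports = {s.rsplit(":", 1)[-1] for s in ssl_scopes if s != "global"}
    for s, d, v in entries:
        if d != "Listen":
            continue
        host, _, port = v.rpartition(":")
        if "global" not in ssl_scopes and port not in ssl_ports and host not in LOOPBACK_HOSTS:
            findings.append(f"Listen {v}: plaintext listener reachable from the network")
    return sorted(findings)
```

Running `audit_httpsd_conf` over the three constants reports nothing for the REST configuration, the SSLv3 and DES-CBC3-SHA entries for the Common Component after the change, and the two network-facing plaintext listeners before it.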

 

 

 

5. Securing HiCommand CLI

 

1. Download the HDVM truststore file to the client where the CLI is installed, using the URL below. When prompted, enter the username and password you use to log in to Device Manager.

 

http://172.17.237.129:2001/service/HiCommandCerts

 

2. Edit /opt/HiCommand/HiCommandCLI/HiCommandCLI and add the two lines below

 

HDVM_CLI_CERTS_PATH=/root/certs; export HDVM_CLI_CERTS_PATH

HDVM_CLI_JRE_PATH=/opt/HiCommand/Base64/uCPSB/jdk/jre/bin; export HDVM_CLI_JRE_PATH

 

3. Edit HiCommandCLI.properties

 

[root@RHEL64-2 HiCommandCLI]# pwd

/opt/HiCommand/HiCommandCLI

 

[root@RHEL64-2 HiCommandCLI]# cat HiCommandCLI.properties | grep -v ^# | grep -v ^$

HiCommandCLI.logfile=/tmp/diag.log

HiCommandCLI.diaglevel=INFO

HiCommandCLI.tracefile=/tmp/traffic.log

HiCommandCLI.serverurl=https://localhost:2443/service

secure=true

user=system

 

 

 

 

4. Edit java.security

 

[root@RHEL64-2 HiCommandCLI]# cd /opt/HiCommand/Base64/uCPSB/jdk/jre/lib/security

 

[root@RHEL64-2 security]# tail java.security

# reloaded whenever a JAAS authentication is attempted.

#

# Example,

# krb5.kdc.bad.policy = tryLast

# krb5.kdc.bad.policy = tryLess:2,2000

krb5.kdc.bad.policy = tryLast

com.rsa.crypto.default.random=HMACDRBG256

ssl.SocketFactory.provider=com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl

com.rsa.ssl.compatibility.socketshutdown.permitnoclosenotify=enabled
