How to set up CA UCM v3.2+, ADA v9.2+ and NFA v9.1+ Single Sign-On with an SSL Certificate
Step 1. Prepare the SSL Certificate
A. Generate the certificate request in IIS Manager and obtain a certificate signed by a trusted Certificate Authority, or generate a self-signed certificate
B. Install/Import the signed certificate into IIS Manager (Only for certificates signed by Certificate Authority)
C. Determine whether the root Certificate Authority certificate and signed certificates are listed in the IIS “Trusted Root Certification Authorities Certificates” for the Local Computer.
Import both the root Certificate Authority and the signed certificates if they are not in the list. (Only for CA certificates)
Note: See the following document for more information on viewing certificates: How To View Certificates with the MMC Snap In
D. Export the self-signed certificate using the MMC Snap-in. (Only for Self-Signed certificates)
Note: The exported certificate will be used in Step 6.
Example: the certificate is saved as c:\certs\hostnameselfsigned.cer
E. Export the signed certificate in pfx format from IIS Manager
Note: The exported pfx certificate will be used in Step 4.
Example: c:\certs\server.company.com.pfx
Note: Remember the password, as it will be needed again when creating the jetty keystore and the jetty-ssl.xml file.
In this example we will use certificatepass as the password.
Step 2. Configure the IIS Application
Configure an SSL Port.
By default, IIS does not have a binding for HTTPS. The binding can be added from within IIS Manager. Navigate to the Default Website in IIS.
Under actions, select “Bindings”
Click on Add to put in a new site binding:
Note: Do not disable the http port 80 binding. The product will not work properly if http is disabled.
Step 3. Modify the DataSource XML
ADA XML Path: C:\CA\Portal\SSO\webapps\sso\configuration\SuperAgent.xml
NFA XML Path: C:\CA\NFA\Portal\SSO\webapps\sso\configuration\ReporterAnalyzer.xml
UCM XML Path: C:\CA\Portal\sso\webapps\sso\configuration\voipmonitor.xml
NFA Example:
<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <SingleSignOnEnabled>True</SingleSignOnEnabled>
  <SingleSignOnProductCode>ra</SingleSignOnProductCode>
  <SignInPageProductTitle><![CDATA[NetQoS<sup><font class="Superscript">®</font></sup> ReporterAnalyzer<sup><font class="Superscript">™</font></sup>]]></SignInPageProductTitle>
  <SignInPageProductDescription>Network Traffic Analysis</SignInPageProductDescription>
  <SignInPageProductDefaultUrl>
    <Scheme>https</Scheme>
    <Port>443</Port>
    <PathAndQuery>/ra/default.aspx</PathAndQuery>
  </SignInPageProductDefaultUrl>
  <SingleSignOnWebServiceUrl>
    <Scheme>http</Scheme>
    <Port></Port>
    <PathAndQuery>/ReporterDataSource/SingleSignOnWS.asmx</PathAndQuery>
  </SingleSignOnWebServiceUrl>
</Configuration>
Modify the Scheme (from http to https) and enter 443 for the Port (the Port entry is blank by default).
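As an added example (not part of the CA article), a small Python check that reports which URL blocks in a DataSource XML are still on http or have a blank Port, and that rewrites them to https/443; the sample XML is constructed to mirror the NFA file before this step, and a real run would read the XML path listed above instead.

```python
# Added example, not from the CA article: validate and fix the SSO URL blocks
# in a DataSource XML (e.g. ReporterAnalyzer.xml) for Step 3.
import xml.etree.ElementTree as ET

# Constructed sample mirroring the NFA file before Step 3 is applied.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <SignInPageProductDefaultUrl>
    <Scheme>http</Scheme>
    <Port></Port>
    <PathAndQuery>/ra/default.aspx</PathAndQuery>
  </SignInPageProductDefaultUrl>
  <SingleSignOnWebServiceUrl>
    <Scheme>http</Scheme>
    <Port></Port>
    <PathAndQuery>/ReporterDataSource/SingleSignOnWS.asmx</PathAndQuery>
  </SingleSignOnWebServiceUrl>
</Configuration>"""

URL_BLOCKS = ("SignInPageProductDefaultUrl", "SingleSignOnWebServiceUrl")

def find_url_issues(xml_text):
    """Return (block, problem) pairs for every block not yet on https/443."""
    root = ET.fromstring(xml_text)
    issues = []
    for name in URL_BLOCKS:
        block = root.find(name)
        if block is None:
            issues.append((name, "block missing"))
            continue
        scheme = (block.findtext("Scheme") or "").strip().lower()
        port = (block.findtext("Port") or "").strip()
        if scheme != "https":
            issues.append((name, "Scheme is %r, expected https" % scheme))
        if port != "443":
            issues.append((name, "Port is %r, expected 443" % port))
    return issues

def set_https(xml_text, port="443"):
    """Return the XML with both URL blocks switched to https and the given port."""
    root = ET.fromstring(xml_text)
    for name in URL_BLOCKS:
        block = root.find(name)
        if block is None:
            continue
        for tag, value in (("Scheme", "https"), ("Port", port)):
            el = block.find(tag)
            if el is None:          # add the element if the file lacks it
                el = ET.SubElement(block, tag)
            el.text = value
    return ET.tostring(root, encoding="unicode")
```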
Step 4. Create the jetty keystore file from the exported pfx certificate (Step 1 E)
ADA keystore file path: C:\CA\Portal\Jetty-7.2.0\etc\keystore
NFA keystore file path: C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore
UCM keystore file path: C:\CA\Portal\Jetty\etc\keystore
A. Rename the existing jetty keystore file
C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore
B. Import command to create a new jetty keystore file:
NFA Example:
keytool -importkeystore -srckeystore c:\certs\server.company.com.pfx -srcstoretype pkcs12 -destkeystore C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore -deststoretype JKS
Enter destination keystore password:(keystorefilepass)
Note: Create a new password. In this example we will use keystorefilepass as the password
Re-enter new password:(keystorefilepass)
Enter source keystore password:(certificatepass)
Note: This is the password created in Step 1 E
Entry for alias 872ebff7-035d-449d-9751-110ea8b83e74 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Note: Remember the password, as it will be used in later steps.
C. Verify that the keystore file lists the imported certificate.
Note: This step also validates the password entered in the step above.
NFA Example:
keytool -list -keystore C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore -storepass keystorefilepass
Output example:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
872ebff7-035d-449d-9751-110ea8b83e74, Oct 8, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): EB:E7:82:5F:40:12:54:1C:18:9D:F9:58:FE:55:CE:FF
Step 5. Determine whether the root Certificate Authority certificate is in the Java trusted certificate keystore (Only for CA certificates)
ADA cacerts path: C:\CA\jre\lib\security\cacerts
NFA cacerts path: C:\Program Files\Java\jre6\lib\security\cacerts
UCM cacerts path: C:\CA\jre7\lib\security\cacerts
Note: In the NFA example below, the trusted keystore (cacerts) is configured with the default password, changeit.
The keytool command below writes the certificate list to a text file:
keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCertificatesList1.txt
If the root Certificate Authority certificate(s) are not in the output file, import them as shown below:
keytool -import -file c:\certs\corp_root.cer -alias corp_root -trustcacerts -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit
Run the keytool command to print the certificate list again and verify that the imported certificate is in the list:
keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCertificatesList2.txt
Step 6. Import the self-signed certificate (Certificate created in Step 1 D) to Java trusted keystore (cacerts) (Only for Self-Signed certificates)
NFA Example:
keytool -import -file c:\certs\hostnameselfsigned.cer -alias hostname.ca.com -trustcacerts -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit
Verify that the self-signed certificate is shown in the trusted keystore by running the keytool list command again:
keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCertificatesList3.txt
Step 7. Configure SSO with SSL Port
Launch the SsoConfig.exe to configure SSO with the SSL port.
ADA SsoConfig.exe path: C:\CA\Portal\sso\bin
NFA SsoConfig.exe path: C:\CA\NFA\Portal\SSO\bin
UCM SsoConfig.exe path: C:\CA\Portal\sso\bin
NFA Example:
SSO Configuration:
1. CA Performance Center
2. CA Network Flow Analysis
Choose an option >2
SSO Configuration/CA Network Flow Analysis:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
Choose an option >4
SSO Configuration/CA Network Flow Analysis/Single Sign-On:
Anonymous User Enabled: Disabled
Anonymous User ID: 2
Localhost User Sign-In Page Enabled: Disabled
Localhost User Enabled: Enabled
Localhost User ID: 1
Cookie Timeout Minutes: 20
Encryption Decryption Key: #$utP9%z
Encryption Algorithm: DES
Failed Sleep Seconds: 3
Remember Me Enabled: Enabled
Remember Me Timeout Days: 15
Scheme: http
Port: 8381
Virtual Directory: sso
1. Remote Value
2. Local Override
Choose an option > 2
SSO Configuration/CA Network Flow Analysis/Single Sign-On/Local Override:
1. Anonymous User Enabled:
2. Anonymous User ID:
3. Localhost User Sign-In Page Enabled:
4. Localhost User Enabled:
5. Localhost User ID:
6. Cookie Timeout Minutes:
7. Encryption Decryption Key:
8. Encryption Algorithm:
9. Failed Sleep Seconds:
10. Remember Me Enabled:
11. Remember Me Timeout Days:
12. Scheme:
13. Port:
14. Virtual Directory:
Select a Property > 12
Enter r to reset the value, u to update to new value > u
Enter \q to quit or \b to go back to previous menu
Enter new value > https
SSO Configuration/CA Network Flow Analysis/Single Sign-On/Local Override:
1. Anonymous User Enabled:
2. Anonymous User ID:
3. Localhost User Sign-In Page Enabled:
4. Localhost User Enabled:
5. Localhost User ID:
6. Cookie Timeout Minutes:
7. Encryption Decryption Key:
8. Encryption Algorithm:
9. Failed Sleep Seconds:
10. Remember Me Enabled:
11. Remember Me Timeout Days:
12. Scheme:
13. Port:
14. Virtual Directory:
Select a Property > 13
Enter r to reset the value, u to update to new value > u
Enter \q to quit or \b to go back to previous menu
Enter new value > 8382
Step 8. Back up and modify the SSO start.ini file
ADA start.ini path: C:\CA\Portal\SSO\start.ini
NFA start.ini path: C:\CA\NFA\Portal\SSO\start.ini
UCM start.ini path: C:\CA\Portal\sso\start.ini
Find the following line and remove the '#' so that it is active:
# C:\CA\NFA\Portal\SSO\etc\jetty-ssl.xml
Step 9. Create the ‘jetty-ssl.xml’ for SSO
ADA XML path: C:\CA\Portal\SSO\etc\jetty-ssl.xml
NFA XML path: C:\CA\NFA\Portal\SSO\etc\jetty-ssl.xml
UCM XML path: C:\CA\Portal\sso\etc\jetty-ssl.xml
NFA Example:
Create the jetty-ssl.xml file in “C:\CA\NFA\Portal\SSO\etc” with the following content:
Note: Replace all instances of the “***PASSWORD***” value with the passwords in use on your system.
In the example below the certificate password is certificatepass and the jetty keystore password is keystorefilepass.
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<!-- ====== -->
<!-- Configure SSL for the Jetty Server -->
<!-- this configuration file should be used in combination with -->
<!-- other configuration files. e.g. -->
<!-- java -jar start.jar etc/jetty.xml etc/jetty-ssl.xml -->
<!-- ====== -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <!-- if NIO is not available, use org.eclipse.jetty.server.ssl.SslSocketConnector -->
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Set name="Port">8382</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="Acceptors">2</Set>
        <Set name="AcceptQueueSize">100</Set>
        <Set name="Keystore"><Property name="jetty.home" default="." />/etc/keystore</Set>
        <Set name="Password">keystorefilepass</Set>
        <Set name="KeyPassword">certificatepass</Set>
        <Set name="truststore"><Property name="jetty.home" default="." />/etc/keystore</Set>
        <Set name="trustPassword">keystorefilepass</Set>
      </New>
    </Arg>
  </Call>
</Configure>
Step 10. Back up and edit the SSO jetty.xml
ADA XML path: C:\CA\Portal\SSO\etc\jetty.xml
NFA XML path: C:\CA\NFA\Portal\SSO\etc\jetty.xml
UCM XML path: C:\CA\Portal\sso\etc\jetty.xml
NFA Example:
Edit “C:\CA\NFA\Portal\SSO\etc\jetty.xml” and remove the following entry (the plain HTTP connector):
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
      <Set name="host"><Property name="jetty.host" /></Set>
      <!-- Changed: Used to be Property -->
      <Set name="port"><SystemProperty name="jetty.port" default="8381"/></Set>
      <Set name="maxIdleTime">300000</Set>
      <Set name="Acceptors">2</Set>
      <Set name="statsOn">false</Set>
      <Set name="confidentialPort">8443</Set>
      <Set name="lowResourcesConnections">20000</Set>
      <Set name="lowResourcesMaxIdleTime">5000</Set>
    </New>
  </Arg>
</Call>
Step 11. Back up and edit the SSO wrapper.conf
ADA wrapper path: C:\CA\Portal\SSO\conf\wrapper.conf
NFA wrapper path: C:\CA\NFA\Portal\SSO\conf\wrapper.conf
UCM wrapper path: C:\CA\Portal\sso\conf\wrapper.conf
Edit C:\CA\NFA\Portal\SSO\conf\wrapper.conf, search for 8381 and replace it with 8382 so that it matches the port defined in jetty-ssl.xml:
wrapper.java.additional.2=-Djetty.port=8382
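The SSL port has now been entered in three places (jetty-ssl.xml, wrapper.conf and the SsoConfig Scheme/Port override) and the plain HTTP connector has been removed from jetty.xml; a mismatch between any of them is the usual reason the SSO service fails to come up on https. As an added example (not from the CA article), this Python check cross-checks those settings; the config fragments are constructed to mirror the NFA example, and the SsoConfig values are assumed to have been read from the tool's output.

```python
# Added example, not from the CA article: cross-check the SSL port across
# jetty-ssl.xml, wrapper.conf and SsoConfig, and confirm that jetty.xml no
# longer declares a plain-HTTP SelectChannelConnector.
import re
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the NFA example in the article.
JETTY_SSL_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
 <Call name="addConnector"><Arg><New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
  <Set name="Port">8382</Set>
 </New></Arg></Call></Configure>"""
JETTY_XML_BEFORE = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
 <Call name="addConnector"><Arg><New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
  <Set name="port"><SystemProperty name="jetty.port" default="8381"/></Set>
 </New></Arg></Call></Configure>"""
WRAPPER_CONF = "wrapper.java.additional.2=-Djetty.port=8382\n"
SSO_CONFIG = {"Scheme": "https", "Port": "8382"}  # assumed: Local Override values

def ssl_port(jetty_ssl_xml):
    """Port of the SslSelectChannelConnector declared in jetty-ssl.xml, or None."""
    root = ET.fromstring(jetty_ssl_xml)
    for new in root.iter("New"):
        if new.get("class", "").endswith("SslSelectChannelConnector"):
            return (new.findtext("Set[@name='Port']") or "").strip()
    return None

def wrapper_port(wrapper_conf):
    """Value of -Djetty.port in wrapper.conf, or None if absent."""
    m = re.search(r"-Djetty\.port=(\d+)", wrapper_conf)
    return m.group(1) if m else None

def plain_http_connectors(jetty_xml):
    """Classes of non-SSL SelectChannelConnectors still present in jetty.xml."""
    root = ET.fromstring(jetty_xml)
    return [n.get("class") for n in root.iter("New")
            if n.get("class", "").endswith("SelectChannelConnector")
            and ".ssl." not in n.get("class", "")]

def check_sso_ssl(jetty_ssl_xml, jetty_xml, wrapper_conf, sso_config):
    """Return a list of readable problems; an empty list means consistent."""
    problems = []
    port = ssl_port(jetty_ssl_xml)
    if port is None:
        problems.append("jetty-ssl.xml: no SslSelectChannelConnector found")
    if wrapper_port(wrapper_conf) != port:
        problems.append("wrapper.conf -Djetty.port does not match jetty-ssl.xml")
    if sso_config.get("Scheme") != "https" or sso_config.get("Port") != port:
        problems.append("SsoConfig Scheme/Port do not match jetty-ssl.xml")
    for cls in plain_http_connectors(jetty_xml):
        problems.append("jetty.xml still defines %s" % cls)
    return problems
```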
Step 12. Confirm that port 8382 is open if the firewall is enabled
Step 13. Restart the “CA Performance Center SSO” service and run an iisreset from the command prompt
Step 14. Verify that the Data Source web console is accessible via https and that SsoConfig.exe can be launched
Note: You can check the following log files if login via https fails or if SsoConfig.exe fails to launch:
X:\CA\...Portal\SSO\logs\wrapper
X:\CA\..Portal\SSO\logs\SSOService.log
Step 15. Copy and Import the Data Source’s certificate to CA Performance Center’s (CAPC) Java trusted keystore (cacerts)
Follow these steps for Data Sources using Self-Signed certificates and integrated with CAPC.
A. Copy the Data Source’s self-signed certificate created in Step 1 D to the CAPC server (for example, to /opt/CA/PerformanceCenter)
B. Import the self-signed certificate to CAPC’s Java trusted keystore (cacerts) with the keytool.
Example:
/opt/CA/jre/bin/keytool -import -alias garri03-vm52499.ca.com -trustcacerts -file /opt/CA/PerformanceCenter/garri03-vm52499.cer -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit
C. Run the keytool command to verify that the newly imported certificate is listed
Example:
/opt/CA/jre/bin/keytool -list -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit | grep -i garri03
Follow these steps for Data Sources using Signed certificates and integrated with CAPC.
A. Copy the root Certificate Authority certificate(s) identified in Step 5 to the CAPC server (for example, to /opt/CA/PerformanceCenter)
B. Import the Certificate Authority certificate(s) to CAPC’s Java trusted keystore (cacerts) with the keytool.
Example:
/opt/CA/jre/bin/keytool -import -alias corp_root -trustcacerts -file /opt/CA/PerformanceCenter/corp_root.cer -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit
C. Run the keytool command to verify that the newly imported certificate(s) are listed
Example:
/opt/CA/jre/bin/keytool -list -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit | grep -i corp
Step 16. Modify the Data Source settings on CA Performance Center/NPC and set the Web Console to the HTTPS port; click Test to verify connectivity, then Save
Step 17. Resync the NFA data source from CAPC/NPC and verify that the NFA views show data; click the NFA link to ensure that the NFA Portal is accessible.