How to set up CA UCM v3.2+, ADA v9.2+ and NFA v9.1+ Single Sign-On with an SSL Certificate

Step 1. Prepare the SSL Certificate

A.  Generate the certificate request in IIS Manager and obtain a certificate signed by a trusted Certificate Authority, or generate a self-signed certificate

B.  Install/Import the signed certificate into IIS Manager (Only for certificates signed by a Certificate Authority)

C.  Determine whether the root Certificate Authority certificate and the signed certificate are listed in the “Trusted Root Certification Authorities Certificates” store for the Local Computer.

Import both the root Certificate Authority certificate and the signed certificate if they are not in the list. (Only for CA-signed certificates)

Note: See the following document for more information on viewing certificates: How To View Certificates with the MMC Snap In

D.  Export the self-signed certificate using the MMC Snap-in. (Only for self-signed certificates)

Note: The exported certificate will be used in Step 6.

Example: the certificate is saved as c:\certs\hostnameselfsigned.cer

E.  Export the signed certificate in pfx format from IIS Manager

Note: The exported pfx certificate will be used in Step 4.

Example: c:\certs\server.company.com.pfx

Note: Remember the password; it will be used in Step 7.

In this example we will use certificatepass as the password.

Step 2. Configure the IIS Application

Configure an SSL Port.

By default, IIS does not have a binding for HTTPS. The binding is added from within the server manager. Navigate to the Default Web Site in IIS.

Under Actions, select “Bindings”.

Click Add to create a new site binding:

Note: Do not disable the HTTP port 80 binding. The product will not work properly if HTTP is disabled.

Step 3. Modify the DataSource XML

ADA XML Path: C:\CA\Portal\SSO\webapps\sso\configuration\SuperAgent.xml

NFA XML Path: C:\CA\NFA\Portal\SSO\webapps\sso\configuration\ReporterAnalyzer.xml

UCM XML Path: C:\CA\Portal\sso\webapps\sso\configuration\voipmonitor.xml

NFA Example:

<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
  <SingleSignOnEnabled>True</SingleSignOnEnabled>
  <SingleSignOnProductCode>ra</SingleSignOnProductCode>
  <SignInPageProductTitle><![CDATA[NetQoS<sup><font class="Superscript">®</font></sup> ReporterAnalyzer<sup><font class="Superscript">™</font></sup>]]></SignInPageProductTitle>
  <SignInPageProductDescription>Network Traffic Analysis</SignInPageProductDescription>
  <SignInPageProductDefaultUrl>
    <Scheme>https</Scheme>
    <Port>443</Port>
    <PathAndQuery>/ra/default.aspx</PathAndQuery>
  </SignInPageProductDefaultUrl>
  <SingleSignOnWebServiceUrl>
    <Scheme>http</Scheme>
    <Port></Port>
    <PathAndQuery>/ReporterDataSource/SingleSignOnWS.asmx</PathAndQuery>
  </SingleSignOnWebServiceUrl>
</Configuration>

Modify the Scheme (from http to https) and enter 443 for the Port (the Port entry is blank by default).

Step 4. Create the Jetty keystore file from the exported pfx certificate (Step 1 E)

ADA keystore file path: C:\CA\Portal\Jetty-7.2.0\etc\keystore

NFA keystore file path: C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore

UCM keystore file path: C:\CA\Portal\Jetty\etc\keystore

A.  Rename the existing Jetty keystore file, for example:

C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore

B.  Run the import command to create a new Jetty keystore file:

NFA Example:

keytool -importkeystore -srckeystore c:\certs\server.company.com.pfx -srcstoretype pkcs12 -destkeystore C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore -deststoretype JKS

Enter destination keystore password:(keystorefilepass)

Note: Create a new password. In this example we will use keystorefilepass as the password.

Re-enter new password:(keystorefilepass)

Enter source keystore password:(certificatepass)

Note: This is the password created in Step 1 E.

Entry for alias 872ebff7-035d-449d-9751-110ea8b83e74 successfully imported.

Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Note: Remember the password; it will be used in later steps.

C.  Verify that the keystore file lists the imported certificate.

Note: This step also validates the password entered in the step above.

NFA Example:

keytool -list -keystore C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore -storepass keystorefilepass

Output example:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

872ebff7-035d-449d-9751-110ea8b83e74, Oct 8, 2013, PrivateKeyEntry,

Certificate fingerprint (MD5): EB:E7:82:5F:40:12:54:1C:18:9D:F9:58:FE:55:CE:FF

Step 5. Determine whether the root Certificate Authority certificate is in the Java trusted certificate keystore (Only for CA certificates)

ADA cacerts path: C:\CA\jre\lib\security\cacerts

NFA cacerts path: C:\Program Files\Java\jre6\lib\security\cacerts

UCM cacerts path: C:\CA\jre7\lib\security\cacerts

Note: In the NFA example below the trusted keystore (cacerts) is configured with the default password, changeit.

The keytool command below writes the list of certificates to a text file.

keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCertificatesList1.txt

If the root Certificate Authority certificate(s) are not in the output file, import them as shown below:

keytool -import -file c:\certs\corp_root.cer -alias corp_root -trustcacerts -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit

Run the keytool list command again and verify that the imported certificate is in the list.

keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCertificatesList2.txt

Step 6. Import the self-signed certificate (created in Step 1 D) into the Java trusted keystore (cacerts) (Only for self-signed certificates)

NFA Example:

keytool -import -file c:\certs\hostnameselfsigned.cer -alias hostname.ca.com -trustcacerts -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit

Run the keytool list command again and verify that the self-signed certificate is shown in the trusted keystore.

keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit > C:\certs\CACertsTrustedCertificatesList3.txt
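As an added helper, not from the CA article: a Python parser for the keytool -list output written to the text files in Steps 4 C, 5 and 6, which reports which expected aliases are missing (or have the wrong entry type) instead of relying on reading the listing by eye. The sample listing is constructed, modelled on the output example in Step 4; alias names and entry types in the calls are assumptions for illustration.

```python
import re

# Constructed sample listing, in the format of the article's output example.
SAMPLE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

872ebff7-035d-449d-9751-110ea8b83e74, Oct 8, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): EB:E7:82:5F:40:12:54:1C:18:9D:F9:58:FE:55:CE:FF
corp_root, Oct 8, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""

# "<alias>, <date>, <entry type>," -- note that the date itself contains a comma.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>.+), (?P<type>\w+),\s*$")
# Java 6 keytool prints MD5 fingerprints; newer releases print SHA1 or SHA-256.
FP_RE = re.compile(r"^Certificate fingerprint \((?P<algo>[\w-]+)\): (?P<fp>[0-9A-Fa-f:]+)\s*$")


def parse_keytool_list(text):
    """Return {alias: {"type": entry type, "fingerprint": hex}} from keytool -list output."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group("alias")
            entries[current] = {"type": m.group("type"), "fingerprint": None}
            continue
        m = FP_RE.match(line)
        if m and current is not None:
            entries[current]["fingerprint"] = m.group("fp")
    return entries


def missing_entries(text, required):
    """required maps alias -> expected entry type: PrivateKeyEntry for the Jetty
    keystore (Step 4 C), trustedCertEntry for cacerts (Steps 5, 6 and 13).
    Returns the aliases that are absent or stored with a different entry type.
    keytool stores JKS aliases in lower case, so the comparison is case-insensitive."""
    entries = {a.lower(): e for a, e in parse_keytool_list(text).items()}
    return sorted(alias for alias, kind in required.items()
                  if entries.get(alias.lower(), {}).get("type") != kind)
```

Run it against the text file produced by the keytool -list command above (for example CACertsTrustedCertificatesList2.txt) with the aliases you imported; an empty result means every expected entry is present.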

Step 7. Configure SSO with SSL Port

Launch SsoConfig.exe to configure SSO with the SSL port.

ADA SsoConfig.exe path: C:\CA\Portal\sso\bin

NFA SsoConfig.exe path: C:\CA\NFA\Portal\SSO\bin

UCM SsoConfig.exe path: C:\CA\Portal\sso\bin

NFA Example:

SSO Configuration:

1. CA Performance Center

2. CA Network Flow Analysis

Choose an option >2

SSO Configuration/CA Network Flow Analysis:

1. LDAP Authentication

2. SAML2 Authentication

3. Performance Center

4. Single Sign-On

5. Test LDAP

6. Export SAML2 Service Provider Metadata

Choose an option >4

SSO Configuration/CA Network Flow Analysis/Single Sign-On:

Anonymous User Enabled: Disabled

Anonymous User ID: 2

Localhost User Sign-In Page Enabled: Disabled

Localhost User Enabled: Enabled

Localhost User ID: 1

Cookie Timeout Minutes: 20

Encryption Decryption Key: #$utP9%z

Encryption Algorithm: DES

Failed Sleep Seconds: 3

Remember Me Enabled: Enabled

Remember Me Timeout Days: 15

Scheme: http

Port: 8381

Virtual Directory: sso

1. Remote Value

2. Local Override

Choose an option > 2

SSO Configuration/CA Network Flow Analysis/Single Sign-On/Local Override:

1. Anonymous User Enabled:

2. Anonymous User ID:

3. Localhost User Sign-In Page Enabled:

4. Localhost User Enabled:

5. Localhost User ID:

6. Cookie Timeout Minutes:

7. Encryption Decryption Key:

8. Encryption Algorithm:

9. Failed Sleep Seconds:

10. Remember Me Enabled:

11. Remember Me Timeout Days:

12. Scheme:

13. Port:

14. Virtual Directory:

Select a Property > 12

Enter r to reset the value, u to update to new value > u

Enter \q to quit or \b to go back to previous menu

Enter new value > https

SSO Configuration/CA Network Flow Analysis/Single Sign-On/Local Override:

1. Anonymous User Enabled:

2. Anonymous User ID:

3. Localhost User Sign-In Page Enabled:

4. Localhost User Enabled:

5. Localhost User ID:

6. Cookie Timeout Minutes:

7. Encryption Decryption Key:

8. Encryption Algorithm:

9. Failed Sleep Seconds:

10. Remember Me Enabled:

11. Remember Me Timeout Days:

12. Scheme:

13. Port:

14. Virtual Directory:

Select a Property > 13

Enter r to reset the value, u to update to new value > u

Enter \q to quit or \b to go back to previous menu

Enter new value > 8382

Step 6. Back up and modify the SSO start.ini file

ADA start.ini path: C:\CA\Portal\SSO\start.ini

NFA start.ini path: C:\CA\NFA\Portal\SSO\start.ini

UCM start.ini path: C:\CA\Portal\sso\start.ini

Find the following line and remove the '#' so that it is active:

# C:\CA\NFA\Portal\SSO\etc\jetty-ssl.xml

Step 7. Create the ‘jetty-ssl.xml’ for SSO

ADA XML path: C:\CA\Portal\SSO\etc\jetty-ssl.xml

NFA XML path: C:\CA\NFA\Portal\SSO\etc\jetty-ssl.xml

UCM XML path: C:\CA\Portal\sso\etc\jetty-ssl.xml

NFA Example:

Create the jetty-ssl.xml file in “C:\CA\NFA\Portal\SSO\etc” with the following content:

Note: Replace all instances of the “***PASSWORD***” value with the passwords in use in your system.

In the example below the certificate password is certificatepass and the Jetty keystore password is keystorefilepass.

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<!-- ============================================================= -->
<!-- Configure SSL for the Jetty Server                            -->
<!-- this configuration file should be used in combination with   -->
<!-- other configuration files. e.g.                               -->
<!--    java -jar start.jar etc/jetty.xml etc/jetty-ssl.xml        -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- if NIO is not available, use org.eclipse.jetty.server.ssl.SslSocketConnector -->
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Set name="Port">8382</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="Acceptors">2</Set>
        <Set name="AcceptQueueSize">100</Set>
        <Set name="Keystore"><Property name="jetty.home" default="." />/etc/keystore</Set>
        <Set name="Password">keystorefilepass</Set>
        <Set name="KeyPassword">certificatepass</Set>
        <Set name="truststore"><Property name="jetty.home" default="." />/etc/keystore</Set>
        <Set name="trustPassword">keystorefilepass</Set>
      </New>
    </Arg>
  </Call>
</Configure>

Step 8. Back up and edit the SSO jetty.xml

ADA XML path: C:\CA\Portal\SSO\etc\jetty.xml

NFA XML path: C:\CA\NFA\Portal\SSO\etc\jetty.xml

UCM XML path: C:\CA\Portal\sso\etc\jetty.xml

NFA Example:

Edit “C:\CA\NFA\Portal\SSO\etc\jetty.xml” and remove the following entry:

<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
      <Set name="host"><Property name="jetty.host" /></Set>
      <!-- Changed: Used to be Property -->
      <Set name="port"><SystemProperty name="jetty.port" default="8381"/></Set>
      <Set name="maxIdleTime">300000</Set>
      <Set name="Acceptors">2</Set>
      <Set name="statsOn">false</Set>
      <Set name="confidentialPort">8443</Set>
      <Set name="lowResourcesConnections">20000</Set>
      <Set name="lowResourcesMaxIdleTime">5000</Set>
    </New>
  </Arg>
</Call>

Step 9. Back up and edit the SSO wrapper.conf

ADA wrapper path: C:\CA\Portal\SSO\conf\wrapper.conf

NFA wrapper path: C:\CA\NFA\Portal\SSO\conf\wrapper.conf

UCM wrapper path: C:\CA\Portal\sso\conf\wrapper.conf

Edit C:\CA\NFA\Portal\SSO\conf\wrapper.conf, search for 8381 and replace it with 8382 so that it matches the port defined in jetty-ssl.xml:

wrapper.java.additional.2=-Djetty.port=8382
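As an added check, not part of the CA article: a Python script that reads the jetty-ssl.xml, jetty.xml and wrapper.conf values from Steps 7, 8 and 9 together with the Scheme and Port entered in SsoConfig (Step 7), and reports any mismatch before the service is restarted. The file contents below are constructed inline and trimmed to the settings the check looks at; in practice read them from the paths listed above.

```python
import re
import xml.etree.ElementTree as ET

SSL_CONNECTOR = "org.eclipse.jetty.server.ssl.SslSelectChannelConnector"
HTTP_CONNECTOR = "org.eclipse.jetty.server.nio.SelectChannelConnector"

# Constructed sample inputs, trimmed to the settings the check looks at.
JETTY_SSL_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Set name="Port">8382</Set>
      <Set name="Keystore"><Property name="jetty.home" default="." />/etc/keystore</Set>
      <Set name="Password">keystorefilepass</Set>
      <Set name="KeyPassword">certificatepass</Set>
    </New>
  </Arg></Call>
</Configure>"""
JETTY_XML_FIXED = '<Configure id="Server" class="org.eclipse.jetty.server.Server"/>'
WRAPPER_CONF = "wrapper.java.additional.2=-Djetty.port=8382\n"
SSO_OVERRIDE = {"Scheme": "https", "Port": "8382"}  # values entered in SsoConfig


def connector_settings(xml_text, connector_class):
    """Map <Set name> to its stripped text for the first connector of that class, else None."""
    new = ET.fromstring(xml_text).find(f".//New[@class='{connector_class}']")
    if new is None:
        return None
    return {s.get("name"): "".join(s.itertext()).strip() for s in new.findall("Set")}


def wrapper_jetty_port(conf_text):
    """Return the -Djetty.port value from wrapper.conf, or None if it is not set."""
    m = re.search(r"^wrapper\.java\.additional\.\d+=-Djetty\.port=(\d+)\s*$", conf_text, re.M)
    return m.group(1) if m else None


def check_ssl_setup(jetty_ssl_xml, jetty_xml, wrapper_conf, sso_override):
    """Return a list of findings; an empty list means the four settings agree."""
    findings = []
    ssl = connector_settings(jetty_ssl_xml, SSL_CONNECTOR)
    if ssl is None:
        return ["jetty-ssl.xml: no SslSelectChannelConnector defined"]
    for name in ("Port", "Keystore", "Password", "KeyPassword"):
        if not ssl.get(name):
            findings.append(f'jetty-ssl.xml: <Set name="{name}"> is missing or empty')
    port = ssl.get("Port")
    if wrapper_jetty_port(wrapper_conf) != port:
        findings.append(f"wrapper.conf: -Djetty.port does not match jetty-ssl.xml Port {port}")
    if sso_override.get("Scheme") != "https" or sso_override.get("Port") != port:
        findings.append(f"SsoConfig Local Override: expected Scheme https and Port {port}")
    if connector_settings(jetty_xml, HTTP_CONNECTOR) is not None:
        findings.append("jetty.xml: plain-HTTP SelectChannelConnector still present")
    return findings
```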

Step 10. Confirm that port 8382 is open if the firewall is enabled

Step 11. Restart the “CA Performance Center SSO” service and run iisreset from the command prompt

Step 12. Verify that the Data Source web console is accessible via HTTPS and that SsoConfig.exe can be launched

Note: You can check the following log files if login via HTTPS fails or if SsoConfig.exe fails to launch:

X:\CA\...Portal\SSO\logs\wrapper

X:\CA\..Portal\SSO\logs\SSOService.log

Step 13. Copy and import the Data Source’s certificate into CA Performance Center’s (CAPC) Java trusted keystore (cacerts)

Follow these steps for Data Sources that use self-signed certificates and are integrated with CAPC.

A.  Copy the Data Source’s self-signed certificate created in Step 1 D to the CAPC server (for example to /opt/CA/PerformanceCenter)

B.  Import the self-signed certificate into CAPC’s Java trusted keystore (cacerts) with keytool.

Example:

/opt/CA/jre/bin/keytool -import -alias garri03-vm52499.ca.com -trustcacerts -file /opt/CA/PerformanceCenter/garri03-vm52499.cer -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit

C.  Run the keytool list command to verify that the newly imported certificate is present

Example:

/opt/CA/jre/bin/keytool -list -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit | grep -i garri03

Follow these steps for Data Sources that use CA-signed certificates and are integrated with CAPC.

A.  Copy the root Certificate Authority certificate(s) identified in Step 5 to the CAPC server (for example to /opt/CA/PerformanceCenter)

B.  Import the Certificate Authority certificate(s) into CAPC’s Java trusted keystore (cacerts) with keytool.

Example:

/opt/CA/jre/bin/keytool -import -alias corp_root -trustcacerts -file /opt/CA/PerformanceCenter/corp_root.cer -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit

C.  Run the keytool list command to verify that the newly imported certificate(s) are present

Example:

/opt/CA/jre/bin/keytool -list -keystore /opt/CA/jre/lib/security/cacerts -storepass changeit | grep -i corp

Step 14. Modify the Data Source settings on CA Performance Center/NPC and set the Web Console to the HTTPS port; click Test to verify connectivity, then Save

Step 15. Resync the NFA data source from CAPC/NPC and verify that the NFA views show data; click the NFA link to ensure that the NFA Portal is accessible.