Page History
...
Table C-1 Configuring password encryption type elements on the Precise FocalPoint server
| Element |
|---|
...
| Description |
|---|
-i3- |
...
user | See Authenticate to CLI |
...
| Utility in the Precise CLI Utility Reference Guide. |
-i3-encrypted- |
...
password | See Authenticate to CLI |
...
| Utility in the Precise CLI Utility Reference Guide. |
- |
...
action | Always: Mandatory: Yes |
- |
...
type | Always: aes-key Mandatory: Yes AES-based encryption that uses a random symmetric key. It is recommended to update this key once a year. Security level: high |
For example:
./infra/bin/psin_cli.sh
-i3-user user-name
{-i3-password encrypted-password
| -i3-clear-password clear-password}
-action encrypt-update
-type aes-key
Distributing the new password encryption settings to all servers
For the new password encryption settings to take effect, you must distribute them to all servers by using the Precise CLI installation utility. This procedure depends on the Precise Listener being up and running on all servers; otherwise, the agents on the servers will not be able to function.
To distribute the new encryption settings to all servers1. In
- In AdminPoint, verify that the Precise Listener is up and running on all servers.
...
- Run the following command from the
...
<Precise_
...
root>folder on the Precise FocalPoint server:- Windows
- Windows
...
-
infra\bin\psin_cli.bat
-i3-user user-name
{-i3-password encrypted-password
| -i3-clear-password clear-password}
-action encrypt-distribute - UNIX
-
...
-
./infra/bin/psin_cli.sh
-i3-user user-name
{-i3-password encrypted-password
| -i3-clear-password clear-password}
-action encrypt-distribute
-
Table C-2 Distributing 2 Distributing new password encryption element settings to all servers
| Element |
|---|
...
| Description |
|---|
-i3- |
...
user | See Authenticate to CLI |
...
| Utility in the Precise CLI Utility Reference Guide. |
-i3-encrypted- |
...
password | See Authenticate to CLI |
...
| Utility in the Precise CLI Utility Reference Guide. |
- |
...
action | Always: Mandatory: Yes |
Configuring the Precise Apache Tomcat to work in HTTPS mode (SSL)
The Precise user interface is based on an Apache Tomcat server. You can configure it to work in HTTPS mode. This mode uses the Secure Socket Layer (SSL) protocol to encrypt the data that is sent from the Web browser to the Tomcat server.
To configure Precise Apache Tomcat to work in HTTPS mode1. Create
- Create a certificate keystore on the Apache Tomcat server. This file is saved in the folder
...
-
<Precise_root>\products\gui\websiteas a certificate .keystore file.
...
- Before you create the .keystore file, delete the alias Tomcat if it already exists. To delete the alias Tomcat, run the following command from
...
- the
<Precise_root>folder on the Precise FocalPoint
- the
...
- :
- :
...
Windows
...
java\JRE\bin\keytool -delete -alias tomcat -keystore products\gui\website\.keystoreInfo
...
For the password, use "
...
changeit." For the question
...
"What is your first and last
...
name," provide the server name used in the URL for the Precise GUI as the answer.
...
- UNIX
java/JRE/bin/keytool -delete -alias tomcat -keystore products/gui/website/.keystore
- UNIX
- To create your own certificate, run the following command from
...
- the
<Precise_root>folder on the Precise
- the
...
- FocalPoint:
...
Windows
java
...
\JRE
...
\bin
...
\keytool -genkey -alias tomcat -keyalg RSA -keystore products
...
\gui
...
\website
...
\.keystore -validity 3000
...
UNIX
java
...
/JRE
...
/bin
...
/keytool -genkey -alias tomcat -keyalg RSA -keystore products
...
/gui
...
/website
...
/.keystore -validity 3000Info
...
For the password, use "
...
changeit." Also, use the host as displayed in the url for the name.
...
- In the file
...
<Precise_
...
root>\products\gui\website\conf\server.xml
...
- Add comment tags around the
non-SSL <Connector>tag, where the preliminary remark is
- Add comment tags around the
...
- "
<!-- Define a non-SSL HTTP/1.1
- "
...
...->."- Remove the comment tags around
...
- the
SSL <Connector>tag, where the preliminary remark is
- the
...
- "
<!-- Define a SSL Coyote HTTP/1.1
- "
...
...->."
- Restart the Precise FocalPoint process on the UNIX server. Restart the Precise FocalPoint service and the Precise user interface service on the Windows server.
...
Open the Precise application using HTTPS.
For example:https://<host>:<port>Info
...
After restarting the Precise FocalPoint, the SSL port changes to the default port added by the user during installation. If you want to use a different port, you can change the port as described in the
...
Change GUI server
...
port section in the Precise CLI Utility.
When first launching Precise in a client, a security alert is displayed with the certificate details. You should sign your certificate with a trusted root authority (such as VeriSign). Alternatively you can install the certificate on each client server that uses the Precise GUI.
...
In AdminPoint, click the Setup tab and click on Nodes in the drop-down menu
...
In the Nodes tab, click Edit to update the
...
URL of the node for which you configured the SSL, according to step 4. In addition, if you are working with the Precise Custom Portal, the following configuration must be performed.
To configure Precise Apache Tomcat to work in HTTPS mode with the Precise Custom Portal1. Export
- Export the certificate:
<i3>java\jre\bin\keytool -export -alias tomcat -file <file
...
_
...
name>.crt
-keystore <i3>products\gui\website\.keystore
...
Import the certificate:
<i3>java\jre\bin\keytool -import -file <file
...
_
...
name>.crt -alias tomcat
-storepass <changeit> -keystore <i3>\java\JRE\lib\security\cacertsInfo
...
Verify that the
...
same
<file_name>.crtis used for exporting and importing the certificate.Info
...
For the password, use "
...
changeit."
To install a certificate1. When
- When you get the certificate warning, click View certificate.
...
- Click Install certificate.
...
- Click Next.
...
- Select Place all certificates in the following store.
...
- Click Browse.
...
- Check Show physical store.
...
- Select Local Computer under Trusted root certification Authorities.
...
- Click OK, Next, and then Finish.
...
- Close and restart the Precise GUI, and verify that the warning for the certificate does not re-appear.
For general information regarding configuring HTTPS mode see Apache Tomcat server instructions found at this site: http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html
For information regarding configuring J2EE to work in HTTPS mode, see About Security Options in the Precise for J2EE User 's Guide.
For information on installing your own certificate for J2EE, see the Creating and installing certificates for SSL in the Precise Administration Guide.
Changing the session timeout for an Apache Tomcat server
For an Apache Tomcat server, you can configure the Tomcat session timeout.
To change the session timeout for an Apache Tomcat server1. Open
- Open the following file in a text editor:
...
<Precise_
...
root>\products\gui\website\webapps\i3\web.xml
...
- Change the default session timeout (180) to the required minutes. For example:
<session-config>
...
<session-timeout>180</session-timeout>
</session-config>
...
- Restart the Precise FocalPoint server.
| Anchor | ||||
|---|---|---|---|---|
|
| Info |
|---|
...
Configuring the Precise login mechanism is not required to secure a Precise system. |
Precise FocalPoint confirms the Precise authentication credentials by using the Java Authentication and Authorization Service (JAAS). The JAAS runs a login module that authenticates the password according to an internal Precise roles’ roles' table.
Because the JAAS is a common Application Programming Interface (API), you can also configure it to run a custom login module that authenticates a role’s password against an external, centralized password repository. To do so, you must first define the respective role in AdminPoint. For more information on managing roles in AdminPoint, see the Precise Administration Guide.
The login module is a Java class that implements the login module interface of the JAAS API. This API exists for the Java Runtime Application (JRE) version 1.4.2 and later. It is part of the javax.security.auth.* package.
When your own login module is ready for use, configuring the external password authentication involves the following tasks:• Updating
- Updating the Precise configuration to work with the new login module
...
- Adding the class of the new login module to the Precise CLASSPATH
To update the Precise configuration1. Log
- Log in to the Precise FocalPoint.
...
- Back up the following file:
...
<Precise_
...
root>/products/i3fp/login/jaas.config
...
- In the original file, do the following:
- Change the
...
- line.
StartPoint{com.precise.infra.login.InfraDbLdapSupportLoginModule required;};
- line.
...
- To.
To StartPoint{new login module class required;};
- To.
...
- Save and close the file.
To add the new login module class to the Precise classpath1. Log
- Log in to the Precise FocalPoint.
...
- Back up the following file:
...
<Precise_
...
root>/products/i3fp/bin/psin_i3fp_init.xml
...
- In the original file, append the path of the class of the new login module to the classpath section.
...
- Save and close the file.
...
- Restart Precise FocalPoint.
| Anchor | ||||
|---|---|---|---|---|
|
...