...
- About secured Precise systems
- Installing new servers
- Configuring a secured Precise system
- Verifying Precise login credentials using an external password repository
- Running Precise services on Windows with a non-Administrative user
- Configuring the Single Sign On feature for Precise
- Configuring LDAP to authenticate Precise users
...
- Create a certificate keystore on the Apache Tomcat server. This file is saved in the folder <Precise_root>\products\gui\website as a certificate .keystore file.
  - Before you create the .keystore file, delete the alias Tomcat if it already exists. To delete the alias Tomcat, run the following command from the <Precise_root> folder on the Precise FocalPoint:
    Windows
    java\JRE\bin\keytool -delete -alias tomcat -keystore products\gui\website\.keystore
    Info: For the password, use "changeit." For the question "What is your first and last name," provide the server name used in the URL for the Precise GUI as the answer.
    UNIX
    java/JRE/bin/keytool -delete -alias tomcat -keystore products/gui/website/.keystore
  - To create your own certificate, run the following command from the <Precise_root> folder on the Precise FocalPoint:
    Windows
    java\JRE\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore products\gui\website\.keystore -validity 3000
    UNIX
    java/JRE/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore products/gui/website/.keystore -validity 3000
    Info: For the password, use "changeit." Also, use the host as displayed in the URL for the name.
- In the file <Precise_root>\products\gui\website\conf\server.xml:
  - Add comment tags around the non-SSL <Connector> tag, where the preliminary remark is "<!-- Define a non-SSL HTTP/1.1 ... -->."
  - Remove the comment tags around the SSL <Connector> tag, where the preliminary remark is "<!-- Define a SSL Coyote HTTP/1.1 ... -->."
- Restart the Precise FocalPoint process on the UNIX server. Restart the Precise FocalPoint service and the Precise user interface service on the Windows server.
- Open the Precise application using HTTPS.
  For example:
  https://<host>:<port>
  Info: After restarting the Precise FocalPoint, the SSL port changes to the default port added by the user during installation. If you want to use a different port, you can change the port as described in the Change GUI server port section in the Precise CLI Utility.
  When first launching Precise in a client, a security alert is displayed with the certificate details. You should sign your certificate with a trusted root authority (such as VeriSign). Alternatively, you can install the certificate on each client server that uses the Precise GUI.
- In AdminPoint, click the Setup tab and click Nodes in the drop-down menu.
- In the Nodes tab, click Edit to update the URL of the node for which you configured the SSL, according to step 4.
In addition, if you are working with the Precise Custom Portal, the following configuration must be performed.
...
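A check for the server.xml edit in the keystore procedure above, as an added example that is not Precise or Tomcat code: it strips XML comments and reports which <Connector> elements are still active, so a plaintext connector left uncommented is caught before the restart. It assumes an SSL connector is recognised by scheme="https"; the sample file and its port value are constructed.

```shell
#!/bin/sh
# Added example: which <Connector> elements stay active in a Tomcat server.xml?

# Print one line per active connector: "<port> https" or "<port> plaintext".
# Assumption: an SSL connector carries scheme="https".
active_connectors() {
    awk '{ s = s $0 "\n" }
    END {
        # 1. drop every <!-- ... --> block, including multi-line ones
        while ((i = index(s, "<!--")) > 0) {
            rest = substr(s, i + 4); j = index(rest, "-->")
            if (j == 0) { s = substr(s, 1, i - 1); break }   # unterminated
            s = substr(s, 1, i - 1) " " substr(rest, j + 3)
        }
        # 2. walk the <Connector ...> tags that are left
        while ((i = index(s, "<Connector")) > 0) {
            s = substr(s, i + 10); j = index(s, ">")
            tag = (j > 0) ? substr(s, 1, j - 1) : s
            port = "?"
            if (match(tag, /[ \t\n]port="[0-9]+"/))
                port = substr(tag, RSTART + 7, RLENGTH - 8)
            print port, ((tag ~ /scheme="https"/) ? "https" : "plaintext")
        }
    }' "$1"
}

# Succeeds only if an HTTPS connector is active and no plaintext one remains.
https_only() {
    out=$(active_connectors "$1")
    printf '%s\n' "$out" | grep -q ' https$' &&
        ! printf '%s\n' "$out" | grep -q ' plaintext$'
}

# Constructed sample: the state the procedure should leave behind.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Server><Service name="Catalina">
  <!-- Define a non-SSL HTTP/1.1 Connector (constructed sample) -->
  <!--
  <Connector port="20760" maxThreads="150" redirectPort="8443" />
  -->
  <!-- Define a SSL Coyote HTTP/1.1 Connector (constructed sample) -->
  <Connector port="20760" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="products/gui/website/.keystore" />
</Service></Server>
EOF
active_connectors "$sample"
https_only "$sample" && echo "server.xml: HTTPS connector only"
```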
For information regarding configuring J2EE to work in HTTPS mode, see About Security Options in the Precise for J2EE User Guide.
For information on installing your own certificate for J2EE, see the Creating and installing certificates for SSL on page of the Precise Administration Guide.
...
- Open the \conf\httpd.conf file in the Apache installation folder.
- Change the line with the Listen and port number to the GUI port of Precise (the port that the Precise Tomcat Web server listens to, in this example 20760). The information will become:
  Listen 20760
- Change the line with the ServerName and port number (in this example 20760) to the required server and GUI port.
  ServerName GUI-TEST-INST.precise.com:20760
- Look for the following three lines with the proxy modules and remove the pound/hash marks (# sign) from them:
  LoadModule proxy_module modules/mod_proxy.so
  LoadModule proxy_connect_module modules/mod_proxy_connect.so
  LoadModule proxy_http_module modules/mod_proxy_http.so
- Change the port the Precise Tomcat Web server will listen to, for example to 20761, by adding the following entries at the end of the file, where the new port of the Tomcat is used (in this case 20761; see the following section about this port):
  <Proxy *>
  Order deny,allow
  Allow from all
  </Proxy>
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://gui-test-inst.precise.com:20761/
  ProxyPassReverse / http://gui-test-inst.precise.com:20761/
  Verify that http://gui-test-inst.precise.com:20761 is replaced with the fully qualified domain name and port of your Precise installation.
- Open the <Precise_root>/infra/setup.xml file and edit the <tomcat-port> tag.
- Change the port of the Precise Tomcat Web server to a port that is not open to the outside world, or is behind a firewall, to prevent direct access to it. In this example, the Tomcat port will be 20761.
- Restart first the Tomcat service and then the Apache service.
...
- Change the port of the Precise Tomcat Web server to a port that is not open to the outside world, or is behind a firewall, to prevent direct access to it. In this example, the Tomcat port will be 20761.
  Remember to make the change in the Precise setup.xml file.
- Enable the mod_proxy feature in the Apache Web server. For example, on a Debian server it is done by symlinking some files:
  symsrv:/etc/apache2/mods-enabled# ls
  cgid.conf cgid.load userdir.conf userdir.load
  symsrv:/etc/apache2/mods-enabled# ln -s ../mods-available/proxy.* .
  symsrv:/etc/apache2/mods-enabled# ln -s ../mods-available/proxy_http.* .
  symsrv:/etc/apache2/mods-enabled# ls
  cgid.conf cgid.load proxy.conf proxy.load proxy_http.conf proxy_http.load userdir.conf userdir.load
- Configure the mod_proxy feature by creating a configuration file snippet, conf.d/symi3, as described in the following code:
  symsrv:/etc/apache2/mods-enabled# cd ../conf.d
  symsrv:/etc/apache2/conf.d# cat > symi3
  <Proxy *>
  Order deny,allow
  Allow from all
  </Proxy>
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://gui-test-inst.precise.com:20761/
  ProxyPassReverse / http://gui-test-inst.precise.com:20761/
  teacup:/etc/apache2/conf.d#
  Verify that http://gui-test-inst.precise.com:20761 is replaced with the fully qualified domain name and port of your Precise installation.
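The mod_proxy fragment used in both Apache procedures above can be checked before the restart. This added example (not part of the Precise documentation) flags a fragment where ProxyRequests is not Off, which combined with the "Allow from all" in <Proxy *> would leave a forward proxy open to any client, where the ProxyPass and ProxyPassReverse back ends differ, where the documentation host name gui-test-inst.precise.com is still in place, or where Apache listens on the Tomcat port. The finding names, the function name and the sample file are constructed.

```shell
#!/bin/sh
# Added example: sanity-check the reverse-proxy fragment from this page.
# Prints one finding per line; exit status is non-zero if anything is flagged.
audit_proxy_conf() {
    awk '
    function hostport(url) {           # "http://h:p/" -> "h:p"
        sub(/^[a-zA-Z]+:\/\//, "", url); sub(/\/.*$/, "", url)
        return tolower(url)
    }
    $1 ~ /^#/ { next }                  # ignore commented-out directives
    { d = tolower($1) }
    d == "listen"           { n = split($2, a, ":"); listen = a[n] }
    d == "proxyrequests"    { preq = tolower($2) }
    d == "proxypass"        { pass = hostport($3) }
    d == "proxypassreverse" { rev = hostport($3) }
    END {
        split(pass, b, ":")             # b[1] = back-end host, b[2] = port
        if (preq != "off") { print "open-forward-proxy"; bad = 1 }
        if (pass == "")    { print "no-proxypass";       bad = 1 }
        if (pass != rev)   { print "backend-mismatch";   bad = 1 }
        if (b[1] == "gui-test-inst.precise.com")
                           { print "placeholder-backend"; bad = 1 }
        if (listen != "" && listen == b[2])
                           { print "listen-equals-backend"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: the fragment with ProxyRequests left On and the
# documentation host name not yet replaced.
weak=$(mktemp)
cat > "$weak" <<'EOF'
Listen 20760
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests On
ProxyPreserveHost On
ProxyPass / http://gui-test-inst.precise.com:20761/
ProxyPassReverse / http://gui-test-inst.precise.com:20761/
EOF
audit_proxy_conf "$weak" || echo "-> resolve the findings above before restarting Apache"
```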
...
Precise Version 9.6 can integrate with Lightweight Directory Access Protocol (LDAP). LDAP is a better option than JAAS. The following section describes how to configure LDAP.
...
Once integrated with LDAP, Precise Version 9.6 gets all users and groups from the LDAP and synchronizes them into its own database. Login passwords are authorized by LDAP, thus preventing the need to keep (and verify) the users' passwords within Precise.
...
For more information on running the LDAP-sync command, see the Precise CLI Utility Reference Guide. See Authenticate to CLI Utility.