About SSL in Hyperic

About this page...

This page has information about how SSL communications work in Hyperic. Read this page to understand Hyperic's default behaviors and SSL configuration options and tasks. For instructions on configuring SSL communications and certificates, see:

Hyperic SSL Support

Hyperic 4.6 and later supports the use of SSL communication for both server-to-agent and agent-to-server communications. Server-to-agent communication is always SSL; you cannot configure Hyperic to use plain HTTP for server-to-agent communication. You configure SSL for agent-to-server communication when you configure agent-server communications, either interactively at first agent startup, or in AgentHome/conf/agent.properties using the agent.setup.camSecure property.

The Hyperic Agent can manage products over SSL, if the product plugin supports it.

Overview of Hyperic 4.6.x SSL Configuration and Defaults

When the Hyperic 4.6.x server and a Hyperic 4.6.x Agent communicate over SSL, each component validates the other's SSL certificate.

Ideally, you should configure Hyperic components to communicate with each other via SSL at installation time. Detailed instructions are provided in Hyperic Installation and Startup Process. The key tasks are:

  • Install the Hyperic Server's keystore before installing the server.

  • When you run the Hyperic 4.6.x installer in -full mode, it offers you the option of configuring the location and password of an existing keystore on the Hyperic Server host. Choose the "user-managed keystore" option and supply the keystore path and password during the server installation dialog.

    Default Server Keystore

    If you do not configure the server to use an existing keystore, and supply its location and password during server installation, the installer will create a keystore for the server with a self-signed certificate. The keystore, named hyperic.keystore, will be in ServerHome/conf, and have the password "hyperic". The server will present the self-signed certificate when communicating with agents.

  • Install the Hyperic Agent's keystore prior to first startup — You must configure the keystore path and password (and also its alias, if you configure unidirectional agent-server communication) in the agent.properties file before starting the agent the first time.

  • Configure the Hyperic agent to use SSL when contacting the Hyperic Server — You can do so either interactively at first agent startup, or in AgentHome/conf/agent.properties using the agent.setup.camSecure property.

    Default Agent Keystore

    If you do not configure the keystore information in agent.properties before first startup, the agent will create a keystore with a self-signed certificate. If you choose to run with Hyperic-generated keystores, update the password for each Hyperic-generated keystore; edit agent.keystore.password in the agent.properties file, and restart the agent.

  • Import Managed Product Certs — In Hyperic 4.6, Hyperic plugins that connect to managed products over SSL are updated to support certificate verification. To enable management of such products by a 4.6.x agent, it may be necessary to manually import the target server's certificate into the agent keystore if the server's certificate is not trusted. For more information see Managed Products and SSL.

Reconfiguring Certs After Installation and Startup

If you did not configure user-managed keystores for Hyperic 4.6.x at initial installation, and wish to reconfigure the server and agent for user-managed keystores, see Reconfigure Hyperic for Trusted SSL Certificates on Configure SSL Options.

SSL and Hyperic Product Plugins

In Hyperic 4.6.x, Hyperic plugins that connect to managed products over SSL are updated to support certificate verification. To enable management of such products by a 4.6.x agent, it may be necessary to manually import the target server's certificate into the agent keystore if the server's certificate is not trusted. Affected plugins include:

Import of the managed server's certificate is necessary only if the Hyperic Agent cannot verify the certificate. If the agent's keystore contains a CA cert and the managed server's certificate has been signed by that CA, the agent will be able to verify the certificate. Otherwise, you should import the certificate of the signing CA, which is preferable to simply importing the managed server's certificate. If you are not sure which CAs signed the certificates, you might consider importing the certificates in your JRE cacerts file, which contains certificates for a variety of common CAs.
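The two administrative tasks above, checking that an agent.properties file actually enables SSL with a non-default keystore password, and importing a signing CA's certificate into the agent keystore, as an added shell example that is not part of the Hyperic documentation. It assumes keytool is on PATH; agent.setup.camSecure and agent.keystore.password are the property names given on this page, while agent.keystore.path and the accepted value "yes" are assumptions of this example.

```shell
#!/bin/sh
# Audit a Hyperic agent.properties for the SSL settings described above and
# import a trusted CA certificate into the agent keystore.
# agent.keystore.path, the accepted value "yes" and the keytool wrapper are
# assumptions of this example, not taken from the Hyperic documentation.

# prop FILE KEY: print the last uncommented value of KEY (empty if unset).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_agent_properties FILE: print one line per finding; return the count.
audit_agent_properties() {
    f="$1"; n=0
    case "$(prop "$f" agent.setup.camSecure)" in
        yes|true) ;;
        *) echo "agent.setup.camSecure not enabled: agent-to-server traffic is plain HTTP"; n=$((n+1)) ;;
    esac
    [ -n "$(prop "$f" agent.keystore.path)" ] ||
        { echo "agent.keystore.path unset: agent will generate a self-signed keystore"; n=$((n+1)); }
    case "$(prop "$f" agent.keystore.password)" in
        "") echo "agent.keystore.password unset"; n=$((n+1)) ;;
        hyperic) echo "agent.keystore.password is the documented Hyperic default; change it"; n=$((n+1)) ;;
    esac
    return "$n"
}

# import_trusted_cert KEYSTORE STOREPASS ALIAS CERT_FILE: add a signing CA
# (preferred) or a managed server's certificate so the agent can verify it.
import_trusted_cert() {
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Constructed sample: an agent.properties still carrying installer defaults.
tmp=$(mktemp -d)
printf '%s\n' 'agent.setup.camSecure=no' \
    '# agent.keystore.path=/opt/hyperic/agent/conf/hyperic.keystore' \
    'agent.keystore.password=hyperic' > "$tmp/agent.properties"
audit_agent_properties "$tmp/agent.properties" || echo "findings: $?"
rm -rf "$tmp"
```

The sample file reports three findings; a file with agent.setup.camSecure=yes, a keystore path and a changed password returns 0.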