Configure SSL Options

About this page...

This page has information about configuring Hyperic components for user-managed keystores. If you do not configure the Hyperic Server and Hyperic Agents to use keystores you establish and manage, they will generate default keystores with self-signed certificates.

Hyperic recommends user-managed keystores. For more information, see About SSL in Hyperic.

The information on this page relates to the Configure User-Managed Keystore for Server and Configure User-Managed Keystore for Agent steps in the Hyperic Installation and Startup Process.

SSL Setup for New Hyperic Installations


This section summarizes the key steps in configuring a new Hyperic 4.6 deployment for user-managed keystores. To see how these steps fit into the overall installation and startup process, see Hyperic Installation and Startup Process.

  1. Obtain SSL certificates for the Hyperic Server and each Hyperic Agent.

  2. Set up a JKS format keystore for the Hyperic Server on its host, import the SSL certificate for it, and note the full path to the keystore and its password. When you run the Hyperic installer in -full mode, the installer prompts for this information.

  3. Set up a keystore for each Hyperic Agent on its host, import the SSL certificate for it, and configure its location and password in the agent's AgentHome/conf/agent.properties file by setting the values of agent.keystore.path and agent.keystore.password.

    Password Requirement for Hyperic Keystores

    The Hyperic Server's keystore password and private key password must be the same — otherwise, the Hyperic Server's internal Tomcat-based server will be unable to start. For information about why, see http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html. Follow the same convention for a Hyperic Agent keystore: set the password for the agent keystore to be the same as the agent private key password.

  4. If you plan to configure Hyperic Agents for unidirectional communication, define the keystore name using the agent.keystore.alias property.

  5. Restart each agent after editing its properties file.
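
One way to carry out the keystore steps above with the JDK's keytool, shown as an added example rather than Hyperic's own tooling. The alias hq-agent, the distinguished name, the file names and the KS_PASS environment variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example: build a JKS keystore whose store password and key
# password are the same. Alias, DN and KS_PASS are placeholders.

# make_keystore KEYSTORE: generate an RSA key pair in a new JKS keystore.
# -storepass:env / -keypass:env read the password from the named
# environment variable, so it does not appear in the process list.
make_keystore() {
    keytool -genkeypair -alias hq-agent -keyalg RSA -keysize 2048 \
        -dname "CN=agent01.example.test" -validity 365 \
        -storetype JKS -keystore "$1" \
        -storepass:env KS_PASS -keypass:env KS_PASS
}

# make_csr KEYSTORE CSR: write the signing request to send to your CA.
# No -keypass is given, so keytool tries the store password on the
# private key; with stdin closed it fails rather than prompting when
# the two passwords differ, which makes this a check of the requirement.
make_csr() {
    keytool -certreq -alias hq-agent -keystore "$1" \
        -storepass:env KS_PASS -file "$2" < /dev/null
}

# import_signed KEYSTORE CA_CERT SIGNED_CERT: trust the CA first, then
# install the CA's reply under the same alias as the private key.
import_signed() {
    keytool -importcert -noprompt -trustcacerts -alias ca-root \
        -keystore "$1" -storepass:env KS_PASS -file "$2" &&
    keytool -importcert -alias hq-agent \
        -keystore "$1" -storepass:env KS_PASS -file "$3" < /dev/null
}

# Typical order: export KS_PASS, then
#   make_keystore agent.jks && make_csr agent.jks agent.csr
#   import_signed agent.jks ca.pem agent-signed.pem
```

Set agent.keystore.path to the resulting file and agent.keystore.password to the value held in KS_PASS.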

SSL Setup for Upgrade Installations

Please see Hyperic Upgrade Processes.

Managed Products and SSL

In Hyperic 4.6, Hyperic plugins that connect to managed products over SSL are updated to support certificate verification. To enable management of such products by a 4.6 agent, it may be necessary to manually import the target server's certificate into the agent keystore if the server's certificate is not trusted. Affected plugins include:

Import of the managed server's certificate is necessary only if the Hyperic Agent cannot verify the certificate. If the agent's keystore contains a CA cert and the managed server's certificate has been signed by that CA, the agent will be able to verify the certificate. Otherwise, you should import the certificate of the signing CA, which is preferable to simply importing the managed server's certificate. If you are not sure of all of the CAs for signed certificates, you might consider importing the certificates in your JRE cacerts file, which contains certificates for a variety of common CAs.

Reconfigure Hyperic for Trusted SSL Certificates

This section has instructions for changing Hyperic's SSL certificate configuration from default, Hyperic-generated keystores to user-managed keystores.

  1. Install and configure a trusted PKCS12 format keystore for Hyperic Server:

    1. Obtain an SSL certificate from your CA and install it on the Hyperic Server host.

    2. Open ServerHome/conf/hq-server.conf in a text editor.

    3. Set the value of accept.unverified.certificates to "false".

    4. Define the location of your trusted keystore with the server.keystore.path property.

    5. Define the password for your trusted keystore with the server.keystore.password property.

    6. Save your changes.

    7. Restart the Hyperic Server.

  2. For each Hyperic 4.6 Agent reporting to the Hyperic Server:

    1. Obtain an SSL certificate from your CA and install it on the Hyperic Agent host.

    2. Open AgentBundle/AgentHome/agent.properties in a text editor.

    3. Set the value of agent.setup.acceptUnverifiedCertificate to "false".

    4. Define the location of your trusted keystore with the agent.keystore.path property.

    5. Define the password for your trusted keystore with the agent.keystore.password property.

    6. Save your changes.

    7. Restart the Hyperic Agent.
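
A check that a server or agent file ended up as the procedure above describes, as an added example that is not part of Hyperic. The function names prop and audit_ssl are hypothetical, the sample file is constructed, and the file-mode check is an extra precaution that the page does not list.

```bash
#!/usr/bin/env bash
# Added example: audit hq-server.conf / agent.properties for the
# trusted-keystore settings. Function names are hypothetical.

# prop FILE KEY: print the last value assigned to KEY, skipping comments.
prop() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ || !index($0, "=") { next }
        { key = substr($0, 1, index($0, "=") - 1)
          val = substr($0, index($0, "=") + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key)
          gsub(/^[ \t"]+|[ \t\r"]+$/, "", val)
          if (key == k) found = val }
        END { print found }' "$1"
}

# audit_ssl FILE server|agent: print one finding per line; return 0 only
# when the file matches the trusted-certificate procedure.
audit_ssl() {
    local file=$1 accept path pass v ks mode bad=0
    case $2 in
        server) accept=accept.unverified.certificates
                path=server.keystore.path pass=server.keystore.password ;;
        agent)  accept=agent.setup.acceptUnverifiedCertificate
                path=agent.keystore.path pass=agent.keystore.password ;;
        *) echo "usage: audit_ssl FILE server|agent" >&2; return 2 ;;
    esac
    v=$(prop "$file" "$accept")
    [ "$v" = false ] || { echo "$accept is '${v:-unset}', not false"; bad=1; }
    ks=$(prop "$file" "$path")
    if [ -z "$ks" ]; then echo "$path is not set"; bad=1
    elif [ ! -r "$ks" ]; then echo "keystore $ks is not readable"; bad=1; fi
    [ -n "$(prop "$file" "$pass")" ] || { echo "$pass is not set"; bad=1; }
    # The file carries the keystore password: flag group/other access.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in *00) ;; *) echo "mode $mode allows non-owner access"; bad=1 ;; esac
    return $bad
}

# Constructed sample: a server file still at the self-signed setting.
demo=$(mktemp -d)
printf 'accept.unverified.certificates=true\n' > "$demo/hq-server.conf"
audit_ssl "$demo/hq-server.conf" server || echo "findings above need fixing"
rm -rf "$demo"
```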

Reconfigure Hyperic for Self-Signed Certificates

This section has instructions for changing Hyperic's SSL certificate configuration from user-managed keystores to default, Hyperic-generated keystores.

Default Certs Not Recommended

For best security, do not configure Hyperic to use self-signed certificates.

  1. Open ServerHome/conf/hq-server.conf in a text editor.

    1. Set the value of accept.unverified.certificates to "true".

    2. Restart the Hyperic Server.

  2. For each Hyperic 4.6 Agent reporting to the Hyperic Server:

    1. Open AgentBundle/AgentHome/agent.properties in a text editor.

    2. Set the value of agent.setup.acceptUnverifiedCertificate to "true".

    3. Save your changes.

    4. Restart the Hyperic Agent.