Securing the Hyperic Server

The Hyperic Server includes a default self-signed SSL certificate in its keystore; the same certificate is shipped with every Hyperic Server. Because this certificate is identical on every installation and freely available, anyone who connects to your Hyperic Server over HTTPS in its out-of-the-box configuration has no real basis for trusting the certificate. Although this is adequate during the testing phase of your application, in production you typically want to configure Hyperic Server more securely. This section describes the basic steps for securing the Hyperic Server when connecting to it over HTTPS.

Note

It is assumed that you understand basic SSL concepts such as certificates, public and private keys, keystores, and truststores. It is also assumed that you know how to get a certificate from a trusted certificate authority or how to generate your own. The main focus in this section is how to update the Hyperic Server configuration so that the server uses your certificate.

  1. Obtain a certificate from a trusted certificate authority (CA) such as Verisign or create your own.

    Use the keytool command-line tool, provided in the Sun JDK, to generate a certificate. The keytool documentation also describes how to obtain a certificate from a CA.

  2. Install the certificate into the Hyperic Server keystore. When you first install Hyperic Server, this keystore contains a self-signed certificate; replace the default certificate with your own certificate that you got from a CA or that you generated with a tool such as keytool.

    Update the Hyperic Server's default keystore file:

    • Keystore name: hyperic.keystore

    • Keystore location: INSTALL_DIR/server-4.6.X.X-EE/hq-engine/hq-server/conf directory, where INSTALL_DIR refers to the directory in which you installed Hyperic Server, such as /opt/vmware/hyperic.

    • Keystore password: hyperic.

    As with generating your own certificate, you can also use the keytool command-line tool to update a keystore.

  3. Optional Step: Change the default Hyperic Server keystore and truststore filename, location, and password by updating INSTALL_DIR/server-4.6.X.X-EE/hq-engine/hq-server/conf/server.xml. This step is unnecessary if you simply install your certificate in the default Hyperic Server keystore file, as described in the preceding step.

    In the server.xml file, edit the <Connector> element that corresponds to the SSL port, which is the port that Hyperic Server uses for HTTPS. The keystoreFile, keystorePass, truststoreFile, and truststorePass attributes identify the keystore and truststore files and their passwords. The following snippet shows the default <Connector> configuration:

    <Connector port="${server.webapp.secure.port}" 
             executor="tomcatThreadPool" maxHttpHeaderSize="8192"
             emptySessionPath="true" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false" 
             keystoreFile="${catalina.base}/conf/hyperic.keystore"
             keystorePass="hyperic"
             truststoreFile="${catalina.base}/conf/hyperic.keystore"
             truststorePass="hyperic" 
             sslProtocol = "TLS" />

    In the preceding snippet, the variable ${catalina.base} points to the INSTALL_DIR/server-4.6.X.X-EE/hq-engine/hq-server directory.

  4. Restart the Hyperic Server for the changes to take effect.

The Hyperic Server then uses your certificate rather than the insecure out-of-the-box certificate installed with Hyperic Server.
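As an added example that is not part of Hyperic or its documentation, the following Python script reads a server.xml and reports every attribute of the HTTPS <Connector> that still carries the out-of-the-box value quoted in step 3, which is a quick way to confirm that steps 2 and 3 were actually applied before the restart. It assumes only the default file name and password given above; the hardened sample values are constructed placeholders.

```python
"""Audit a Hyperic Server server.xml for the shipped SSL defaults.
Added example, not Hyperic's own tooling: it flags every attribute of
an SSL-enabled <Connector> that still has the documented default value.
"""
import sys
from typing import List
import xml.etree.ElementTree as ET

DEFAULT_STORE = "hyperic.keystore"  # shipped keystore/truststore file name
DEFAULT_PASS = "hyperic"            # shipped keystore/truststore password


def audit_ssl_connectors(server_xml: str) -> List[str]:
    """Return one finding per default-valued attribute on each SSL connector."""
    findings = []
    root = ET.fromstring(server_xml)
    # iter() yields the root itself, so a bare <Connector> snippet also works
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        port = conn.get("port", "?")
        for attr in ("keystoreFile", "truststoreFile"):
            if conn.get(attr, "").endswith(DEFAULT_STORE):
                # Not wrong by itself (step 3 is optional), but the shipped
                # self-signed certificate must then have been replaced inside it.
                findings.append(f"port {port}: {attr} is still {DEFAULT_STORE}; "
                                "verify the default certificate was replaced")
        for attr in ("keystorePass", "truststorePass"):
            if conn.get(attr) == DEFAULT_PASS:
                findings.append(f"port {port}: {attr} is the published default")
    return findings


# Constructed inputs: the default connector from this section, and a
# hardened variant with a dedicated store and a placeholder password.
DEFAULT_CONNECTOR = """<Connector port="${server.webapp.secure.port}"
    executor="tomcatThreadPool" maxHttpHeaderSize="8192"
    emptySessionPath="true" protocol="HTTP/1.1" SSLEnabled="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${catalina.base}/conf/hyperic.keystore" keystorePass="hyperic"
    truststoreFile="${catalina.base}/conf/hyperic.keystore" truststorePass="hyperic"
    sslProtocol="TLS" />"""
HARDENED_CONNECTOR = (DEFAULT_CONNECTOR.replace("hyperic.keystore", "hq-prod.jks")
                      .replace('Pass="hyperic"', 'Pass="CHANGE-ME-placeholder"'))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_CONNECTOR
    print("\n".join(audit_ssl_connectors(text) or ["no shipped defaults found"]))
```

Run it as `python audit_hyperic_ssl.py INSTALL_DIR/server-4.6.X.X-EE/hq-engine/hq-server/conf/server.xml`; an empty result means no documented default remains in the SSL connector.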

When you next use a browser to invoke the Hyperic user interface, the browser automatically trusts a certificate from a certificate authority (CA) such as VeriSign, or it asks whether you want to trust an unrecognized certificate, and updates its internal trust store accordingly.

If you are using the tcsadmin command-line interface to access the Hyperic Server, you need to update the truststore on the corresponding client computer only if the signing authority is not already trusted. If you do need to update the truststore, import the new certificate (its public key) that you previously installed in the Hyperic Server's keystore. You do this either by updating the default truststore in the client's JVM (the JAVA_HOME/lib/security/jssecacerts or JAVA_HOME/lib/security/cacerts file) or by creating a new truststore and pointing to it with the javax.net.ssl.trustStore system property. For more information, see Customizing the Default Key and Trust Stores, Store Types, and Store Passwords.