(Optional) Configure Spring Insight for SSL

You can configure Spring Insight Operations so that Insight Agents connect to Insight Dashboard securely through SSL. The Insight Agent and Insight Dashboard complete a handshake that includes establishing trust and negotiating data encryption parameters. The data that they exchange for the duration of the connection is encrypted and secured from eavesdropping or tampering.

SSL uses public-key cryptography, which requires creating key pairs and certificates, keystores (a host's own private key and certificate), and truststores (the certificates a host is willing to accept from its peers). These procedures use the keytool utility included with the Sun JDK to create self-signed certificates and stores. Self-signed means that the certificates you generate are not signed by a Certificate Authority, such as VeriSign or Thawte. An Agent therefore trusts the Dashboard only because you copy the Dashboard certificate into the Agent truststore yourself, so make that copy over a channel you control and check the certificate fingerprint when it arrives.

  1. Set Up SSL for Spring Insight Dashboard.

    Configure Spring Insight Dashboard so that Insight Agents can connect securely through SSL.

  2. Set Up SSL for Spring Insight Agents.

    Perform these steps for each tc Server instance that is running Spring Insight Agent.

Set Up SSL for Spring Insight Dashboard

If you already have keystores, you can use them in this procedure instead of generating new ones. This procedure uses the keytool utility included with the Sun JDK to create self-signed certificates and stores. If you prefer to use a CA-signed certificate, purchase one from a CA such as VeriSign or Thawte. For help creating a Certificate Signing Request (CSR) and importing the signed certificate and trusted certificates into your keystore, see the documentation for keytool.

You can use another SSL toolset, such as OpenSSL. See the documentation for your toolset for the correct commands to use in the following procedures. Note that the JVM reads its keystore in a Java keystore format: a key and certificate produced with OpenSSL must be bundled into a PKCS12 file, and the JVM told about the format with -Djavax.net.ssl.keyStoreType=PKCS12, before it can use them.

Procedure

  1. Change to the directory where you want to create the keystore, for example CATALINA_BASE/conf.

  2. If you do not already have a keystore file, create one with the following command:

    prompt$ keytool -genkey -alias dashboard -keyalg RSA -keystore dashboard.keystore
  3. Enter the requested information at the prompts.

    This information is encoded into the certificate the command creates. At the "first and last name" prompt, enter the host name that Agents will use to reach the Dashboard; it becomes the certificate's Common Name. keytool asks for a keystore password and then for a key password. Press Enter at the key password prompt so that both are the same: the javax.net.ssl settings in step 7 supply a single password, which the JVM uses both to open the keystore and to unlock the private key. Make a note of the keystore password for use in later commands.

    The command creates the file dashboard.keystore containing one entry with the alias dashboard.

  4. Export the dashboard certificate.

    prompt$ keytool -export -alias dashboard -keystore dashboard.keystore -file dashboard_cert
  5. At the prompt, enter the keystore password.

    The file dashboard_cert is created in the current directory. You will need this file later when you create truststores for the Agents.

  6. Edit CATALINA_BASE/insight/insight.properties and change the dashboard.jms.bind.uri property to use the SSL scheme.

    dashboard.jms.bind.uri: ssl://localhost:20234

    With localhost, the Dashboard accepts connections only from Agents running on the same host. For Agents on other hosts, bind to the host name or address that those Agents use in their dashboard.jms.connect.uri.
  7. Set the Java system properties to specify the location of the dashboard.keystore file and the keystore password.

    It is easiest to do this in the CATALINA_BASE/bin/setenv.sh script. Edit the setenv.sh script and add these lines above the JAVA_OPTS=... line. The property names are the standard JSSE names and are case-sensitive: javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword, with a capital S. A lower-case spelling is silently ignored by the JVM, and SSL connections then fail at the handshake because the Dashboard has no server key.

    SSL_KEYSTORE="/full/path/to/dashboard.keystore" # e.g. "$CATALINA_BASE/conf/dashboard.keystore"
    SSL_KEYSTORE_PW="keystore_password"
    SSL_OPTS="-Djavax.net.ssl.keyStore=$SSL_KEYSTORE -Djavax.net.ssl.keyStorePassword=$SSL_KEYSTORE_PW"

    Because setenv.sh now holds the keystore password in clear text, make both setenv.sh and dashboard.keystore readable only by the user that runs tc Runtime (for example, chmod 600).
  8. Add the SSL_OPTS environment variable to the JAVA_OPTS variable.

    JAVA_OPTS="$JVM_OPTS $AGENT_PATHS $JAVA_AGENTS $JAVA_LIBRARY_PATH $SSL_OPTS"

To enable the changes, restart the tc Runtime instance.

Set Up SSL for Spring Insight Agents

Set up SSL for Insight Agents so that they can connect securely to Insight Dashboard. Complete this procedure for each tc Server instance that is running Spring Insight Agent.

Prerequisites

  • Complete the steps in Set Up SSL for Spring Insight Dashboard.

  • Copy the dashboard_cert certificate file you exported in the previous procedure onto each Agent host computer, or make it available on a network drive or a thumb drive. The certificate is public, but its integrity is what the Agents' trust rests on: before importing it, compare the fingerprint shown by keytool -printcert -file dashboard_cert on the Agent host with the fingerprint of the dashboard entry shown by keytool -list -keystore dashboard.keystore on the Dashboard host.

Procedure

  1. Change to the directory where you want to create the Insight Agent keystore and truststore files, for example, CATALINA_BASE/conf.

  2. Create a keystore for the agent, if one does not already exist.

    keytool -genkey -alias agent -keyalg RSA -keystore agent.keystore
  3. When prompted, enter the requested information.

    The identification information is encoded into the Agent's certificate. As on the Dashboard, press Enter at the key password prompt so that the key password matches the keystore password; step 6 supplies only one password to the JVM. Make a note of the keystore password you create for later steps. The command creates the agent.keystore file in the current directory.

  4. Create a truststore and import the dashboard public certificate.

    keytool -import -alias dashboard -keystore agent.truststore -file /full/path/to/dashboard_cert

    keytool prompts for a password for the new truststore, prints the certificate, and asks "Trust this certificate?". Check the fingerprint against the one you recorded on the Dashboard host before answering yes.
  5. Edit CATALINA_BASE/insight/insight.properties and change the dashboard.jms.connect.uri property to use the SSL scheme.

    dashboard.jms.connect.uri: ssl://dashboardHost:20234
  6. Set the Java system properties to specify the location of the agent.keystore file, the location of the agent.truststore file, and the keystore password.

    It is easiest to do this in the CATALINA_BASE/bin/setenv.sh script. Edit the setenv.sh script and add the following lines before the JAVA_OPTS=... line. As on the Dashboard, the JSSE property names are case-sensitive (keyStore, trustStore, keyStorePassword).

    SSL_KEYSTORE="/full/path/to/agent.keystore" # e.g. "$CATALINA_BASE/conf/agent.keystore"
    SSL_TRUSTSTORE="/full/path/to/agent.truststore" # e.g. "$CATALINA_BASE/conf/agent.truststore"
    SSL_KEYSTORE_PW="keystore_password"
    SSL_OPTS="-Djavax.net.ssl.keyStore=$SSL_KEYSTORE -Djavax.net.ssl.trustStore=$SSL_TRUSTSTORE \
        -Djavax.net.ssl.keyStorePassword=$SSL_KEYSTORE_PW"

    Restrict setenv.sh, agent.keystore and agent.truststore to the user that runs tc Runtime (for example, chmod 600), since the password is stored in clear text.
  7. Add the SSL_OPTS environment variable to the JAVA_OPTS variable.

    JAVA_OPTS="$JVM_OPTS $AGENT_PATHS $JAVA_AGENTS $JAVA_LIBRARY_PATH $SSL_OPTS"

To enable these changes, restart the tc Runtime instance.
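The two procedures above, carried through as one script and followed by a pre-flight check that can be run before the restart. This is an added example, not code from the Spring Insight documentation or distribution: make_stores builds the Dashboard keystore, exports its certificate and imports it into an Agent truststore without interactive prompts (the -dname values, the host name and the "changeit" password are placeholders), then confirms both stores report the same fingerprint; check_ssl_config inspects an SSL_OPTS value and an insight.properties file for the mistakes that most often break this setup: a misspelled or lower-case JSSE property name, a store path that does not exist, a store readable by other users, and a URI that still uses tcp://. keytool from a JDK is assumed to be on PATH for make_stores; the check needs only a POSIX shell.

```shell
#!/bin/sh
# Added example for the Spring Insight SSL procedures; not part of the product.
# Function names, the CN/O values and the "changeit" password are placeholders.
set -u

# Build dashboard.keystore, export dashboard_cert and create agent.truststore
# non-interactively, then confirm both stores hold the same certificate.
make_stores() {
    dir=$1; storepass=$2; host=$3
    # Key password equals the keystore password: JSSE is given only one password.
    keytool -genkeypair -alias dashboard -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host, O=Example" -keystore "$dir/dashboard.keystore" \
        -storepass "$storepass" -keypass "$storepass" >/dev/null 2>&1 || return 1
    keytool -exportcert -alias dashboard -keystore "$dir/dashboard.keystore" \
        -storepass "$storepass" -file "$dir/dashboard_cert" >/dev/null 2>&1 || return 1
    # -noprompt skips the "Trust this certificate?" question; the fingerprint
    # comparison below replaces the manual check.
    keytool -importcert -noprompt -alias dashboard -keystore "$dir/agent.truststore" \
        -storepass "$storepass" -file "$dir/dashboard_cert" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/dashboard.keystore" "$dir/agent.truststore"
    fp_ks=$(keytool -list -keystore "$dir/dashboard.keystore" -storepass "$storepass" \
        -alias dashboard 2>/dev/null | grep -i fingerprint)
    fp_ts=$(keytool -list -keystore "$dir/agent.truststore" -storepass "$storepass" \
        -alias dashboard 2>/dev/null | grep -i fingerprint)
    [ -n "$fp_ks" ] && [ "$fp_ks" = "$fp_ts" ]
}

# A store file must exist and must not be readable by group or other.
check_store_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing store file: $f"; return 1
    fi
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    perm=$(ls -ld "$f" | cut -c5-10)
    if [ "$perm" != "------" ]; then
        echo "$f is readable by group/other (mode bits $perm); use chmod 600"; return 1
    fi
}

# check_ssl_config ROLE SSL_OPTS PROPERTIES_FILE
# ROLE is dashboard or agent. Prints every problem found; returns 0 only if none.
check_ssl_config() {
    role=$1; opts=$2; props=$3
    rc=0; have_ks=0; have_ts=0
    for word in $opts; do
        case $word in
            -Djavax.net.ssl.*=*) ;;
            *) continue ;;
        esac
        name=${word#-Djavax.net.ssl.}; name=${name%%=*}
        value=${word#*=}
        case $name in
            keyStore)   have_ks=1; check_store_file "$value" || rc=1 ;;
            trustStore) have_ts=1; check_store_file "$value" || rc=1 ;;
            keyStorePassword|trustStorePassword) ;;
            # JSSE property names are case-sensitive; "keystore" is silently ignored by the JVM.
            *) echo "unknown property javax.net.ssl.$name (valid: keyStore, keyStorePassword, trustStore, trustStorePassword)"
               rc=1 ;;
        esac
    done
    [ "$have_ks" -eq 1 ] || { echo "javax.net.ssl.keyStore is not set"; rc=1; }
    if [ "$role" = agent ] && [ "$have_ts" -eq 0 ]; then
        echo "javax.net.ssl.trustStore is not set; the Agent cannot trust the Dashboard certificate"; rc=1
    fi
    key=dashboard.jms.bind.uri
    if [ "$role" = agent ]; then key=dashboard.jms.connect.uri; fi
    uri=$(sed -n "s/^$key[:=][[:space:]]*//p" "$props" 2>/dev/null | head -n 1)
    case $uri in
        ssl://*) ;;
        *) echo "$key is '$uri' in $props; expected an ssl:// URI"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone run: build stores in a scratch directory (when keytool is present)
# and check a Dashboard-style SSL_OPTS line against them.
if command -v keytool >/dev/null 2>&1; then
    scratch=$(mktemp -d)
    printf 'dashboard.jms.bind.uri: ssl://localhost:20234\n' > "$scratch/insight.properties"
    if make_stores "$scratch" changeit dashboard.example.internal; then
        check_ssl_config dashboard \
            "-Djavax.net.ssl.keyStore=$scratch/dashboard.keystore -Djavax.net.ssl.keyStorePassword=changeit" \
            "$scratch/insight.properties" && echo "dashboard SSL settings look good"
    fi
    rm -rf "$scratch"
fi
```

Run check_ssl_config on each host with the role, the SSL_OPTS value from setenv.sh and the path to insight.properties; a non-zero exit with a printed reason means the restart would come up with broken SSL. The permission test reads the mode bits with ls rather than testing access, so it reports a world-readable keystore even when run as root.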