
Configuring SIP to Use Secure Socket Layer (SSL) Protocol for HTTPS

Whitepaper

Version 1.0 February 8, 2002

Table of Contents
Introduction
Required Software JSSE
Installation and Configuration of JSSE
SIP Configuration
    JVM Startup Configuration
    LDAP Authentication Provider
    SIPConfig GUI
    SIP Generic Module

Introduction
Service Information Portal (SIP) has been designed to work in a distributed environment and to provide your customers with valuable information about the performance and current status of systems and services within a managed environment. In some configurations, communication between SIP and backend management stations and/or LDAP servers uses SSL as depicted below. This document will describe the configuration necessary for SIP to use Secure Socket Layer (SSL) when communicating with various backend systems.

[Figure: Browser --(HTTP over SSL)--> SIP Server --(SSL)--> Backend Management Stations / LDAP Servers]

The following services already support the use of SSL:

    - LDAP
    - SIP Generic Module, through https requests

The following hp OpenView products do not currently support https/SSL usage in their communication with SIP, but may support it in the future. Check http://openview.hp.com for updated information on these products.

    - hp OpenView internet services (http://openview.hp.com/products/internetservices)
    - hp OpenView reporter (http://openview.hp.com/products/reporter)

Required Software JSSE


The 1.3 Java JDK/JRE from Sun does not provide an implementation of the SSL protocol for use by applications. Instead, a separate package from Sun is available, named Java Secure Socket Extension (JSSE). JSSE is a reference implementation of SSL for Java. It implements the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols, and includes functionality for data encryption, server authentication, message integrity, and optional client authentication. JSSE for Java 1.3 is available for download from the Sun web site at http://java.sun.com/products. Note: JSSE has been integrated into the Java 2 SDK, Standard Edition (J2SDK), v 1.4, which is currently a Beta release.

Installation and Configuration of JSSE


Step 1: Download the JSSE implementation from the Sun web site and unpack the download file. Follow the primary installation instructions contained in the file INSTALL.txt, which is provided as part of the JSSE download. Make sure the new jar files (jcert.jar, jnet.jar, jsse.jar) are installed in the jre/lib/ext directory. For example, on Windows the jar files might be installed in C:\jdk1.3\jre\lib\ext; on HP-UX the path would be /opt/java1.3/jre/lib/ext. The exact location depends on the installation directory of your JDK.

As noted in the INSTALL.txt file, it is important that the file java.security located in jre\lib\security contains the following line:

    security.provider.#=com.sun.net.ssl.internal.ssl.Provider

where the # is replaced with the appropriate integer value based on the number of providers already configured (the indexes must be consecutive, so use the next unused one). For example, the following might be set:

    #
    # List of providers and their preference orders (see above):
    #
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.sun.rsajca.Provider
    security.provider.3=com.sun.net.ssl.internal.ssl.Provider

Step 2: In order for SIP to communicate with a backend management station or LDAP server, the CA certificate must be installed and available for use on the SIP system. This is the CA certificate that was used to sign the certificate installed on the backend management station or LDAP server.

[Figure: the CA authority provides its CA certificate, which is installed on the SIP server, and signs the server certificate installed on the backend management stations / LDAP servers.]

The following Java keytool commands can be used as an example to load a CA certificate into the jssecacerts file on the SIP server. JSSE consults jssecacerts before the JDK's own cacerts file, and keytool creates jssecacerts with the given store password if it does not yet exist. Because -noprompt suppresses the fingerprint confirmation, verify the CA certificate's fingerprint out of band before importing it. For Unix:

    "$JAVA_HOME/bin/keytool" -import -file "cacertificatefilename" \
        -keystore "$JAVA_HOME/jre/lib/security/jssecacerts" -trustcacerts \
        -noprompt -storepass changeme -alias "youraliasname"

For Windows (on one line; the cmd shell does not use "\" for line continuation):

    "%JAVA_HOME%\bin\keytool" -import -file "cacertificatefilename" -keystore "%JAVA_HOME%\jre\lib\security\jssecacerts" -trustcacerts -noprompt -storepass changeme -alias "youraliasname"
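The two installation steps above, scripted as an added example (this is not part of the original whitepaper or of the SIP product). The first function computes the next free security.provider index and appends the JSSE provider to java.security only once; the second imports a CA certificate into jssecacerts and reads the alias back with keytool -list to confirm the import landed. It assumes a JDK 1.3 layout under $JAVA_HOME with keytool at $JAVA_HOME/bin/keytool; the java.security contents used in the demo are constructed from the provider list quoted in the text.

```shell
#!/bin/sh
# Added example (not from the whitepaper): register the JSSE provider in
# java.security and import a CA certificate into jssecacerts.
# Assumes a JDK 1.3 tree under $JAVA_HOME (keytool at $JAVA_HOME/bin/keytool).

JSSE_PROVIDER="com.sun.net.ssl.internal.ssl.Provider"

# Print the next unused index N for a "security.provider.N=" line (1 if none).
next_provider_index() {
    awk -F'[.=]' '/^security\.provider\.[0-9]+=/ { if ($3 + 0 > max) max = $3 + 0 }
                  END { print max + 1 }' "$1"
}

# Append the JSSE provider to java.security using the next free index.
# Idempotent: a second call finds the existing line and changes nothing.
register_jsse_provider() {
    rjp_file="$1"
    if grep -q "^security\.provider\.[0-9][0-9]*=$JSSE_PROVIDER\$" "$rjp_file"; then
        echo "JSSE provider already registered in $rjp_file"
        return 0
    fi
    rjp_n=$(next_provider_index "$rjp_file")
    printf 'security.provider.%s=%s\n' "$rjp_n" "$JSSE_PROVIDER" >> "$rjp_file"
    echo "registered JSSE provider as security.provider.$rjp_n"
}

# Import a CA certificate into the JSSE trust store, then list the alias back
# so the function fails if the import did not land. jssecacerts is consulted
# before cacerts by JSSE, and keytool creates it (with the given password) if
# it does not exist. -noprompt skips the fingerprint confirmation, so verify
# the CA certificate's fingerprint out of band before calling this.
import_ca_cert() {
    icc_cert="$1"
    icc_alias="$2"
    icc_store="${3:-$JAVA_HOME/jre/lib/security/jssecacerts}"
    icc_pass="${4:-changeme}"
    "$JAVA_HOME/bin/keytool" -import -file "$icc_cert" -keystore "$icc_store" \
        -trustcacerts -noprompt -storepass "$icc_pass" -alias "$icc_alias" &&
    "$JAVA_HOME/bin/keytool" -list -keystore "$icc_store" \
        -storepass "$icc_pass" -alias "$icc_alias"
}

# Demo on a constructed java.security (the provider list shown in the text).
demo_dir=$(mktemp -d)
cat > "$demo_dir/java.security" <<'EOF'
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.rsajca.Provider
EOF
register_jsse_provider "$demo_dir/java.security"
register_jsse_provider "$demo_dir/java.security"   # rerun: no duplicate line
grep '^security\.provider\.' "$demo_dir/java.security"
rm -rf "$demo_dir"
```

On a real system, run register_jsse_provider against $JAVA_HOME/jre/lib/security/java.security and then import_ca_cert with the CA certificate file and an alias of your choice; the trailing keytool -list prints the alias and certificate fingerprint, which is the value to compare against the CA's published fingerprint.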

SIP Configuration
Once JSSE is configured and the CA certificates have been loaded as necessary for each backend management station and LDAP Server, the JVM that runs SIP must be configured with the appropriate parameters to use at startup. Finally various SIP components can be configured to take advantage of the new SSL functionality.

JVM Startup Configuration


On Windows, the registry must be updated so that the Tomcat service starts with an additional parameter. The following steps should be followed:

Step 1: Run regedit.exe.

Step 2: Find the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tomcat\Parameters.

Step 3: Modify the registry value JVM Option Count and increase the number by 1. In default installations the new JVM Option Count would contain the new value of 5.

Step 4: Add a new string value named JVM Option Number 4 and enter the value

    "-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"

Step 5: Exit the registry editor and restart the Tomcat service.

On Unix, the following line in the /etc/rc.config.d/ovsip startup configuration file should be modified:

    TOMCAT_OPTS="-Xms$INITIAL_HEAP_SIZE -Xmx$MAX_HEAP_SIZE"

The line should be expanded to contain the following:

    SECURITY_PACKAGE="-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
    TOMCAT_OPTS="-Xms$INITIAL_HEAP_SIZE -Xmx$MAX_HEAP_SIZE $SECURITY_PACKAGE"

Save the modified file and restart SIP.
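The Unix startup edit, scripted as an added example (not from the whitepaper or the SIP product). The first function inserts the SECURITY_PACKAGE definition in front of the TOMCAT_OPTS line and appends $SECURITY_PACKAGE inside its closing quote, once; the second evaluates the edited file in a subshell, the way the rc script is sourced at boot, and prints the final TOMCAT_OPTS so the handler property can be confirmed before SIP is restarted. The ovsip contents used in the demo are constructed from the TOMCAT_OPTS line quoted in the text, with made-up heap sizes.

```shell
#!/bin/sh
# Added example (not from the whitepaper): add the JSSE https protocol handler
# to TOMCAT_OPTS in an /etc/rc.config.d/ovsip-style file and check the result.

HANDLER_OPT='-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol'

# Rewrite the rc file in place. Idempotent: if SECURITY_PACKAGE is already
# defined, the file is left untouched.
enable_ssl_handler() {
    esh_rc="$1"
    if grep -q '^SECURITY_PACKAGE=' "$esh_rc"; then
        echo "$esh_rc: SECURITY_PACKAGE already set"
        return 0
    fi
    awk -v opt="$HANDLER_OPT" '
        /^TOMCAT_OPTS="/ && !done {
            # definition line first, then the existing value gains the
            # variable reference just before its closing quote
            print "SECURITY_PACKAGE=\"" opt "\""
            sub(/"[ \t]*$/, " $SECURITY_PACKAGE\"")
            done = 1
        }
        { print }
    ' "$esh_rc" > "$esh_rc.new" && mv "$esh_rc.new" "$esh_rc"
}

# Source the rc file in a subshell (as the boot scripts do) and print the
# TOMCAT_OPTS the JVM would actually receive. The heap variables get defaults
# here in case the file under test does not define them itself.
rendered_tomcat_opts() {
    (
        INITIAL_HEAP_SIZE=${INITIAL_HEAP_SIZE:-64m}
        MAX_HEAP_SIZE=${MAX_HEAP_SIZE:-128m}
        . "$1"
        printf '%s\n' "$TOMCAT_OPTS"
    )
}

# Return 0 if the rendered options carry the handler property, 1 otherwise.
has_ssl_handler() {
    case "$(rendered_tomcat_opts "$1")" in
        *"$HANDLER_OPT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed ovsip fragment (heap sizes are made-up values).
demo_rc=$(mktemp)
cat > "$demo_rc" <<'EOF'
INITIAL_HEAP_SIZE=64m
MAX_HEAP_SIZE=128m
TOMCAT_OPTS="-Xms$INITIAL_HEAP_SIZE -Xmx$MAX_HEAP_SIZE"
EOF
has_ssl_handler "$demo_rc" && echo "before: handler present" || echo "before: handler absent"
enable_ssl_handler "$demo_rc"
enable_ssl_handler "$demo_rc"    # second run changes nothing
echo "rendered: $(rendered_tomcat_opts "$demo_rc")"
rm -f "$demo_rc"
```

Run has_ssl_handler against /etc/rc.config.d/ovsip after editing it and before restarting SIP; a quoting mistake in the rc file (for example a missing closing quote) shows up here as a wrong or empty rendered value rather than as a Tomcat start failure.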

LDAP Authentication Provider


If necessary, the LDAP Authentication Provider can now be configured if SSL access is required. Please see the section Configuring Authentication in the HP OpenView Service Information Portal 3.0 Deployment and Integration Guide.

SIPConfig GUI
The SIP Configuration Editor, SIPConfig, that provides configuration of management stations accessible to SIP, can indicate that SSL/https should be used by SIP modules to communicate with the management station. In order to enable this feature, you need to modify the script that starts SIPConfig.

Before enabling this feature, you should verify that the management stations for which you intend to configure the use of SSL support https access. You may need to perform configuration changes on the management station to enable https.

For Windows the following file needs to be modified: %SIP_HOME%\bin\SIPConfig.vbs
For Unix the following file needs to be modified: /opt/OV/SIP/bin/SIPConfig

The following lines contain the relevant section to be modified. They are taken from the Windows script file; the Unix variant is slightly different.

    REM The following section should be updated if the https protocol is to be
    REM used between SIP and various management stations. By default, the
    REM "Use https ..." button for the OVIS and ReportingStation types is
    REM disabled. To enable this button and indicate that https/SSL should be
    REM used, an implementation of the SSL protocol must be installed on the SIP
    REM system. The SSL protocol does not come standard with JDK 1.3.1. Sun's
    REM JSSE is one such package that provides an implementation of the SSL
    REM protocol. Download and install the JSSE package or other SSL provider.
    REM Then modify this script such that PROTOCOL_HANDLER is set to the class
    REM providing the SSL implementation. Check the documentation of your SSL
    REM provider to determine the correct class name. The JSSE default class is
    REM provided below. If using JSSE, set
    REM PROTOCOL_HANDLER="com.sun.net.ssl.internal.www.protocol". Then run
    REM SIPConfig. If SIPConfig detects that the https protocol is installed on
    REM the SIP system, then the "Use https ..." button will be enabled.
    REM
    REM JSSE sample
    REM PROTOCOL_HANDLER="com.sun.net.ssl.internal.www.protocol"
    PROTOCOL_HANDLER=""
    PROTOCOL_HANDLER_PROPERTY="java.protocol.handler.pkgs"
    SECURITY_PACKAGE=""
    If (PROTOCOL_HANDLER<>"") Then
        SECURITY_PACKAGE= "-D" & PROTOCOL_HANDLER_PROPERTY & "=" & PROTOCOL_HANDLER
    End If

Change the line


PROTOCOL_HANDLER=""

to the following:
PROTOCOL_HANDLER="com.sun.net.ssl.internal.www.protocol"

Save the file and restart the SIP Configuration Editor. You will find that the buttons that enable https support for various management station types can now be selected.

If https is not supported or configured properly on the management station and you subsequently attempt to access the management station using https, SIP will not function correctly and will most likely log errors to sip.trace and sip.log.

SIP Generic Module


URLs specified in Generic Module instances can specify the https protocol. If the URL's displayMethod is "inline" or "anchor", the browser (not SIP) accesses the URL, so it is the browser's trust store that decides whether the server certificate is accepted. If the URL's displayMethod is "embedded", SIP itself accesses the URL and interpolates the data into the module output; if that URL's protocol is https, you must configure JSSE as described above, including loading the CA certificate for that server into jssecacerts, in order to make this work. For example, the following Generic module XML configuration in a SIP view could be used:

    <ModuleInstance classid="mymoduleid" id="module4">
      <Generic>
        <Submodule>
          <URL displayMethod="embedded" href="https://server.acme.com/doc.html"/>
        </Submodule>
      </Generic>
    </ModuleInstance>