Disabling SSL configurations in CA Performance Manager

Document ID : KB000010361
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

Configuring SSL for secure socket layer HTTPS access to the CA Performance Manager (CAPM) web interface is a common requirement for production environments. Doing so can be complex and may result in unexpected down time preventing user access to the CAPM web interface.

If SSL configuration and setup takes a wrong turn it may be simpler and faster to reset back to HTTP non-SSL configurations. The cause of the problem can then be identified while the system is once more usable. Then at a later date another change order can be arranged to once again configure the SSL setup.

Background:

When a production situation occurs for broken SSL configurations, the fastest path to a working production system is often reconfiguration back to non-SSL HTTP functionality until the original problem can be diagnosed and resolved. These instructions provide the details to take that step.

Environment:
All supported CAPM environments up to and including r3.1
Instructions:

Key points:

  • Already imported SSL certificates can be ignored. No removal or deletion is needed. When this reconfiguration is completed the system won't try to read the certificates and will ignore them.
  • If able to run the SsoConfig tool successfully to edit CA Performance Center properties, it will be easier to use it to reset them to default values.
  • SsoConfig may throw errors when trying to access the properties for CA Performance Center SSO configuration. If we see this despite a running capcerfcenter_sso service it indicates SSL config is broken to the level that will require direct database edits.

 

1: The SsoConfig tool is used to configure the CA Performance Center SSO properties. It sets the values in the CAPC MySql netqosportal DB in the performance_center_properties table.

  • The default values have a priority of 0 and should never be edited or removed.
  • When configuring against SsoConfig option 1, Remote Value, the values are set with priority 1.
  • When configuring against SsoConfig option 2, Local Override, the values are set with priority 2.
  • Our goal here is removing an Priority 1 or 2 values tied to SSL configuration.

1a: The easy way via the SsoConfig tool.

  • Run the SsoConfig tool
  • Enter 1: CA Performance Center
  • Enter 3: Performance Center

Follow the instructions presented to reset the values to default. Be sure to check that values in both Remove Value and Local Override have been reset.

1b: The less easy way via direct database edits. When we examine an SSL configured system in this DB table we normally see these values set at Priority 1 or 2. Sometimes we see it set for both. If that is the case remove both. Only default should remain.

SsoConfig value edited = DB table value representation

PC->Web Site Scheme = NpcWebSiteScheme

PC->Web Site Port = NpcWebSitePort

SSO->Scheme = SsoScheme

SSO->Port = SsoPort

1b1: Open a terminal window on the CAPC server as root or the install owner. Change to the (default) /opt/CA/MySql/bin directory. Run "./mysql" to enter the mysql prompt.

1b2: Run "use netqosportal" to set the correct DB to work in.

1b3: Run a simple query against the performance_center_properties table to examine the values we need to remove:

select * from performance_center_properties;

Note the Priority 1 and 2 values we'll need to work with.

1b4: To limit the results to only Priority 1 and 2 values run the following:

select * from performance_center_properties where priority in (1,2);

1b5: To select a specific field/value use this, edit where needed:

select * from performance_center_properties where priority = 2 and propname = 'NpcWebSitePort';

1b6: To remove that same value we would run:

delete from performance_center_properties where priority = 2 and propname = 'NpcWebSitePort';

Run that once for each value requiring cleanup.

 

2: Edit the following files. All path references utilize the default /opt installation home. Edit the path to meet your environment as needed:

2a: The caperfcenter_console PC service file edits.

In the file /opt/CA/PerformanceCenter/PC/conf/wrapper.conf, ensure the following line is set to use port 8181:

wrapper.java.additional.2=-Djetty.port=8181

In the file /opt/CA/PerformanceCenter/sso/conf/wrapper.conf, ensure the following line is set to use port 8381:

wrapper.java.additional.2=-Djetty.port=8381

In the file /opt/CA/PerformanceCenter/PC/ssl.ini make the following changes.

Change this:

# Module: http

--module=https

To this:

# Module: http

--module=http

And change this:

# Module: ssl

--module=ssl

To this:

# Module: ssl

#--module=ssl

In the file /opt/CA/PerformanceCenter/PC/start.d/ssl.ini comment out all lines.

2b: The caperfcenter_sso SSO service file edits.

In the file /opt/CA/PerformanceCenter/sso/ssl.ini make the following changes.

Change this:

# Module: http

--module=https

To this:

# Module: http

--module=http

And change this:

# Module: ssl

--module=ssl

To this:

# Module: ssl

#--module=ssl

In the file /opt/CA/PerformanceCenter/sso/start.d/ssl.ini comment out all lines.

In the file /opt/CA/PerformanceCenter/sso/webapps.sso/configuration/CAPerformanceCenter.xml:

Ensure the <SignInPageProductDefaultUrl> and <SingleSignOnWebServiceUrl> sections have a <Scheme> value set to http and <Port> value set to 8181

In the file /opt/CA/PerformanceCenter/sso/webapps.sso/configuration/CADataAggregator.xml:

Ensure the <SingleSignOnWebServiceUrl> sections <Scheme> is set to http and <Port> is set to 8181.

 

3: Restart the CAPC services. Please use Knowledge Base Article TEC1382101 for correct restart order and commands.