How to configure CABI 4.1 Webservice to ensure "HTTPS" only communication

Document ID : KB000010611
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

In case it is required to use webservices with "https" only communciation, it is therefore required to customize the CA Spectrum and CA Business Intelligence installation.

The default installation procedure does not cover a "https" configuration dialog by default, so a customization at native install data/file level is required.

 

Background:

For many customers it is a requirement to run their IT environment at a communication level only with encrypted data. The user access to CA Spectrum OneClick web service and also the CA Business Intelligence web service (here focus on CA Business Intelligence 4.1) will be configured https. 

Due to the need to have still "http" connector (tomcat service) available for the OC-server -> CABI service communication, it is required to configure CABI webservice for both connectors (http -and- https) - but to do an implicit redirection from http to https.

Environment:
CA Spectrum R10.* and integration to CABI 4.1 enabled for any platform/host (Linux or Windows host systems)
Instructions:

Configuration to ensure client (user) communication will first require to enable "https" Tomcat connector setup. 

Find this Technical document covering the https customization:  https://support.ca.com/us/knowledge-base-articles.tec588094.html

Ahead of this configuration it is required to keep the "http" port for the CABI Tomcat service open, due to CA Spectrum OneClick-server integration. The integration CA Spectrum OC-server to CABI does not cover a "https" setup configuration item. 

To fulfill the requirement for all client (user) communication to use secure communication the CABI Tomcat, it needs to be configured to implicitly redirect any initial http session establishment to a https service.

 

  • Stop Tomcat Service by the CABI Central Configuration Manager (CCM) GUI.
  • Edit CABI Tomcat configuration file "web.xml" - i.e. $INSTALL_ROOT\SC\CommonReporting4\tomcat\webapps\BOE\WEB-INF\web.xml 
  • Add/Modify the parameter <transport-guarantee>CONFIDENTIAL</transport-guarantee> within the </webapp> section
  • Save the web.xml and startup CABI Tomcat service again.

 

Sample "web.xml" modification:

<security-constraint xmlns="">

   <web-resource-collection>

        <web-resource-name>Restricted URLs</web-resource-name>

        <url-pattern>/*</url-pattern>

    </web-resource-collection>

    <description>

                       To use SSL for the web resources listed above, configure the

                       application server for SSL and change the transport-guarantee

                       from NONE to CONFIDENTIAL.

                       See the application server documentation and the Servlet 2.3

                       specification for additional information.

    </description>

    <user-data-constraint>

         <transport-guarantee>CONFIDENTIAL</transport-guarantee>

    </user-data-constraint>

 </security-constraint>