How to Configure CORBA SSL ports

Document ID : KB000072596
Last Modified Date : 06/03/2018
Introduction:
Secure CORBA (SSL) communication for Spectrum is enabled in OneClick Web Admin > Administration > SPECTRUM Configuration > CA Spectrum Secure CORBA Configuration > Use secure CORBA (SSL) for CA Spectrum communication by selecting Yes. Additional firewall rules are required for this SSL communication to work.

By default, the SpectroSERVER, LocServer, ArchMgr and nameserv processes listen on random TCP ports for this SSL communication. If there is a firewall in the path, configure these processes to listen on predefined TCP ports, then add rules that open communication to those ports.
Environment:
Spectrum 10.2 onward
Instructions:
To configure the SpectroSERVER, LocServer, ArchMgr and nameserv processes to listen on a predefined CORBA SSL port, add the following argument to each process's CORBA parameter (orb_args).

    -Dvbroker.se.iiop_tp.scm.ssl.listener.port=<available port number>

<available port number> is a predefined port number that is available (not being used by any process). Each of the above Spectrum processes requires a different port number.
 
Here are the steps:

A. Configure for SpectroSERVER process ($SPECROOT/SS/.vnmrc)

  1. Back up $SPECROOT/SS/.vnmrc
  2. Add the above argument to the orb_args parameter value, e.g.

    orb_args=-Dvbroker.se.iiop_tp.scm.ssl.listener.port=14012 -Dvbroker.se.iiop_tp.scm.iiop_tp.listener.port=14002 -Dvbroker.se.iiop_tp.scm.iiop_tp.dispatcher.threadStackSize=1048576 -ORBpropStorage ../.corbarc

B. Configure for LocServer process ($SPECROOT/LS/.locrc)

  1. Back up $SPECROOT/LS/.locrc
  2. Add the above argument to the orb_args parameter value, e.g.

    orb_args=-Dvbroker.se.iiop_tp.scm.ssl.listener.port=14014 -Dvbroker.se.iiop_tp.scm.iiop_tp.listener.port=14004 -ORBpropStorage ../.corbarc

C. Configure for ArchMgr process ($SPECROOT/SS/DDM/.configrc)

  1. Back up $SPECROOT/SS/DDM/.configrc
  2. Add the above argument to the orb_args parameter value, e.g.

    orb_args=-Dvbroker.se.iiop_tp.scm.ssl.listener.port=14013 -Dvbroker.se.iiop_tp.scm.iiop_tp.listener.port=14003 -ORBpropStorage ../../.corbarc

D. Configure for nameserv process ($SPECROOT/lib/SDPM/partslist/NAMINGSERVICE.idb)

  1. Back up $SPECROOT/lib/SDPM/partslist/NAMINGSERVICE.idb (on Linux you have to be the 'root' user). Move the backup file out of the $SPECROOT/lib/SDPM/partslist directory to another backup directory (outside of the Spectrum installation directory if possible), as it may interfere with the processd process.
  2. Add the above argument to the ARGV parameter value, e.g.

    ARGV;$SPECROOT/bin/JavaApps/bin/nameserv -Xms128m -Xmx256m -Dvbroker.se.iiop_tp.scm.ssl.listener.port=14016 -Dvbroker.se.iiop_tp.scm.iiop_tp.listener.port=14006 -DORBpropStorage=$SPECROOT/.jcorbarc -Dvbroker.se.iiop_tp.scm.iiop_tp.manager.connectionMaxIdle=60 -Dvbroker.orb.admDir=$SPECROOT/bin/VBNS -Dborland.enterprise.licenseDir=$SPECROOT/bin/VBNS/license -Dborland.enterprise.licenseDefaultDir=$SPECROOT/bin/VBNS/license -Djava.endorsed.dirs=$SPECROOT/lib/endorsed -Dorg.omg.CORBA.ORBClass=com.inprise.vbroker.orb.ORB -Dorg.omg.CORBA.ORBSingletonClass=com.inprise.vbroker.orb.ORBSingleton com.inprise.vbroker.naming.ExtFactory;

E. Add additional Firewall rules accordingly

E.g. add a rule allowing the OneClick Server to reach destination ports TCP/14012, 14013, 14014 and 14016 on the SpectroSERVER machine.

F. Stop SpectroSERVER gracefully

G. Restart processd

H. Restart SpectroSERVER

I. Enable secure CORBA communication for Spectrum

Go to OneClick Web Admin > Administration > SPECTRUM Configuration > CA Spectrum Secure CORBA Configuration > Use secure CORBA (SSL) for CA Spectrum communication and select Yes.

J. Restart OneClick Server
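
The script below is an added example, not part of the original CA document or CA tooling. It reads the four files edited in steps A to D and reports any process whose SSL listener port is missing, out of range, or shared with another process, so the firewall rules in step E match what is actually pinned. It assumes each orb_args/ARGV setting sits on a single line starting in column 1; the sample tree it builds is constructed from the article's example values, with LocServer deliberately left unpinned.

```sh
#!/bin/sh
# Added example, not CA tooling. File paths and the option name come from the article.
FILES='SS/.vnmrc LS/.locrc SS/DDM/.configrc lib/SDPM/partslist/NAMINGSERVICE.idb'
RE='s/^(orb_args=|ARGV;).*-Dvbroker\.se\.iiop_tp\.scm\.ssl\.listener\.port=([0-9]+)([^0-9].*)?$/\2/p'

# Print the pinned SSL listener port from one config file (empty if not set).
ssl_port() {
    [ -r "$1" ] || return 0
    sed -nE "$RE" "$1" | head -n 1
}

# $1 = Spectrum root. Return 0 only if all four processes have a valid, unique port.
audit_ssl_ports() {
    rc=0; seen=' '
    for f in $FILES; do
        p=$(ssl_port "$1/$f")
        if [ -z "$p" ]; then
            echo "MISSING   $f (listener falls back to a random port)"; rc=1
        elif [ "${#p}" -gt 5 ] || [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "INVALID   $f port=$p"; rc=1
        else
            case "$seen" in
                *" $p "*) echo "DUPLICATE $f port=$p"; rc=1 ;;
                *)        echo "OK        $f port=$p" ;;
            esac
            seen="$seen$p "
        fi
    done
    return "$rc"
}

# Constructed sample tree: the article's example values, LocServer left unpinned.
make_sample() {
    pfx='-Dvbroker.se.iiop_tp.scm'
    mkdir -p "$1/SS/DDM" "$1/LS" "$1/lib/SDPM/partslist"
    echo "orb_args=$pfx.ssl.listener.port=14012 $pfx.iiop_tp.listener.port=14002 -ORBpropStorage ../.corbarc" > "$1/SS/.vnmrc"
    echo "orb_args=$pfx.iiop_tp.listener.port=14004 -ORBpropStorage ../.corbarc" > "$1/LS/.locrc"
    echo "orb_args=$pfx.ssl.listener.port=14013 $pfx.iiop_tp.listener.port=14003 -ORBpropStorage ../../.corbarc" > "$1/SS/DDM/.configrc"
    echo "ARGV;\$SPECROOT/bin/JavaApps/bin/nameserv -Xms128m $pfx.ssl.listener.port=14016 $pfx.iiop_tp.listener.port=14006;" > "$1/lib/SDPM/partslist/NAMINGSERVICE.idb"
}

demo=$(mktemp -d) && make_sample "$demo"
audit_ssl_ports "$demo" || echo "Fix the findings above before adding firewall rules."
rm -rf "$demo"
```

Against a real installation, call audit_ssl_ports "$SPECROOT" instead of the constructed sample tree.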

 

Additional Information:
https://docops.ca.com/ca-spectrum/10-2-3/en/administrating/oneclick-administration/oneclick-administration-pages#OneClickAdministrationPages-CASpectrumConfigurationPage

https://docops.ca.com/ca-spectrum/10-2-3/en/administrating/distributed-spectroserver-administration/communication-across-firewalls/spectroserver-and-oneclick-web-server-communication-across-firewalls