Setting up SSL communications for an APM Cluster and components.

Document ID : KB000010477
Last Modified Date : 14/02/2018
Introduction:

   This knowledge document gives a simple approach to setting up SSL communications between APM components.  Other approaches can also work, but they are harder to follow and more error-prone. The focus here is on a quick and simple setup that gets a basic level of encrypted communication working.  Once that is in place, it is easier to move on to CA-signed certificates.

Let's get started!

Environment:
All currently supported APM versions
Instructions:

So you want to set up SSL Communication on an APM Cluster?

 

 Step 1: Review Ports

 Here is a list of the default ports that are typically configured in a clustered environment.

-MOM

5001 – Communication with Collector, WebView Server and Workstation/WebStart, Agents

5443 – Communication with Workstation/Webstart (SSL) and Agents (SSL)

8080 – HTTP Communication for WebView UI

8081 – HTTP Communication for APM UI

8443 – HTTP Communication for WebView UI (HTTPS) - via webview-jetty-config.xml

8444 – HTTP Communication for APM UI (HTTPS) - via em-jetty-config.xml

 -Collector

5001 – Communication with MOM and Workstation/WebStart, Agents

5443 – Communication with Workstation, Agents (SSL)

8080 – HTTP Communication for WebView UI

8081 – HTTP Communication for APM UI

8443 – HTTP Communication for WebView UI (HTTPS) - via webview-jetty-config.xml

8444 – HTTP Communication for APM UI (HTTPS) - via em-jetty-config.xml

 -WebView Server

8080 – HTTP Communication for WebView UI

8443 – HTTP Communication for WebView UI (HTTPS) - via webview-jetty-config.xml

 

 Here is a very important note that gets frequently overlooked:

 Note: Configuring MOM-collector over SSL is NOT supported.

 From https://docops.ca.com/ca-apm/10-5/en/administrating/configure-enterprise-manager/configure-enterprise-manager-communications

 This means you CANNOT set up SSL communications between the MOM and Collector servers.  The communication between these services uses a proprietary protocol that is already encrypted.

 

 Step 2: Checking UI Communications

Can you reach the APM UI with http://<em host name>:8081?

Fix this now if it is not working.

  1. Now open the IntroscopeEnterpriseManager.properties file in your favorite text editor.

  2. Find "#introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml"

  3. Remove the # symbol from the start of the line, save the file and restart your EM.  This is also a good time to check that the contents of em-jetty-config.xml and the file locations it references are correct for your current configuration.

Can you now get to the APM UI using https://<em host name>:8444?  It should be working over HTTPS now, which means you're doing great.

 

Step 3: WebView Set Up

Let's now take a look at the WebView configuration

Can you reach WebView with http://<em host name>:8080?

Fix this now if it is not working.

  1. Now open the IntroscopeWebView.properties file in your favorite text editor.

  2. Find "#introscope.webview.jetty.configurationFile=webview-jetty-config.xml"

  3. Remove the # symbol from the start of the line, save the file and restart your WebView service.  This is also a good time to check that the contents of webview-jetty-config.xml and the file locations it references are correct for your current configuration.

Can you now get to WebView using https://<em host name>:8443?  It should be working over HTTPS now, which means you're doing great.

 

 Step 4: Webstart/Webview Communications

Now we can set up SSL communication for Workstation/Webstart on the EM.

Can you connect to the EM with Workstation/Webstart on port 5001?  If not, check the port number or fix the issue first.

Open the IntroscopeEnterpriseManager.properties file and look for this header:

#######################

# Port Settings

#

# ================

Under this heading we will be changing a few lines.

From

introscope.enterprisemanager.enabled.channels=channel1

...

#introscope.enterprisemanager.enabled.channels=channel1,channel2

To

#introscope.enterprisemanager.enabled.channels=channel1

...

introscope.enterprisemanager.enabled.channels=channel1,channel2

Now restart the EM and try connecting with Workstation/Webstart on port 5443.  This is also a good time to review the parameters associated with this configuration.
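The same property edits from Steps 2 and 4 done with sed instead of a text editor, plus a TLS probe for the post-restart check. This is an added example and not part of the CA document; the sample file content is constructed from the lines the article quotes, and real file paths depend on your install.

```shell
#!/bin/sh
# Added example, not from the CA KB article: apply the Step 2 and Step 4 edits to
# IntroscopeEnterpriseManager.properties with sed instead of a text editor.
# The sample file content below is constructed; real paths differ per install.
set -eu

# Constructed excerpt of the lines the article tells you to change.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml
# Port Settings
introscope.enterprisemanager.enabled.channels=channel1
#introscope.enterprisemanager.enabled.channels=channel1,channel2
EOF
    echo "$f"
}

# Step 2/3: remove the leading '#' from "#<key>=..." (idempotent, keeps a .bak).
enable_property() {
    file=$1; key=$2
    cp "$file" "$file.bak"
    sed "s|^#[[:space:]]*\($key=\)|\1|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 4: comment out every active "<key>=..." line, then uncomment the one
# whose value is exactly $3 (channel1 -> channel1,channel2 enables port 5443).
select_property_value() {
    file=$1; key=$2; want=$3
    cp "$file" "$file.bak"
    sed "s|^\($key=\)|#\1|; s|^#[[:space:]]*\($key=$want\)\$|\1|" "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the active (uncommented) value of key $2 in file $1.
active_value() {
    sed -n "s|^$2=||p" "$1"
}

# After restarting the EM, confirm the port actually negotiates TLS (needs network;
# not called here). No "Protocol"/"Verify return" output means the SSL channel is off.
probe_tls() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | grep -E 'Protocol|Verify return'
}

sample=$(make_sample)
enable_property "$sample" introscope.enterprisemanager.webserver.jetty.configurationFile
select_property_value "$sample" introscope.enterprisemanager.enabled.channels channel1,channel2
cat "$sample"
```

Run `probe_tls <em host name> 5443` (and 8444 / 8443) after the restart to confirm the ports answer with a TLS handshake rather than plain text.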

 

Step 5: Congratulations, Wrapping Up, and Possible Next Steps

Pretty simple when we use the pieces provided by the APM installation.  For most organizations, this configuration is not secure enough for today's standards.  Now that things are working, you can introduce the other pieces: Certificate Authority certificates, a change of protocol (SSL, SSL v2, TLS 1, TLS 1.1 and TLS 1.2), and your own keystores and truststores.

 

Good luck with all your future SSL communications with APM cluster components. I hope that this so-called "slow method" brings you success.
