VA on Capacity Management modules

Document ID : KB000103920
Last Modified Date : 02/07/2018
Introduction:
How to fix the SSL/TLS TLSv1.0 vulnerability
Environment:
CCC 2.9.4 on Linux / Windows
Instructions:

To allow secure access to Capacity Command Center and Data Manager, you need to configure HTTPS access to these applications. Once set up, you will be able to synchronize groups between Current Capacity Reporter (CCR) and CCC/DM. For more information about how to configure CCR to allow group synchronization between CCR and CCC/DM, see Export the CCR Certificate From the CCR Machine and Import the CCR Certificate Into a Client Machine.

As a prerequisite, ensure that Capacity Command Center (CCC) and Data Manager (DM) are already deployed on the machine, then follow the steps below:
1.    Generate a key pair. 
       a.    Open a command prompt and navigate to the \jre\bin directory of your Capacity Command Center installation. For example:
               cd "C:\Program Files\CA\Capacity Command Center 2.9.4\jre\bin"
       b.    Execute the following command:
              keytool -genkeypair -alias capman -keyalg RSA -validity 3650 -keystore C:\keystore.jks
              Enter your keystore password. The default keystore password is 'changeit'. Answer the questions that appear on the screen.
              Note: To the question 'What is your first and last name?', provide your host name or IP address. 
       c.   The keystore.jks file is created under C:\.


2.    Generate a certificate:
       a.    From the same \jre\bin location indicated above, execute the following command:
               keytool -export -alias capman -keystore C:\keystore.jks -rfc -file C:\capmancertificate.cer
       b.    Enter your keystore password. The default keystore password is 'changeit'.
              The certificate file is created at the specified location (C:\capmancertificate.cer)

3.    (Optional) Validate the key using the following command:
       keytool -list -keystore C:\keystore.jks
       The command returns the keystore type, the keystore provider, the content of your keystore and the SHA-1 fingerprint of your certificate.

4.    Update the SSL connector settings in the Tomcat configuration file: 
       a.    Open the following file in a text editor: \Capacity Command Center 2.x\ApacheTomcat\conf\server.xml.
       b.    Uncomment the section for connector port 8443, and add the highlighted keys and values as shown below:
              keystoreFile="<Complete keystore file path>"
              keystorePass="<password>"
              ciphers="TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
       c.    Save the server.xml file.

5.    Update the web.xml file for Data Manager:
       a.    Open the following file in a text editor: C:\Program Files\CA\Capacity Command Center 2.x\ApacheTomcat\webapps\DM\WEB-INF\web.xml.
       b.    Copy and paste the following lines into this file. Ensure they are copied before the closing </web-app> tag:
              <security-constraint>
                <web-resource-collection>
                  <web-resource-name>dm</web-resource-name>
                  <url-pattern>/*</url-pattern>
                </web-resource-collection>
                <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
              </security-constraint>

       c.    Save the web.xml file.


6.    Update the web.xml file for Capacity Command Center:
       a.    Open the following file in a text editor: C:\Program Files\CA\Capacity Command Center 2.x\ApacheTomcat\webapps\ccc\WEB-INF\web.xml.
       b.    Copy and paste the following lines into this file. Ensure they are copied before the closing </web-app> tag:
              <security-constraint>
                <web-resource-collection>
                  <web-resource-name>ccc</web-resource-name>
                  <url-pattern>/*</url-pattern>
                </web-resource-collection>
                <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
              </security-constraint>
        
       c.    Save the web.xml file.

7.    Update the config.txt file for Data Manager:
       a.    Open the following file in a text editor:
              \Capacity Command Center 2.x\ApacheTomcat\webapps\DM\WEB-INF\classes\config.txt.
       b.    Change the following value from http to https:
              ccc_data_update_url = https://localhost:8443/ccc/rest/update
       c.    Save the config.txt file.

8.    Depending on the certificates you are using, you may need to import an intermediate certificate and/or root certificate. Follow these steps to import additional certificates into the cacerts file:
       a.    Make a backup copy of the cacerts file. Its default location is <CCC_Installation_Folder>\jre\lib\security.
       b.    Open a command prompt and navigate to the \jre\bin directory of your Capacity Command Center installation. For example:
              cd "C:\Program Files\CA\Capacity Command Center 2.9.4\jre\bin"
       c.    Run this command:
              keytool.exe -import -alias capman -keystore ..\lib\security\cacerts -file <Full_Path_Generated_Certificate_file>
       d.    Type the password "changeit" for the keystore at the "Password" prompt, and press Enter.     
       e.    Type "y" at the “Trust this certificate?” prompt, and press Enter.

9.    Restart the Apache Tomcat service.
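
An offline check of the edits from steps 4 to 6, added here as an example (it is not CA's or the product's own tooling): it parses the text of server.xml and web.xml and reports a connector that is still commented out, the default keystore password, ciphers outside the list in step 4, and a missing CONFIDENTIAL constraint. The sample XML is constructed; `sslEnabledProtocols` is a Tomcat connector attribute that this page does not set, and the check assumes the bundled Tomcat honours it.

```python
import xml.etree.ElementTree as ET

# Cipher suites from step 4 of this page: 7 key exchanges x AES-128/256 CBC-SHA.
KX = ["DHE_DSS", "DHE_RSA", "RSA", "ECDH_ECDSA", "ECDH_RSA", "ECDHE_ECDSA", "ECDHE_RSA"]
PAGE_CIPHERS = {f"TLS_{kx}_WITH_AES_{bits}_CBC_SHA" for kx in KX for bits in (128, 256)}
LEGACY = {"SSLv3", "TLSv1"}  # exact tokens; "TLSv1.1" and "TLSv1.2" are distinct values

def csv_set(value):
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def audit_connector(server_xml, port="8443"):
    """Findings for the HTTPS connector edited in step 4 (empty list = nothing flagged)."""
    root = ET.fromstring(server_xml)  # a connector still inside <!-- --> is not seen
    conn = next((c for c in root.iter("Connector") if c.get("port") == port), None)
    if conn is None:
        return [f"no active Connector on port {port} (still commented out?)"]
    ciphers = csv_set(conn.get("ciphers"))
    # Assumption: the bundled Tomcat honours sslEnabledProtocols (this page does not set it).
    protos = csv_set(conn.get("sslEnabledProtocols"))
    checks = [
        (not conn.get("keystoreFile"), "keystoreFile not set"),
        (conn.get("keystorePass", "changeit") == "changeit", "keystorePass is the default 'changeit'"),
        (not ciphers, "ciphers not set"),
        (ciphers - PAGE_CIPHERS, "ciphers outside the page's list: " + ", ".join(sorted(ciphers - PAGE_CIPHERS))),
        (not protos, "sslEnabledProtocols not set: protocol versions left to defaults"),
        (protos & LEGACY, "legacy protocol enabled: " + ", ".join(sorted(protos & LEGACY))),
    ]
    return [msg for flagged, msg in checks if flagged]

def enforces_https(web_xml):
    """True if a security-constraint maps /* to CONFIDENTIAL (steps 5 and 6)."""
    def local(e):  # tag name without namespace; web.xml usually declares one
        return e.tag.rsplit("}", 1)[-1]
    def texts(node, name):
        return [(e.text or "").strip() for e in node.iter() if local(e) == name]
    return any("/*" in texts(sc, "url-pattern") and "CONFIDENTIAL" in texts(sc, "transport-guarantee")
               for sc in ET.fromstring(web_xml).iter() if local(sc) == "security-constraint")

# Constructed sample inputs (not taken from a real installation).
SAMPLE_SERVER_XML = r"""<Server><Service><Connector port="8443" SSLEnabled="true"
    keystoreFile="C:\keystore.jks" keystorePass="changeit"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA"/></Service></Server>"""
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint></web-app>"""

print("\n".join(audit_connector(SAMPLE_SERVER_XML)) or "nothing flagged")
print("HTTPS enforced for /*:", enforces_https(SAMPLE_WEB_XML))
```

Run it against the real files by passing their contents to `audit_connector` and `enforces_https` before restarting Tomcat in step 9.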