Version 10.0.01
Updating the Web Server Configuration to Enable SSL (Windows)
Note: These instructions apply to Apache version 2.4.6.
See also: Adding a Virtual/Secondary IP Address on Windows
1. Stop the Apache and Tomcat services. From the command line, enter the following commands for a Windows server:
C:\opt\aptare\utils\stopagent.bat
C:\opt\aptare\utils\stopportal.bat
C:\opt\aptare\utils\stopapache.bat
2. Update the Apache configuration file (C:\opt\apache\conf\httpd.conf) to enable SSL:
Uncomment #LoadModule ssl_module modules/mod_ssl.so by removing the #
Uncomment #Include conf/extra/httpd-ssl.conf by removing the #
3. Update the Apache SSL configuration file (C:\opt\apache\conf\extra\httpd-ssl.conf). See Default Apache SSL Configuration File for the sample SSL configuration file shipped with HDS installations.
Disable the SSLMutex by adding a # at the beginning of the SSLMutex line. Note that this line may not be in your configuration.
Enable the virtual host section or sections, depending upon your configuration.
Note: To implement SSL for both the Portal and Data Collection, the portal server must be configured with two IP addresses, one for the Portal and one for Data Collection. The default SSL configuration file that ships with configurations is set up for both the Portal and Data Collector. If the configuration for either the Portal or Data Collection Agent is missing, add the host configuration information to enable SSL.
If a virtual host declaration is missing from the default configuration file, you must add the missing virtual host declaration to the configuration file.
If implementing SSL for the Portal only
a Verify there is a VirtualHost section with the IP address assigned to the Portal host. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_PORTAL:443>
ServerName hbsmportal.domainname:443
DocumentRoot /opt/aptare/portal
b Replace IP_ADDRESS_PORTAL in the VirtualHost declaration with the IP address assigned to the Portal host.
c If the Portal VirtualHost section is not found, the configuration for the Portal VirtualHost must be added.
d If there is a configuration section for the Data Collection virtual host -- a section that begins with <VirtualHost IP_ADDRESS_DATARCVR:443> -- ensure that this section is disabled by adding a # to the beginning of each line in the section.
If implementing SSL for Data Collection only
a Verify there is a VirtualHost section with the Data Receiver IP address. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_DATARCVR:443>
ServerName hbsmagent.domainname:443
DocumentRoot /opt/aptare/datarcvr
b Replace IP_ADDRESS_DATARCVR in the VirtualHost declaration with the IP address assigned to the Data Receiver.
c If the data collection VirtualHost section is not found, the configuration for the data collection VirtualHost must be added.
d If there is a configuration section for the Portal virtual host -- a section that begins with <VirtualHost IP_ADDRESS_PORTAL:443> -- ensure that this section is disabled by adding a # to the beginning of each line in the section.
If implementing SSL for both the Portal and Data Collection
Note: To implement SSL for both the Portal and Data Collection, the Portal server must be configured with two IP addresses, one for the Portal and one for Data Collection.
a Verify there is a VirtualHost section with the IP address assigned to the Portal host. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_PORTAL:443>
ServerName hbsmportal.domainname:443
DocumentRoot /opt/aptare/portal
b Replace IP_ADDRESS_PORTAL in the VirtualHost declaration with the IP address assigned to the Portal host.
c Verify there is a VirtualHost section with the Data Receiver IP address. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_DATARCVR:443>
ServerName hbsmagent.domainname:443
DocumentRoot /opt/aptare/datarcvr
d Replace IP_ADDRESS_DATARCVR in the VirtualHost declaration with the IP address assigned to the Data Receiver.
4. For each active virtual host section in the configuration file, ensure that declaration lines beginning with the following are uncommented (they do not have a # at the beginning of the line):
SSLEngine
SSLCipherSuite
SSLCertificateFile
SSLCertificateKeyFile
5. If implementing SSL for Data Collection, complete the following steps:
a Ensure that the Data Collector global properties (C:\opt\aptare\datarcvrconf.collectorConfig.global.properties) file does NOT have the protocol (http or https) in the URL specified in that file.
b If using a self-signed certificate, run the InstallCert utility on the Data Collection server to allow the background data collection processes to automatically accept the unsigned, unverified certificate.
To use this tool, run:
java -classpath /opt/aptare/mbs/bin InstallCert aptareagent.put-your-domain-here.com:443
The InstallCert utility is not shipped with HDS products. Contact the Global Support Center to obtain a copy of this utility.
Note: If you are using a self-signed certificate and the Data Collector is upgraded, the validation of the certificate may be lost and you may have to rerun the InstallCert utility for data collection to work.
c Verify that the following line is in the Portal configuration file (C:\opt\aptare\portalconf\portal.properties):
portal.trustAllCertificates=true
If not present, add it.
6. Restart Apache and both Tomcat (portal and agent) services.
C:\opt\aptare\utils\startapache.bat
C:\opt\aptare\utils\startagent.bat
C:\opt\aptare\utils\startportal.bat
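An added example (not part of the original guide or the product): a PowerShell check for steps 3 and 4 that reports any active VirtualHost section still carrying an IP_ADDRESS_ placeholder or missing one of the four SSL directives, plus an SSLMutex line left enabled. The function name, sample IP address, cipher string and certificate paths are constructed for illustration.

```powershell
function Test-SslVirtualHosts {
    param([string[]]$Lines)
    $required = 'SSLEngine', 'SSLCipherSuite', 'SSLCertificateFile', 'SSLCertificateKeyFile'
    $findings = @(); $current = $null; $seen = @()
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # commented out = disabled
        if ($line -match '^<VirtualHost\s+([^>]+)>') {
            $current = $Matches[1]; $seen = @()                    # entering an active section
            if ($current -match 'IP_ADDRESS_(PORTAL|DATARCVR)') {
                $findings += "${current}: placeholder not replaced with a real IP address"
            }
        }
        elseif ($line -match '^</VirtualHost>') {
            foreach ($d in $required) {                            # step 4 directives
                if ($seen -notcontains $d) { $findings += "${current}: $d missing or commented out" }
            }
            $current = $null
        }
        elseif ($current) { $seen += ($line -split '\s+')[0] }     # record directive name
        elseif ($line -match '^SSLMutex\b') { $findings += 'SSLMutex line is still enabled' }
    }
    return $findings
}

# Constructed sample: Portal section complete, Data Receiver section left half-edited.
$sample = @'
#SSLMutex default
<VirtualHost 192.0.2.10:443>
ServerName hbsmportal.domainname:443
DocumentRoot /opt/aptare/portal
SSLEngine on
SSLCipherSuite HIGH:!aNULL
SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key
</VirtualHost>
<VirtualHost IP_ADDRESS_DATARCVR:443>
ServerName hbsmagent.domainname:443
DocumentRoot /opt/aptare/datarcvr
SSLEngine on
#SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key
</VirtualHost>
'@ -split "`r?`n"

Test-SslVirtualHosts -Lines $sample | ForEach-Object { "FINDING: $_" }
# Against the real file, before restarting Apache in step 6:
# Test-SslVirtualHosts -Lines (Get-Content C:\opt\apache\conf\extra\httpd-ssl.conf)
```

An empty result means every enabled section passed; sections fully commented out are ignored, which matches how the guide disables the unused virtual host.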