IBM Endpoint Manager, Version 9.2

HTTPS Configuration for Web Reports

To secure Web Reports traffic, you can use HTTPS. First, request a Secure Sockets Layer (SSL) certificate from a vendor such as Verisign, and then set its location.

To register a certificate, you need a valid configuration file such as the following one:

[ req ]
# RSA key size in bits; current CAs and browsers require at least 2048
default_bits = 1024
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = mypasswrd

[ req_distinguished_name ]
C = US
ST = California
L = City
O = BigCo
OU = Development
CN = Common
emailAddress = janedoe@bigco.com

[ req_attributes ]
challengePassword = bigcopasswrd

To use HTTPS:

  1. Install OpenSSL if it is not already available.
  2. Save your configuration file as something like mynewconfig.conf, and issue your certificate request. This also generates a private key (in the file named keyfile.pem). On Windows you can use this command:
    openssl req -new -config "mynewconfig.conf" > cert.csr
  3. Remove the password from your private key file:
    openssl rsa -in keyfile.pem -out nopwdkey.pem
  4. Create a certificate file:
    openssl x509 -in cert.csr -out cert.pem -req -signkey nopwdkey.pem -days 365
  5. Open nopwdkey.pem in a text viewer, copy the contents, and paste them below the certificate in cert.pem.
  6. Save this file; it is your SSL certificate.
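
A structural check for the combined file built in steps 5 and 6, as an added example that is not part of the IBM documentation: it confirms that the certificate block comes first, that exactly one private key is present, and that the key is no longer password-protected. The function names and sample blocks are constructed for illustration, and the placeholder bytes are not real key or certificate material.

```python
import base64
import binascii
import re

# One PEM block: -----BEGIN <label>----- body -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def check_bundle(pem_text):
    """Return a list of problems in a combined certificate + key PEM file."""
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    problems = []
    if labels[:1] != ["CERTIFICATE"]:
        problems.append("first block is not a CERTIFICATE")
    keys = [name for name in labels if name.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    for label, body in blocks:
        # Password-protected keys: PKCS#8 uses its own label, the traditional
        # format keeps the label and adds a Proc-Type header inside the block.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is still password-protected")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("%s block is not valid base64" % label)
            continue
        if not der.startswith(b"\x30"):  # DER certs and keys are ASN.1 SEQUENCEs
            problems.append("%s block does not decode to a DER SEQUENCE" % label)
    return problems


def fake_block(label, headers=""):
    # Constructed placeholder bytes, not real key or certificate material.
    body = base64.b64encode(b"\x30\x82" + b"constructed sample " * 4).decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, body, label)


GOOD = fake_block("CERTIFICATE") + fake_block("RSA PRIVATE KEY")
KEY_FIRST = fake_block("RSA PRIVATE KEY") + fake_block("CERTIFICATE")
STILL_ENCRYPTED = fake_block("CERTIFICATE") + fake_block(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("key first", KEY_FIRST),
                       ("encrypted", STILL_ENCRYPTED)]:
        print(name, check_bundle(text) or "ok")
```

This check is structural only; it does not confirm that the private key matches the certificate.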

Next, you need to store the path for this file and add or modify sub-keys for the HTTPS flag, for the location of the SSL certificate, for the HTTPS port number, for the port listening for HTTP connections, and for redirecting the client to HTTPS on the SSL port, as follows:

  1. From the Endpoint Manager Console, select the Computers tab.
  2. Select the computer to configure, and then select Edit Computer Settings from the Edit menu.
  3. Look for the _WebReports_HTTPServer_UseSSLFlag setting. If it exists, do not create a second one, but edit its value to 1 to enable HTTPS. If it does not exist, add it.
  4. Look for the _WebReports_HTTPServer_SSLCertificateFilePath setting. If it exists, do not create a second one, but edit its value to the full path name of the SSL certificate (cert.pem). If it does not exist, add it.
  5. Look for the _WebReports_HTTPServer_PortNumber setting. If it exists, do not create a second one, but edit its value to the port number you would like to use (typically 443). If it does not exist, add it.
  6. When SSL is enabled, define the forwarding port by setting _WebReports_HTTPRedirect_Enabled to 1 and _WebReports_HTTPRedirect_PortNumber to the port that listens for HTTP connections and redirects the client to HTTPS.
  7. Restart the BESWebReports service.

    On Windows, open Services, select BESWebReports and on the Action menu, click Restart.

    On Linux, run from the prompt: service beswebreports restart or /etc/init.d/beswebreports restart

The SSL certificate must be in standard OpenSSL PKCS7 (.pem) file format. If the certificate meets all of the trust requirements of the connecting browser, then the browser connects without any intervention. If the certificate does not meet the trust requirements of the browser, then you are prompted with a dialog asking if it is OK to proceed with the connection, and giving you access to information about the certificate.

Typically, a trusted certificate is one that is signed by a trusted authority (for example, Verisign), contains the correct host name, and is not expired. The .pem file is your SSL certificate, which you must obtain from your CA. If you do not require authentication back to a trusted root, you can also generate a self-signed certificate using OpenSSL utilities. For more information about how to create a self-signed certificate or request a signed certificate from a trusted Certificate Authority, see Setup for SSL on IBM Endpoint Manager Web Reports.


