To access Insight Monitor, you
must enable the Liberty admin center feature in the server.xml file of your
catalog and runtime servers, export a certificate from the keystore file on the adminCenter catalog
host, and import the certificate in the keystore on all of the runtime servers.
About this task
There are two ways to enable Insight Monitor: certificate authentication or
username/password authentication. If you decide to use certificate authentication,
make sure the admin user is the owner of the certificate that is in each of the runtime server trust
stores. If you decide to use username/password authentication, you need to add the user and password
attributes in the server.xml of each runtime server. For both authentication
methods, you can change the SSL configuration and modify the server ports.
Procedure
- Edit the server.xml file of the catalog server where you want to enable
the Liberty admin center, and add the feature tag:
<feature>adminCenter-1.0</feature>
- In the server.xml of each runtime server, add the Liberty monitor
feature tag:
<feature>monitor-1.0</feature>
- If you want to use certificate authentication, do the following:
- In the server.xml file of each catalog and runtime server in your
topology, add the clientAuthenticationSupported="true" attribute to the
<ssl> tag. For example:
<ssl id="defaultSSLConfig"
clientAuthenticationSupported="true"
keyStoreRef="defaultKeyStore"
sslProtocol="TLS" />
- Export a certificate, which authenticates a public key, from the keystore of the catalog server that
hosts the adminCenter feature. The following keytool command exports a certificate from the keystore
key.jks to a file named certfile.cer, where <alias> is a placeholder for the alias of the certificate entry in key.jks:
keytool -exportcert -alias <alias> -file certfile.cer -keystore key.jks
Enter the keystore password when prompted. When you have an intermediate certificate file, you
can create other public key keystore files from it or add the trusted entry to existing files.
- Import the certificate to a keystore file in each runtime server. For example, to import the
certificate file named certfile.cer in a public key keystore named trust.jks, enter the following command:
keytool -importcert -file certfile.cer -keystore trust.jks
Enter the keystore password when prompted and enter yes to trust the certificate.
Note: This password is for the new keystore file trust.jks. It is different
from the password that is used for the private key keystore.
- In each server.xml file of your runtime servers, define an
administrator-role to access the catalog keystore. The following example configures
the administrator-role where adminuser is the common name (CN) of
the owner that imported the trusted certificate in the public key keystore, and
adminpassword is the password you entered.
<basicRegistry id="basic" realm="realm">
<user name="adminuser" password="adminpassword"/>
</basicRegistry>
<administrator-role>
<user>adminuser</user>
</administrator-role>
- If the SSL configuration is different from defaultSSLConfig, and you want to
modify the server ports, add the ia_admincenter tag. For example:
<ia_admincenter http.ssl.config="defaultSSLConfig" user="tester"
password="tester" alternate.ports="servername:9443,servername2:9444"/>
If there are multiple servers on a single host, or the port value for any host is not in the
range 9442-9448, then you must add the alternate.ports attribute. The syntax of
the string is a comma-separated list of <name:port> values. The name can be a
fully qualified host name, or the server name. The server name of any server can be found in the
server.xml file by using the xsServer tag with the
serverName attribute. The port value is the https port.
- Optional: If you decide to use username/password authentication instead of certificate authentication,
then add the user and password attributes. For
example:
<ia_admincenter http.ssl.config="defaultSSLConfig" user="tester"
password="tester"/>
- Start all of your catalog and runtime servers, if they are not started, by running the
server start command.
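The following pre-start check is an added example, not part of the product or of the original procedure. It applies the rules above to one runtime server.xml: the monitor-1.0 feature, clientAuthenticationSupported on each <ssl> tag, and the alternate.ports syntax and port-range rule. The function names, the topology mapping and the sample file are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_PORTS = range(9442, 9449)  # 9442-9448, the range stated in the procedure

def parse_alternate_ports(value):
    """Parse 'name:port,name2:port2' into a set of (name, port) pairs."""
    pairs = set()
    for item in value.split(","):
        name, sep, port = item.strip().rpartition(":")
        if not (sep and name and port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"bad alternate.ports entry: {item!r}")
        pairs.add((name, int(port)))
    return pairs

def check_runtime_config(xml_text, servers, cert_auth=True):
    """servers maps serverName -> (host, https port); the caller supplies it.
    Returns a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if "monitor-1.0" not in {(f.text or "").strip() for f in root.iter("feature")}:
        findings.append("feature monitor-1.0 is not enabled")
    if cert_auth:  # certificate authentication needs client auth on the <ssl> tag
        for ssl in root.iter("ssl"):
            if ssl.get("clientAuthenticationSupported") != "true":
                findings.append(f"ssl {ssl.get('id')}: clientAuthenticationSupported is not true")
    tag = root.find("ia_admincenter")
    listed = set()
    if tag is not None and tag.get("alternate.ports"):
        try:
            listed = parse_alternate_ports(tag.get("alternate.ports"))
        except ValueError as err:
            findings.append(str(err))
    hosts = [host for host, _ in servers.values()]
    for name, (host, port) in servers.items():
        # Required when the port is outside 9442-9448 or the host runs several servers.
        required = port not in DEFAULT_PORTS or hosts.count(host) > 1
        if required and not {(name, port), (host, port)} & listed:
            findings.append(f"{name}: {port} must be listed in alternate.ports")
    return findings

# Constructed sample: two runtime servers share one host, one uses port 9450.
SAMPLE = """<server>
  <featureManager><feature>monitor-1.0</feature></featureManager>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLS"/>
  <ia_admincenter http.ssl.config="defaultSSLConfig" alternate.ports="servername:9443"/>
</server>"""
TOPOLOGY = {"servername": ("host1.example.com", 9443),
            "servername2": ("host1.example.com", 9450)}

if __name__ == "__main__":
    for finding in check_runtime_config(SAMPLE, TOPOLOGY):
        print(finding)
```

Pass cert_auth=False when the topology uses username/password authentication, so that the <ssl> check is skipped.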