How to set up Single Sign-On with HTTPS for CA ADA, NFA and UCM

Document ID:  TEC1940212
Last Modified Date:  06/30/2017

Products

  • CA Network Flow Analysis
  • CA Unified Communications Monitor
  • CA Application Delivery Analysis

Releases

  • CA Unified Communications Monitor:Release:3.7
  • CA Unified Communications Monitor:Release:3.6
  • CA Unified Communications Monitor:Release:3.5
  • CA Unified Communications Monitor:Release:3.4
  • CA Application Delivery Analysis:Release:10.0
  • CA Application Delivery Analysis:Release:10.1
  • CA Application Delivery Analysis:Release:10.2
  • CA Application Delivery Analysis:Release:10.3
  • CA Network Flow Analysis:Release:9.3.2
  • CA Network Flow Analysis:Release:9.3.1
  • CA Network Flow Analysis:Release:9.3

Components

  • NQRPTA - REPORTERANALYZER:NQRPTA
  • NQSACO - NETQOS SA COLLECTOR:NQSACO
  • NQUCMM - NETQOS UCM MGMT CONSOLE:NQUCMM
  • NQUCMC - NETQOS UCM COLLECTOR:NQUCMC
  • NQUCM - UNIFIED COMMUNICATION MONITOR:NQUCM
  • NQRADS - NETQOS RA DATA STORAGE APPLIANCE:NQRADS
  • NQSAMC - NETQOS SA MGMT CONSOLE:NQSAMC
  • NQSPRA
  • NQRACO - NETQOS RA CONSOLE:NQRACO
  • NQRASA - NETQOS RA STAND ALONE:NQRASA
Introduction:

How to set up Single Sign-On with HTTPS for CA ADA (up to 10.6), NFA (up to 9.3.3), and UCM

Instructions:

Follow the steps below to configure Single Sign-On with HTTPS for ADA (up to 10.6), NFA (up to 9.3.3), and UCM

**See 'Additional Information' below for wiki links to HTTPS setup for the latest ADA and NFA versions**

 Step 1. Generate and Install the SSL Certificate

Follow steps in section A for signed certificates and section B for self-signed certificates


A.    Steps for signed certificates


Note: The team that creates and enforces security policies for your organization can probably assist you with these steps.

•    Generate the certificate request in IIS Manager and obtain a Signed certificate.
See the following link: How to create a certificate request 

•    Install the signed certificate in IIS Manager Server Certificates 
See the following link: How to install a server certificate


•    Verify that the certificate is properly installed

Example:
Open the certificate and select the Certification Path as shown below.

[Image: certificatecertificationpath3.png]

Select each certificate displayed in the Certification Path list and ensure that the Certificate status field shows “This certificate is OK”.

Note: Contact the certificate provider if Certificate Status field displays errors.

•    To ensure that image graphs in NFA reports are properly included with the Print or Schedule report features, import the Certificate Authority root certificate in the IIS “Trusted Root Certification Authorities Certificates” for the Local Computer on the ADA, NFA or UCM Console server.

In the above certificate example the “CA Root Cert Auth” certificate displayed in the Certification Path must be imported to the IIS “Trusted Root Certification Authorities Certificates” for the Local Computer.

See the “Adding certificates to the Trusted Root Certification Authorities store for a local computer” section in the following link:
Manage Trusted Root certificates

B.   Steps for self-signed certificates.

Generate and export the self-signed certificate.
See the following link:
How to create and export a self-signed certificate

Note: The exported certificate will be used in Step 6 B.
In the steps below we will use c:\certs\nfaserver.cer as the exported certificate.

 

Step 2. Export the certificate in PFX format from IIS Manager

See the following link for more information:
How to export a certificate in PFX format

Note: Remember the password as it will be used in Step 5 and 10.


In the steps below we will use c:\certs\nfaserver.pfx as the exported certificate, with certificatepass as the password.

 

Step 3.  Configure the HTTPS port IIS Application

By default, IIS does not have a binding for HTTPS.  Navigate to the Default Website in IIS -> Under actions, select “Bindings”

Click on Add in Site Bindings

[Image: AddBindings.png]

Select the signed certificate in the SSL certificate pull down menu list

 

Note: Do not disable the HTTP (port 80) binding. The product will not work properly if HTTP is disabled.

[Image: BindingsSelectCert.png]

Step 4. Edit the product configuration XML file and change SignInPageProductDefaultUrl Scheme from http to https and enter 443 for the Port. The port field is blank by default.

ADA XML Path:  InstallDirectory\Portal\SSO\webapps\sso\configuration\SuperAgent.xml
NFA XML Path:   InstallDirectory\Portal\SSO\webapps\sso\configuration\ReporterAnalyzer.xml
UCM XML Path:  InstallDirectory\Portal\SSO\webapps\sso\configuration\voipmonitor.xml

NFA Example:

<?xml version="1.0" encoding="utf-8" ?>
<Configuration>
      <SingleSignOnEnabled>True</SingleSignOnEnabled>
      <SingleSignOnProductCode>ra</SingleSignOnProductCode>
      <SignInPageProductTitle><![CDATA[NetQoS<sup><font class="Superscript">®</font></sup> ReporterAnalyzer<sup><font class="Superscript">™</font></sup>]]></SignInPageProductTitle>
      <SignInPageProductDescription>Network Traffic Analysis</SignInPageProductDescription>
      <SignInPageProductDefaultUrl>
        <Scheme>https</Scheme>
        <Port>443</Port>
        <PathAndQuery>/ra/default.aspx</PathAndQuery>
      </SignInPageProductDefaultUrl>
      <SingleSignOnWebServiceUrl>
        <Scheme>http</Scheme>
        <Port></Port>
        <PathAndQuery>/ReporterDataSource/SingleSignOnWS.asmx</PathAndQuery>
      </SingleSignOnWebServiceUrl>
</Configuration>

 

Step 5. Create jetty keystore file from exported PFX certificate (Step 2)

ADA keystore file path:  InstallDirectory\Portal\Jetty-7.2.0\etc\keystore
NFA keystore file path:   InstallDirectory\Portal\Jetty-7.2.0\etc\keystore
NFA 9.3.2+ keystore file path:   InstallDirectory\Portal\Jetty\etc\keystore
UCM keystore file path:  InstallDirectory\Portal\Jetty\etc\keystore

A.  Rename the existing jetty keystore file

NFA Example:
C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore

B.  Keytool import command to create the new jetty keystore file with the PFX certificate as the source:

NFA Example:
keytool -importkeystore -srckeystore c:\certs\nfaserver.pfx -srcstoretype pkcs12 -destkeystore C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore -deststoretype JKS

Enter destination keystore password: (keystorepass)
Note: This step creates a new password. In this example we will use keystorepass as the password.

Re-enter new password: (keystorepass)

Enter source keystore password: (certificatepass)
Note: This is the PFX file password from Step 2.

Remember both passwords as they will be used in later steps.

C.   Keytool list command to verify the imported keystore and password entered in above step.

NFA Example:
keytool -list -keystore C:\CA\NFA\Portal\Jetty-7.2.0\etc\keystore -storepass keystorepass

 

Step 6. Import the certificate(s) to the java trusted certificates keystore

ADA cacerts file path:  InstallDirectory\jre\lib\security\cacerts
NFA cacerts file path:   C:\Program Files\Java\jre6\lib\security\cacerts
NFA 9.3.1+ cacerts file path:   InstallDirectory\jre\lib\security\cacerts
UCM cacerts file path:      InstallDirectory\jre7\lib\security\cacerts

Follow steps in section A for signed certificates and section B for self-signed certificates

A.    Steps for signed certificates

If the ADA, NFA or UCM server is using a certificate signed by a Certificate Authority (CA) that is not included in the Java cacerts keystore by default, you need to import the intermediate certificate and/or root certificate into the cacerts file for HTTPS connections to work properly. These certificates are the chain certificates displayed in the Certification Path in Step 1 A.

Note: The default Java cacerts file stores root certificates for the most common CAs, such as VeriSign, GoDaddy, etc.

 

•    (Optional) The following keytool list command can be used to view the default certificates included in the java trusted certificates keystore.

 Note: The default cacerts keystore password is changeit

keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit  > C:\certs\CACertsTrustedCerts1.txt

Edit the output file, CACertsTrustedCerts1.txt, and search for the alias name.

 

•    Import the root certificate and/or intermediate certificate into the Java trusted keystore (cacerts) with the keytool:

keytool -import -file c:\certs\CARootCertAuth.cer -alias CARootCertAuth -trustcacerts -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit

 

•    (Optional) Run the keytool command to print the certificates list and verify that imported certificate is in the list. 
keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit  > C:\certs\CACertsTrustedCerts2.txt

Edit the output file, CACertsTrustedCerts2.txt, and search for the alias name used in above import command.

 

B.    Steps for self-signed certificates

•    Import the self-signed certificate exported in Step 1 B to Java trusted keystore (cacerts)

NFA Example:
keytool -import -file c:\certs\nfaserver.cer  -alias nfaserver -trustcacerts -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit



•    (Optional) Run the keytool command to print the certificates list and verify that imported certificate is in the list. 

keytool -list -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -storepass changeit  > C:\certs\CACertsTrustedCerts3.txt
    
Edit the output file, CACertsTrustedCerts3.txt, and search for the alias name used in above import command.


Step 7. Configure Single-Sign On SSL Scheme and Port

SsoConfig.exe path:  InstallDirectory\Portal\sso\bin

NFA Example:
Run the SsoConfig.exe

SSO Configuration:
1. CA Performance Center
2. CA Network Flow Analysis
Choose an option >2

SSO Configuration/CA Network Flow Analysis:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
Choose an option >4

SSO Configuration/CA Network Flow Analysis/Single Sign-On:
Anonymous User Enabled: Disabled
Anonymous User ID: 2
Localhost User Sign-In Page Enabled: Disabled
Localhost User Enabled: Enabled
Localhost User ID: 1
Cookie Timeout Minutes: 20
Encryption Decryption Key: #$utP9%z
Encryption Algorithm: DES
Failed Sleep Seconds: 3
Remember Me Enabled: Enabled
Remember Me Timeout Days: 15
Scheme: http
Port: 8381
Virtual Directory: sso

1. Remote Value
2. Local Override
Choose an option > 2

SSO Configuration/CA Network Flow Analysis/Single Sign-On/Local Override:
1. Anonymous User Enabled:
2. Anonymous User ID:
3. Localhost User Sign-In Page Enabled:
4. Localhost User Enabled:
5. Localhost User ID:
6. Cookie Timeout Minutes:
7. Encryption Decryption Key:
8. Encryption Algorithm:
9. Failed Sleep Seconds:
10. Remember Me Enabled:
11. Remember Me Timeout Days:
12. Scheme:
13. Port:
14. Virtual Directory:
Select a Property > 12

Enter u to update to new value > u
Enter new value > https

SSO Configuration/CA Network Flow Analysis/Single Sign-On/Local Override:
1. Anonymous User Enabled:
2. Anonymous User ID:
3. Localhost User Sign-In Page Enabled:
4. Localhost User Enabled:
5. Localhost User ID:
6. Cookie Timeout Minutes:
7. Encryption Decryption Key:
8. Encryption Algorithm:
9. Failed Sleep Seconds:
10. Remember Me Enabled:
11. Remember Me Timeout Days:
12. Scheme: https
13. Port:
14. Virtual Directory:
Select a Property > 13

Enter u to update to new value > u
Enter new value > 8382

Enter q to quit SsoConfig

 

Step 8. Backup and edit the SSO start.ini file

start.ini file path:    InstallDirectory\Portal\SSO\start.ini

Edit the InstallDirectory\Portal\SSO\start.ini.  Search for jetty-ssl and remove the '#' from the following line so that it is active:

NFA Example:
# D:\CA\NFA\Portal\SSO\etc\jetty-ssl.xml

 

Step 9. Backup and edit SSO wrapper.conf

wrapper.conf file path:   InstallDirectory\Portal\SSO\conf\wrapper.conf

Edit the InstallDirectory\Portal\SSO\conf\wrapper.conf. In the following line replace ‘8381’ with ‘8382’ so that it matches the HTTPS port entered in Step 7 (the same port is set in jetty-ssl.xml in Step 10).

wrapper.java.additional.2=-Djetty.port=8382

 

Step 10. Configure the SSO jetty-ssl.xml file

A.   Copy the ‘jetty-ssl.xml’ template to the InstallDirectory\Portal\SSO\etc path

Path where the jetty-ssl.xml template is located:
ADA:  InstallDirectory\Portal\Jetty-7.2.0\etc\jetty-ssl.xml
NFA:   InstallDirectory\Portal\Jetty-7.2.0\etc\jetty-ssl.xml
NFA 9.3.2+:   InstallDirectory\Portal\Jetty\etc\jetty-ssl.xml
UCM path:  InstallDirectory\Portal\Jetty\etc\jetty-ssl.xml


SSO path where the jetty-ssl.xml should be copied to:
ADA:    InstallDirectory\Portal\SSO\etc\
NFA:      InstallDirectory\Portal\SSO\etc\
UCM:    InstallDirectory\Portal\SSO\etc\

B.   Edit the following lines in the InstallDirectory\Portal\SSO\etc\jetty-ssl.xml file as shown in the example below:

Use the keystore password created in Step 5 B for both KeyStorePassword and TrustStorePassword

Use the PFX certificate password created in Step 2 for the KeyManagerPassword

Set the port to 8382

Example:
<Set name="KeyStorePassword">keystorepass</Set>
<Set name="KeyManagerPassword">certificatepass</Set>
<Set name="TrustStorePassword">keystorepass</Set>
<Set name="Port">8382</Set>

 

Step 11. Backup and edit the SSO Jetty.XML

XML file path:    InstallDirectory\Portal\SSO\etc\jetty.xml

Edit the InstallDirectory\Portal\SSO\etc\jetty.xml and remove the lines below:


    <Call name="addConnector">
      <Arg>
          <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
            <Set name="host"><Property name="jetty.host" /></Set>
              <!-- Changed: Used to be Property -->
            <Set name="port"><SystemProperty name="jetty.port" default="8381"/></Set>
            <Set name="maxIdleTime">300000</Set>
            <Set name="Acceptors">2</Set>
            <Set name="statsOn">false</Set>
            <Set name="confidentialPort">8443</Set>
        <Set name="lowResourcesConnections">20000</Set>
        <Set name="lowResourcesMaxIdleTime">5000</Set>
          </New>
      </Arg>
    </Call>
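After Steps 4 and 8 through 11 the HTTPS settings are spread over five files, and a single leftover (a '#' still in start.ini, 8381 still in wrapper.conf, the HTTP connector still in jetty.xml) shows up only as a failed login in Step 14. The following is an added example, not part of this CA document or of the product, that reads those file contents and reports every mismatch in one pass. The file contents below are constructed samples mirroring the NFA examples above; the function names, the dictionary keys and the expected values (https/443, port 8382, the keystorepass/certificatepass placeholders) are assumptions of this example.

```python
# Added example (not part of the CA document or product): consistency check
# for the SSO HTTPS edits of Steps 4 and 8-11. File contents are passed in as
# strings; the GOOD/BAD samples below are constructed to mirror the NFA examples.
import re
import xml.etree.ElementTree as ET

HTTPS_SSO_PORT = "8382"  # SSO HTTPS port used in Steps 7, 9 and 10
HTTP_CONNECTOR = "SelectChannelConnector"  # plain-HTTP connector removed in Step 11


def check_product_xml(text):
    """Step 4: SignInPageProductDefaultUrl must use scheme https and port 443."""
    url = ET.fromstring(text).find("SignInPageProductDefaultUrl")
    if url is None:
        return ["product xml: SignInPageProductDefaultUrl element missing"]
    issues = []
    scheme = (url.findtext("Scheme") or "").strip().lower()
    port = (url.findtext("Port") or "").strip()
    if scheme != "https":
        issues.append(f"product xml: Scheme is '{scheme}', expected 'https'")
    if port != "443":
        issues.append(f"product xml: Port is '{port}', expected '443'")
    return issues


def check_start_ini(text):
    """Step 8: a jetty-ssl.xml line must be present and not commented out."""
    for line in text.splitlines():
        s = line.strip()
        if s.lower().endswith("jetty-ssl.xml") and not s.startswith("#"):
            return []
    return ["start.ini: no active (uncommented) jetty-ssl.xml line"]


def check_wrapper_conf(text):
    """Step 9: -Djetty.port must carry the HTTPS port, not the old 8381."""
    m = re.search(r"^wrapper\.java\.additional\.\d+=-Djetty\.port=(\d+)\s*$", text, re.M)
    if not m:
        return ["wrapper.conf: no -Djetty.port setting found"]
    if m.group(1) != HTTPS_SSO_PORT:
        return [f"wrapper.conf: -Djetty.port={m.group(1)}, expected {HTTPS_SSO_PORT}"]
    return []


def check_jetty_ssl_xml(text, keystore_pass, pfx_pass):
    """Step 10 B: keystore password (Step 5), PFX password (Step 2) and port."""
    sets = {m.group(1): m.group(2).strip()
            for m in re.finditer(r'<Set name="([^"]+)">([^<]*)</Set>', text)}
    expected = {"KeyStorePassword": keystore_pass, "TrustStorePassword": keystore_pass,
                "KeyManagerPassword": pfx_pass, "Port": HTTPS_SSO_PORT}
    issues = []
    for name, want in expected.items():
        got = sets.get(name)
        if got is None:
            issues.append(f'jetty-ssl.xml: <Set name="{name}"> missing')
        elif got != want:
            # secret values are never echoed into findings; only the port is shown
            issues.append(f"jetty-ssl.xml: {name} is wrong"
                          + (f" (found {got})" if name == "Port" else ""))
    return issues


def check_jetty_xml(text):
    """Step 11: the plain-HTTP connector block must have been removed."""
    if HTTP_CONNECTOR in text:
        return [f"jetty.xml: {HTTP_CONNECTOR} block (plain HTTP on 8381) still present"]
    return []


def check_sso_https_config(files, keystore_pass, pfx_pass):
    """Run every check over a dict of file contents and return all findings."""
    return (check_product_xml(files["product_xml"])
            + check_start_ini(files["start_ini"])
            + check_wrapper_conf(files["wrapper_conf"])
            + check_jetty_ssl_xml(files["jetty_ssl_xml"], keystore_pass, pfx_pass)
            + check_jetty_xml(files["jetty_xml"]))


# Constructed sample contents with every edit done correctly.
GOOD = {
    "product_xml": (
        '<?xml version="1.0" encoding="utf-8" ?>\n<Configuration>\n'
        '  <SingleSignOnProductCode>ra</SingleSignOnProductCode>\n'
        '  <SignInPageProductDefaultUrl><Scheme>https</Scheme><Port>443</Port>\n'
        '    <PathAndQuery>/ra/default.aspx</PathAndQuery></SignInPageProductDefaultUrl>\n'
        '</Configuration>\n'),
    "start_ini": "etc/jetty.xml\nD:\\CA\\NFA\\Portal\\SSO\\etc\\jetty-ssl.xml\n",
    "wrapper_conf": "wrapper.java.additional.2=-Djetty.port=8382\n",
    "jetty_ssl_xml": ('<Set name="KeyStorePassword">keystorepass</Set>\n'
                      '<Set name="KeyManagerPassword">certificatepass</Set>\n'
                      '<Set name="TrustStorePassword">keystorepass</Set>\n'
                      '<Set name="Port">8382</Set>\n'),
    "jetty_xml": "<Configure>\n  <!-- HTTP connector removed -->\n</Configure>\n",
}

# The same files with three edits undone: scheme left http, jetty-ssl.xml still
# commented out in start.ini, and wrapper.conf still on port 8381.
BAD = dict(GOOD, product_xml=GOOD["product_xml"].replace("https", "http"),
           start_ini="etc/jetty.xml\n# D:\\CA\\NFA\\Portal\\SSO\\etc\\jetty-ssl.xml\n",
           wrapper_conf="wrapper.java.additional.2=-Djetty.port=8381\n")

if __name__ == "__main__":
    for label, files in (("good", GOOD), ("bad", BAD)):
        print(label, check_sso_https_config(files, "keystorepass", "certificatepass") or "OK")
```

On a real server, read each file from the paths listed in the steps above into the same dictionary keys and pass the two passwords from Steps 2 and 5; the findings name the step to revisit, and password values are never printed.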

 

Step 12. Confirm that port 8382 is open if the firewall is enabled


Step 13. Restart the “CA Performance Center SSO” service and run an iisreset from the command prompt


Step 14. Verify that the Data Source Web console is accessible via HTTPS and that SsoConfig.exe can be launched

Note: The following log files can be checked if login fails or if SsoConfig.exe fails to launch
InstallDirectory\Portal\SSO\logs\wrapper
InstallDirectory\Portal\SSO\logs\SSOService.log
InstallDirectory\Portal\SSO\logs\application.log (if present)

Step 15. (Optional) Configure the Data Source Web Console HTTPS protocol and port.

If ADA, NFA or UCM is integrated with CAPC, follow sections A and C for signed certificates, or sections B and C for self-signed certificates.

If ADA, NFA or UCM is integrated with NPC, go to section C.

A.    Steps for Data Sources configured with signed certificates and integrated with CAPC.


•    Copy the root certificate and/or intermediate certificate identified in Step 6 A to the CAPC server.
Example: /tmp/corp_root.cer

•    Import the Certificate Authority certificate(s) to CAPC’s Java trusted keystore (cacerts) with the keytool command:

Example:
/CAPerformancenstallDirectory/jre/bin/keytool -import -alias corp_root  -trustcacerts  -file /tmp/corp_root.cer -keystore /CAPerformancenstallDirectory/jre/lib/security/cacerts -storepass changeit

Note: The default cacerts keystore password is changeit

•    (Optional) Run the keytool command to verify/print the newly imported certificate(s)

Example:
/CAPerformancenstallDirectory/jre/bin/keytool -list -keystore /CAPerformancenstallDirectory/jre/lib/security/cacerts -storepass changeit | grep -i corp

•    Restart each CA Performance Center service using these commands:

/sbin/service caperfcenter_sso restart
/sbin/service caperfcenter_devicemanager restart
/sbin/service caperfcenter_console restart  

For more information about configuring the Single Sign-On tool with SSL certificate, see the following Single Sign-On section in the CA Performance Management wiki.

B.    Steps for Data Sources configured with self-signed certificates and integrated with CAPC.

•    Copy the Data Source’s self-signed certificate created in Step 1 B to the CAPC.
Example: /tmp/nfaserver.cer

•    Import the self-signed certificate to CAPC’s Java trusted keystore (cacerts) with the keytool command:

Example:
/CAPerformancenstallDirectory/jre/bin/keytool -import -alias nfaserver  -trustcacerts  -file /tmp/nfaserver.cer -keystore /CAPerformancenstallDirectory/jre/lib/security/cacerts -storepass changeit

Note: The default cacerts keystore password is changeit

•    (Optional) Run the keytool command to verify/print the newly imported certificate

Example:
/CAPerformancenstallDirectory/jre/bin/keytool -list -keystore /CAPerformancenstallDirectory/jre/lib/security/cacerts -storepass changeit | grep -i nfaserver

•    Restart each CA Performance Center service using these commands:

/sbin/service caperfcenter_sso restart
/sbin/service caperfcenter_devicemanager restart
/sbin/service caperfcenter_console restart

For more information about configuring the Single Sign-On tool with SSL certificate, see the following Single Sign-On section in the CA Performance Management wiki.

C.   Log in to CAPC or NPC and edit the Data Source settings -> set the Web Console to HTTPS and enter the HTTPS port.

NFA Data source settings example:

[Image: nfadatasource.png]

Note: The Host Name must be set to the name that the certificate was Issued To.
IIS Server Certificate example:

[Image: CertIssueToExample.png]

Click on Test to verify connectivity and Save.

Note: The following log files can be checked if the Test option fails
/CAPerformancenstallDirectory/PC/logs

 

Step 16. Resync the NFA data source from CAPC/NPC and verify that NFA views show data. Click on the NFA link to ensure that the NFA Portal is accessible.

Additional Information:

If you are running NFA 9.3.2 or later please see the docs below:

TEC1430439 - NFA portal login fails over HTTPS (SSL) after upgrade to NFA 9.3.2

TEC1123504 - The Flow Statistics page does not show any data when connecting to NFA using HTTPS.

TEC1474313 - Unable to configure LDAP over SSL (LDAPS) for ADA, NFA or UCM

ADA 11 HTTPS Setup

 

NFA 9.3.6 HTTPS Setup
