Management

Configure trust

Configure trust on the Integration Bridge Service server and Synchronizer Service server when you need to connect to any other server over a secure channel.

  1. Obtain the certificate of the root and any intermediate Certificate Authority that issued the remote server certificate.

  2. Import each certificate into the Java truststore using a keytool command. For example:

    cd $JAVA_HOME/bin
    ./keytool -import -trustcacerts -alias <CA> -keystore ../jre/lib/security/cacerts -file <path to the CA certificate file>

Configure a secure connection to the Synchronizer service and Integration Bridge service

The following procedure is identical for the Synchronizer service and Integration Bridge service. The example given is for the Integration Bridge service. For the Synchronizer service, replace ibs with sync.

  1. Prepare a Java keystore file with your server certificate using the file name keystore.jks, and copy it to /opt/ibs/conf.

  2. Copy the file /opt/octane/server/conf/jetty-ssl.xml from your ALM Octane server to /opt/ibs/server/conf/jetty-ssl.xml. The ALM Octane configuration file is already set up for security requirements.

  3. Set the keystore password in jetty-ssl.xml. Note that if the Integration Bridge service keystore password is the same as in ALM Octane, you can skip this step.

    Edit /opt/ibs/server/conf/jetty-ssl.xml, and change all the passwords to the password of your keystore:

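    1. To avoid entering plain-text passwords, obfuscate the password. (The OBF: form is reversible and is not encryption, so also restrict read access to jetty-ssl.xml to the service account.)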

      1. Run the following:

        java -cp /opt/ibs/server/lib/jetty-util-9.2.9.v20150224.jar org.eclipse.jetty.util.security.Password <password>

      2. Copy the entire string of the line starting with OBF. For example: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0

    2. Paste your keystore password in the default attribute of the following property names: jetty.keystore.password, jetty.keymanager.password, and jetty.truststore.password (replacing the old password there).

      For example:

      <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0"/></Set>

  4. Configure a secure port:

    1. In /opt/ibs/server/conf/jetty.xml, set the value of the default attribute for the jetty.secure.port property.

      For example:

      <Property name="jetty.secure.port" default="8443" />

    2. In /opt/ibs/server/conf/jetty-https.xml, set the value of the default attribute for the https.port property.

      For example:

      <Property name="https.port" default="8443" />

  5. Edit /opt/ibs/server/conf/start.ini and uncomment the lines with jetty-ssl.xml and jetty-https.xml (remove the # character from the beginning of the line).

  6. Restart the service:

    service HPEOctaneIBS restart

  7. When using secure endpoints, each service must trust the certificates of the other services. Add your certification authority certificate to all machines, if it is not trusted by default.

    1. ALM Octane must trust itself, the Synchronizer service, and the Integration Bridge service.

    2. The Synchronizer service must trust ALM Octane and the Integration Bridge service.

    3. The Integration Bridge service must trust ALM Octane and the Synchronizer service.

    4. The Integration Bridge agent must trust the Integration Bridge service. The truststore of the JDK used by the Integration Bridge agent is located in <Integration Bridge agent install folder>/product/util/3rd-party/openjre1.8.0_65/jre/lib/security/cacerts.

    For details on configuring trust, see Configure trust.

  8. Enable secure ports on firewalls as described in Firewall requirements.

  9. If you are configuring secure connections after all services are already configured and running, you also need to reconfigure endpoints in the following locations:

    1. ALM Octane:

      1. File /opt/octane/webapps/service.locator.properties

      2. SYNC_BASE_URL and EXTERNAL_HELP_URL configuration parameters

        You can update these in the PARAMS table of the ALM Octane site admin database, or edit /opt/sync/conf/octane.site.params.properties and run the following:

        /opt/sync/install/set-site-parameters-to-octane.sh <ALM Octane url> <site admin username> <site admin password> /opt/sync/conf/octane.site.params.properties

    2. Synchronizer service:

      1. File /opt/sync/conf/sync.yml

      2. File /opt/sync/webapps/service.locator.properties

      3. IBS_BASE_URL parameter in the PARAMS table of the Synchronizer service site admin database

    3. Integration Bridge service:

      1. File /opt/ibs/conf/ibs.yml

      2. File /opt/ibs/webapps/service.locator.properties

    4. Integration Bridge agent:

      1. File <Integration Bridge agent install folder>/product/conf/server-connection.conf

    Restart each service after modifying its parameters.
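
A check you can run after steps 3 to 5, added here as an example and not part of the product's own scripts: it flags any of the three password properties that is not in OBF: form, a secure port that differs between jetty.xml and jetty-https.xml, and SSL files still commented out in start.ini. The function names and the sample directory are constructed for illustration; on a real host, pass /opt/ibs/server/conf (or the sync equivalent) to audit_jetty_tls_conf.

```shell
# Added example: audit a Jetty conf directory after steps 3 to 5.
# Prints one line per finding; the exit status is the number of findings.
port_of() {  # port_of <property name> <file>: print the port in default=""
    sed -n "s/.*name=\"$1\" default=\"\([0-9][0-9]*\)\".*/\1/p" "$2"
}

audit_jetty_tls_conf() {
    conf=$1; findings=0
    # Step 3: all three password properties must hold an OBF: value.
    for prop in jetty.keystore.password jetty.keymanager.password jetty.truststore.password; do
        line=$(grep "name=\"$prop\"" "$conf/jetty-ssl.xml" || true)
        case $line in
            *'default="OBF:'*) ;;
            *) echo "jetty-ssl.xml: $prop missing or not obfuscated"; findings=$((findings + 1)) ;;
        esac
    done
    # Step 4: jetty.xml and jetty-https.xml must name the same secure port.
    p1=$(port_of jetty.secure.port "$conf/jetty.xml")
    p2=$(port_of https.port "$conf/jetty-https.xml")
    if [ -z "$p1" ] || [ "$p1" != "$p2" ]; then
        echo "secure port mismatch: jetty.xml='$p1' jetty-https.xml='$p2'"
        findings=$((findings + 1))
    fi
    # Step 5: both files must appear on an uncommented line of start.ini.
    for f in jetty-ssl.xml jetty-https.xml; do
        if ! grep -q "^[^#]*$f" "$conf/start.ini"; then
            echo "start.ini: $f is still commented out or absent"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample directory (not real product files): one plain-text
# password, mismatched ports, and jetty-https.xml left commented out.
make_sample_conf() {
    d=$(mktemp -d)
    cat > "$d/jetty-ssl.xml" <<'EOF'
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0"/></Set>
<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="changeit"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0"/></Set>
EOF
    echo '<Property name="jetty.secure.port" default="8443" />' > "$d/jetty.xml"
    echo '<Property name="https.port" default="443" />' > "$d/jetty-https.xml"
    printf 'etc/jetty-ssl.xml\n#etc/jetty-https.xml\n' > "$d/start.ini"
    echo "$d"
}
sample=$(make_sample_conf)
audit_jetty_tls_conf "$sample" || echo "findings: $?"
rm -rf "$sample"
```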

Running the Synchronizer service on OpenJRE

If running OpenJDK is not possible in your environment, you need to reconfigure the Synchronizer service.

  1. Within <sync_install_dir>/wrapper, edit the wrapper-common.conf file.

  2. Add a new line:

    wrapper.java.additional.<number>=-Dorg.apache.jasper.compiler.disablejsr199=true

    where <number> is the next line number that is available in the file.

    Example:

    wrapper.java.additional.43=-Dorg.apache.jasper.compiler.disablejsr199=true

  3. Restart the Synchronizer service.

Uninstall the Synchronizer

To uninstall the Synchronizer service:

From /opt:

  1. Run: /opt/sync/install/uninstall.sh

  2. Run: rm -rf /opt/sync

To uninstall the Integration Bridge service:

From /opt:

  1. Run: /opt/ibs/install/uninstall.sh

  2. Run: rm -rf /opt/ibs

Upgrade the Synchronizer

After upgrading ALM Octane, perform the following steps to upgrade the Synchronizer service and Integration Bridge service.

  1. Back up the Synchronizer service and Integration Bridge service databases.

  2. Back up your existing /opt/ibs/conf and /opt/sync/conf directories.

  3. Download and extract the new Integration Bridge service and Synchronizer service installation packages.

  4. Copy the contents of your old /opt/ibs/conf and /opt/sync/conf directories from the backup you made, and overwrite the contents of the new /opt/ibs/conf and /opt/sync/conf directories.

  5. In the /opt/sync/conf/sync.yml and /opt/ibs/conf/ibs.yml files, in the database > action setting, enter CONNECT_TO_EXISTING_AND_UPGRADE.

  6. Back up the new .yml files, and execute the install.sh scripts as described in Step 2: Install and configure the Integration Bridge service and Step 3: Install the Synchronizer service.