Configuring Secure Web Logon

This section provides instructions on how to use the built-in Tomcat server and HTTPS to configure secure logon on the PPM logon page, the Administration Console, and the Change Password page.

To configure your instance to use HTTPS using the Tomcat server:

  1. Import your SSL certificate or, to create a simple self-signed certificate for testing, run the following command:

    keytool -genkey -alias <Your_Host> -keystore <Full_Keystore_File_Path> -storepass <Store_Password> -keypass <Key_Password>

    Your <Store_Password> and <Key_Password> must be the same. If they differ, the server fails with an error along the lines of java.io.IOException: Cannot recover key. For more information, see the Tomcat documentation.

    For information about importing a third-party certificate, see Importing an SSL Certificate from a Certificate Authority to Tomcat.

    Note: PPM does not recommend using self-signed certificates in production environments as they may negate the benefits of end-to-end security by decreasing the ability of a user to detect a man-in-the-middle (MITM) attack.

  2. Open the server.conf file (located in the <PPM_Home> directory) and set the ENABLE_SSL_LOGIN server configuration parameter to true.

    PPM sets this parameter to false by default, because enabling SSL requires the additional, site-specific settings described in the next step. However, we recommend that you set this parameter to true to enable secure web logon. SSL protects sensitive information in transit against eavesdropping, data tampering, and message forgery.

  3. Add the following server configuration parameters to the server.conf file and set values for each of them.

    HTTPS_PORT
        See Using the Server Configuration Utility to Modify Server Configuration Parameters.
        The HTTPS_PORT value must be the HTTP_PORT number plus 363.

    HTTPS_WEB_THREAD_MIN
        See Using the Server Configuration Utility to Modify Server Configuration Parameters.

    HTTPS_WEB_THREAD_MAX
        See Using the Server Configuration Utility to Modify Server Configuration Parameters.

    HTTPS_KEYSTORE_LOCATION
        See Using the Server Configuration Utility to Modify Server Configuration Parameters.

    HTTPS_KEYPASSWORD
        See Using the Server Configuration Utility to Modify Server Configuration Parameters.
        To get the encrypted password to copy and paste into the server.conf file, run the following command:

        sh kEncrypt.sh -t <Keystore_Password>

  4. Run the kUpdateHtml.sh script (located in the <PPM_Home>/bin directory), and then restart the servers.

  5. (AIX systems only) If you have PPM Servers running on AIX, stop the PPM Server, open the server.xsl file (located in the <PPM_Home>/conf/jboss directory) and add algorithm="IbmX509" to the Connector element, as follows:

    <Connector enableLookups="true" SSLEnabled="true" acceptCount="10" debug="0" scheme="https" secure="true" clientAuth="false" algorithm="IbmX509">
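A pre-restart sanity check for the server.conf settings from steps 2 and 3, as an added example that is not part of the PPM documentation or product. It parses a server.conf-style file and reports the mistakes the steps above warn about: ENABLE_SSL_LOGIN left at false, an HTTPS_PORT that is not HTTP_PORT + 363, an inconsistent thread range, a missing keystore path, and a keystore password that was pasted in plaintext instead of the kEncrypt.sh output. Assumptions (not stated on this page): PPM keys carry the com.kintana.core.server. prefix (bare keys are accepted too), kEncrypt.sh output is delimited by #!#, and the sample configurations are constructed.

```python
"""Check the HTTPS-related parameters of a PPM-style server.conf before restarting.

Added example; assumptions are marked in comments.
"""
import os
from typing import Dict, List

# Assumption: PPM parameter keys are prefixed like this; bare keys are also accepted.
KEY_PREFIX = "com.kintana.core.server."
# Assumption: kEncrypt.sh wraps its output in these delimiters.
ENCRYPTED_MARK = "#!#"
# Rule from the procedure: HTTPS_PORT must equal HTTP_PORT + 363.
HTTPS_OFFSET = 363


def parse_server_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, dropping comments, blanks and the PPM key prefix."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key.startswith(KEY_PREFIX):
            key = key[len(KEY_PREFIX):]
        params[key] = value.strip()
    return params


def check_https_config(params: Dict[str, str], check_keystore_path: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: List[str] = []

    if params.get("ENABLE_SSL_LOGIN", "false").lower() != "true":
        problems.append("ENABLE_SSL_LOGIN is not true: logon pages will be served over plain HTTP")

    try:
        http_port = int(params["HTTP_PORT"])
        https_port = int(params["HTTPS_PORT"])
        if https_port != http_port + HTTPS_OFFSET:
            problems.append(
                f"HTTPS_PORT must be HTTP_PORT + {HTTPS_OFFSET} "
                f"(expected {http_port + HTTPS_OFFSET}, got {https_port})"
            )
    except KeyError as missing:
        problems.append(f"missing parameter {missing.args[0]}")
    except ValueError:
        problems.append("HTTP_PORT and HTTPS_PORT must be integers")

    try:
        tmin = int(params["HTTPS_WEB_THREAD_MIN"])
        tmax = int(params["HTTPS_WEB_THREAD_MAX"])
        if tmin <= 0 or tmax < tmin:
            problems.append(f"thread range must satisfy 0 < MIN <= MAX (got {tmin}..{tmax})")
    except KeyError as missing:
        problems.append(f"missing parameter {missing.args[0]}")
    except ValueError:
        problems.append("HTTPS_WEB_THREAD_MIN and HTTPS_WEB_THREAD_MAX must be integers")

    keystore = params.get("HTTPS_KEYSTORE_LOCATION")
    if not keystore:
        problems.append("HTTPS_KEYSTORE_LOCATION is missing")
    elif check_keystore_path and not os.path.isfile(keystore):
        problems.append(f"keystore file not found: {keystore}")

    keypass = params.get("HTTPS_KEYPASSWORD")
    if not keypass:
        problems.append("HTTPS_KEYPASSWORD is missing")
    elif not (keypass.startswith(ENCRYPTED_MARK) and keypass.endswith(ENCRYPTED_MARK)):
        problems.append("HTTPS_KEYPASSWORD looks like plaintext: paste the output of kEncrypt.sh -t instead")

    return problems


# Constructed sample: a consistent configuration (8080 + 363 = 8443).
GOOD_CONF = """\
# constructed sample, not a real installation
com.kintana.core.server.HTTP_PORT=8080
com.kintana.core.server.HTTPS_PORT=8443
com.kintana.core.server.ENABLE_SSL_LOGIN=true
com.kintana.core.server.HTTPS_WEB_THREAD_MIN=5
com.kintana.core.server.HTTPS_WEB_THREAD_MAX=75
com.kintana.core.server.HTTPS_KEYSTORE_LOCATION=/opt/ppm/conf/keystore.jks
com.kintana.core.server.HTTPS_KEYPASSWORD=#!#constructedEncryptedValue#!#
"""

# Constructed sample with four mistakes: SSL login off, wrong port offset,
# MIN > MAX, and a plaintext keystore password.
BAD_CONF = """\
HTTP_PORT=8080
HTTPS_PORT=8444
ENABLE_SSL_LOGIN=false
HTTPS_WEB_THREAD_MIN=100
HTTPS_WEB_THREAD_MAX=75
HTTPS_KEYSTORE_LOCATION=/opt/ppm/conf/keystore.jks
HTTPS_KEYPASSWORD=changeit
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        found = check_https_config(parse_server_conf(conf))
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against a real file with `check_https_config(parse_server_conf(open(path).read()), check_keystore_path=True)` on the PPM host so the keystore path is also verified; keep the path check off when reviewing a copied server.conf elsewhere.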