Configure secure PPM pages

This section provides instructions on how to use the built-in Tomcat server and HTTPS to configure secure PPM pages.

If your PPM server is integrated with a Web server or load balancer, configure HTTPS on the Web server or load balancer. For details, see Server Cluster/External Web Server Configuration and Server Cluster Hardware Load Balancer Configuration.

If your PPM server is deployed in a stand-alone configuration, such as a test or development instance, follow the steps below to configure your instance to use HTTPS for secure communication.

To configure your instance to use HTTPS with the Tomcat server:

  1. Import your SSL certificate. Alternatively, to create a simple self-signed certificate for testing, run the following command:

    keytool -genkey -alias <Your_Host> -keystore <Full_Keystore_File_Path> -storepass <Store_Password> -keypass <Key_Password>

    Your <Store_Password> and <Key_Password> should be the same. If they differ, you will get an error along the lines of java.io.IOException: Cannot recover key. For more information, see the Tomcat documentation.

    For information about importing a third-party certificate, see Obtaining an SSL Certificate from a Certificate Authority to Tomcat and Importing an Existing SSL Certificate and Private Key to Tomcat.

    Note: PPM does not recommend the use of self-signed certificates in production environments. They decrease your ability to detect man-in-the-middle (MITM) attacks and negate the benefits of end-to-end security.

  2. Open the server.conf file (located in the <PPM_Home> directory) and set the ENABLE_SSL_LOGIN server configuration parameter to true.

    PPM sets this parameter to false by default. However, we recommend that you set this parameter to true to enable secure web logon. The use of SSL protects sensitive information against eavesdropping, data tampering, and message forgery while it is in transit.

  3. Add the following server configuration parameters to the server.conf file and specify a value for each of them.

    HTTPS_PORT: See Using the Server Configuration Utility to Modify Server Configuration Parameters. The HTTPS_PORT value must be the HTTP_PORT number plus 363.

    HTTPS_WEB_THREAD_MIN: See Using the Server Configuration Utility to Modify Server Configuration Parameters.

    HTTPS_WEB_THREAD_MAX: See Using the Server Configuration Utility to Modify Server Configuration Parameters.

    HTTPS_KEYSTORE_LOCATION: See Using the Server Configuration Utility to Modify Server Configuration Parameters.

    HTTPS_KEYPASSWORD: See Using the Server Configuration Utility to Modify Server Configuration Parameters.

    To get the encrypted password, run the following command:

    sh kEncrypt.sh -t <Keystore_Password>

  4. Run the kUpdateHtml.sh script (located in the <PPM_Home>/bin directory), and then restart the PPM server.

  5. (AIX systems only) If the PPM Server runs on AIX, stop the server, open the server.xsl file (located in the <PPM_Home>/conf/jboss directory), and add the algorithm="IbmX509" attribute to the Connector element, as follows:

    <Connector enableLookups="true" SSLEnabled="true" acceptCount="10" debug="0" scheme="https" secure="true" clientAuth="false" algorithm="IbmX509" >
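The settings from steps 2 and 3 can be checked before restarting the server. The following shell script is an added example, not part of the PPM product or its documentation: it verifies that ENABLE_SSL_LOGIN is true, that the five HTTPS parameters are set, and that HTTPS_PORT equals HTTP_PORT plus 363. The function names and the server.conf line format (one NAME=value per line, optionally with a dotted prefix before the name) are assumptions.

```shell
#!/bin/sh
# Added example, not PPM's own tooling: check the settings from steps 2 and 3.
# Assumption: server.conf holds one "NAME=value" per line, optionally with a
# dotted prefix before NAME; lines starting with "#" are comments.

# conf_get FILE NAME: print the last value assigned to NAME (empty if unset).
conf_get() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            sub(/^.*\./, "", key)        # drop the optional dotted prefix
            if (key == name) found = val
        }
        END { print found }' "$1"
}

# is_num STRING: succeed only for a decimal number without a leading zero.
is_num() { case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac; }

# check_ppm_https_conf FILE: print one FAIL line per problem; return 0 if none.
check_ppm_https_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    [ "$(conf_get "$conf" ENABLE_SSL_LOGIN)" = "true" ] ||
        { echo "FAIL: ENABLE_SSL_LOGIN is not true"; rc=1; }
    for p in HTTPS_PORT HTTPS_WEB_THREAD_MIN HTTPS_WEB_THREAD_MAX \
             HTTPS_KEYSTORE_LOCATION HTTPS_KEYPASSWORD; do
        [ -n "$(conf_get "$conf" "$p")" ] || { echo "FAIL: $p is not set"; rc=1; }
    done
    http=$(conf_get "$conf" HTTP_PORT); https=$(conf_get "$conf" HTTPS_PORT)
    if is_num "$http" && is_num "$https"; then
        [ "$https" -eq $((http + 363)) ] ||
            { echo "FAIL: HTTPS_PORT is $https, expected $((http + 363))"; rc=1; }
    else
        echo "FAIL: HTTP_PORT and HTTPS_PORT must both be numeric"; rc=1
    fi
    return $rc
}

# Constructed sample with two mistakes (not a real server.conf).
sample=$(mktemp)
printf '%s\n' 'HTTP_PORT=8080' 'ENABLE_SSL_LOGIN=false' 'HTTPS_PORT=443' \
    'HTTPS_WEB_THREAD_MIN=5' 'HTTPS_WEB_THREAD_MAX=75' \
    'HTTPS_KEYSTORE_LOCATION=/constructed/keystore' 'HTTPS_KEYPASSWORD=constructed' > "$sample"
check_ppm_https_conf "$sample" || true   # prints the two FAIL lines
rm -f "$sample"
```

To check a real instance, call check_ppm_https_conf with the path to the server.conf file in the <PPM_Home> directory.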