Configuring the UI communication channels (Tomcat)
This page describes how to configure the communication channel (the Tomcat server). It includes the following sections:
Configuration overview
You configure the secure transport protocol and cipher suite in the Tomcat server's server.xml files for each of the following product UIs: BMC Atrium Orchestrator Grid Manager, Operator Control Panel, the repository, and the dashboards.
- The protocol and allowed cipher suites are defined in the Connector element in the file.
- The cipher suite is listed in the ciphers attribute.
An example of the server.xml file is provided in the instructions in this page.
Note
If you change the protocol and cipher suite settings for the internal communication channel, BMC Software recommends that you use the same settings for all product UIs, such as the OCP, APs, LAPs, the repository, and dashboards.
Secure transport protocols
The following table lists the supported secure transport protocol values:
Secure transport protocol value | Supported versions
---|---
TLS | Supports some versions of TLS.
TLSv1 | Supports RFC 2246: TLS version 1.0; may support other versions.
TLSv1.1 | Supports RFC 4346: TLS version 1.1; may support other versions.
TLSv1.2 | Supports RFC 5246: TLS version 1.2; may support other versions.

Supported versions are based on the secure provider implementation configured for your environment.
Cipher suites
For a list of cipher suites that you can use for SSL connections, see Cipher suites.
The current BMC Atrium Orchestrator release installs Java SE Runtime Environment (build 1.7.0_07-b11). The cipher suites listed in Cipher suites are installed with the BMC Atrium Orchestrator release. Cipher suites listed as default are enabled. Unless a different list is defined for SSL, handshaking on an SSL connection will use one of these cipher suites.
Before you begin
Before configuring the UI communication channel, ensure that you have completed the following:
- Installed the BMC Atrium Orchestrator components, completed any post-installation configuration, and ensured that everything is working properly.
- Configured BMC Atrium Orchestrator to use HTTPS (see Configuring BMC Atrium Orchestrator to use HTTPS).
- Checked your web browser documentation for information about supported protocols and cipher suites. Ensure that the protocol you choose supports the cipher suites you use.
- Checked with your network administrator to ensure that the chosen protocol and cipher suites are supported by your network environment.
- Planned for a shutdown of your BMC Atrium Orchestrator environment, which occurs when you configure UI communication channels.
- Made backup copies of the server.xml file for each BMC Atrium Orchestrator component (such as the CDP, OCP, repository, or dashboards). See Configuring the UI communication channels for file locations.
Warning
It is very important that you back up the server.xml files for each component, so that you can revert back to the original files if needed.
Configuring the UI communication channels
When you configure the UI communication channel, you need to shut down the UI server, resulting in a shutdown of your BMC Atrium Orchestrator environment. Ensure that you plan for this shutdown.
The server.xml file that you modify in these instructions is stored in the following locations (AO_HOME represents the installation directory for the BMC Atrium Orchestrator component, such as the CDP, HA-CDP, AP, LAP, OCP, repository, or dashboards):
- Grid Manager (AO_HOME/CDP/tomcat/conf)
- Operator Control Panel (AO_HOME/OCP/tomcat/conf)
- Repository (AO_HOME/REPO/tomcat/conf)
- Dashboards (AO_HOME/DASHBOARD/tomcat/conf)
To configure the UI communication channels
- Shut down the UI server for the product UI, such as Grid Manager CDP, OCP, repository, or dashboard (see Starting and stopping product components and services).
- Navigate to the appropriate tomcat/conf directory (listed above) and edit the server.xml file, making the following two changes in the <Connector> element (use the example server.xml file entry as a guideline):
  <Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false" keystoreFile="E:\Program Files\BMC Software\BAO\AP\tomcat\conf\.keystore" maxThreads="150" port="38080" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
  - Change the protocol string in the sslProtocol value if applicable.
  - Add the cipher suite names to the ciphers attribute value.
- Repeat this process for each UI.
- Restart the UI server.
- Using a browser, connect to the UI and check that it is working.
- If you have any problems connecting to the UI, check the Tomcat log files (named localhost.date.log).
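Before restarting each UI server, it is worth checking the edited server.xml files the same way for every component. The script below is an added example, not BMC's code: it parses a server.xml, reads the sslProtocol and ciphers attributes of each SSL-enabled Connector, checks the protocol against the values in the table above, and flags cipher suites built on RC4, MD5 or 3DES for review. The sample XML is constructed here and modelled on the page's example entry.

```python
# Added example (not BMC's code): audit the SSL <Connector> elements of a
# Tomcat server.xml for the sslProtocol and ciphers settings this page describes.
import xml.etree.ElementTree as ET

# Protocol values from this page's "Secure transport protocols" table.
SUPPORTED_PROTOCOLS = {"TLS", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Suite-name fragments that mark legacy algorithms (RC4, MD5, 3DES). They are
# reported for review only; the choice of suites stays with the administrator.
LEGACY_MARKERS = ("RC4", "MD5", "3DES")

# Constructed sample server.xml modelled on the page's example Connector entry.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="38080" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="conf/.keystore" maxThreads="150"
               sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""

def parse_ciphers(value):
    """Split the ciphers attribute on commas, dropping whitespace and empties."""
    return [c.strip() for c in value.split(",") if c.strip()]

def audit_connectors(xml_text):
    """Return one report per SSL-enabled Connector; non-SSL connectors are skipped."""
    reports = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        proto = conn.get("sslProtocol", "")
        ciphers = parse_ciphers(conn.get("ciphers", ""))
        findings = []
        if proto not in SUPPORTED_PROTOCOLS:
            findings.append("unsupported sslProtocol: %r" % proto)
        if not ciphers:
            findings.append("ciphers attribute empty: provider defaults will be used")
        for c in ciphers:
            if any(m in c for m in LEGACY_MARKERS):
                findings.append("legacy cipher suite: " + c)
        reports.append({"port": conn.get("port"), "sslProtocol": proto,
                        "ciphers": ciphers, "findings": findings})
    return reports

if __name__ == "__main__":
    for r in audit_connectors(SAMPLE_SERVER_XML):
        print(r["port"], r["sslProtocol"], r["findings"])
```

Run it against each component's AO_HOME/.../tomcat/conf/server.xml by reading the file into `audit_connectors` instead of the constructed sample.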
Troubleshooting
Check the Tomcat log files (named localhost.date.log) for errors related to unsupported cipher suites or handshake failure messages.
When installing a new AP or LAP, the installation will fail if the UI protocol is not SSL. The SSL protocol is hard-coded in the installer for the UI server connection verification. If the UI server protocol is not SSL, before installing an AP or LAP, change the protocol back to SSL and perform the installation.