Configuring the UI communication channels (Tomcat)
This page describes how to configure the communication channel (the Tomcat server).
Configuration overview
You configure the secure transport protocol and cipher suite in the Tomcat server's server.xml files for each of the following product UIs: Grid Manager, Operator Control Panel, the repository, and the dashboards.
- The protocol and allowed cipher suites are defined in the Connector element in the file.
- The cipher suite is listed in the ciphers attribute.
An example of the server.xml file is provided in the instructions in this page.
Note
If you change the protocol and cipher suite settings for the internal communication channel, BMC Software recommends that you use the same settings for all product UIs, such as the OCP, APs, LAPs, the repository, and dashboards.
Secure transport protocols
The following table lists the supported secure transport protocol values:
Secure transport protocol value | Supported versions (based on the secure provider implementation configured for your environment) |
---|---|
TLS | Supports some versions of TLS. |
TLSv1 | Supports RFC 2246: TLS version 1.0; may support other versions. |
TLSv1.1 | Supports RFC 4346: TLS version 1.1; may support other versions. |
TLSv1.2 | Supports RFC 5246: TLS version 1.2; may support other versions. |
Cipher suites
For a list of cipher suites that you can use for SSL connections, see Cipher suites.
The current release installs Java SE Runtime Environment (build 1.8.0_202). The cipher suites listed in Cipher suites are installed with the release. Cipher suites listed as default are enabled. Unless a different list is defined for SSL, handshaking on an SSL connection will use one of these cipher suites.
Before you begin
Before configuring the UI communication channel, ensure that you have completed the following:
- Installed the components, completed any post-installation configuration, and ensured that everything is working properly.
- Configured to use HTTPS (see Configuring TrueSight Orchestration to use HTTPS).
- Checked your web browser documentation for information about supported protocols and cipher suites. Ensure that the protocol you choose supports the cipher suites you use.
- Checked with your network administrator to ensure that the chosen protocol and cipher suites are supported by your network environment.
- Planned for a shutdown of your environment, which occurs when you configure UI communication channels.
- Made backup copies of the server.xml file for each component (such as the CDP, OCP, repository, or dashboards). See Configuring the UI communication channels for file locations.
Warning
It is very important that you back up the server.xml files for each component so that you can revert to the original files if needed.
Configuring the UI communication channels
When you configure the UI communication channel, you need to shut down the UI server, resulting in a shutdown of your environment. Ensure that you plan for this shutdown.
The server.xml file that you modify in these instructions is stored in the following locations (AO_HOME represents the installation directory for the component, such as the CDP, HA-CDP, AP, LAP, OCP, repository, or dashboards):
- Grid Manager (AO_HOME/CDP/tomcat/conf)
- Operator Control Panel (AO_HOME/OCP/tomcat/conf)
- Repository (AO_HOME/REPO/tomcat/conf)
- Dashboards (AO_HOME/DASHBOARD/tomcat/conf)
To configure the UI communication channels
- Shut down the UI server for the product UI, such as Grid Manager CDP, OCP, repository, or dashboards (see Starting and stopping product components and services).
- Navigate to the appropriate tomcat/conf directory (listed above) and edit the server.xml file, making the following two changes in the <Connector> element (use the example server.xml file entry as a guideline):
<Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false" keystoreFile="E:\Program Files\BMC Software\BAO\AP\tomcat\conf\.keystore" maxThreads="150" port="38080" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
  - Change the protocol string in the sslProtocol value if applicable.
  - Add the cipher suite name to the ciphers attribute value.
- Repeat this process for each UI.
- Restart the UI server.
- Using a browser, connect to the UI and check that it is working.
- If you have any problems connecting to the UI, check the Tomcat log files (named localhost.date.log).
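The following check is an added example, not part of the BMC documentation or product. It parses a server.xml and reports, for each SSL-enabled Connector, a legacy sslProtocol value and any cipher suite names in the ciphers attribute that use RC4, 3DES, DES, NULL, EXPORT, anonymous key exchange, or MD5. The marker list, the legacy protocol set, the function name, and the second Connector in the sample are assumptions of this example; it expects JSSE-style suite names as used in the entry above.

```python
import xml.etree.ElementTree as ET

# Assumed policy for this example (not from the BMC page): substrings that mark
# a JSSE cipher suite name as weak, and sslProtocol values treated as legacy.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_anon_", "_MD5")
LEGACY_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the first Connector mirrors the protocol and cipher list of
# the entry above; the second (port 8443) is a constructed comparison entry.
SAMPLE = """<Server><Service name="Catalina">
  <Connector SSLEnabled="true" port="38080" scheme="https" secure="true" sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
  <Connector SSLEnabled="true" port="8443" scheme="https" secure="true" sslProtocol="TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
</Service></Server>"""

def audit_server_xml(xml_text):
    """Return (port, finding) tuples for every SSL-enabled Connector element."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector: nothing to audit here
        port = conn.get("port", "?")
        proto = conn.get("sslProtocol")
        if proto is None:
            findings.append((port, "sslProtocol not set"))
        elif proto in LEGACY_PROTOCOLS:
            findings.append((port, f"legacy sslProtocol {proto}"))
        ciphers = conn.get("ciphers")
        if not ciphers:
            findings.append((port, "ciphers not set; default cipher suites apply"))
            continue
        for name in (c.strip() for c in ciphers.split(",")):
            hits = [m.strip("_") for m in WEAK_MARKERS if m in name]
            if name and hits:
                findings.append((port, f"weak cipher {name} ({'/'.join(hits)})"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE):
        print(f"port {port}: {finding}")
```

Run it against the backup copy and the edited copy of each component's server.xml to confirm that the change removed the suites you intended and nothing else.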
Troubleshooting
Check the Tomcat log files (named localhost.date.log) for errors related to unsupported cipher suites or handshake failure messages.
When installing a new AP or LAP, the installation will fail if the UI protocol is not SSL. The SSL protocol is hard-coded in the installer for the UI server connection verification. If the UI server protocol is not SSL, before installing an AP or LAP, change the protocol back to SSL and perform the installation.
Comments
The documentation is out of date.... "The current release installs Java SE Runtime Environment (build 1.7.0_07-b11). "
E:\Apps\BMC Software\OCP\jvm\bin>java -version
openjdk version "1.8.0_202"
OpenJDK Runtime Environment (Zulu 8.36.0.2-SA-win64) (build 1.8.0_202-b05)
OpenJDK 64-Bit Server VM (Zulu 8.36.0.2-SA-win64) (build 25.202-b05, mixed mode)
E:\Apps\BMC Software\OCP\tomcat\bin>version.bat
Using CATALINA_BASE: "E:\Apps\BMC Software\OCP\tomcat"
Using CATALINA_HOME: "E:\Apps\BMC Software\OCP\tomcat"
Using CATALINA_TMPDIR: "E:\Apps\BMC Software\OCP\tomcat\temp"
Using JRE_HOME: "E:\Apps\CDP\jvm"
Using CLASSPATH: "E:\Apps\BMC Software\OCP\tomcat\bin\bootstrap.jar;E:\Apps\BMC Software\OCP\tomcat\bin\tomcat-juli.jar"
Server version: Apache Tomcat/9.0.10
Server built: Jun 20 2018 17:32:21 UTC
Server number: 9.0.10.0
Architecture: amd64
JVM Version: 1.8.0_202-b05
JVM Vendor: Azul Systems, Inc.
Thanks for bringing it to our notice, Greg. Will work with the team to update it asap.
It's now been more than 3 months with no updates...
Hi Greg,
Apologies for the delayed update.
We have updated the Java version now. Is there anything else you want us to update here?