This documentation supports the 18.08 version of Remedy Action Request System.


Configuring REST API for HTTPS connection

Follow the steps given below to configure REST API for HTTPS connection.

  1. Import the existing signed primary certificate into an existing Java keystore:

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

    If you do not have a certificate, create a new keystore by using a new password to secure the certificate:

    keytool -keystore keystore -alias jetty -genkey -keyalg RSA
    

    After the keystore has been created, you must provide six parameters that form a distinguished name for a certificate associated with the key.

    • CN—Common Name of the certificate owner (usually the name of the host)
    • OU—Organizational Unit of the certificate owner
    • O—Organization to which the certificate owner belongs
    • L—Locality name of the certificate owner
    • ST—State or province of the certificate owner
    • C—Country of the certificate owner

      Note

      The keystore file is created in the current directory of the command window.

  2. Obfuscate the SSL connector keystore password for greater security. 
    For more information, see Obfuscating the password.
  3. Update the jetty-http.xml file with the new password for the keystore.

    Note

    * In <Set name="KeyStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>, remove <Property name="jetty.home" default="." />.

    * Replace /etc/keystore/ with the actual path to the keystore.

    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.ServerConnector">
          <Arg name="server"><Ref refid="Server" /></Arg>
          <Arg type="java.lang.Integer" name="acceptors">2</Arg>
          <Arg type="java.lang.Integer" name="selectors">-1</Arg>
          <Arg name="factories">
            <Array type="org.eclipse.jetty.server.ConnectionFactory">
              <Item>
                <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                  <Arg name="config"><Ref refid="httpConfig" /></Arg>
                </New>
              </Item>
            </Array>
          </Arg>
          <Set name="host"><Property name="jetty.http.host" /></Set>
          <Set name="port"><Property name="jetty.http.port" default="8008" /></Set>
          <!--Uncomment to Enable Connector Statistics -->
          <!--<Call name="addBean">
            <Arg>
              <New id="ConnectorStatistics" class="org.eclipse.jetty.server.ConnectorStatistics"/>
            </Arg>
          </Call> -->
        </New>
      </Arg>
    </Call>

    <!-- Uncomment this to add SSL support for REST API,
         replace the values to match your environment -->
    <!-- <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      <Call name="addCustomizer">
        <Arg>
          <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
        </Arg>
      </Call>
      <Set name="sendServerVersion">false</Set>
    </New>

    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="KeyStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>
      <Set name="KeyManagerPassword">OBF:1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm</Set>
      <Set name="KeyStorePassword">OBF:1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm</Set>
      <Set name="TrustStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>
      <Set name="TrustStorePassword">OBF:1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm</Set>
      <Set name="IncludeCipherSuites">
        <Array type="String">
          <Item>TLS_DHE_RSA.*</Item>
          <Item>TLS_ECDHE.*</Item>
        </Array>
      </Set>
      <Set name="ExcludeCipherSuites">
        <Array type="String">
          <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
          <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
          <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>

          <Item>.*NULL.*</Item>
          <Item>.*RC4.*</Item>
          <Item>.*MD5.*</Item>
          <Item>.*DES.*</Item>
          <Item>.*DSS.*</Item>
          <Item>.*_DHE_RSA_.*</Item>
        </Array>
      </Set>
      <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
          <Item>SSL</Item>
          <Item>SSLv2</Item>
          <Item>SSLv2Hello</Item>
          <Item>SSLv3</Item>
        </Array>
      </Set>
    </New>

    <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
      <Arg name="sslContextFactory">
        <Ref refid="sslContextFactory" />
      </Arg>
      <Arg name="next">http/1.1</Arg>
    </New>

    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server" /></Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item><Ref refid="sslConnectionFactory" /></Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config"><Ref refid="httpsConfig" /></Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="port">8443</Set>
    </New>

    <Call name="setConnectors">
      <Arg>
        <Array type="org.eclipse.jetty.server.ServerConnector">
          <Item>
            <Ref refid="sslConnector" />
          </Item>
        </Array>
      </Arg>
    </Call>
    -->
    </Configure>
  4. Restart the AR System server.
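
The following added example (not part of the BMC documentation or of Jetty's own code) resolves the IncludeCipherSuites and ExcludeCipherSuites regex patterns from step 3 against a constructed list of suite names. It assumes Jetty's semantics of full-match regular expressions with excludes taking precedence over includes; the function names and the suite list are hypothetical. It shows that the `TLS_DHE_RSA.*` include has no effect because `.*_DHE_RSA_.*` is also excluded, and that `.*DES.*` removes 3DES suites as well.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the regex patterns of the sslContextFactory block.
SSL_CONTEXT_XML = """
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="IncludeCipherSuites"><Array type="String">
    <Item>TLS_DHE_RSA.*</Item><Item>TLS_ECDHE.*</Item>
  </Array></Set>
  <Set name="ExcludeCipherSuites"><Array type="String">
    <Item>.*NULL.*</Item><Item>.*RC4.*</Item><Item>.*MD5.*</Item>
    <Item>.*DES.*</Item><Item>.*DSS.*</Item><Item>.*_DHE_RSA_.*</Item>
  </Array></Set>
</New>
"""

# Constructed sample of suite names a JVM might offer (not read from a real JVM).
SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

def patterns(root, name):
    """Return the regex <Item> values of the named <Set> element."""
    node = root.find(f"./Set[@name='{name}']")
    return [i.text.strip() for i in node.iter("Item")] if node is not None else []

def hit(pats, suite):
    """True if any pattern matches the whole suite name."""
    return any(re.fullmatch(p, suite) for p in pats)

def resolve(xml_text, supported):
    """Apply include patterns, then excludes (excludes win)."""
    root = ET.fromstring(xml_text)
    includes = patterns(root, "IncludeCipherSuites")
    excludes = patterns(root, "ExcludeCipherSuites")
    selected = [s for s in supported if not includes or hit(includes, s)]
    enabled = [s for s in selected if not hit(excludes, s)]
    # Include patterns that contribute no enabled suite are dead configuration.
    dead = [p for p in includes if not any(hit([p], s) for s in enabled)]
    return enabled, dead

if __name__ == "__main__":
    enabled, dead = resolve(SSL_CONTEXT_XML, SUPPORTED)
    print("enabled:", enabled, "\ninclude patterns with no effect:", dead)
```

To audit a real deployment, replace the constructed list with the suite names your JVM actually supports and the fragment with the uncommented block from your jetty-http.xml.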

After you restart the AR System server, the following warning is displayed and you may experience runtime errors.

WARN:oejob.JettyBootstrapActivator:main: OSGi support for java.util.ServiceLoader may not be present.

Perform the following steps to turn on logging for Jetty:

  • Enable the Jetty log level in the arserver.config file for Windows and in the arserverd.conf file for Linux. Use the following JVM option:
    -Dorg.eclipse.jetty.LEVEL=DEBUG
  • Enable extra Jetty-related logs in the Jetty/etc/Jetty.xml file. Refer to the following code sample:

    <Call class="org.eclipse.jetty.util.log.Log" name="getRootLogger">
      <Call name="setDebugEnabled">
        <Arg type="boolean">false</Arg>
      </Call>
    </Call>

    Here, set the boolean argument of the setDebugEnabled call to true.

After you enable logging, the Jetty logs are displayed on the server console or in the armonitor.log file.

After you create a self-signed certificate, browsers and other programs issue warnings to users about an insecure certificate each time the user authenticates. You can prevent the certificate warning by adding the self-signed certificate to the Trusted Root Certification Authorities store. For more information, see Importing a certificate into the Trusted Root Certification Authorities store.

Obfuscating the password

Jetty passwords can be stored as clear text, obfuscated, checksummed, or in encrypted form. For the keystore, key, and truststore passwords, you must obfuscate the passwords. Obfuscation (the OBF: prefix) is reversible and protects only against casual viewing, so also restrict file-system access to the jetty-http.xml file and the keystore. The class org.eclipse.jetty.util.security.Password is used to generate all types of secure passwords. Create the password from the <install directory>\lib\start\startlevel1 location by using the following command. The username parameter is optional.

java -cp jetty-util-9.4.11.v20180605.jar org.eclipse.jetty.util.security.Password username password

If you are using a reverse proxy, uncomment the following section in the jetty-http.xml file.

<Call name="addCustomizer">
  <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
</Call>

Reference topic

Configuring REST API for HTTP connection

