Milestone 5: Configuring Compuware Enterprise Services

After installing CES, there are a few additional configuration considerations required to allow full functionality of the application. Start Compuware Enterprise Services and launch the Compuware Enterprise Services application from a browser using the URL specified in the installation. For example:

http://<hostname>:48226/compuware

Once in the Compuware Enterprise Services application, navigate to the Administration page. To access this page, you are required to provide the default password. Refer to Database Setup. Select each of the following configuration items:

Database setup

Although Compuware Enterprise Services installs out of the box with a fully functional Apache Derby database, you can either switch databases or migrate that database to one of the following supported databases:

  • Apache Derby (default)
  • Microsoft SQL Server
  • Oracle
  • IBM Db2 for LUW
  • IBM Db2 for z/OS

Further CES database setup details are provided in both the online help for Compuware Enterprise Services, as well as Appendix B: Compuware Enterprise Services Database Configuration of this installation space.

  NoteImage.jpg

Due to performance issues, Apache Derby is not a recommended DBMS when collecting SMF data.

Host connections

Host Connection settings are used to specify port connections to the Host Communications Interface (HCI). There must be at least one HCI port configured per LPAR.

For Topaz Workbench features requiring CES to manage leased-licensing, the Host Connection setting needs to point to the HCI connected to the License Management System (LMS) holding those license files. That HCI and LMS must be on the same LPAR. For more information on Topaz Workbench licensing, see Appendix A of the Topaz Workbench Installation space.

Optionally, autoconfiguration may be enabled in the CMSC. Information such as the accessible HCI host/port combinations are automatically sent and will automatically populate within CES. Topaz Workbench users may enter the CES URL in their Topaz Workbench preferences. This will synchronize the configured HCI connections to their own environment, eliminating the need for manual entry.

Further details for host connections setup are provided in the Compuware Enterprise Services Help.

Update Center

The Update Center provides a means for centrally administering updates to Compuware web-based products and Topaz Workbench. Updates are provided by obtaining an update repository, either online or manually.

Installed tab

Displays those Compuware Web Products that are currently installed.

Updates tab

  • Set Check for updates online to On -- On page load, a list of available updates is retrieved from a cloud-based Compuware update server. Check with your network administrator to be sure you can issue HTTPS requests to update.compuware.com on port 443. A secure proxy may be required.
  • Set Check for updates online to Off -- This option allows you to manually upload CES and Topaz updates downloaded from the Compuware Support Center or obtained from a Compuware representative.
  • To show the latest versions only of the web-based products, set the Show latest versions only switch to On.

Security

Compuware Enterprise Services (beginning with CES 18.2.1) provides the ability to secure access to administrative functions within the Compuware Enterprise Services application.

If a default password was enabled in the prior release, the upgraded CES will automatically create the user ID “cesadmin” with the password “cesadministration”.

The “cesrecovery” user function allows an administrator to login when there is no connection to the database in order to reconfigure the database. The default password is “cesadministration”, or a previous CES administration password. This can be changed on the Users tab.

Change the default auto-fill user ID

To change the default auto-fill user ID, specify a user ID by using the following entry in the security.properties file:

security.display.username=<insert user ID>

If you don't want the default auto-fill user ID to be populated, use the following entry without specifying a user ID:

security.display.username=

This parameter allows the user to control the default auto-fill user ID displayed in the CES login dialog. If the user has added one to their browser cache, the cache will override the default. So, the user would have to clear their browser cache of our CES URL to see the security.display.username property. If the parameter does not exist in the security.properties file the default cesadmin user name is displayed.

Default location of the security.properties file is:

C:\ProgramData\Compuware\CES\data\ces\config

Further details for security configuration are provided in the Compuware Enterprise Services Help.

Web server

Web Server Settings allow you to configure and manage settings for the following:

  • HTTPS - requires keystore information. The default port is: 48443
  • Proxy - allows for HTTP Proxy and Secure Proxy.

Further details for Web Server settings are provided in the Compuware Enterprise Services Help.

HTTPS and Client Server Certificate Authentication

Use the following steps to set up HTTPS and Client Server Certificate Authentication.

 RememberImage.jpg

These steps guide you through the process of setting up certificate security on CES. You must have already generated client certificates and a keystore. If you do not have those pieces, please refer to this page for instructions on creating certificates.

  1. Navigate to the CES Web Server page.
  2. On the tab that allows control of HTTP and HTTPS, toggle HTTP to the Off position, and toggle HTTPS to the On position.
    Note: Turning HTTP off is an essential step in the process.
  3. With the toggle for HTTPS turned on, you must also do the following:
    1. In the Location section, enter the full file path of the .jks keystore you created.
    2. In the password section, enter the password tied to the .jks keystore file.
    3. In the certificate alias section, enter the alias of the certificate you intend to use. Normally this is your machine name.
    4. Change Client Certificate Authentication from None to Keystore.
    5. Change the toggle for Require Client Certification Auth to On.
    6. Click Apply.

Note: When doing this for the first time, it may be a good idea to first turn on HTTPS without turning off HTTP, check that HTTPS works, and then turn off HTTP. If HTTP is off and HTTPS is set incorrectly, you will be locked out of your CES, completing the process in two steps rather than one is slower but safer.

If you are locked out of CES:
If, during Step 3 above, you turned off HTTP and your HTTPS was not properly set, you must follow these steps to get CES up and running again:


    1. Shut down CES.
    2. Go into the properties files (normally contained within data/ces/config) and find ces.properties. Open it.
    3. Find the line "jetty.port.enabled=" and change false to *true*.
    4. Find the line "jetty.secure.port.enabled=" and change true to *false*.
    5. Find the line "jetty.port=" and change "0" to whatever port no. you want HTTP to use.
    6. Find the line "jetty.secure.port=" and change the port no. there to 0.
    7. Save and close the file.
    8. Start up CES.

After following these steps, you'll be back in your previous state, with HTTP enabled and HTTPS disabled. Troubleshoot your certificates, then try turning on HTTPS once more. Then, continue with Step 4 below.

4. Once CES has restarted, enter the new CES URL in the address bar and navigate to the secure CES.

 RememberImage.jpg

The URL must include the https://, and must be in the full, unshortened form unless defined otherwise by your administrator. Most often this takes the form: https://machinename.domainname:url.

5. Navigate to the "Security" page on CES.

6. Go into the Security tab.

7. Choose the Security option labeled Client Certificate. Here, you should see two input fields.

8. Change the client certificate mask field as you wish using Regex.

Note: However, make sure before you hit Apply that your choice will not lock out any users you wish to have access. If you are unsure, the default client certificate mask is a safe choice to start with.

9. Add the name you defined your certificate with when creating your client cert to the Administrator(s) field. Most commonly, this will be either your company-defined ID or your Firstname + Lastname, with a space in between the two names--check with the person or organization who created your client certificate if you are unsure what value to use.
10. Click Apply, and restart CES.

If you are getting an unauthorized user error:
If you are not able to access CES after turning on Client Certificate Security and need to remove and reapply security, follow these steps:
a. Shut down CES.
b. Go into the properties files (normally contained within data/ces/config) and find security.properties. Open it.
c. Find the line "auth.mode=" and change X509 to NONE. (the all-caps is important!)
d. Save and close the file.
e. Start CES.
Having performed these steps, CES should now be in a state in which HTTPS is on, but without Client Certificate security, allowing you to change your settings and retry.
11. Once you've restarted, you should see a prompt from the browser itself asking you to choose a certificate. Choose the browser certificate you created.

You should now have access to CES X509/Client Certificate security.

Smart Card authentication

Smart Card authentication can be set up on Compuware Enterprise Services. With Smart Card authentication, users are able to log on to Compuware Enterprise Services by inserting a physical card into their machine, without having to manually enter credentials.

Complete the following steps on the Web Server Settings page to establish Smart Card authentication:

  1. Disable the HTTP port and enable the HTTPS port.
  2. Within the KeyStore settings:
    • Be sure the KeyStore chosen to enable HTTPS matches the authentication established on users' Smart Cards.
    • Set the Client certificate authentication to an option other than 'None'. Click Apply. CES will restart.
  3. Navigate to the Security tab on the Security page, and switch the Authentication Mode to On. Navigate to the Client certificate tab.
  4. Enter the appropriate client certificate mask, and the administrator IDs for the associated admin users. Click Apply.
  5. CES will restart with x509 enabled. Authentication by Smart Card is now possible for those users whose certificate within the KeyStore established in the Web Server Settings page matches the certificate established on their Smart Card.

  RememberImage.jpg

In order to read the card and transmit the information to CES, the user must have appropriate drivers installed. These drivers are a third-party installation not provided by Compuware, and many options exist for installation.

Additional product configuration

  • (Fault Analytics only) To configure Abend-AID Fault Analytics web application (manager) and install the Fault Analytics Collector, refer to the Abend-AID Fault Analytics Installation and Configuration space.
  • (iStrobe only) To configure iStrobe, refer to the iStrobe Configuration space.
  • (Topaz for Java Performance only) At least one Topaz for Java Performance Agent per LPAR is required to be installed on z/OS UNIX in order initiate measurements. Refer to Installing the Topaz for Java Performance Agent.
  • (ISPW Web only) To configure ISPW Web, refer to the ISPW Web online help accessed within Compuware Enterprise Services.

  • (ThruPut Manager Web only) To configure ThruPut Manager Web, an HCI should be configured in CES that has access to a ThruPut Manager installation on the desired LPAR.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*