By default, App Visibility Manager uses pregenerated, self-signed certificates for authentication between the server components, agents, and the Presentation Server. You can replace the pregenerated certificates with custom certificates.
App Visibility certificate overview
The following diagram shows the components of the App Visibility Manager environment, and the properties files that manage the keystore file names and passwords on each component. The arrows represent the flow of data between the components.
App Visibility components and the properties files that manage certificates
To use your own security certificate, put a certificate on each component, and then edit the properties files on each component to use the new certificates and password.
Before you begin
- Install and configure App Visibility components.
- Prepare security files for the following components. For details about creating the files, see the Java Keytool documentation on the Oracle website.
- For App Visibility server components and agents for Java, prepare the following files:
- keystoreFileName.jks, where keystoreFileName is your custom keystore file name
- truststoreFileName.jks, where truststoreFileName is your custom truststore file name
- For App Visibility agents for .NET, prepare the following files:
- For the Presentation Server, prepare the following files:
- (HotfixCore_TSPS_1010006 or later) keystoreFileName.jks file, where keystoreFileName is your custom keystore file name
- (HotfixCore_TSPS_1010009 or later) truststoreFileName.jks, where truststoreFileName is your custom truststore file name
In a multitenancy environment, you can prepare a separate keystore file and truststore file for each tenant. If you do not specify separate files for a tenant, the designated default certificate will be used.
- Prepare an encrypted password (instructions near the end of this topic) for each security file.
To replace security files for App Visibility server components
For each App Visibility server component, perform the following procedure.
- Place your keystore and truststore files on each component computer.
- Open the specified properties file (see the following table).
- Replace the default location and file name of the keystore and truststore with the location and file name of your files.
- Replace the default password with your encrypted password value.
The system uses the same password for the truststore and the keystore.
- Save the file and restart the service.
The following table lists the file paths and file names of the properties files for the App Visibility server components. Each component has the following default installation directory:
By default, the keystore and truststore files are located in the installationDirectory\component\security directory. In the properties files, you must provide a relative path to the keystore and truststore files in the security directory.
App Visibility server security files and parameters
Properties file* | Parameter |
---|---|
portalInstallationDirectory\portal\properties\portal.properties | key.store.file.path=relativePath/keystoreFileName.jks<br>trust.store.file.path=relativePath/truststoreFileName.jks<br>key.store.password.enc=encryptedPassword |
collectorInstallationDirectory\collector\properties\collector.properties | key.store.file.path=relativePath/keystoreFileName.jks<br>trust.store.file.path=relativePath/truststoreFileName.jks<br>key.store.password.enc=encryptedPassword |
proxyInstallationDirectory\apm-proxy\properties\apm-proxy.properties | key.store.file.path=relativePath/keystoreFileName.jks<br>trust.store.file.path=relativePath/truststoreFileName.jks<br>key.store.password.enc=encryptedPassword |
* The file paths in Windows are displayed with a backslash (\) separator. For components installed on Linux computers, use a forward slash (/).
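Because each component applies one password to both the keystore and the truststore, it is worth confirming that both files accept the same plain text password before you encrypt it and restart the service. The following added example is not part of the product or of this documentation; it checks a password against the integrity hash of JKS files with the Python standard library, and the function names and sample stores are constructed for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity hash


def jks_digest(password: str, body: bytes) -> bytes:
    # SHA-1 over the password (2 bytes per char), the fixed string, then the store
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()


def jks_password_ok(store: bytes, password: str) -> bool:
    """True if `password` matches the integrity hash at the end of a JKS store."""
    if len(store) < 32:  # 12-byte header + 20-byte SHA-1
        raise ValueError("too short to be a JKS store")
    (magic,) = struct.unpack(">I", store[:4])
    if magic != JKS_MAGIC:
        # Recent keytool versions write PKCS12 unless -storetype JKS is given.
        raise ValueError(f"not a JKS store (magic 0x{magic:08X})")
    return hmac.compare_digest(jks_digest(password, store[:-20]), store[-20:])


def shared_password_problems(stores: dict, password: str) -> list:
    """Check that every store (file name -> bytes) accepts the one password."""
    problems = []
    for name, blob in stores.items():
        try:
            if not jks_password_ok(blob, password):
                problems.append(f"{name}: password does not match")
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    return problems


def constructed_empty_jks(password: str) -> bytes:
    """Build an empty JKS store (version 2, zero entries) as sample input."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


if __name__ == "__main__":
    # Constructed stores; for real files use open(path, "rb").read().
    stores = {
        "keystoreFileName.jks": constructed_empty_jks("Example-Pass-1"),
        "truststoreFileName.jks": constructed_empty_jks("Other-Pass-2"),
    }
    for problem in shared_password_problems(stores, "Example-Pass-1"):
        print(problem)
```

Run the check on the plain text password only; the encrypted value stored in `key.store.password.enc` cannot be tested this way.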
To replace security files for App Visibility agents for Java
For each App Visibility agent for Java, perform the following procedure.
- Place your keystore and truststore files in the agentInstallationDirectory\ADOPsInstall\properties directory* on each computer with the agent for Java installed.
- Open the portal.connection.properties file, located in the agentInstallationDirectory\ADOPsInstall\properties directory.
- Replace the default file name of the keystore and truststore with the names of your files:
key.store.file.name=keystoreFileName.jks
trust.store.file.name=truststoreFileName.jks
- Replace the default password with your encrypted password value:
key.store.password.enc=encryptedPassword
The system uses the same password for the truststore and the keystore.
- Save the file and restart the application server.
* The file paths in Windows are displayed with a backslash (\) separator. For components installed on Linux computers, use a forward slash (/).
To replace security files for App Visibility agents for .NET
For each App Visibility agent for .NET, perform the following procedure.
- Place your keystore and truststore files in the agentInstallationDirectory\properties directory on each computer with the agent for .NET installed.
- Open the agents.properties file, located in the agentInstallationDirectory\properties directory.
- Replace the default location and file name of the keystore and truststore with the location and file name of your files:
key.store.file.name=keystoreFileName.p12
trust.store.file.name=truststoreFileName.cer
- Replace the default password with your encrypted password value.
key.store.password.enc=encryptedPassword
The system uses the same password for the truststore and the keystore.
- Save the file and restart IIS.
To replace security files for communication with the Presentation Server
Instructions for Hotfix_TSPS_1010006 - Hotfix_TSPS_1010008
After you apply HotfixCore_TSPS_1010006 or later, certificate details for internal communication between the Presentation Server and App Visibility Manager are managed by the App Visibility certificates file, appVisCertificates.xml. The certificates file is located with default certificate information on the Presentation Server.
You can replace the default certificate and update the values of the default-certificate element in the appVisCertificates.xml file. In an environment with multiple tenants, you can add a tenant-certificate element for each tenant. If you do not define a tenant-certificate for one or more tenants, those tenants use the default-certificate values instead.
- Place your keystore file or files (for multiple tenants) on the Presentation Server computer.
- Open the appVisCertificates.xml file, located in the tspsInstallationDirectory\conf directory.*
- To replace the default certificate, replace the default location and file name of the keystore, and the password with the values for your files:
<default-certificate path="fullFilePath/keystoreFileName.jks" password="encryptedPassword"/>
- To add a certificate for one or more tenants, add the following element for each tenant, and use your values for the tenant name, location and file name of the keystore, and the encrypted password.
<tenant-certificate tenant="tenantName" path="fullFilePath/keystoreFileName.jks" password="encryptedPassword"/>
- Save the file and restart the Presentation Server by running the following command:
(Windows) tssh server start
(Linux) ./tssh server start &
* Use a forward slash (/) for file paths, even on Windows systems.
After you apply HotfixCore_TSPS_1010009, certificate details for internal communication between the Presentation Server and App Visibility Manager are managed by the App Visibility certificates file, appVisCertificates.xml. The certificates file is located with default certificate information on the Presentation Server.
You can use your own default certificate and update the values of the default-certificate element in the appVisCertificates.xml file. In an environment with multiple tenants, you can add a tenant-certificate element for each tenant. If you do not define a tenant-certificate for one or more tenants, those tenants use the default-certificate values instead.
- Place your keystore file and (optional) truststore file (or multiple files for multiple tenants) on the Presentation Server computer.
- Open the appVisCertificates.xml file, located in the tspsInstallationDirectory/conf directory.
- Update the following elements, as required:*
- To replace the default certificate, replace the default path and file name of the keystore and (optional) the truststore, and the password with the values for your keystore file:
<default-certificate path="conf/secure/appVisSecure/keystoreFileName.jks" password="encryptedPassword" truststorePath="conf/secure/appVisSecure/truststoreFileName.jks"/>
- To add a certificate for one or more tenants, add the following element for each tenant, and use your values for the tenant name, path and file name of the keystore file and (optional) truststore files, and the encrypted password.
<tenant-certificate tenant="tenant1Name" path="conf/secure/appVisSecure/keystoreFileName.jks" password="encryptedPassword" truststorePath="conf/secure/appVisSecure/truststoreFileName.jks"/>
<tenant-certificate tenant="tenant2Name" path="conf/secure/appVisSecure/keystoreFileName.jks" password="encryptedPassword" truststorePath="conf/secure/appVisSecure/truststoreFileName.jks"/>
- Save the file and restart the Presentation Server service by running the following command:
* Use a forward slash (/) for file paths, even on Windows systems.
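The tenant fallback and the forward-slash rule described above can be checked before you restart the Presentation Server. This added example is not BMC code: the root element name `certificates`, the function names, and the sample file are constructed for illustration, and only the `default-certificate` and `tenant-certificate` elements and their attributes come from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The root element name is a placeholder (the page does
# not show it); the tenant1Name entry carries two deliberate mistakes.
SAMPLE = """<certificates>
  <default-certificate path="conf/secure/appVisSecure/keystoreFileName.jks"
      password="encryptedPassword"
      truststorePath="conf/secure/appVisSecure/truststoreFileName.jks"/>
  <tenant-certificate tenant="tenant1Name"
      path="conf\\secure\\appVisSecure\\tenant1.jks"
      password="encryptedPassword "/>
</certificates>"""


def check_entry(label, element):
    """Return the problems found in one certificate element."""
    problems = []
    for attr in ("path", "password", "truststorePath"):
        value = element.get(attr)
        if value is None:
            if attr != "truststorePath":  # the truststore is optional
                problems.append(f"{label}: missing {attr}")
        elif value != value.strip() or not value:
            problems.append(f"{label}: {attr} is empty or padded with whitespace")
        elif attr != "password" and "\\" in value:
            problems.append(f"{label}: {attr} must use forward slashes")
    return problems


def load_certificates(xml_text):
    """Parse the file; return (default entry, per-tenant entries, problems)."""
    root = ET.fromstring(xml_text)
    defaults = list(root.iter("default-certificate"))
    problems = [] if len(defaults) == 1 else [
        f"expected one default-certificate, found {len(defaults)}"]
    for element in defaults:
        problems += check_entry("default-certificate", element)
    tenants = {}
    for element in root.iter("tenant-certificate"):
        name = element.get("tenant") or "(unnamed tenant)"
        if name in tenants:
            problems.append(f"{name}: defined more than once")
        tenants[name] = dict(element.attrib)
        problems += check_entry(name, element)
    return (dict(defaults[0].attrib) if defaults else None), tenants, problems


def certificate_for(tenant, default, tenants):
    """Tenants without their own element fall back to the default certificate."""
    return tenants.get(tenant, default)
```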
Encrypting a new keystore password
Use an encrypted password so that the plain text password is not displayed in your properties files. After you encrypt the new password, copy the encrypted password to the relevant properties file.
To encrypt a new keystore password
Encrypt the password with the passwordEncrypt.bat script, located on the portal or collector computer.
Windows
- On the App Visibility portal or collector computer, open a command prompt, and run the following command:
portalInstallationDirectory\portal\bin\passwordEncrypt.bat NewPassword
or
collectorInstallationDirectory\collector\bin\passwordEncrypt.bat NewPassword
NewPassword is the password you want to encrypt.
A message is displayed while the password is encrypted and upon completion, the encrypted password is displayed.
- Copy the encrypted password and paste it in the relevant properties file.
Linux
- On the App Visibility portal or collector computer, run the following command:
portalInstallationDirectory/portal/bin/passwordEncrypt.sh NewPassword
or
collectorInstallationDirectory/collector/bin/passwordEncrypt.sh NewPassword
NewPassword is the password you want to encrypt.
A message is displayed while the password is encrypted and upon completion, the encrypted password is displayed.
- Copy the encrypted password and paste it in the relevant properties file.