Web Server Settings
The Web Server Settings page allows you to configure and manage settings for the following:
- Web Server
- Proxy
- Ports
- Logging
- Host Whitelist
Web Server
The Web Server settings tab allows you to change the following server settings established during installation:
- Protocol established (HTTP or HTTPS). You can choose to enable either protocol or enable both protocols by clicking the On/Off switch for each.
- Port settings established. You can choose to change the established port for each protocol.
If you choose to enable HTTPS, you must be prepared to provide a keystore and, optionally, a truststore as follows:
For Windows or Linux
- When using the Java Keystore type, you must provide the location of the Java keystore file (.jks) on the server, as well as the Java keystore password.
- When selecting TrustStore for client certificate authentication, you must provide the location of the TrustStore on the server. The TrustStore can be the same as the Java Keystore.
For USS
- When using the Java Keystore type, you must provide the location of the Java keystore file (.jks) on the server, as well as the Java keystore password.
- When using either the Keyring or the Keyring with Hardware CCA type, you must provide the Keyring username, as well as the Keyring name.
- When selecting TrustStore for client certificate authentication, you must provide the location of the TrustStore on the server. The TrustStore can be the same as the Java Keystore or the provided Keyring or Keyring with Hardware CCA type.
HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is a web policy designed to protect visitors by ensuring that their browsers only contact the web server via HTTPS after initial contact. HSTS accomplishes this by adding the domain to a list that the user's browser keeps internally. Once the domain is added, the browser enforces HTTPS only on behalf of the web server until the entry expires after 7 days, and it will attempt to make any user-requested HTTP calls as HTTPS.
Limitations and consequences
Enabling HSTS may prevent some forms of SSL Stripping and Session Hijacking attacks, but comes at the cost of possible future use of HTTP. The web server has no control over the browser's list of domains that requested HSTS to be enabled. Because of this, the web server cannot remove its domain if HSTS is no longer desired. Before enabling HSTS, become familiar with the process of turning it off and weigh its practicality with your organization's needs.
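As an added example (not CES code and not part of this page), the following Python checker parses a Strict-Transport-Security header value the way a browser does (RFC 6797 syntax) and reports what enabling it commits the organization to. The sample header values are constructed; the assumption that CES sends max-age=604800 is derived from the 7-day lifetime described above and is not confirmed by the page.

```python
import re

# Lifetime the documentation above describes for the CES HSTS entry: 7 days.
SEVEN_DAYS_SECONDS = 7 * 24 * 60 * 60  # 604800 (assumed header value, not confirmed by the page)

# Constructed sample header values; none were captured from a real CES server.
SAMPLE_HEADERS = {
    "ces_default": "max-age=604800",
    "with_subdomains": "max-age=604800; includeSubDomains",
    "cleared": "max-age=0",
    "malformed": "includeSubDomains",
}


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security header value into a policy dict.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool}.
    Raises ValueError when max-age is missing, non-numeric, or a directive is
    repeated: RFC 6797 tells browsers to ignore such a header entirely.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            raise ValueError(f"directive repeated: {name}")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", value):
                raise ValueError(f"invalid max-age value: {value!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def hsts_expiry(header_value: str, received_at_epoch: int):
    """Epoch second at which the browser's entry lapses; None when max-age=0,
    which RFC 6797 defines as the signal for the browser to drop the host."""
    policy = parse_hsts(header_value)
    if policy["max_age"] == 0:
        return None
    return received_at_epoch + policy["max_age"]


def check_hsts(header_value: str) -> list:
    """Review findings for an HSTS header observed on an HTTPS response."""
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [f"header ignored by browsers: {exc}"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0: browsers will drop the host from their HSTS list")
    elif policy["max_age"] != SEVEN_DAYS_SECONDS:
        findings.append(f"max-age {policy['max_age']}s differs from the documented 7-day lifetime")
    if policy["include_subdomains"]:
        findings.append("includeSubDomains: every subdomain of this host becomes HTTPS-only as well")
    if policy["preload"]:
        findings.append("preload: host may be hard-coded into browser preload lists; removal is slow")
    return findings


if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:16s} {value!r:40s} -> {check_hsts(value) or 'ok'}")
```

The checker treats a header without a valid max-age as one browsers will ignore, which is the failure mode that silently leaves HTTPS enforcement off; the findings on includeSubDomains and preload are the commitments to weigh before enabling the switch, since the server itself cannot edit a browser's stored list.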
Attributes
You can choose to customize your CES installation by specifying an attribute for your installation.
- Go to Administration > Web Server settings > Attributes.
- Enter the required Name to identify the CES installation that you are working on, and click Apply.
This name appears in the CES header.
Restart web server
You can choose to restart the web server by clicking Restart. This is helpful if you do not have access to manually restart the web server. The user interface displays a confirmation message and also returns you to the same page after the restart.
Proxy
The Proxy settings tab allows you to establish proxy settings for outbound HTTP requests. By toggling the On/Off switch for each, you can choose to enable either the HTTP proxy or the secured HTTPS proxy. You can also enable both proxy settings.
At a minimum, you must provide both the Host and Port settings. If your site has established a user name and password for each proxy, you must provide that information as well.
Ports
The Ports settings tab allows you to optionally change the port settings that were established when installing BMC Compuware Web Products. Those ports include the following:
CES
- Strobe communication - Used for communication between the mainframe and the client.
- CES shutdown - Used to stop the web application.
- Internal messaging - Provides additional processing capacity.
- Derby - Used to start the embedded Derby database.
- Internal proxy server - Used to proxy requests to an internal server.
Abend-AID Fault Analytics
This is listed only if Abend-AID Fault Analytics has been installed.
Abend-AID Communication - Used by Abend-AID Fault Analytics to transmit messages.
Topaz for Java Performance
This is listed only if Topaz for Java Performance has been installed.
Agent Communication - Used for communication between the agent and the server. TJP listens on this port.
iStrobe
This is listed only if iStrobe has been installed.
SMF Collection - Used by iStrobe to collect SMF data.
Communication Port Security
Use the toggle switches to selectively enable and configure support for IBM AT-TLS on the communication ports. The following ports will be configured:
- Strobe communication
- SMF collection (iStrobe only)
- Agent communication (TJP only)
- Abend-AID communication (Fault Analytics only).
For more information on IBM AT-TLS, refer to the IBM documentation.
AT-TLS is only supported when HTTPS is configured and enabled. When the Communication Port Security settings are changed without HTTPS in use, the settings will not be used until HTTPS is configured and enabled.
This setting is not applicable for USS installs and will not display.
TLS Settings
Although the SSL/TLS protocol for CES can be set manually, this option is recommended for advanced users only. If the SSL/TLS protocol is set manually, CES will not be able to connect to applications that do not support the matching SSL/TLS protocol until the change is reverted.
To manually change the protocol, follow these steps:
- Open the CES_DATA_DIR/jetty/etc directory:
- If you are operating in a MS Windows or Linux environment, open the jetty-ssl-context.xml file.
- If you are operating in a z/OS environment, open the jetty-ssl-context-zos.xml file.
- Find the line beginning with <Configure id="sslContextFactory" class="com.compuware.jetty.security.extension.CompuwareSslContextFactory">.
- Find the corresponding close tag </Configure>.
- Create a blank line immediately above the close tag </Configure>.
- Insert the following line: <Set name="protocol">TLSv1.2</Set>.
If a security level other than TLS v1.2 is required, replace TLSv1.2 with the required protocol version.
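The steps above applied as a script, as an added example that is not part of CES or this page: the function locates the Configure element with id "sslContextFactory", inserts the protocol Set immediately above its close tag, and updates the value in place if the line is already present so the edit can be rerun safely. The sample jetty-ssl-context.xml content is constructed (the keystore path and obfuscated password are placeholders), and the script assumes the sslContextFactory Configure is the file's single root element, as Jetty XML configuration files are laid out, so the last </Configure> in the file is its close tag. The edit is done on the text rather than through an XML parser so that the file's XML declaration and DOCTYPE survive unchanged.

```python
import re

# Constructed sample of CES_DATA_DIR/jetty/etc/jetty-ssl-context.xml; values are placeholders.
SAMPLE_JETTY_SSL_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="sslContextFactory" class="com.compuware.jetty.security.extension.CompuwareSslContextFactory">
  <Set name="KeyStorePath">/path/to/keystore.jks</Set>
  <Set name="KeyStorePassword">OBF:placeholder</Set>
</Configure>
"""

OPEN_TAG_RE = re.compile(r'<Configure\s+id="sslContextFactory"[^>]*>')
PROTOCOL_SET_RE = re.compile(r'<Set name="protocol">([^<]*)</Set>')
CLOSE_TAG = "</Configure>"


def get_ssl_protocol(xml_text: str):
    """Return the configured protocol value, or None if no protocol Set exists."""
    match = PROTOCOL_SET_RE.search(xml_text)
    return match.group(1) if match else None


def set_ssl_protocol(xml_text: str, protocol: str = "TLSv1.2") -> str:
    """Return xml_text with <Set name="protocol">PROTOCOL</Set> placed
    immediately above the </Configure> closing the sslContextFactory element.

    If the Set is already present, only its value is replaced.
    """
    if not re.fullmatch(r"[A-Za-z0-9.]+", protocol):
        raise ValueError(f"unexpected protocol name: {protocol!r}")
    if not OPEN_TAG_RE.search(xml_text):
        raise ValueError('no <Configure id="sslContextFactory" ...> element found')
    close_pos = xml_text.rfind(CLOSE_TAG)  # assumption: the root Configure's close tag
    if close_pos == -1:
        raise ValueError("no closing </Configure> tag found")
    if PROTOCOL_SET_RE.search(xml_text):
        return PROTOCOL_SET_RE.sub(f'<Set name="protocol">{protocol}</Set>', xml_text, count=1)
    # Start of the line holding </Configure>; reuse its indentation plus one level.
    line_start = xml_text.rfind("\n", 0, close_pos) + 1
    indent = xml_text[line_start:close_pos]
    new_line = f'{indent}  <Set name="protocol">{protocol}</Set>\n'
    return xml_text[:line_start] + new_line + xml_text[line_start:]


if __name__ == "__main__":
    updated = set_ssl_protocol(SAMPLE_JETTY_SSL_XML)
    print(updated)
    print("configured protocol:", get_ssl_protocol(updated))
```

To apply it to a real installation, read the file named for your platform (jetty-ssl-context.xml or jetty-ssl-context-zos.xml) into a string, pass it through set_ssl_protocol, and write the result back; keep a copy of the original so the change can be reverted when CES needs to talk to applications that do not support the chosen protocol.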
Email
The CES email notification option allows automated email messages to be sent to users when profiles have been downloaded. You must set up the email server and sender addresses to values appropriate for your site.
To access the Email Settings, select Administration from the CES menu, and click Email.
- SMTP server address – Contact your email administrator for the name or IP address of your email server. The SMTP server address length is limited to a maximum of 255 characters.
- From address – The sender's address that appears on all email messages sent when a profile is received. You should use a valid SMTP format address that is associated with a mailbox that you monitor. You may want to have a mailbox set up specifically for iStrobe. This mailbox receives all non-deliverable notifications and any other exceptions that may occur when an email is sent. The From address length is limited to a maximum of 255 characters.
- Default host – CES installs with a default host name that is used for generating links in emails that are sent from other BMC Compuware web applications. You can change the default host name by selecting the Custom host radio button.
- Custom host – To use a custom host name instead of the default host name, select this option and enter a custom host name for generating links within the email that point to iStrobe reports. Choosing this overrides the Default host name.
You can configure the email server to automatically include the CES port number by enabling the Use CES port number toggle switch. If you turn off this switch, you need to manually enter the host name and port number, in the format <host>:<port>.
When the Use CES port number toggle switch is disabled, the following scenarios apply.
Custom host name with http protocol:
- If the custom host name is entered with the protocol as http, then it will be used as is.
- If the custom host name is entered without a protocol, then the default protocol http will be used.
Custom host name with https protocol:
- If the custom host name is entered without a protocol but with the default secure port (443), then the protocol will default to https.
- If the secure port number is a number other than the default secure port, then you must enter the name with the protocol https and the secure port number.
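The custom-host rules above, carried through as an added example that is not CES code: resolve_custom_host returns the base URL the rules produce for a given entry when the Use CES port number switch is off, and custom_host_warnings flags the entries that silently resolve to plain http, including the case the last rule warns about (a non-443 secure port entered without https). The host names and ports in the cases are constructed; how CES itself parses the field is not shown on this page, so the parsing here (urllib's host:port splitting) is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample entries for the Custom host field (none are real sites).
SAMPLE_CUSTOM_HOSTS = [
    "http://ces.example.com:48226",
    "ces.example.com",
    "ces.example.com:443",
    "ces.example.com:8443",
    "https://ces.example.com:8443",
]


def _port_of(host: str):
    """Port from a host[:port] entry without a protocol, or None if absent."""
    try:
        return urlsplit("//" + host).port  # assumption: host:port parsed as in a URL authority
    except ValueError as exc:
        raise ValueError(f"invalid port in custom host {host!r}") from exc


def resolve_custom_host(custom_host: str) -> str:
    """Base URL for email links under the rules for a disabled Use CES port number switch."""
    host = custom_host.strip()
    if not host:
        raise ValueError("custom host name must not be empty")
    if host.lower().startswith(("http://", "https://")):
        return host  # entered with a protocol: used as is
    if _port_of(host) == 443:
        return "https://" + host  # default secure port: protocol defaults to https
    return "http://" + host  # no protocol: default protocol is http


def custom_host_warnings(custom_host: str) -> list:
    """Findings to show before saving the entry; empty when the entry is unambiguous."""
    host = custom_host.strip()
    lowered = host.lower()
    if lowered.startswith("https://"):
        return []
    if lowered.startswith("http://"):
        return ["links will use plain http; enter https:// if CES is served over HTTPS"]
    try:
        port = _port_of(host)
    except ValueError as exc:
        return [str(exc)]
    if port is None:
        return ["no port given; with the switch off the documented format is <host>:<port>"]
    if port != 443:
        return [f"port {port} without a protocol resolves to http; enter https://{host} if this is the secure port"]
    return []


if __name__ == "__main__":
    for entry in SAMPLE_CUSTOM_HOSTS:
        print(f"{entry:32s} -> {resolve_custom_host(entry):40s} {custom_host_warnings(entry)}")
```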
Logging
Settings in the Logging Level box should not be changed. The defaults are shipped for minimal logging for all BMC Compuware web-based product log files. These settings are used for diagnostics and should only be changed when instructed to by BMC Support.
You may download a log file by selecting the row in the table and clicking the download icon above the table. You may select multiple log files for download with ctrl+click and/or shift+click. Clicking the download icon with multiple rows selected allows you to download all of these files at once.
Clicking on a log component name presents that log's contents. Clicking the refresh icon refreshes the contents of the log, and clicking the download icon allows you to download the log.
Host Whitelist
The Host Whitelist can be configured to restrict access to CES through approved hosts only. This adds a layer of security against host header poisoning attacks.
The approved hosts are managed in a table on the Host Whitelist tab. From this tab, hosts are added to the whitelist by clicking Add located beneath the table, and removed from the whitelist by clicking Delete. Certain hosts appear by default and are tied to the machine on which CES is installed. These pre-approved hosts cannot be deleted and appear grayed-out in the table.
The Host Whitelist is enabled or disabled as follows:
- With the switch set to On, access to CES is restricted to only those hosts on the whitelist.
- With the switch set to Off, CES can be accessed through any host.
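To make the protection concrete, here is an added Python model of the whitelist check (it is not CES code and not from this page): a HostWhitelist with an On/Off switch, machine-tied default entries that cannot be deleted, and an is_allowed check that a request's Host header value would have to pass. The default entries, the added host and the request Host values are constructed placeholders; comparing only the host part (ignoring any :port) and rejecting malformed host values are assumptions about CES behaviour that the page does not state.

```python
import re

# Constructed stand-ins for the grayed-out, machine-tied default entries.
DEFAULT_HOSTS = ("localhost", "127.0.0.1", "[::1]")

_HOSTNAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")
_IPV6_LITERAL_RE = re.compile(r"\[[0-9a-f:.]+\]")


def normalize_host(raw: str) -> str:
    """Lower-case a host value and drop any :port, so 'CES.Example.COM:48226'
    compares equal to 'ces.example.com'. Raises ValueError for malformed input."""
    host = raw.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, possibly followed by :port
        end = host.find("]")
        if end == -1 or not _IPV6_LITERAL_RE.fullmatch(host[:end + 1]):
            raise ValueError(f"malformed IPv6 host literal: {raw!r}")
        return host[:end + 1]
    host = host.split(":", 1)[0].rstrip(".")
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"malformed host name: {raw!r}")
    return host


class HostWhitelist:
    """Model of the Host Whitelist tab: switch, default entries, user entries."""

    def __init__(self, hosts=(), default_hosts=DEFAULT_HOSTS, enabled=True):
        self.enabled = enabled
        self._defaults = {normalize_host(h) for h in default_hosts}
        self._hosts = set(self._defaults)
        for host in hosts:
            self.add(host)

    def add(self, host: str) -> None:
        self._hosts.add(normalize_host(host))

    def can_delete(self, host: str) -> bool:
        """Default entries are tied to the CES machine and cannot be removed."""
        return normalize_host(host) not in self._defaults

    def delete(self, host: str) -> None:
        if not self.can_delete(host):
            raise ValueError(f"{host!r} is a default host and cannot be deleted")
        self._hosts.discard(normalize_host(host))

    def is_allowed(self, host_header) -> bool:
        """Would a request carrying this Host header value be served?"""
        if not self.enabled:
            return True  # switch Off: CES can be accessed through any host
        if host_header is None or not host_header.strip():
            return False  # no Host value to approve
        try:
            return normalize_host(host_header) in self._hosts
        except ValueError:
            return False  # malformed values never match an approved host


if __name__ == "__main__":
    whitelist = HostWhitelist(["ces.example.com"])
    for value in ["ces.example.com", "CES.Example.COM:48226", "localhost", "attacker.example.net", ""]:
        print(f"{value!r:28s} allowed={whitelist.is_allowed(value)}")
```

The point of the check is that every absolute URL CES builds from the request (redirects, email links) is only ever built from a host the administrator approved, so a request that arrives with a forged Host header is refused instead of having its value echoed back.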