Browser to Control Center

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

172 IBM Enterprise Workload Manager

Figure 6-11 Security context and boundaries

The following sections describe which actions are already in place when you install EWLM

and what steps are required to further protect the EWLM data travelling across the different

domain boundaries:

? Browser to Control Center

? Control Center to domain manager

? Domain manager to managed servers

? Domain manager and load balancer (discussed in “EWLM and workload balancing

overview” on page 188)

6.2.1 Browser to Control Center

Figure 6-12 on page 173 shows an EWLM user logging into the Control Center through the

browser via a secure login.

In this portion of the data exchange, EWLM performs SSL encryption of the conversation to

protect the content of the data between the browser and the Control Center, and the Control

Center application performs authentication of the user by verifying that the userid and

password logging in are defined and valid to the application.

Note: Once you establish your certificates, remember to set up file system protections to

limit access to the keystore file. After the configuration is established, access should be

limited to the user ID under which the Control Center’s server instance runs.

Operating System

WebSphere

Control

Center

JVM

User accounts

JVM

Domain

Manager

User

Registry

Database

Store

SSL

Keystore

SSL

Keystore

Database

Store

User account

Operating System

SSL

Keystore

Database

Store

JVM

Managed

Server

User account

ARM APIs

extensions

Instrumented

Application

User account

Browser

Chapter 6. Using a firewall and securing EWLM 173

For the authentication of the users, and before this login can happen, someone—typically the

system administrator responsible for installing and configuring EWLM and for managing its

users—must establish the user in the user registry and add the user to a Control Center role.

Your Control Center site has been already created using the createDM command, which

creates the Control Center along with the domain manager. For i5/OS, the createCC shell

command creates the Control Center. In both cases, the command establishes the userid

passed in the adminUser parameter as an administrator for the WebSphere Application

Server instance established for the site.

Figure 6-12 Communication between the browser and the Control Center

If we look at the SSL connection, EWLM establishes an SSL connection between the browser

and the Control Center, initially using a default pair of public/private keys.

When you log in to the Control Center (for example, in our configuration using the initial port

20003), you notice that EWLM immediately routes your connection on the SSL port 20004

and the conversation becomes SSL-encrypted from there on.

Also, when you perform the initial log in from your browser, you receive a security alert during

the sign-on process to ask you to accept the default certificate, as shown in Figure 6-13.

WebSphere

Control

Center

User account

User

Registry

SSL

Keystore

Operating System

Browser

174 IBM Enterprise Workload Manager

Figure 6-13 Security Alert at login

For your installation, we suggest that the EWLM administrator configure EWLM for Server

SSL and use a certificate authority to create and install the certificate on the browser. In our

configuration, after we created a default login, we acquired a secure (non-default)

public/private keypair and used the changeCC command to configure EWLM to use the keypair

for Server SSL between the Control Center and the browser. Your installation can use the

same procedure we used in our environment, or you can use a certificate authority to create

certificates instead of using the public/private keypair.

Here are the tasks required to change from a default security setting:

? Create a keystore.

? Install the keystore in WebSphere.

? Trust the new certificate.

Create a keystore

We used the Java SDK tool to generate a certificate with our new key. As we mentioned

previously, this step is probably not going to take place in your installation. Most likely this will

be replaced by simply acquiring a key/certificate from a certificate authority.

As shown in Example 6-9, in our configuration we generated the keystore ks and stored it in

the /home/ibmewlm directory. This directory has limited access to ensure security of the

keystore.

Example 6-9 Keystore creation

[ibmewlm@ewlmdm1 ibmewlm]$ pwd

/home/ibmewlm

[ibmewlm@ewlmdm1 ibmewlm]$ keytool -genkey -alias ewlmdm1 -keyalg RSA -keystore ks

-validity 365

Enter keystore password: 111111

What is your first and last name?

[Unknown]: ewlmdm1

What is the name of your organizational unit?

[Unknown]: itso

What is the name of your organization?

[Unknown]: IBM

Chapter 6. Using a firewall and securing EWLM 175

What is the name of your City or Locality?

[Unknown]: Poughkeepsie

What is the name of your State or Province?

[Unknown]: NY

What is the two-letter country code for this unit?

[Unknown]: US

Is <CN=ewlmdm1, OU=itso, O=IBM, L=Poughkeepsie, ST=NY, C=US> correct?

[no]: yes

Enter key password for <ewlmdm1>

(RETURN if same as keystore password): 111111

As a result of this command, the keystore ks has been successfully created. The next step is

to switch the EWLM from using the default key to the key provided in the certificate just

created.

Install the keystore in WebSphere

When you issue the changeCC command, you need to specify the level of security, in our case

adminDefined instead of the default ewlmDefined, and the keystore name, location, and

password. With this command, the keystore will be installed in the Control Center WebSphere

instance.

Example 6-10 ChangeCC command to enable security

[ibmewlm@ewlmdm1 bin]$ ./changeCC.sh -sslSecurity /opt/EWLMDM/ -adminUser ibmewlm -adminPW

111111 -level adminDefined -keystore /home/ibmewlm/ks -keystorePW 111111

Processing changeCC -sslSecurity request. Please be patient as this may take

a while...

...processing 33% complete:

...processing 66% complete

SSLSECURITY END

If the WebSphere instance was active at the time, the changeCC command restarts the

WebSphere instance after the keystore information has been updated. If the WebSphere

instance was not active when the changeCC command was issued, then the WebSphere

instance is updated such that the next time it is started, it will use the new keystore

information.

Trust the new certificate

This section is not needed if the certificate is from a certificate authority that the Web browser

already trusts (such as Verisign). The only time you need to trust the certificate is when it is

not currently in your Web browser’s truststore.

The first time you access the Control Center from a browser, you still receive the Security

Alert warning shown in Figure 6-14, but this time only the first item should have a warning

symbol because now the certificate should match the name of your Control Center site.

176 IBM Enterprise Workload Manager

Figure 6-14 Securing warning after certificate installation

If you click View Certificate you will receive the Certificate shown in Figure 6-15, which gives

you the opportunity to launch the wizard to install the Certificate on your workstation.

Figure 6-15 Certificate

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Browser to Control Center

Create new playlist

Sign In

Sign Up

Table of Contents for
Browser to Control Center