
KM02707977: ALM Octane Secure Configuration


Link: https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02707977

Digital signature verification of RPM package

This procedure verifies the digital signature of the RPM package, to make sure the file has not been tampered with and that it was indeed signed by the trusted entity (Hewlett Packard Enterprise).

If this is not done, you may see a NOKEY warning during the installation of the ALM Octane application:

warning: octane-onprem-12.53.xx.xx.rpm: Header V3 RSA/SHA1 Signature, key ID b564a643: NOKEY

Solution
If the user sees a NOKEY warning during the RPM package installation, they need to follow the procedure on this page for the missing key. In the example above, the key ID is b564a643.

Here is the summary of steps:

  1. Download the keys (or use attached)
  2. Extract the missing key (or use attached)
  3. Import the missing key:
rpm --import /path_to_the_key/B564a643.pub
  4. Validate that the signature is OK:
rpm --checksig filename_of_the_rpm

If rpm reports OK, the package is intact and signed by the trusted key. For subsequent installations, run the above steps before installing Octane and you will not get the warning.
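The same steps as a pre-install gate, written as an added example (not part of the HPE article): the script imports the key only when rpm does not already hold it, then refuses to continue unless rpm --checksig reports a verified signature. It assumes rpm is installed and takes the key file, the package and, optionally, the key ID as arguments.

```shell
#!/bin/sh
# Added example, not taken from the HPE article: a pre-install gate that imports the
# HPE signing key (if not already present) and refuses to continue unless rpm reports
# a good signature. Assumes rpm is installed; the key file and package are arguments.

# Pull the 8-hex-digit key ID out of an rpm NOKEY warning line (prints nothing otherwise).
nokey_id() {
    printf '%s\n' "$1" | sed -n 's/.*key ID \([0-9A-Fa-f]\{8\}\): NOKEY.*/\1/p'
}

# rpm records imported keys as packages named gpg-pubkey-<keyid>-<date>.
key_installed() {
    rpm -q "gpg-pubkey-$1" >/dev/null 2>&1
}

# Judge a line of "rpm --checksig" output: a verified signature ends in "OK";
# a missing key or a bad signature produces "NOT OK", "MISSING KEYS" or "NOKEY".
checksig_ok() {
    case "$1" in
        *"NOT OK"*|*"MISSING KEYS"*|*NOKEY*) return 1 ;;
        *" OK") return 0 ;;
    esac
    return 1
}

# Import the key when needed, then verify the package; returns 0 only on a verified signature.
verify_signed_rpm() {
    key="$1"; pkg="$2"; keyid="$3"
    if [ -n "$keyid" ] && key_installed "$keyid"; then
        echo "key $keyid already imported"
    else
        rpm --import "$key" || { echo "import of $key failed" >&2; return 2; }
    fi
    result=$(rpm --checksig "$pkg" 2>&1)
    echo "$result"
    checksig_ok "$result" || { echo "refusing to install: signature not verified" >&2; return 1; }
}

# Usage (hypothetical file name):
#   sh verify_rpm.sh /path_to_the_key/B564a643.pub octane-onprem-12.53.xx.xx.rpm b564a643
if [ "$#" -ge 2 ]; then
    verify_signed_rpm "$1" "$2" "$3"
fi
```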

Encryption of sensitive data

ALM Octane encryption uses the AES-256 algorithm with a shared-secret symmetric key. This key is used for both encryption and decryption. Such keys are generated from the values entered in setup.xml. These settings need to be stored in a safe location for potential future needs, for example installing additional services.

Securing access to ALM Octane Application Server (jetty)

Note: ALM Octane uses the TLSv1.2 secure protocol.

To configure a secure connection to the ALM Octane server:
  1. Obtain a server certificate issued to the name of the ALM Octane server.
  2. Convert this certificate into a Java keystore, e.g. (placeholders in angle brackets):
cd <JAVA_HOME>/bin
keytool -importkeystore -srckeystore <certificate.p12> -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
  3. Copy your keystore file to the /opt/octane/conf/ folder. Name the file keystore.jks.
  4. Run /opt/octane/install/enablessl.sh, supplying the certificate password as a parameter to the script.
  5. Restart the service:
service HPALM restart


Redirect non-secure access to secure port (http to https)

  1. Edit /opt/octane/webapps/root/WEB-INF/web.xml
  2. Add this section at the end (before the closing web-app tag):

  3. Restart the service:
service HPALM restart
  4. Load http://<Octane>:8080
  5. Verify that it redirects to https://<Octane>:8443.
  6. If it does not, ensure that SecurePort in /opt/octane/server/conf/jetty.xml matches your secure port.
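The verification step above, scripted as an added example (not from the HPE article): it fetches only the response headers of the plain-HTTP port and checks that the Location header points at https on the same host and the expected secure port. It assumes curl is installed; the server name is the first argument, and the ports default to 8080 and 8443.

```shell
#!/bin/sh
# Added example, not taken from the HPE article: check the http -> https redirect
# without a browser. Assumes curl is installed; host is the first argument.

# Extract the Location header value from raw HTTP response headers (first one wins).
location_of() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n 1
}

# Return 0 when a Location value points at https on the expected host and secure port.
redirects_to_https() {
    case "$1" in
        "https://$2:$3/"*|"https://$2:$3") return 0 ;;
    esac
    return 1
}

# Fetch only the headers of the plain-HTTP port and judge the redirect.
check_redirect() {
    host="$1"; http_port="${2:-8080}"; https_port="${3:-8443}"
    headers=$(curl -sS -I --max-time 10 "http://$host:$http_port/") || return 2
    loc=$(location_of "$headers")
    if redirects_to_https "$loc" "$host" "$https_port"; then
        echo "OK: http://$host:$http_port/ -> $loc"
    else
        echo "FAIL: no https redirect (Location: '${loc:-none}');" \
             "check SecurePort in /opt/octane/server/conf/jetty.xml" >&2
        return 1
    fi
}

# Usage (hypothetical file name): sh check_redirect.sh octane.example.com [8080] [8443]
if [ "$#" -ge 1 ]; then
    check_redirect "$@"
fi
```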

Establishing trust to Certificate Authority

This procedure is necessary when ALM Octane connects to any other server over a secure channel.
Example: database server, LDAP server, etc.

Unless the remote server certificate has been issued by a trusted certificate authority (CA) already present in the Java truststore, the SSL handshake will fail.
The most common error in the log appears as "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".

To establish trust:
  1. Obtain the certificate of the root CA and any intermediate CA that issued the remote server certificate.
  2. Import each certificate into the Java truststore using a keytool command. For example (placeholders in angle brackets):

cd <JAVA_HOME>/bin
./keytool -import -trustcacerts -alias <alias> -keystore ../lib/security/cacerts -file <certificate_file>

  3. If the service is already running, restart it.
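Steps 1 and 2 above as an added example (not from the HPE article): the script captures the chain the remote server presents with openssl, then imports each CA certificate into the JRE truststore under an alias derived from the file name, skipping aliases that are already there. It assumes openssl and keytool are installed, JAVA_HOME points at the JRE ALM Octane runs on, and STOREPASS overrides the default cacerts password.

```shell
#!/bin/sh
# Added example, not taken from the HPE article: capture the certificate chain a
# remote server (database, LDAP, ...) presents and import the CA certificates into
# the Java truststore, skipping aliases that already exist. Assumes openssl and
# keytool are installed and JAVA_HOME points at the JRE that ALM Octane runs on.

# Path of the JRE truststore; STOREPASS overrides the well-known default "changeit".
cacerts_path() {
    echo "${JAVA_HOME:?set JAVA_HOME to the JRE used by ALM Octane}/lib/security/cacerts"
}

# Derive a keystore alias from a certificate file name: strip the extension,
# lower-case it and replace anything that is not a letter or digit with "_".
cert_alias() {
    basename "$1" | sed -e 's/\.[^.]*$//' | tr 'A-Z' 'a-z' | sed -e 's/[^a-z0-9]/_/g'
}

# Save the chain a TLS server sends as chain-1.pem (server), chain-2.pem, ... (CAs).
# Servers rarely send the root itself; obtain it from the CA if it is missing.
fetch_chain() {
    mkdir -p "$3"
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
      awk -v d="$3" '/BEGIN CERT/{n++; in_pem=1} in_pem{print > (d "/chain-" n ".pem")} /END CERT/{in_pem=0}'
}

# Import one PEM CA certificate unless its alias is already in the truststore.
import_ca() {
    pem="$1"; alias=$(cert_alias "$pem"); store=$(cacerts_path); pass="${STOREPASS:-changeit}"
    if keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' already present in $store"
        return 0
    fi
    keytool -import -trustcacerts -noprompt -alias "$alias" \
        -keystore "$store" -storepass "$pass" -file "$pem"
}

# Usage (hypothetical file name): sh trust_ca.sh chain-2.pem root-ca.pem
# Pass the intermediate and root certificates, not the server certificate itself,
# and restart the HPALM service afterwards.
for pem in "$@"; do
    import_ca "$pem"
done
```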



Securing access to DB
  1. For Oracle:
    1. Copy the Oracle client wallet file from the Oracle server and place it on the ALM Octane server in a directory accessible for everyone (e.g. /tmp/ewallet.p12).
    2. Specify ConnectionString in setup.xml (placeholders in angle brackets):
jdbc:mercury:oracle://<host>:<port>;servicename=<service_name>;EncryptionMethod=SSL;TrustStore=<wallet_path>;TrustStorePassword=<wallet_password>

  2. For SQL Server:
    Specify ConnectionString in setup.xml (placeholders in angle brackets):
jdbc:mercury:sqlserver://<host>:<port>;EncryptionMethod=SSL


SSL Offloading
  1. On Apache:
    - Add this line at the end of httpd.conf (RequestHeader set replaces any X-Forwarded-Proto header the client sent, so the application only sees the value Apache sets):
  RequestHeader set X-Forwarded-Proto https
    - Restart Apache
  2. On F5 Load Balancer:
    Create an HTTP profile that erases any client-supplied X-Forwarded-Proto header and inserts X-Forwarded-Proto: https, and use it in the Virtual Server definition.

Configuration steps:

1) Log in to the F5 LTM GUI
2) Open the Local Traffic menu
3) Choose Profiles -> Services -> HTTP
4) Click "Create"
5) Enter the new profile's name
6) Under the new profile make sure that Parent Profile is "http" and tick "Custom" on the right hand side.
7) Into "Request Header Erase" insert X-Forwarded-Proto
8) For the field "Request Header Insert" enter X-Forwarded-Proto: https
9) Click "Finished" to save the profile
10) Go to the VIP for SSL traffic (listening on port 443) and add the profile created under "HTTP Profile"

(From <http://itlibrary.net/index.php/2015/08/21/how-to-insert-http-header-x-forwarded-proto-for-ssl-traffic-of-f5-ltm/>)

[Figure: Defining new HTTP profile]
[Figure: SSL offloading]
