
Enable SSL

Created by Interspire Import, last modified by Anthony.Rinaldi on Dec 06, 2016


Overview

SSL encryption protects sensitive information that is passed over the network. This type of encryption may not be necessary in many environments and slows down the web server since all information (including graphics) must be encrypted.

Beginning with SolarWinds DPA 9.2, SSL is configured automatically, and by default uses port 8124.

These instructions use a Java Development Kit to generate a key for your server. To install a commercial key, see the advanced setup section at the end of this document.

These instructions can also be found in the <install-dir>/iwc/ssl_setup.txt file that comes with your installation.

Environment

Steps

1. Find or install the keytool utility

The keytool utility is often installed on a server since it is part of the Java Development Kit. If it does not exist, you must install it.

  • Linux/Solaris

SolarWinds DPA ships a JRE for Linux and Solaris as part of the product and the keytool utility can be found in one of the following directories:

{install directory}/iwc/jre_solaris/bin

{install directory}/iwc/jre_linux/bin

  • Windows

SolarWinds DPA ships a JRE as part of the product and the keytool utility can be found in:

C:\Program Files (x86)\SolarWinds\DPA\iwc\jre\bin

  • Other O/S

If you are not using Windows, Linux or Solaris for your Ignite server, a JRE/JDK must be installed separately. That installation includes the keytool utility. Common sources for those JREs are listed below.

IBM AIX - HP/UX - http://www.hp.com

 

2. Generate a server key using the keytool utility

Run the following command from the {install directory}/iwc/tomcat/conf:

{keytool directory}/keytool -genkey -alias tomcat -keyalg RSA -validity 365 -keystore ./.keystore

You are prompted for two passwords. Specify "changeit" for both passwords. When asked for your first and last name, enter the name of the server instead. The server name must match the name that users will specify in the URL. Answer the remaining prompts with your own information.

 

3. Change the server.xml file

Change the port on the SSL connectors from 8123 to 8124. The SSL connector is identified by the SSLEnabled="true" attribute. The other connector is the HTTP connector, and its port must remain 8123.

Open the file {install directory}/iwc/tomcat/conf/server.xml and make sure the SSL connector is present within the <Service> element. Below is an example of a server.xml file set up for SSL.

<Connector port="8124" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="conf/.keystore"/>

AIX note: on AIX, uncomment the following entry instead:

<Connector port="8124" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="conf/.keystore" algorithm="ibmX509"/>

 

4. Start DPA and view results

  1. Start the DPA Server (startup.sh or start the service on Windows).
  2. Users should begin using https://{hostname or IP}:8124 to connect to the DPA user interface.

If the link does not work, check /tomcat/logs.
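Before restarting, the step 3 edit can be checked mechanically. The script below is an added example, not part of the DPA installation or SolarWinds code: it parses a server.xml and reports connectors that do not match the ports and attributes described above. The function name, the sample XML and the legacy-protocol note (TLS 1.0 and 1.1 were deprecated by RFC 8996) are assumptions added here.

```python
import xml.etree.ElementTree as ET

SSL_PORT, HTTP_PORT = "8124", "8123"        # ports named in step 3
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # assumption: flag per RFC 8996

def audit_server_xml(xml_text):
    """Return (level, message) findings for the connectors in a server.xml."""
    findings = []
    connectors = ET.fromstring(xml_text).findall("./Service/Connector")
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    # Everything else that is not an AJP connector is treated as plain HTTP.
    plain = [c for c in connectors
             if c not in ssl and not c.get("protocol", "").startswith("AJP")]
    if not ssl:
        findings.append(("error", 'no Connector with SSLEnabled="true" inside <Service>'))
    for c in ssl:
        port = c.get("port")
        if port != SSL_PORT:
            findings.append(("error", f"SSL connector on port {port}, expected {SSL_PORT}"))
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(("error", f"SSL connector {port} lacks scheme=https/secure=true"))
        if not c.get("keystoreFile"):
            findings.append(("error", f"SSL connector {port} has no keystoreFile"))
        enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",")}
        legacy = sorted(enabled & DEPRECATED)
        if legacy:
            findings.append(("note", f"SSL connector {port} enables legacy protocols: "
                                     + ", ".join(legacy)))
    for c in plain:
        if c.get("port") != HTTP_PORT:
            findings.append(("error", f"HTTP connector on port {c.get('port')}, expected {HTTP_PORT}"))
    return findings

# Constructed sample: the SSL connector has not yet been moved off port 8123.
BEFORE = """<Server>
  <Service name="Catalina">
    <Connector port="8123" maxHttpHeaderSize="20480" URIEncoding="UTF-8"/>
    <Connector port="8123" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="conf/.keystore"/>
  </Service>
</Server>"""
AFTER = BEFORE.replace('port="8123" scheme', 'port="8124" scheme')  # step 3 applied

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        for level, msg in audit_server_xml(doc):
            print(f"{name}: {level}: {msg}")
```

To check a real installation, pass the contents of {install directory}/iwc/tomcat/conf/server.xml to audit_server_xml.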

 

Special Instructions for Internet Explorer 6

In Internet Explorer 6, users must explicitly enable the TLS protocol before they can access SolarWinds DPA over HTTPS.

  1. Launch Internet Explorer 6.
  2. Click Tools > Internet Options > Advanced tab.
  3. Scroll down to the Security section.
  4. Enable the Use TLS 1.0 option and then click OK.

 

Advanced SSL Setup

DPA uses Tomcat as the web server. For advanced instructions on using SSL with Tomcat, please use the following link:

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Use a custom certificate

By default, DPA 9.2 and later automatically generates a self-signed certificate that is used for secure communication over HTTPS. The following article describes how to replace the self-signed certificate with a custom certificate:

Configure DPA to use a custom certificate for SSL/TLS

Last modified
16:21, 6 Dec 2016
