Server workflows for HP Matrix Operating Environment

Setting no default value (or setting the default value to 0.0.0.0) for the jetty.host property allows the Jetty server to
listen for requests from localhost as well as from remote servers.
Note: If for any reason ESA is not running, the above configuration may lower the security level of the CMS server,
because the ESA ports (52000 and 52001) will then appear as “Open” ports. To avoid this situation, follow the firewall
settings procedure given in the document “Managing HP servers through firewalls with Insight Dynamics Software
6.0 or greater”.
Securing OO callback
The default ESA configuration for the OO callback (response) to ESA uses a non-secure channel (http). To have this
callback on a secure channel (https), follow the steps below:
1. Import the HP SIM certificate into the OO keystore file. Run the command below:
keytool -import -v -trustcacerts -alias hpsim -file <HP SIM Certificate File> -keystore <OO Jre cacerts file> -storepass <OO Jre cacerts keystore password>
where:
o <HP SIM Certificate File> is the location of the HP SIM certificate. The HP SIM certificate can be exported from
the HP SIM portal as follows:
On the CMS server, log in as Administrator to https://localhost:50000/
Click the “Options” tab and select Security -> HP System Insight Manager Server Certificate…
Click the “Export” button. The HP SIM certificate is displayed in a new window. Copy the
contents and save them to a file.
o <OO Jre cacerts file> is the location of the cacerts file under the jre1.6\lib\security folder packaged with
OO. Typically, on the CMS server, this file is located in the C:\Program Files\HP\Operations
Orchestration\jre1.6\lib\security folder. On a remote standalone OO server, this file is located in the
C:\Hewlett-Packard\Operations Orchestration\jre1.6\lib\security folder.
o <OO Jre cacerts keystore password> is the password of the cacerts keystore file. The default password is
“changeit”; it is highly recommended to change it to a secure and private password.
2. Configure ESA for secure callback from OO. The esa.properties file specifies the “replytoURI” parameter, which
is passed to OO along with the request. The OO server workflows use this URI to send a response back
to ESA. Note that the default value for “hostname” in the replytoURI parameter is “localhost”, which enables ESA
and OO to interact locally. In the case of a remote standalone OO, this value is set to the hostname of the
CMS server. For secure callback communication from OO to ESA, the hostname specified in the certificate
is verified before the connection is established. Hence, it is necessary to specify the hostname of the CMS
server even when both ESA and OO are running on the same CMS server. Modify the esa.properties file to
configure secure callback from the OO server, as below:
esa.oo.esacertificate.presentIn.OO=TRUE
esa.oo.san.replytoURI=https://<hostname>:52001/esa/services/oostorageservice?wsdl
esa.oo.server.replytoURI=https://<hostname>:52001/esa/services/ooserverservice?wsdl
3. Since the replytoURI parameter now carries the hostname of the CMS server (changed in step 2 above from
“localhost”, even though both ESA and OO are running on the same server), the default configuration in the
jetty.xml file must be modified to accept the response from OO. Modify the jetty.xml file, as below:
<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.nio.SelectChannelConnector">
      <Set name="host"><SystemProperty name="jetty.host" /></Set>
      <Set name="port"><SystemProperty name="jetty.port" default="52000"/></Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="Acceptors">2</Set>
      <Set name="statsOn">false</Set>
      <Set name="confidentialPort">52001</Set>
      <Set name="lowResourcesConnections">5000</Set>
      <Set name="lowResourcesMaxIdleTime">5000</Set>
    </New>
  </Arg>
</Call>
4. Restart the ESA service.
This completes the configuration for securing the OO callback to ESA.
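The following added check (example code, not part of the HP document or product) reads an esa.properties text and verifies the conditions steps 2 and 3 depend on: an https replytoURI, the CMS hostname rather than localhost (which cannot pass the certificate hostname check), and the Jetty confidential port 52001. The property names are those shown above; the hostname cms01.example.com and both sample configurations are constructed for illustration.

```python
"""Check esa.properties for the secure-callback settings of steps 2 and 3.
Added example, not HP code; the sample contents below are constructed."""
from urllib.parse import urlsplit

CALLBACK_KEYS = ("esa.oo.san.replytoURI", "esa.oo.server.replytoURI")
CONFIDENTIAL_PORT = 52001  # the confidentialPort set in jetty.xml


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value pairs."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def check_callback_config(text):
    """Return a list of findings; an empty list means the callback is secured."""
    props = parse_properties(text)
    findings = []
    if props.get("esa.oo.esacertificate.presentIn.OO", "").upper() != "TRUE":
        findings.append("esa.oo.esacertificate.presentIn.OO is not TRUE")
    for key in CALLBACK_KEYS:
        uri = props.get(key)
        if uri is None:
            findings.append(f"{key} is missing")
            continue
        u = urlsplit(uri)
        if u.scheme != "https":
            findings.append(f"{key}: scheme {u.scheme or '(none)'} is not https")
        # OO verifies the certificate hostname, so localhost cannot match the HP SIM certificate.
        if u.hostname in (None, "localhost", "127.0.0.1"):
            findings.append(f"{key}: host must be the CMS hostname, not {u.hostname}")
        if u.port != CONFIDENTIAL_PORT:
            findings.append(f"{key}: port {u.port} is not the confidential port {CONFIDENTIAL_PORT}")
    return findings


# Constructed samples: the non-secure defaults beside the corrected settings.
DEFAULT_CONFIG = """esa.oo.esacertificate.presentIn.OO=FALSE
esa.oo.san.replytoURI=http://localhost:52000/esa/services/oostorageservice?wsdl
esa.oo.server.replytoURI=http://localhost:52000/esa/services/ooserverservice?wsdl"""
SECURED_CONFIG = """esa.oo.esacertificate.presentIn.OO=TRUE
esa.oo.san.replytoURI=https://cms01.example.com:52001/esa/services/oostorageservice?wsdl
esa.oo.server.replytoURI=https://cms01.example.com:52001/esa/services/ooserverservice?wsdl"""
```

Running check_callback_config on the secured sample returns no findings, while the default sample yields one finding per violated condition.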