
Configuring SSL and LW-SSO in a horizontal scaling environment

In a horizontally scaled environment, you use the Service Manager software load balancer in front of a virtual group to redirect client requests among the server nodes in the group. The load balancer server is called the primary server, while the other servers in the group are called secondary servers.

Important Requirements

  • On a horizontally scaled system, all certificates must be created on the same machine. Do not copy any files to their target directories until the certificates for every server machine (the primary server and all secondary servers) in the horizontally scaled environment have been created.
  • For each server host (primary or secondary), you need a unique server certificate.
  • For each Windows client machine you need a unique client certificate.
  • For each Service Manager Web application server host you need a unique client certificate.

Best Practice recommendation:

When generating each Windows or web client certificate, prefix the keystore, certificate request, and certificate names with the FQDN of the client machine so that they are unique and easy to distinguish.

If a Windows client and the Web application server are on the same physical machine, you can use the same cacerts and clientcerts files for both rather than creating two sets of nearly identical keystores. In that case, copy the files created for the Windows or Web client (whichever was created first) into either the <Service Manager Client>/plugins/com.hp.ov.sm.client.common_x.xx directory or the Service Manager/WEB-INF folder of the Web application server.

To configure SSL in a horizontal scaling implementation:

  1. Create a private key and public certificate for your private certificate authority. For details, see Example: Generating a server certificate with OpenSSL.
  2. Update the Java cacerts file by importing your private certificate authority's certificate into it. The updated cacerts file will contain the certificate and private key of the certificate authority that signs each server/client certificate. For details, see Example: Generating a server certificate with OpenSSL.

  3. Create a separate signed server keystore for each server machine. For details, see Example: Generating a server certificate with OpenSSL.

    Note: In a later step, you will reference each server keystore and the updated Java cacerts file in each server's sm.ini file as the keystoreFile and truststoreFile parameters.

  4. Create a separate signed client certificate for each Service Manager client (web application server or Windows client) machine and import each client certificate into a trusted clients keystore. For details, see Example: Generating a client certificate with OpenSSL.

    Note: In a later step, you will reference the trusted clients keystore in each server's sm.ini file as the ssl_trustedClientsJKS parameter.

  5. Copy the following keystore files to each server's RUN folder:

    • The server's server keystore file (unique)
    • The trusted clients keystore file (same for all servers)
    • The updated Java cacerts file (same for all servers and clients)
  6. Copy the following keystore files to each web tier's WEB-INF folder:

    • The updated Java cacerts file
    • <clientcerts>.keystore – This keystore contains the signed certificate of your Service Manager web tier client.

  7. Copy the following keystore files to each Windows client's <Windows client installation path>\plugins\com.hp.ov.sm.client.common_x.xx folder.

    • The updated Java cacerts file

    • <clientcerts>.keystore – This keystore contains the signed certificate of each Windows client.

  8. Add the following SSL configuration lines to the sm.ini file of the primary server and of each secondary server, and restart each server.

    Note: For all servers, the truststoreFile and ssl_trustedClientsJKS settings should be the same; however, each server should use its own server keystore (keystoreFile:<servercert.keystore>).

    ssl:1
    ssl_reqClientAuth:2
    sslConnector:1
    ssl_trustedClientsJKS:<trustedclients.keystore>
    ssl_trustedClientsPwd:<ClientKeyPassword>
    truststoreFile:cacerts
    truststorePass:changeit
    keystoreFile:<servercert.keystore>
    keystorePass:changeit
  9. Configure each Service Manager web client to validate each server's signed certificate and present the signed client certificate.

    1. Stop the web application server running the web tier, and open the web configuration file (web.xml) in a text editor.

    2. Configure the following parameters as shown below:

      <init-param>
          <param-name>cacerts</param-name>
          <param-value>/WEB-INF/cacerts</param-value>
      </init-param>
      <init-param>
          <param-name>keystore</param-name>
          <param-value>/WEB-INF/<clientcerts>.keystore</param-value>
      </init-param>
      <init-param>
          <param-name>keystorePassword</param-name>
          <param-value><<clientcerts>.keystore password></param-value>
      </init-param>
    3. Set the ssl parameter to true.

    4. Set the serverHost and serverPort parameters to the fully qualified domain name and port number of the primary server. For example: myprimaryserver.mydomain.com and 13080.

    5. Restart each web application server.
  10. Configure each Windows client to validate each server's signed certificate and present the signed client certificate.

    1. Click Window > Preferences > Service Manager > Security.

    2. Set CA Certificates File to the cacerts keystore you copied to the <Windows client installation path>\plugins\com.hp.ov.sm.client.common_x.xx folder.

    3. Set Keystore File to the keystore containing your Windows client's signed certificate, for example <clientcerts>.keystore. You created this keystore when you created the Windows client certificate request.

    4. Set Keystore password to the password required to access the Windows client keystore. For example, ClientKeyPassword. You created this keystore password when you created the Windows client certificate request.

    5. Update your Windows client connections by selecting Use SSL Encryption on their Advanced tab.
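The SSL procedure above requires that every node in the virtual group enforces client authentication, shares the same truststore and trusted clients keystore, and uses its own server keystore. The following added example (not part of this documentation or the Service Manager product) is a small consistency check for the sm.ini settings collected from each node; the host names and the sm.ini fragments are constructed sample data.

```python
"""Check sm.ini SSL settings across horizontally scaled Service Manager nodes."""
from typing import Dict, List

# Values every node must carry (from step 8 of the SSL procedure).
REQUIRED = {"ssl": "1", "ssl_reqClientAuth": "2", "sslConnector": "1"}
# Values that must be identical on all nodes.
SHARED = ("truststoreFile", "ssl_trustedClientsJKS")
# Values that must be unique per node (each server has its own keystore).
PER_NODE = ("keystoreFile",)


def parse_sm_ini(text: str) -> Dict[str, str]:
    """Parse sm.ini 'name:value' lines; blank lines and '#' comments are ignored."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        params[name.strip()] = value.strip()
    return params


def check_nodes(nodes: Dict[str, str]) -> List[str]:
    """Return a list of findings for the cluster; an empty list means consistent."""
    parsed = {host: parse_sm_ini(ini) for host, ini in nodes.items()}
    findings: List[str] = []
    for host, params in parsed.items():
        for name, expected in REQUIRED.items():
            if params.get(name) != expected:
                findings.append(f"{host}: {name} should be {expected}, found {params.get(name)}")
    for name in SHARED:
        values = {params.get(name) for params in parsed.values()}
        if len(values) != 1:
            findings.append(f"{name} differs across nodes: {sorted(map(str, values))}")
    for name in PER_NODE:
        seen: Dict[str, str] = {}
        for host, params in parsed.items():
            value = params.get(name, "")
            if value in seen:
                findings.append(f"{host} and {seen[value]} share {name}={value}; each server needs its own keystore")
            seen[value] = host
    return findings


# Constructed sample: the secondary reuses the primary's keystore and weakens client auth.
SAMPLE_NODES = {
    "primary.example.com": "ssl:1\nssl_reqClientAuth:2\nsslConnector:1\n"
    "ssl_trustedClientsJKS:trustedclients.keystore\ntruststoreFile:cacerts\n"
    "truststorePass:changeit\nkeystoreFile:primary.keystore\nkeystorePass:changeit\n",
    "secondary1.example.com": "ssl:1\nssl_reqClientAuth:1\nsslConnector:1\n"
    "ssl_trustedClientsJKS:trustedclients.keystore\ntruststoreFile:cacerts\n"
    "truststorePass:changeit\nkeystoreFile:primary.keystore\nkeystorePass:changeit\n",
}

if __name__ == "__main__":
    for finding in check_nodes(SAMPLE_NODES):
        print(finding)
```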

To set up LW-SSO in a horizontal scaling implementation:

  1. Enable LW-SSO on each server node. All server nodes should share the same initString setting. For details, see Configure LW-SSO in the Service Manager server.

    Note: Normally, all server nodes are in the same domain, so you can configure LW-SSO in one server node and then copy the server's LW-SSO configuration file (lwssofmconf.xml) to the rest of the nodes.

  2. If needed, enable LW-SSO in each web tier. For details, see Configure LW-SSO in the Service Manager Web tier.

    Note: The server nodes and web tiers should share the same initString setting.

Related topics

Example: Enabling required SSL encryption and trusted clients
Using LW-SSO with integrations
Configure LW-SSO in the Service Manager server
Configure LW-SSO in the Service Manager Web tier