Install and Secure the Operator Console

Applies To: Opalis 6.3

The Operator console provides a web-based view into the Opalis Integration Server system. To install the Operator console you will use a Windows PowerShell 2.0 script that automates many of the Operator console installation steps.

After you have completed the Operator console installation, we recommend securing the Operator console with HTTP over SSL (HTTPS), in addition to performing the standard JBoss security steps described in the installation instructions.

Installing the Operator Console

To install required software on the Operator Console computer

  1. Log on to the computer on which you will install the Operator console as a member of the Administrators group.

  2. Download the Opalis Integration Server files. The Operator console installer script InstallOpConsole.ps1 is one of the files. Make a note of the location where you install the InstallOpConsole.ps1 file.

  3. If you have not already done so, install Windows PowerShell 2.0. For download and installation instructions, see article 96829 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?linkID=151321).

  4. Download all of the Operator console prerequisite binaries and third-party libraries listed in the Opalis System Requirements section. We recommend that you put these files in a single folder, for example, C:\Libraries.

  5. Install Java Development Kit 6 Update 4 by using the default settings.

  6. Set the JAVA_HOME system variable to the directory of the local Java Development Kit. By default, the location is C:\Program Files\Java\Jdk1.6.0_04.

  7. Add %JAVA_HOME%\bin to the Path Environment variable.

  8. Extract the contents of the JBoss Application Server 4.2.3.GA to the folder where the JBoss Application Server will run. We recommend that you extract the contents to [drive:]\JBoss.

  9. At a command prompt, change to the \Libraries folder and run the command java -jar JAXWS2.1.2-20070917.zip. A license dialog box appears.

    If the JAXWS2.1.2-20070917.zip file is not present, run the command java -jar JAXWS2.1.2-20070917.jar.

  10. Accept the Sun Microsystems, Inc. License Terms. The JAXWS2.1.2-20070917.zip (or JAXWS2.1.2-20070917.jar) file will be unpacked.

  11. Confirm that the \Jaxws-ri\Lib folder was created.

To install the Operator Console by using the Windows PowerShell installation script

  1. Click Start, click Programs, click Accessories, click the Windows PowerShell folder, and then click the Windows PowerShell item.

  2. At the Windows PowerShell prompt, type set-executionpolicy RemoteSigned.

  3. Type the full path to the location where you installed the InstallOpConsole.ps1 file. For example: C:\OpConsoleInstaller\installOpConsole.ps1.

    Note

    As a security feature, Windows PowerShell does not run scripts when you double-click the script icon in Windows Explorer or when you type the script name without a full path, even when the script is in the current directory. For more information about running commands and scripts in Windows PowerShell, see About Command Precedence in the Windows PowerShell Help (https://go.microsoft.com/fwlink/?linkID=113214).

    If the path to the InstallOpConsole.ps1 file contains spaces, at the Windows PowerShell prompt, type an ampersand, followed by a space, and then type the full path enclosed in single quotes. For example,

    & 'C:\Install Op Console\InstallOpConsole.ps1'

  4. Follow the on-screen prompts. You will be asked to provide configuration information, for example:

    1. The full path to the location of the \JBoss folder.

    2. The full path to the location of the \OperatorConsole folder.

    3. The full path to the location of the \Libraries folder.

    4. The database type (Microsoft SQL Server).

    5. The name of the database server, for example, localhost.

    6. The database authentication type (Windows authentication or SQL Server authentication). For SQL Server, provide the user name and password.

    7. The name of the Opalis database.

    8. The user authentication type (Stand-alone or Active Directory). For Active Directory, provide the Active Directory root DN, Domain Controller, Port, and SAM account name for the administrator group.

  5. When the "Operator Console installation complete" message appears, click Close.

Securing the Operator Console

By default, the Operator console is installed using the HTTP protocol (unsecured). We strongly recommend that you perform the following procedures to configure the Operator console to use HTTPS.

Both options use the keytool utility from the Java Development Kit. Either complete only the first procedure to generate and use a self-signed certificate, or complete both procedures to generate a request that you send to a certification authority.

To generate a self-signed certificate for the Operator Console

  1. At the command prompt, type

    %JAVA_HOME%\bin\keytool -genkey -alias <Alias> -keyalg RSA -keystore %JAVA_HOME%\jre\lib\security\cacerts

    Replace <Alias> with the alias name that you want to use for the certificate.

  2. At the prompts, provide the following information:

    1. Keystore password. In a default JDK installation the password is changeit.

    2. First and Last name. Type the fully qualified domain name of the Operator console host computer.

    3. Organizational unit

    4. Organization

    5. City

    6. State or Province

    7. Two-letter country code

  3. When prompted for the Alias password, leave it blank and press ENTER.

    The certificate is added to the Java cacerts certificate store.

To generate a certification authority request file, continue with the next procedure. Otherwise, skip to the Enable SSL Support procedure.

To generate a certification authority request file

  1. At the command prompt, go to the <OperatorConsoleFolder>\server\default\conf folder.

  2. Type the following command:

    %JAVA_HOME%\bin\keytool -certreq -keyalg RSA -alias <Alias> -file certreq.csr -keystore %JAVA_HOME%\jre\lib\security\cacerts

    Replace <Alias> and <Keystore_filename> with the values that you used in the previous procedure. You will also be asked for the keystore password. In a default installation of the JDK, the password is changeit.

  3. At the prompt, provide the Keystore password. In a default JDK installation the password is changeit.

    The certificate request file (certreq.csr) appears in the <OperatorConsoleFolder>\server\default\conf folder.

  4. Submit the certreq.csr file to the certification authority.

  5. When you receive the certificate from the certification authority, import it using the following command:

    keytool -import -alias <Alias> -keystore %JAVA_HOME%\jre\lib\security\cacerts -trustcacerts -file <CertificateNameFromCertificateAuthority>

    Replace <Alias>, <Keystore_filename>, and <CertificateNameFromCertificateAuthority> with the values of the Alias, Keystore filename, and Certificate name.

    The certificate is added to the Java cacerts certificate store.
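After either of the two certificate procedures above, the keystore entry can be checked before it is wired into JBoss. The following is an added example, not part of the original documentation: the function name Test-KeystoreEntry, the host name, and the sample keytool listing are constructed for illustration, and English keytool output is assumed.

```powershell
# Constructed sample of "keytool -list -v -alias <Alias> -keystore ..." output (values are made up).
$sample = @'
Alias name: opconsole
Creation date: Jan 12, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=opconsole.example.test, OU=IT, O=Example, L=Redmond, ST=WA, C=US
Issuer: CN=opconsole.example.test, OU=IT, O=Example, L=Redmond, ST=WA, C=US
Serial number: 4b4c6a10
Valid from: Tue Jan 12 09:00:00 PST 2010 until: Mon Apr 12 10:00:00 PDT 2010
'@ -split "`r?`n"

# Hypothetical helper: returns a list of findings for one keystore alias.
function Test-KeystoreEntry {
    param([string[]]$KeytoolOutput, [string]$ExpectedHost)
    $field = @{}
    foreach ($line in $KeytoolOutput) {
        # Keep the first occurrence so Owner/Issuer describe Certificate[1], the server certificate.
        if ($line -match '^(Entry type|Owner|Issuer):\s*(.+)$' -and
            -not $field.ContainsKey($matches[1])) { $field[$matches[1]] = $matches[2].Trim() }
    }
    $findings = @()
    # The alias must hold the key pair; a CA reply imported under another alias
    # is stored as a trusted certificate and leaves the key entry unchanged.
    if ($field['Entry type'] -ne 'PrivateKeyEntry') {
        $findings += "Alias holds '$($field['Entry type'])', not a private key entry."
    }
    # "First and Last name" becomes the CN; it should be the console host's FQDN.
    $cn = if ($field['Owner'] -match '(^|,\s*)CN=([^,]+)') { $matches[2].Trim() } else { '' }
    if ($cn -ne $ExpectedHost) {
        $findings += "Certificate CN '$cn' does not match '$ExpectedHost'."
    }
    # Expected after the first procedure; after importing a CA reply it means
    # the reply did not replace the self-signed certificate.
    if ($field['Owner'] -eq $field['Issuer']) {
        $findings += 'Certificate is self-signed (Owner equals Issuer).'
    }
    $findings
}

Test-KeystoreEntry -KeytoolOutput $sample -ExpectedHost 'opconsole.example.test'
```

To check a real keystore, capture the output of keytool -list -v with the same -alias and -keystore values used in the procedures and pass it as -KeytoolOutput.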

Next step: Enable Operator console access using HTTPS

To enable Operator Console access using the HTTPS protocol

  1. Open the <OperatorConsoleFolder>\server\default\deploy\jboss-web.deployer\server.xml file.

  2. Uncomment the HTTPS protocol information in the server.xml file. The resulting file should look similar to:

    <!-- HTTP protocol -->
    <Connector port="<AvailablePortNumber>"
        address="${jboss.bind.address}"
        maxThreads="250" maxHttpHeaderSize="8192"
        emptySessionPath="true" protocol="HTTP/1.1"
        enableLookups="false" redirectPort="8443" acceptCount="100"
        connectionTimeout="20000" disableUploadTimeout="true" />

    <!-- HTTPs protocol -->
    <Connector port="<AvailablePortNumber>"
        address="${jboss.bind.address}" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="250" scheme="https" secure="true" clientAuth="false"
        keystoreFile="${java.home}/lib/security/cacerts"
        keystorePass="<KeystorePassword>"
        sslProtocol="TLS" />

  3. Replace <AvailablePortNumber> for each protocol with the actual port numbers you will use. The default port number for the Operator console is 5314. The default port number for https is 8443.

  4. Replace <KeystorePassword> with the password for the Keystore that you used in the previous procedures.

  5. To turn off a protocol, comment out the connection string of the protocol that you want to block using <!-- before the string and --> after the string. Turning off a protocol means that users cannot access the Operator console using that protocol.

  6. Copy the server folder from <OperatorConsoleFolder>\offline\protocol\https to <OperatorConsoleFolder>.

  7. Modify the application.xml file located at <OperatorConsoleFolder>\server\default\deploy\OpsConsoleApp-1.0.ear\META-INF\application.xml by changing

    <module><ejb>OpConsoleWebService-1.0.jar</ejb></module> to <module><ejb>OpConsoleWebServiceSSL-1.0.jar</ejb></module>.

  8. Modify the security-constraint section of the <OperatorConsoleFolder>\server\default\deploy\OpConsoleWebServiceBridge-1.0.war\WEB-INF\web.xml file to the following:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SecuredAll</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

  9. Restart JBoss to load the new server.xml settings.
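The edits to server.xml and web.xml in the procedure above can be audited together. The following is an added example, not part of the original documentation: the function name Test-OpConsoleTls and both XML samples are constructed for illustration, and the sample deliberately contains a redirectPort that no longer matches the HTTPS port and the default keystore password.

```powershell
# Constructed samples standing in for server.xml and web.xml (not taken from a real install).
$serverXml = [xml]@'
<Service name="jboss.web">
  <Connector port="5314" address="${jboss.bind.address}" protocol="HTTP/1.1"
             redirectPort="8443" />
  <Connector port="443" address="${jboss.bind.address}" protocol="HTTP/1.1"
             SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
             keystoreFile="${java.home}/lib/security/cacerts"
             keystorePass="changeit" sslProtocol="TLS" />
</Service>
'@
$webXml = [xml]@'
<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>
'@
# Hypothetical helper: returns a list of findings for the two parsed files.
function Test-OpConsoleTls {
    param([xml]$ServerXml, [xml]$WebXml)
    $findings = @()
    # Commented-out connectors are XML comments, so only active ones are returned here.
    $all   = @($ServerXml.SelectNodes('//Connector'))
    $https = @($all | Where-Object { $_.GetAttribute('SSLEnabled') -eq 'true' })
    $http  = @($all | Where-Object { $_.GetAttribute('protocol') -eq 'HTTP/1.1' -and
                                     $_.GetAttribute('SSLEnabled') -ne 'true' })
    if ($https.Count -eq 0) { $findings += 'No active Connector has SSLEnabled="true".' }
    foreach ($c in $https) {
        $port = $c.GetAttribute('port'); $pass = $c.GetAttribute('keystorePass')
        if ($c.GetAttribute('scheme') -ne 'https' -or $c.GetAttribute('secure') -ne 'true') {
            $findings += "Port ${port}: scheme/secure are not https/true."
        }
        if ($pass -eq 'changeit') { $findings += "Port ${port}: keystorePass is the JDK default password." }
    }
    # CONFIDENTIAL requests that arrive over HTTP are redirected to redirectPort.
    $httpsPorts = @($https | ForEach-Object { $_.GetAttribute('port') })
    foreach ($c in $http) {
        $redirect = $c.GetAttribute('redirectPort')
        if ($httpsPorts -notcontains $redirect) {
            $findings += "Port $($c.GetAttribute('port')): redirectPort $redirect is not an HTTPS connector."
        }
    }
    # local-name() keeps the query working if web.xml declares a default namespace.
    $xpath = "//*[local-name()='security-constraint']//*[local-name()='transport-guarantee']"
    $tg = $WebXml.SelectSingleNode($xpath)
    if ($null -eq $tg -or $tg.InnerText.Trim() -ne 'CONFIDENTIAL') {
        $findings += 'web.xml does not set transport-guarantee to CONFIDENTIAL.'
    }
    $findings
}
Test-OpConsoleTls -ServerXml $serverXml -WebXml $webXml
```

To audit a real installation, load each of the two files named in steps 1 and 8 with [xml](Get-Content ...) after the placeholders have been replaced, and pass the results to the function.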

Next step: To view the Operator console using an SSL connection

To view the Operator Console using an SSL connection

  • The Operator console URL will be different depending on the port number that you assigned to the HTTPS protocol in the previous procedure.

    If you use the default SSL port (443), the Operator console URL will be https://OperatorConsoleLocation.

    If you use a non-default SSL port, the Operator console URL will be https://OperatorConsoleLocation:PortNumber. For example, if you use port 5314 on a computer named OperatorConsole, the URL would be https://OperatorConsole:5314.