HTTPS/SSL support for Applications Manager and Broker
Transfers of sensitive data can be protected by configuring Applications Manager and the components that communicate with it to use HTTPS, i.e. HTTP over Secure Sockets Layer (SSL; current Java stacks actually negotiate TLS, but the configuration options keep the SSL name). The purpose of this document is to present the basic configuration options for using HTTPS/SSL in Applications Manager network communication.
It is assumed that the certificate is purchased from a trusted certificate authority. Creating a self-signed certificate is not covered in this document.
For additional information about OpenLM Applications Manager configuration, please see OpenLM Applications Manager Configuration documentation.
2. Applications Manager configuration
To configure Applications Manager with HTTPS/SSL follow these steps:
2.1 Adding certificate chain to keystore
Applications Manager reads its server certificate from a JKS (Java KeyStore) file, the repository Java uses for security certificates and private keys. The certificate file received from the CA usually has to be converted to JKS, and the keystore password and the password protecting the private-key entry inside it must be identical (the passwords have to be synchronized). The source file must contain the entire certificate chain from the trusted certificate authority that issued the certificate (the intermediate certificates and the root), not only the end-entity certificate issued for the host name; otherwise clients that do not already know the intermediates cannot validate the server. The openssl tool, together with the keytool utility shipped with Java, can be used to produce the required file. The process consists of:
- Purchasing a certificate file (from a trusted certificate authority).
- Converting the certificate file, together with its private key and the CA chain, to JKS format.
- Synchronizing the private-key password and the JKS keystore password.
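The conversion described above, as an added example that is not part of the original page or of OpenLM's tooling: a POSIX shell script that first checks the PEM material (the chain validates the server certificate, and the certificate is issued for the host name that will later go into binding.host), then bundles certificate, key and chain into a PKCS#12 file with openssl and imports it into a JKS with the JDK's keytool, using a single password for the keystore and the key entry so the two stay synchronized. File names, the alias appmanager and the password are assumptions; the 3DES-based PKCS#12 encryption options are chosen only so that older Java runtimes can read the intermediate file.

```shell
#!/usr/bin/env sh
# Build the JKS keystore that Applications Manager expects from PEM material.
# Added example, not OpenLM tooling. Assumed inputs: appmgr.pem (server cert),
# appmgr.key (private key), chain.pem (every CA certificate, root included).
set -eu

# precheck_material <leaf.pem> <chain.pem> <host>
# Returns 0 only if chain.pem validates the leaf certificate and the leaf is
# issued for <host>, which is the value that must go into binding.host.
precheck_material() {
  local leaf="$1" chain="$2" host="$3"
  openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1 || return 1
  # -checkhost prints "Hostname <h> does match certificate" or "does NOT match"
  openssl x509 -in "$leaf" -noout -checkhost "$host" 2>/dev/null \
    | grep -q 'does match'
}

# make_jks <leaf.pem> <key.pem> <chain.pem> <out.jks> <password> [alias]
make_jks() {
  local leaf="$1" key="$2" chain="$3" out="$4" pass="$5" alias="${6:-appmanager}"
  local p12="${out%.jks}.p12"

  # Step 1: one PKCS#12 file holding key, server certificate and, via
  # -certfile, the full CA chain. Without -certfile the keystore would contain
  # only the end-entity certificate and clients would see an incomplete chain.
  openssl pkcs12 -export -in "$leaf" -inkey "$key" -certfile "$chain" \
    -name "$alias" -out "$p12" -passout "pass:$pass" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1

  # Step 2: import into JKS. The same value is passed as keystore password
  # and as key-entry password, which is the "synchronized passwords" rule.
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -srcalias "$alias" -destalias "$alias" \
    -destkeystore "$out" -deststoretype JKS -deststorepass "$pass" \
    -destkeypass "$pass"
  rm -f "$p12"   # the intermediate file contains the unencrypted-at-rest key
}

# chain_length <jks> <password>
# Prints the number of certificates stored under the private-key entry.
# It must equal the number of CA certificates in chain.pem plus one (the
# server certificate); anything smaller means intermediates were lost.
chain_length() {
  keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null \
    | sed -n 's/^Certificate chain length: *//p'
}
```

Typical use: `precheck_material appmgr.pem chain.pem appmgr.example.org && make_jks appmgr.pem appmgr.key chain.pem appmanager.jks 'secret'`, then point -Djavax.net.ssl.keyStore at appmanager.jks and confirm with `chain_length appmanager.jks 'secret'` before restarting the service.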
2.2 Configuring Applications Manager to use keystore
Run C:/Program Files (x86)/OpenLM/OpenLM App Manager/bin/OpenLMAppManager.exe and open the Java tab.
All parameters on the Java tab are pre-configured by the installer except the SSL keystore location:
-Djavax.net.ssl.keyStore=<path to the JKS file>
Nothing else is required if the server uses a valid SSL certificate signed by a trusted authority.
In the case of a self-signed certificate, the certificate also has to be added to the Java trust store of the Java components that connect to Applications Manager; otherwise they reject the connection because no trusted authority vouches for the certificate.
2.3 Updating Applications Manager properties file
Several parameters in the openlm-app-manager.properties file, which configures Applications Manager, need to be updated. HTTPS/SSL is enabled with the protocol and binding.host parameters; a secure connection between Applications Manager and OpenLM Server is selected with the openlm.server.protocol parameter.
1. Locate the openlm-app-manager.properties file (e.g., C:\Program Files (x86)\OpenLM\OpenLM App Manager\openlm-app-manager.properties) and open it in a text editor (e.g., Notepad).
2. Locate the binding.host parameter and change it to the actual host name or IP address (see Figure 1). Use exactly the host name the certificate was issued for, because clients validate the certificate against the name they connect to.
Figure 1: Changing the binding.host parameter.
3. Change the protocol parameter to "https" (see Figure 2).
Figure 2: Changing the protocol parameter to "https".
4. If your OpenLM Server is running with SSL, change the openlm.server.protocol parameter to "https" (see Figure 3).
Figure 3: Changing the openlm.server.protocol parameter to "https".
5. Save openlm-app-manager.properties file.
6. Restart Applications Manager to activate the changes.
2.4 Securing Applications Manager Web Services
The Applications Manager web service is used by both the Active Agent and the User Interface (also known as EasyAdmin or Dashboard). The User Interface uses a fallback approach: it first attempts a plain HTTP connection and switches to HTTPS only when that connection fails, i.e. once Applications Manager no longer answers on plain HTTP. OpenLM Agent services do not fall back and have to be configured for SSL explicitly, using the following steps.
1. Open OpenLM Agent Configuration screen ([Show Hidden Icons] > [right click – OpenLM Agent icon] > [OpenLM Agent Configuration]).
Figure 4: Choosing OpenLM Agent Configuration.
2. Click OpenLM Applications Manager tab to reveal Applications Manager configuration options.
3. Fill OpenLM License Manager server field with the same hostname or IP as binding.host parameter in openlm-app-manager.properties file.
4. Check SSL checkbox to the right of server name field (see Figure 5).
Figure 5: Agent Configuration screen with SSL checked.
5. Click the [Check Connectivity status] button. A screen confirming the connection to Applications Manager should appear (see Figure 6). If the connection attempt fails, a warning screen appears instead (see Figure 7). In that case, check that the OpenLM License Manager server field and the port field contain exactly the same host name and port as the binding.host parameter and the port in the openlm-app-manager.properties file, then repeat this step. The host name must be exactly the one the SSL certificate was issued for: the certificate can only prove that the Agent is connecting to the right Applications Manager instance if the name the Agent connects to is the name in the certificate. If the connection still fails, contact OpenLM support (firstname.lastname@example.org).
Figure 6: Server connection check success screen.
Figure 7: Server connection warning screen.
6. Click [OK] to close success screen.
7. Click [Apply] to save changes. OpenLM Agent Configuration Tool will close.
3. Broker Configuration
When Applications Manager is bound to a host name (rather than 'localhost') and SSL is enabled for the Agent, the host name and the secure-protocol settings also have to be added to the OpenLM Broker configuration, both in the OpenLM Broker Configuration Tool and in the lmstat.bat file (lmstat.sh on Linux/Unix).
3.1 Modifying lmstat.bat file
1. Locate lmstat.bat file in OpenLM Applications Manager folder (e.g., C:\Program Files (x86)\OpenLM\OpenLM App Manager\lmstat.bat).
2. Open lmstat.bat file in any text editor (e.g., Notepad).
3. Locate the set host parameter and change its value to the correct host name / IP for your system, the same value as binding.host in openlm-app-manager.properties (see Figure 9).
Figure 9: Locating and changing set host parameter.
4. [Optional] Locate the call parameter and add -k to the call string only if you must accept a self-signed certificate (see Figure 10). If the call string is a curl invocation, as the -k switch suggests, -k turns certificate verification off entirely, so the Broker would accept any certificate presented on that connection; making the signing certificate trusted instead (see 2.2) keeps verification in place.
Figure 10: Locating and changing call string parameter.
5. Locate the http parameter and change it to https (see Figure 11).
Figure 11: Locating and changing http parameter to https.
6. Save and close lmstat.bat file.
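A manual check equivalent to what the Agent's [Check Connectivity status] (section 2.4, step 5) and the Broker's lmstat call have to achieve, added here as an example (not OpenLM tooling; host, port and CA bundle path are assumptions): openssl s_client validates the chain presented by Applications Manager against a CA bundle and checks that the certificate is issued for the configured host name or IP, and curl is pointed at the same bundle with --cacert instead of -k, which keeps verification on for a private CA. That the lmstat call string is a curl invocation is an assumption based on the -k switch.

```shell
#!/usr/bin/env sh
# TLS endpoint check for Applications Manager. Added example, not OpenLM
# tooling. Assumed: host and port are the binding.host value and the
# Applications Manager port, chain.pem is the CA bundle (root included).
set -eu

# check_tls_endpoint <host-or-ipv4> <port> <ca-bundle.pem>
# Returns 0 only if the handshake succeeds, the presented chain verifies
# against the bundle and the certificate matches the name we connected to.
# A refused connection, an incomplete chain or a name mismatch all return
# non-zero, the same conditions that make the Agent show its warning screen.
check_tls_endpoint() {
  local host="$1" port="$2" cafile="$3" namecheck
  case "$host" in
    # DNS name: send it as SNI and match it against the dNSName SAN / CN
    *[!0-9.]*) namecheck="-servername $host -verify_hostname $host" ;;
    # IPv4 literal: no SNI, match against the iPAddress SAN instead
    *)         namecheck="-verify_ip $host" ;;
  esac
  # namecheck is intentionally unquoted so it expands to separate arguments
  openssl s_client -connect "$host:$port" $namecheck -CAfile "$cafile" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# fetch_secure <host> <port> <path> <ca-bundle.pem>
# The "-k" variant of the lmstat call string disables certificate
# verification, so any host on the path could impersonate Applications
# Manager. --cacert trusts the private CA while keeping verification on.
fetch_secure() {
  local host="$1" port="$2" path="$3" cafile="$4"
  curl --silent --show-error --fail --cacert "$cafile" \
    "https://$host:$port$path"
}
```

Run `check_tls_endpoint appmgr.example.org 27080 chain.pem && echo OK` from the Broker host; if it fails while a browser succeeds, the usual cause is that the server sends only its own certificate (chain.pem was not included when the JKS was built) or that the name in binding.host is not the name in the certificate.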
3.2 OpenLM Broker Configuration Tool
1. Run OpenLM Broker Configuration Tool ([Start] > [OpenLM] > [OpenLM Broker Configuration Tool]). OpenLM Broker Configuration Tool will open.
2. Check the Host Name \ IP of the License Servers. It must match binding.host (so it must not be 'localhost'). If the value needs to be changed, click the localhost node and enter the Host Name \ IP in the field (see Figure 6).
3. Click [Apply] button to commit changes.
Figure 6: Locating Host Name \ IP field on License Manager panel.
4. Click Commands node for Applications Manager (e.g., Commands under Port 27080).
5. Click [Update] button on Commands panel (see Figure 7).
Figure 7: Locating [Update] button on Command panel.
6. Click the data_inquery node to verify that the Command Line has been updated successfully, then click the Execute button to confirm that it works: a <server_status="ok"> message is displayed. The path should look like the one in Figure 8.
Figure 8: Locating Command Lines.