Certificates

To expose access over the HTTPS protocol, the different components use a Java keystore. This page explains how to configure the keystore and truststore for the different modules.

Keystore vs Truststore

In short, a keystore holds a public/private key pair that can be used to:

  • serve HTTPS (the TLS server certificate and its private key)
  • encrypt/decrypt JWT or SAML tokens

The truststore contains the CA (certificate authority) certificates that are trusted when making HTTPS requests.

Internal communication

As the different components exchange information among themselves, especially with Keycloak, each has to trust the certificates of the other components. See the architecture diagram for details.

The components that expose an HTTPS endpoint:

  • HPA Portal
  • Broadcom Webview
  • Keycloak
  • Broadcom EM Channel for agent communication

The components that need a truststore internally:

  • HPA Portal, to consume the Keycloak API

And optionally (not activated by default):

  • Broadcom Webview, to consume the Broadcom EM REST API
  • HPA extractor, to consume the Broadcom EM REST API

Other fixed public/private keys are used:

  • Keycloak hpa-hexagon SAML and Webview Service Provider
  • Keycloak realm keys are stored in the database. Keys can be exported through the Keycloak GUI
  • Broadcom Webview uses the keystore spprivatekey.jks with the default password: password

Some internal communications are not secured by default; they are restricted to the 127.0.0.1 loopback interface:

  • Broadcom EM Channel (Broadcom binary proprietary protocol), clients:
    • Webview
    • APMSQL
  • Broadcom EM REST API, clients:
    • Webview
    • APMSQL
    • HPA extractor
  • JDBC protocol

Security.config file

#!/bin/bash

export HPA_BASE_HTTP=https

export HPA_HOST_PORT_PUBLIC=$HPA_EXTERNAL_DNS:${HPA_NGINX_PORT}
export HPA_URL_SERVER_PUBLIC=$HPA_BASE_HTTP://$HPA_HOST_PORT_PUBLIC${HPA_URL_CONTEXTPATH_WITH_LEADING_SLASH}
export HPA_URL_SERVER_PRIVATE=$HPA_BASE_HTTP://$HPA_SERVER_LISTENIP:$HPA_SERVER_PORT
export HPA_URL_EXTRACTOR=http://$HPA_EXTRACTOR_LISTENIP:$HPA_EXTRACTOR_PORT
export HPA_URL_EM_WEB=http://$HPA_EM_WEB_HOST:$HPA_EM_WEB_PORT
export HPA_URL_WEBVIEW_PUBLIC=$HPA_BASE_HTTP://$HPA_HOST_PORT_PUBLIC${HPA_URL_CONTEXTPATH_WITH_LEADING_SLASH}/introscope
export HPA_URL_WEBVIEW_PRIVATE=$HPA_BASE_HTTP://$HPA_EM_WEBVIEW_LISTENIP:$HPA_EM_WEBVIEW_PORT
export HPA_URL_KEYCLOAK_PUBLIC=$HPA_BASE_HTTP://$HPA_HOST_PORT_PUBLIC${HPA_URL_CONTEXTPATH_WITH_LEADING_SLASH}/keycloak
export HPA_URL_KEYCLOAK_PRIVATE=$HPA_BASE_HTTP://$HPA_KEYCLOAK_LISTENIP:$HPA_KEYCLOAK_PORT

#
# NGINX
#
export HPA_NGINX_CERTIFICATE=$HPA_CERTIFICATES_DIR/nginx_fullchain.pem
export HPA_NGINX_CERTIFICATE_KEY=$HPA_CERTIFICATES_DIR/nginx_privkey.pem
export HPA_NGINX_CERTIFICATE_PASSWORD_FILE=$HPA_CERTIFICATES_DIR/nginx_privkey.pass

#
# HPA truststore
#
export HPA_TRUSTSTORE=$HPA_CERTIFICATES_DIR/hpa_truststore.jks
export HPA_TRUSTSTORE_PWD=changeit
export HPA_TRUSTSTORE_TYPE=JKS
export HPA_TRUSTSTORE_OPTS="-Djavax.net.ssl.trustStore=$HPA_TRUSTSTORE -Djavax.net.ssl.trustStorePassword=$HPA_TRUSTSTORE_PWD -Djavax.net.ssl.trustStoreType=$HPA_TRUSTSTORE_TYPE"

#
# HPA keystore
#
export HPA_KEYSTORE=$HPA_CERTIFICATES_DIR/hpa_keystore.p12
export HPA_KEYSTORE_PWD=changeit
export HPA_KEYSTORE_TYPE=PKCS12

#
# Certificates are in PEM format and named:
# <alias>_certificate.pem
# <alias>_private_key.pem
#
# KEYCLOAK
#
export HPA_KEYCLOAK_ALIAS=keycloak
export HPA_REALM_KEYCLOAK=$HPA_CERTIFICATES_DIR/keycloak_realm_hpa.pem
export HPA_REALM_KEYCLOAK_ALIAS=keycloack_hpa_realm

#
# SERVER
#
export HPA_SERVER_ALIAS=hpa_portal

#
# EXTRACTOR
#
export HPA_EXTRACTOR_ALIAS=hpa_extractor

#
# EM
#
export HPA_EM_WEB_ALIAS=introscope_em
export HPA_CHANNEL_ALIAS=introscope_channel

#
# WEBVIEW
#
export HPA_WEBVIEW_ALIAS=introscope_webview

#
# Admin role
#
export HPA_ROLE_ADMIN="Admin"

If restricted firewall rules

Check against your firewall rules that the default ports are allowed:

  • HPA_EM_PORT
  • HPA_KEYCLOAK_PORT
  • HPA_EM_WEBVIEW_PORT
  • HPA_SERVER_PORT

These ports must be open to the external network (end-user or Calypso environments); see the firewall rules.

If there are restrictions on internal server ports

The other values should not be modified unless some of these ports are already in use on the target HPA server.