Link: https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02707977
Digital signature verification of RPM package
This procedure verifies the digital signature of the RPM package, to make sure the file has not been tampered with and that the code was indeed signed by the trusted entity (Hewlett Packard Enterprise).
If the signing key has not been imported into the RPM database, you may see a NOKEY warning during the installation of the ALM Octane application:
warning: octane-onprem-12.53.xx.xx.rpm: Header V3 RSA/SHA1 Signature, key ID b564a643: NOKEY
Solution:
If you see the NOKEY warning during the RPM package installation, follow the procedure on this page to import the missing key. In the example above, the key ID is b564a643.
Here is the summary of steps:
Download the keys (or use attached)
Extract the missing key (or use attached)
Import the missing key
rpm --import /path_to_the_key/B564a643.pub
Validate that the signature is OK:
rpm --checksig filename_of_the_rpm
The package is fine only if the result line ends in OK (not NOT OK) and reports a signature check, not just the sha1/md5 digests: rpm also prints OK for the digests of an unsigned package, which proves nothing about its origin. For subsequent installations, run the above steps before installing ALM Octane and the warning will not appear.
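The following script is an added example, not part of the HPE article: it performs the steps above unattended. It reads the key ID out of the NOKEY warning, imports the key only after its fingerprint matches a value obtained from HPE out of band (importing whatever key silences the warning proves nothing about who signed the package), and rejects any result other than a verified signature. The package path, key file path and expected fingerprint are placeholders; rpm and gpg are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: verify an HPE-signed RPM end to end. Paths and the expected
# fingerprint are placeholders to fill in; nothing here comes from the HPE article.

# Pull the hex key ID out of an rpm NOKEY warning such as
#   "warning: pkg.rpm: Header V3 RSA/SHA1 Signature, key ID b564a643: NOKEY"
nokey_keyid() {
    printf '%s\n' "$1" | sed -n 's/.*key ID \([0-9A-Fa-f]\{8,16\}\): NOKEY.*/\1/p' | tr 'A-F' 'a-f'
}

# Accept an `rpm --checksig` result line only if the signature itself verified:
# it must end in OK, must not be "NOT OK"/"MISSING KEYS", and must mention a
# signature check. rpm prints "sha1 md5 OK" / "digests OK" for an unsigned
# package, which says nothing about origin.
checksig_line_ok() {
    case "$1" in
        *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -qE '(^|[^A-Za-z])OK$' || return 1
    printf '%s\n' "$1" | grep -qiE 'pgp|gpg|signatures'
}

# Print the fingerprint of the first key in a public-key file (gpg 2.0 syntax;
# on gpg >= 2.2 `gpg --show-keys --with-colons` gives the same record).
key_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import the key into the RPM database only if its fingerprint matches the value
# obtained from HPE out of band (placeholder: the caller supplies it).
import_key_checked() {   # $1 = key file, $2 = expected fingerprint (hex, no spaces)
    actual=$(key_fingerprint "$1")
    if [ "$(printf '%s' "$actual" | tr 'a-f' 'A-F')" != "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]; then
        echo "fingerprint mismatch: got ${actual:-none}, expected $2" >&2
        return 1
    fi
    rpm --import "$1"
}

# Verify one package; returns 0 only when the signature is OK.
verify_rpm() {   # $1 = rpm file, $2 = key file, $3 = expected key fingerprint
    result=$(rpm --checksig "$1" 2>&1 || true)
    if printf '%s\n' "$result" | grep -qE 'NOKEY|MISSING KEYS'; then
        keyid=$(nokey_keyid "$result")
        echo "key ${keyid:-?} missing, importing $2 after fingerprint check" >&2
        import_key_checked "$2" "$3" || return 1
        result=$(rpm --checksig "$1" 2>&1 || true)
    fi
    checksig_line_ok "$(printf '%s\n' "$result" | grep -v '^warning:' | tail -n 1)"
}

# Usage: ./verify_rpm.sh octane-onprem-12.53.xx.xx.rpm /path_to_the_key/B564a643.pub <fingerprint>
if [ "$#" -eq 3 ]; then
    if verify_rpm "$1" "$2" "$3"; then echo "$1: signature OK"; else echo "$1: REJECTED" >&2; exit 1; fi
fi
```

Run it before every installation; a non-zero exit means the package must not be installed, whether because the key file did not match the expected fingerprint or because the signature did not verify.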
Encryption of sensitive data
ALM Octane encrypts sensitive data with AES-256, a symmetric algorithm in which one shared secret key is used for both encryption and decryption. The key is generated from the values entered in setup.xml. Keep these settings in a safe location for potential future needs, e.g. installing additional services: since the key is derived from them, encrypted data cannot be recovered without them.
Securing access to ALM Octane Application Server (jetty)
Note: ALM Octane uses TLSv1.2 secure protocol.
To configure secure connection to the ALM Octane server:
- Obtain a server certificate issued to the host name of the ALM Octane server.
- Convert this certificate, together with its private key, into a Java keystore, e.g.:
keytool.exe -importkeystore -srckeystore
- Copy your keystore file to the /opt/octane/conf/ folder and name it keystore.jks. The keystore holds the server's private key, so restrict its permissions to the account that runs ALM Octane.
- Run /opt/octane/install/enablessl.sh, supplying the keystore (certificate) password as a parameter to the script.
- Restart the service:
service HPALM restart
Redirect non-secure access to secure port (http to https)
- Restart the service:
service HPALM restart
- Load http://<ALM Octane server>:8080 and verify that it redirects to https://<ALM Octane server>:8443.
- If it does not, ensure that SecurePort in /opt/octane/server/conf/jetty.xml matches your secure port.
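The script below is an added example, not part of the HPE article, for checking the result of the two procedures above from a client machine: that port 8443 accepts TLSv1.2 (the protocol the note above says ALM Octane uses) and refuses older versions, that the served certificate is the one issued to the server name, and that port 8080 answers with a redirect to the https origin rather than serving content in plain text. OCTANE_HOST and the ports 8080/8443 are placeholders taken from the procedure; openssl and curl are assumed to be installed.

```shell
#!/bin/sh
# Added example: post-configuration checks for the ALM Octane TLS listener and redirect.
# OCTANE_HOST, 8080 and 8443 are placeholders; openssl and curl must be on the PATH.

# Return 0 if a TLS handshake using the given client protocol option succeeds.
# Expected: -tls1_2 succeeds while -tls1_1 and -tls1 fail. (An openssl client built
# with a high security level may refuse -tls1 by itself; check the error text.)
tls_handshake() {   # $1 = host:port, $2 = openssl protocol option such as -tls1_2
    openssl s_client -connect "$1" -servername "${1%%:*}" "$2" </dev/null >/dev/null 2>&1
}

# Print subject, issuer and validity of the certificate the listener actually serves,
# to confirm keystore.jks holds the certificate issued to the server name.
served_certificate() {   # $1 = host:port
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Extract the Location header value from a raw HTTP response head.
redirect_target() {   # $1 = response headers as dumped by `curl -D -`
    printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# Return 0 only if the response is a redirect whose target is under the expected https
# origin. A 200 from port 8080, or a redirect to an http:// URL, means plain-text access
# is still being served.
is_secure_redirect() {   # $1 = response headers, $2 = expected origin, e.g. https://host:8443
    status=$(printf '%s\n' "$1" | head -n 1 | awk '{ print $2 }')
    case "$status" in 301|302|303|307|308) ;; *) return 1 ;; esac
    case "$(redirect_target "$1")" in "$2"|"$2"/*) return 0 ;; *) return 1 ;; esac
}

# Usage: OCTANE_HOST=octane.example.com ./check_tls.sh
if [ -n "${OCTANE_HOST:-}" ]; then
    tls_handshake "$OCTANE_HOST:8443" -tls1_2 && echo "TLSv1.2: accepted" || echo "TLSv1.2: REFUSED"
    tls_handshake "$OCTANE_HOST:8443" -tls1_1 && echo "TLSv1.1: accepted (older protocol still enabled)" || echo "TLSv1.1: refused"
    served_certificate "$OCTANE_HOST:8443"
    headers=$(curl -sS -o /dev/null -D - "http://$OCTANE_HOST:8080/")
    if is_secure_redirect "$headers" "https://$OCTANE_HOST:8443"; then
        echo "http -> https redirect: OK"
    else
        echo "http -> https redirect: MISSING (check SecurePort in /opt/octane/server/conf/jetty.xml)" >&2
        exit 1
    fi
fi
```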
Establishing trust to Certificate Authority
This procedure is necessary when ALM Octane connects to any other server over a secure channel, for example a database server or an LDAP server.
Unless the remote server certificate has been issued by a certificate authority (CA) already trusted in the Java truststore, the TLS handshake will fail.
The most common error in the log is "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".
To establish trust:
- Obtain the certificate of the root CA and of any intermediate CA in the chain that issued the remote server certificate.
- Import each certificate into the Java truststore using a keytool command. For example:
cd
./keytool -import -trustcacerts -alias
- If the service is already running, restart it.
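As an added example that is not part of the HPE article, the script below automates the procedure above: it fetches the chain a remote server (database, LDAP) presents, splits it into individual certificates, drops the leaf, and imports the CA certificates into the JVM truststore with keytool -import -trustcacerts, printing each SHA-256 fingerprint so it can be compared with what the CA operator publishes before it is trusted. The host name, the truststore path (JDK 8 layout, default password changeit) and the use of openssl and keytool on the PATH are assumptions.

```shell
#!/bin/sh
# Added example: fetch the chain a remote TLS server presents, keep the CA certificates,
# and import them into the JVM truststore. Host names, the truststore path and its
# password are placeholders; openssl and keytool (from the JVM ALM Octane runs on) must be on PATH.
set -e

# Write the PEM chain the server sends (leaf first, then intermediates; the root is
# usually not sent and must then be obtained from the CA operator).
fetch_chain() {   # $1 = host:port, $2 = output file
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# Split a PEM bundle into <dir>/cert-1.pem, cert-2.pem, ... and print how many were written.
split_pem_chain() {   # $1 = PEM bundle, $2 = output directory
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/  { inside = 0; close(out) }
        END { print n + 0 }' "$1"
}

# Import every certificate except the leaf (cert-1.pem) as a trusted CA. Trusting the
# leaf itself would work only until the server certificate is renewed.
import_cas() {   # $1 = directory with cert-N.pem, $2 = truststore, $3 = store password
    for f in "$1"/cert-*.pem; do
        case "$f" in */cert-1.pem) continue ;; esac
        subject=$(openssl x509 -in "$f" -noout -subject)
        alias=$(printf '%s' "$subject" | sed 's/^subject= *//; s/[^A-Za-z0-9]/_/g' | cut -c1-60)
        # Compare this fingerprint with the value the CA publishes before trusting it.
        echo "importing $subject"; openssl x509 -in "$f" -noout -fingerprint -sha256
        keytool -import -trustcacerts -noprompt -alias "$alias" -file "$f" -keystore "$2" -storepass "$3"
    done
}

# Usage: ./trust_remote_ca.sh ldap.example.com:636 [truststore] [password]
# Assumption: JDK 8 layout; on JDK 9+ the default truststore is $JAVA_HOME/lib/security/cacerts.
if [ "$#" -ge 1 ]; then
    store=${2:-$JAVA_HOME/jre/lib/security/cacerts}
    pass=${3:-changeit}
    work=$(mktemp -d)
    fetch_chain "$1" "$work/chain.pem"
    count=$(split_pem_chain "$work/chain.pem" "$work")
    echo "server sent $count certificate(s)"
    [ "$count" -ge 2 ] || { echo "no CA certificate in the chain; obtain it from the CA operator" >&2; exit 1; }
    import_cas "$work" "$store" "$pass"
    echo "trusted entries now in $store: $(keytool -list -keystore "$store" -storepass "$pass" | grep -c trustedCertEntry)"
fi
```

After the import, restart the ALM Octane service so the JVM re-reads the truststore. If the server sends only its own certificate, the script stops and the CA certificate has to be obtained from whoever operates that CA.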
Securing access to DB
- For Oracle:
- Copy the Oracle client wallet file from the Oracle server and place it on the ALM Octane server in a directory accessible to every user (e.g. /tmp/ewallet.p12). The wallet must be readable by the account that runs ALM Octane; keep it read-only for everyone else.
- Specify ConnectionString in setup.xml:
- For SQL Server:
jdbc:mercury:sqlserver://
SSL Offloading
- On Apache:
- Add this line at the end of httpd.conf (it requires mod_headers to be loaded):
RequestHeader set X-Forwarded-Proto https
- Restart Apache
- On F5 Load Balancer:
Create an HTTP profile and use it in the Virtual Server definition.
Configuration steps:
1) Login to F5 LTM GUI
2) Open Local Traffic menu
3) Choose Profiles -> Services -> HTTP
4) Click “Create”
5) Enter new profile’s name
6) Under new profile make sure that Parent Profile is “http” and tick “Custom” on the right hand side.
7) Into “Request Header Erase” insert X-Forwarded-Proto
8) For field “Request Header Insert” enter X-Forwarded-Proto: https
9) Click “Finished” to save profile
10) Go to VIP for SSL traffic (listening on port 443) and add profile created under “HTTP Profile”
(From <http://itlibrary.net/index.php/2015/08/21/how-to-insert-http-header-x-forwarded-proto-for-ssl-traffic-of-f5-ltm/> )
[Screenshot: Defining new HTTP profile]
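As an added example that is not from the HPE article, this is how the RequestHeader line above fits into a complete Apache configuration that terminates TLS and proxies to ALM Octane; the host names, certificate paths and backend address are assumptions, and mod_ssl, mod_headers, mod_proxy and mod_proxy_http must be loaded. Placing RequestHeader set inside the TLS virtual host, rather than at the end of httpd.conf, keeps it from marking plain-HTTP requests as https, and set (not add) overwrites any X-Forwarded-Proto value a client supplies. The backend port 8080 should be reachable only from the proxy host, because a client that can reach it directly can send the header itself. The F5 steps above achieve the same overwrite with Request Header Erase followed by Request Header Insert.

```apache
# Added example (not HPE configuration): TLS offloading in front of ALM Octane.
# Host names, certificate paths and the backend address are placeholders.
<VirtualHost *:443>
    ServerName octane.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/octane.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/octane.example.com.key

    # "set" replaces any X-Forwarded-Proto the client sent; "add" would append a second value.
    RequestHeader set X-Forwarded-Proto https
    ProxyPreserveHost On
    ProxyPass        / http://octane-backend.internal:8080/
    ProxyPassReverse / http://octane-backend.internal:8080/
</VirtualHost>

<VirtualHost *:80>
    ServerName octane.example.com
    # No X-Forwarded-Proto here: plain-HTTP clients are sent to the TLS virtual host.
    Redirect permanent / https://octane.example.com/
</VirtualHost>
```

Check the result with apachectl configtest before restarting Apache, then confirm from a browser that the application builds its own links with https.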