This page summarizes steps to enable full SSL/TLS communication for Introscope in combination with Solution Manager. The steps are mainly organized by the two communication ports opened by the Enterprise Manager:
SSL Communication for Enterprise Managers in a cluster (MoM and Collectors).
Communication between Enterprise Managers in a cluster (collectors and MoM) uses RMI. Introscope does not support SSL for this collector-to-MoM communication, so that traffic stays unencrypted and has to be protected at the network level. In the picture below it is represented by black arrows.
Strictly speaking even more combinations are possible: Agents and Workstations can also use HTTP and HTTPS. These options are not explained here.
Configuration of HTTPS access to the Enterprise Manager is described on a dedicated page.
It may be necessary to explicitly enable TLSv1 on the Enterprise Manager side, since not all components support TLSv1.2. In particular the following components lack TLSv1.2 support:
To enable TLSv1 put the following property into config/IntroscopeEnterpriseManager.properties. TLSv1 and TLSv1.1 are deprecated, so remove them from the list again once all connecting components support TLSv1.2:
introscope.enterprisemanager.protocols.channel2=TLSv1.2,TLSv1.1,TLSv1
1 Under the EM installation directory, open the file IntroscopeEnterpriseManager.properties, located in the folder /config. Most of the properties mentioned below already exist in the file, but are commented out.
2 In this file, edit the property introscope.enterprisemanager.enabled.channels to define which channels are enabled and accept connections for the EM. Each "channel" refers to a set of properties that configure a TCP port for incoming connections.
By default, the 'channel1' is the default RMI port (6001) and the 'channel2' is the SSL RMI port (6443).
It is possible to activate just one channel or both channels like the following:
# SSL channel only
introscope.enterprisemanager.enabled.channels=channel2
# or activate both channels: default and SSL
introscope.enterprisemanager.enabled.channels=channel1,channel2
Recommendation
If you activate only channel2 for SSL and restart the EM, all existing agents, which still connect to the plaintext RMI port of channel1, cannot connect anymore. To avoid this it is recommended to activate both channels temporarily and to remove channel1 later, once all agents are reconfigured for SSL. Keep in mind that as long as channel1 is enabled, agents can still connect unencrypted.
For collectors you must activate both channels.
3 Modify the property introscope.enterprisemanager.workstation.connection.channel to define which channel will be used by the Solution Manager. If you set this property to 'channel2', the port configured for channel2 will be used by agents configured in the future to connect to the Enterprise Manager. The property will look like the following:
# This property is used for Workstations launched via Java Web Start, to set
# the communication port used for communicating with the Enterprise Manager.
introscope.enterprisemanager.workstation.connection.channel=channel2
For Collectors the property introscope.enterprisemanager.workstation.connection.channel must not be changed.
4 Restart the Enterprise Manager so the changes take effect.
5 In the SAP Solution Manager system, access the Infrastructure Preparation under section 'Define CA Introscope'. Here, use the Discover button to reload the EM information.
6 If you have set both channels as active, you should then see two Enterprise Manager entries here for a MoM or standalone EM, one per port.
Collectors should appear only once, with the 'old' port.
7 If you have already performed the steps in section 'Procedure to Enable HTTPS Port for EM WebView', make sure the HTTPS flag is checked for the new EM entry.
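To apply steps 1 to 3 without hand-editing, here is an added example (not SAP's or Broadcom's tooling): a small Python script that rewrites the properties in IntroscopeEnterpriseManager.properties, replacing entries that exist but are commented out and appending the ones that are missing. The sample file content is constructed; the property names are the ones from the procedure above, and the TLSv1.2-only value for introscope.enterprisemanager.protocols.channel2 is my hardened default, with the legacy protocol list from this page available as an option.

```python
"""Patch IntroscopeEnterpriseManager.properties for the SSL RMI channel.

Added example, not SAP's or Broadcom's tooling. Implements steps 1-3 of the
procedure above: a property that already exists (active or commented out
with '#') is rewritten in place, a missing one is appended.
"""
import re

# Constructed sample of a stock config file: the relevant properties are
# present but commented out, as the text describes.
SAMPLE_EM_PROPERTIES = """\
# Introscope Enterprise Manager properties (constructed sample)
introscope.enterprisemanager.enabled.channels=channel1
#introscope.enterprisemanager.workstation.connection.channel=channel1
introscope.enterprisemanager.port.channel1=6001
introscope.enterprisemanager.port.channel2=6443
"""


def set_property(text: str, key: str, value: str) -> str:
    """Return text with key=value set exactly once.

    The first line defining the key, whether active or commented out with
    '#', is rewritten; later duplicates are dropped; an absent key is
    appended at the end of the file.
    """
    pattern = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\s*=")
    out, done = [], False
    for line in text.splitlines():
        if pattern.match(line):
            if not done:
                out.append(f"{key}={value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def get_property(text: str, key: str):
    """Return the active (uncommented) value of key, or None if unset."""
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("#") or "=" not in s:
            continue
        k, v = s.split("=", 1)
        if k.strip() == key:
            return v.strip()
    return None


def configure_ssl_channel(text: str, keep_channel1: bool = True,
                          legacy_tls: bool = False) -> str:
    """Apply the EM-side settings from the procedure above.

    keep_channel1=True is the transitional state recommended in the text
    (both ports open); pass False once every agent uses channel2.
    legacy_tls=True offers TLSv1.1/TLSv1 for components without TLSv1.2
    (the list shown on this page); the default is TLSv1.2 only, which is
    my hardened choice, not a value taken from the page.
    """
    channels = "channel1,channel2" if keep_channel1 else "channel2"
    protocols = "TLSv1.2,TLSv1.1,TLSv1" if legacy_tls else "TLSv1.2"
    text = set_property(text, "introscope.enterprisemanager.enabled.channels", channels)
    text = set_property(text, "introscope.enterprisemanager.workstation.connection.channel", "channel2")
    text = set_property(text, "introscope.enterprisemanager.protocols.channel2", protocols)
    return text


if __name__ == "__main__":
    # Transitional state first; rerun with keep_channel1=False after all
    # agents have been switched to the SSL port.
    print(configure_ssl_channel(SAMPLE_EM_PROPERTIES))
```

Run it once with the default arguments while agents are being migrated, then again with keep_channel1=False to close the plaintext port; the function is idempotent, so rerunning it on an already patched file changes nothing.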
With SAP Solution Manager 7.2, it is possible to adjust the profile templates directly so the newly configured agents use the SSL Socket Factory and Port. You can upload templates for the agent profiles via diagnostics agent administration.
There is one template for wilyhost and one template for each byte code agent version. These templates can be customized on two different scopes: Global or a specific host.
1 In Diagnostics Agent Administration select the tab 'Application Configuration' and navigate through 'com.sap.smd.agent.application.wilyhost / Application Resources / IntroscopeSapAgent.profile.template.'
2 Download the default resource and save it locally as a text file (.txt).
3 Rename the downloaded file to IntroscopeSapAgent.profile.template (replace the underscore with a dot and remove the file extension .txt).
4 Edit the local file and set introscope.agent.enterprisemanager.transport.tcp.socketfactory.DEFAULT=com.wily.isengard.postofficehub.link.net.SSLSocketFactory. Save it again.
5 In agent administration, select the correct scope for the file (Global or specific host). Then browse to the modified file and press Upload.
Here it is important to note that the template for wilyhost is only considered if the setup has not been executed before, i.e. if the resource 'IntroscopeSapAgent.profile' is not yet customized in the relevant scope. To force the use of the newly uploaded template, remove the customizing of 'IntroscopeSapAgent.profile' in the relevant scope (the host for which the configuration has been done in the past). This can be done by accessing the file 'IntroscopeSapAgent.profile' in the same path, selecting the relevant host in the scope and then removing the customized file.
6 In the Managed System Configuration for the relevant hosts, ensure the correct EM entry is selected. This is important to ensure the correct port will be pushed into the agent configuration.
7 Execute the step Introscope Host Adapter in Managed System configuration.
8 If the Wilyhost was active before, a complete restart of the diagnostics agent is needed.
You can check whether the agent connects correctly to the Enterprise Manager in the file 'jvm_smdagent.out' in the work folder of the agent installation. An entry like the following should be present; note the SSL port and the SSLSocketFactory:
[INFO] [IntroscopeAgent.IsengardServerConnectionManager] Connected Agent to the Introscope Enterprise Manager at <HOST>:<SSL PORT 6443>,com.wily.isengard.postofficehub.link.net.SSLSocketFactory. Host = "<HOST>", Process = "SAP HostAgent Process", Agent Name = "SAP HostAgent SMDA98".
1 In Diagnostics Agent Administration select the tab 'Application Configuration' and select the application relevant for your Introscope agent:
2 Under the selected application node select Application Resources and the agent profile, e.g. 'WilyResources/ISAGENT.9.1.5.3-2014-10-22/IntroscopeAgent.profile'
3 Download the default resource and save it locally.
4 Edit the local file and set introscope.agent.enterprisemanager.transport.tcp.socketfactory.DEFAULT=com.wily.isengard.postofficehub.link.net.SSLSocketFactory. Save it again.
5 In agent administration, select the correct scope for the file (Global or specific host). Then browse to the modified file and press Upload.
6 In the Managed System Configuration for the relevant hosts, ensure the correct EM entry is selected. This is important to ensure the correct port will be pushed into the agent configuration.
7 Execute the step 'Byte Code Adapter Installation' in Managed System configuration.
8 Restart the managed system to activate the changes.
By default the initial key stores are used and no additional configuration is needed. This means, however, that certificates are not validated for the SSL communication: the connection is encrypted, but the identity of the peer is not verified.
You can optionally configure the SSL port to allow only trusted agent connections. This is achieved by setting introscope.enterprisemanager.needclientauth.channel2=true. This requires the following:
Edit the following properties in IntroscopeEnterpriseManager.properties. The effect is that all agents not presenting a certificate trusted via the configured truststore are blocked from connecting to the Enterprise Manager.
# The truststore is optional. It is needed only if client authentication is required.
# If no truststore is specified, the EM trusts all client certificates.
introscope.enterprisemanager.truststore.channel2=myTruststore
# To change the existing password, enter the new password and set this property to true.
# Note: If this property is set to true and the password is not changed, the existing encrypted password will be encrypted again.
# If password field for a new channel is configured, add the corresponding
# plaintextpassword field and set it to true to enable encryption.
introscope.enterprisemanager.trustpassword.channel2.plaintextpassword=true
# The password for the truststore
introscope.enterprisemanager.trustpassword.channel2=mySecretPassword
# Set to true to require clients to authenticate.
# If true, clients must be configured with a keystore containing a certificate trusted by the EM.
# Default is false
introscope.enterprisemanager.needclientauth.channel2=true
Procedure to configure a keystore for the RMI communication via SSL on the agent side. Goal: allow only trusted agents to connect. The agent authenticates with a certificate which is configured as trusted in the EM.
Note that there is no automated transfer of the keystore from Solution Manager or Enterprise Manager to the agent host. You have to take care of the transfer yourself and specify a path that is available on the agent side (d:\isagent\emssl2.jks in the example below). The keystore password is stored in plain text in the profile, so restrict read access to both the profile and the keystore file on the agent host.
Edit the following properties in IntroscopeAgent.profile:
introscope.agent.enterprisemanager.transport.tcp.socketfactory.DEFAULT=com.wily.isengard.postofficehub.link.net.SSLSocketFactory
introscope.agent.enterprisemanager.transport.tcp.keystore.DEFAULT=d:\\isagent\\emssl2.jks
introscope.agent.enterprisemanager.transport.tcp.keypassword.DEFAULT=caapm9x
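As an added example (not SAP's or Broadcom's tooling) that covers both the EM client-authentication settings above and the agent keystore settings, the following Python script reads the two files and reports what a reviewer would flag: channel1 still open, legacy protocols on channel2, client authentication off, a truststore missing while client authentication is on, and an agent profile without the SSL socket factory or without a keystore. The property names are the ones from this page; the sample file contents and the finding texts are constructed.

```python
"""Audit IntroscopeEnterpriseManager.properties and IntroscopeAgent.profile
for the hardened state described on this page.

Added example, not SAP's or Broadcom's tooling. Property names come from
the page; sample contents and finding texts are constructed.
"""

SSL_FACTORY = "com.wily.isengard.postofficehub.link.net.SSLSocketFactory"

# Constructed sample: EM switched to SSL but still in the transitional
# state, with the truststore line left commented out.
EM_PROPERTIES = """\
introscope.enterprisemanager.enabled.channels=channel1,channel2
introscope.enterprisemanager.port.channel1=6001
introscope.enterprisemanager.port.channel2=6443
introscope.enterprisemanager.protocols.channel2=TLSv1.2,TLSv1.1,TLSv1
introscope.enterprisemanager.needclientauth.channel2=true
#introscope.enterprisemanager.truststore.channel2=myTruststore
"""

# Constructed sample: the target state after migration.
HARDENED_EM_PROPERTIES = """\
introscope.enterprisemanager.enabled.channels=channel2
introscope.enterprisemanager.port.channel2=6443
introscope.enterprisemanager.protocols.channel2=TLSv1.2
introscope.enterprisemanager.needclientauth.channel2=true
introscope.enterprisemanager.truststore.channel2=myTruststore
introscope.enterprisemanager.trustpassword.channel2=mySecretPassword
"""

# Constructed sample: agent profile edited for SSL, but no keystore yet.
AGENT_PROFILE = """\
introscope.agent.enterprisemanager.transport.tcp.host.DEFAULT=em.example.invalid
introscope.agent.enterprisemanager.transport.tcp.port.DEFAULT=6443
introscope.agent.enterprisemanager.transport.tcp.socketfactory.DEFAULT=com.wily.isengard.postofficehub.link.net.SSLSocketFactory
"""


def parse_properties(text):
    """Minimal Java .properties reader: active key=value lines only."""
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "#!" or "=" not in s:
            continue
        key, value = s.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_em(text):
    """Return a list of findings for the EM properties (empty = hardened)."""
    p = parse_properties(text)
    findings = []
    raw = p.get("introscope.enterprisemanager.enabled.channels")
    channels = [c.strip() for c in raw.split(",")] if raw is not None else []
    if raw is None:
        findings.append("enabled.channels is not set explicitly")
    if "channel1" in channels:
        findings.append("channel1 (plaintext RMI, default port 6001) is still enabled")
    if "channel2" not in channels:
        findings.append("channel2 (SSL RMI) is not enabled")
    protos = [x.strip() for x in p.get("introscope.enterprisemanager.protocols.channel2", "").split(",") if x.strip()]
    weak = [x for x in protos if x in ("TLSv1", "TLSv1.1")]
    if weak:
        findings.append("legacy protocols enabled on channel2: " + ",".join(weak))
    need_auth = p.get("introscope.enterprisemanager.needclientauth.channel2", "false").lower() == "true"
    if not need_auth:
        findings.append("needclientauth.channel2 is false: any agent can connect to the SSL port")
    elif "introscope.enterprisemanager.truststore.channel2" not in p:
        # Per the EM comment on this page: without a truststore the EM
        # trusts all client certificates, so client auth is not enforced.
        findings.append("needclientauth.channel2 is true but no truststore.channel2: all client certificates are trusted")
    return findings


def audit_agent(text, em_requires_client_auth):
    """Return findings for the agent profile, given the EM's client-auth setting."""
    p = parse_properties(text)
    findings = []
    if p.get("introscope.agent.enterprisemanager.transport.tcp.socketfactory.DEFAULT") != SSL_FACTORY:
        findings.append("agent does not use SSLSocketFactory (plaintext RMI)")
    if em_requires_client_auth and "introscope.agent.enterprisemanager.transport.tcp.keystore.DEFAULT" not in p:
        findings.append("EM requires client authentication but agent has no keystore.DEFAULT")
    return findings


if __name__ == "__main__":
    for f in audit_em(EM_PROPERTIES) + audit_agent(AGENT_PROFILE, True):
        print("FINDING:", f)
```

The EM audit is the one to run before channel1 is switched off: an EM that requires client authentication without a truststore, as in the first sample, still accepts every certificate, which is exactly the case the comment in the property block above warns about.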
To get more details on the TLS connection negotiation you can activate the standard Java SSL tracing. For this purpose add the Java VM parameter -Djavax.net.debug like below. The output is very verbose, so remove the parameter again after troubleshooting.
-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
or
-Djavax.net.debug=all
On Windows add a new line to bin\EMService.conf:
wrapper.java.additional.8=-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
.8 is the next free number in the parameter group wrapper.java.additional. Depending on your configuration you may have to choose a different number; the index must not collide with an existing entry, or one of the two options is silently lost.
On Unix change the property lax.nl.java.option.additional in Introscope_Enterprise_Manager.lax.
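An added example (not SAP's or Broadcom's tooling) that automates the "next free number" step for bin\EMService.conf and the corresponding edit of lax.nl.java.option.additional in Introscope_Enterprise_Manager.lax. Both sample files are constructed; the resulting index 8 only reflects that sample, and both functions refuse to add the option a second time.

```python
"""Add a JVM option to the Enterprise Manager launcher configuration.

Added example, not SAP's or Broadcom's tooling. Handles the two files the
text names: EMService.conf (Java Service Wrapper style, one option per
numbered wrapper.java.additional.N key) and Introscope_Enterprise_Manager.lax
(all extra options in the single lax.nl.java.option.additional property).
"""
import re

SSL_DEBUG = "-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager"

# Constructed sample of bin/EMService.conf; numbering is not contiguous on
# purpose, so "next free" has to mean "max + 1", not "count + 1".
EMSERVICE_CONF = """\
# constructed sample of bin/EMService.conf
wrapper.java.command=jre/bin/java
wrapper.java.additional.1=-Xms512m
wrapper.java.additional.2=-Xmx1024m
wrapper.java.additional.7=-Dcom.sun.management.jmxremote
"""

# Constructed sample of Introscope_Enterprise_Manager.lax.
EM_LAX = """\
# constructed sample of Introscope_Enterprise_Manager.lax
lax.nl.java.option.additional=-Xms512m -Xmx1024m
"""

_WRAPPER_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=(.*)$")


def wrapper_index(conf: str, option: str):
    """Return the N under which option is configured, or None."""
    for line in conf.splitlines():
        m = _WRAPPER_RE.match(line)
        if m and m.group(2).strip() == option:
            return int(m.group(1))
    return None


def add_wrapper_option(conf: str, option: str) -> str:
    """Append option as wrapper.java.additional.<next free N>.

    Returns conf unchanged if the option is already configured, so a
    second run never produces a duplicate index.
    """
    if wrapper_index(conf, option) is not None:
        return conf
    max_n = 0
    for line in conf.splitlines():
        m = _WRAPPER_RE.match(line)
        if m:
            max_n = max(max_n, int(m.group(1)))
    return conf.rstrip("\n") + f"\nwrapper.java.additional.{max_n + 1}={option}\n"


def add_lax_option(lax: str, option: str) -> str:
    """Append option to lax.nl.java.option.additional (space separated)."""
    out, found = [], False
    for line in lax.splitlines():
        if line.startswith("lax.nl.java.option.additional="):
            found = True
            opts = line.split("=", 1)[1].split()
            if option not in opts:
                opts.append(option)
            line = "lax.nl.java.option.additional=" + " ".join(opts)
        out.append(line)
    if not found:
        out.append(f"lax.nl.java.option.additional={option}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(add_wrapper_option(EMSERVICE_CONF, SSL_DEBUG))
    print(add_lax_option(EM_LAX, SSL_DEBUG))
```

Removing the option after troubleshooting is the reverse edit: delete the wrapper.java.additional.N line (leaving a gap in the numbering is fine, as the sample shows) or drop the token from lax.nl.java.option.additional.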
Documentation can be found on every Enterprise Manager where the SAP management module package is deployed. Use the link https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/application-performance-management/10-7.html to get to the overview page of all guides.