Configuring the Reporting Server for TLS Authentication

If your AAI system is set up to use HTTPS, the Reporting Server must be configured with HTTPS, too.

As a system administrator, you configure the Reporting Server for TLS authentication using two-way certificate-based authentication over TLS 1.2. This section guides you through the process.


Generate a Self-Signed Key

Note:

If you are using a signed certificate and you have the keystore file, for example, .jks, skip this step and proceed with the next one.

When creating the self-signed key, specify the hostname, FQDN, and IP address in the SAN (Subject Alternative Name) section of the command, and enter the hostname or FQDN when asked for your first and last name:

Linux

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <install dir>/apache-tomcat/conf/key.bin -ext SAN=dns:<hostname>,dns:<FQDN>,ip:192.168.1.38

Windows

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore <install dir>\apache-tomcat\conf\key.bin -ext SAN=dns:<hostname>,dns:<FQDN>,ip:192.168.1.38

Update the Tomcat Configuration.

Specify the HTTPS port that you want to use. If you are on the same server as AAI, make sure you use a different HTTPS port.

In this step, you also have to specify the path to the keystore created in the previous step (located in <install dir>/apache-tomcat/conf/) as well as the password used when creating the keystore.

Linux

Add the corresponding section after the existing <Connector> element in <Install dir>/apache-tomcat/conf/server.xml:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="${HTTPS_PORT}" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="${catalina.base}/conf/key.bin" keystorePass="${PASSWORD_FOR_KEY}" clientAuth="false" sslProtocol="TLS"/>

Windows

Add the corresponding section after the existing <Connector> element in <Install dir>\apache-tomcat\conf\server.xml:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="${HTTPS_PORT}" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="<insight install dir>\apache-tomcat\conf\key.bin" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>

Get and Import the Certificate

Get and import the AAI certificate to the Reporting Server AND Jasperserver Java keystores.

Linux

  1. Get the certificate for the AAI server:

    openssl s_client -connect <AAI hostname:AAI port> | openssl x509 -out jawsserver.cert

  2. Import the certificate into the $JAVA_HOME/jre/lib/security/cacerts keystore:

    keytool -import -alias tomcat -keystore $JAVA_HOME/jre/lib/security/cacerts -file jawsserver.cert

  3. Import the AAI cert file into the Java keystore that is embedded with Jasperserver, which is located in <Insight Install Dir>/java/jre/lib/security/cacerts:

    keytool -import -alias tomcat -keystore <Insight Install Dir>/java/jre/lib/security/cacerts -file jawsserver.cert

Windows

  1. You can get the AAI certificate over to the Reporting Server in a few different ways:

    • Run openssl on a Linux machine to get the public certificate for the AAI server and then copy it over to Windows:

      openssl s_client -connect <AAI hostname:AAI port> | openssl x509 -out jawsserver.cert

    • Use keytool to export the certificate from the keystore of the AAI server using the following command:

      keytool -export -alias jawsserver -file jaws.cer -keystore "<AAI Install Dir>\jboss\standalone\configuration\jaws.keystore"

    • From IE, go to the AAI URL http://<jaws server>:8443/terma and save the keys and then open Internet Options > Content tab > Certificates and select the entry with the AAI server host name. Click Export and follow the wizard to save the certificate.

    • From Chrome, go to the AAI URL http://<jaws server>:8443/terma, click the "Not secure" message to the left of the URL and select Certificates.

      Open the Details tab and select Copy to file. Select the top options and press Next. Select a name and save it. This saves a .cer file by default.

  2. Import the generated/exported certificate to the Java keystore. The default keystore password is 'changeit':

    keytool -import -alias tomcat -keystore %JAVA_HOME%\jre\lib\security\cacerts -file jawsserver.cert

  3. Import the AAI cert file into the Java keystore that is embedded with Jasperserver, which is located in <Insight Install Dir>\java\lib\security\cacerts:

    keytool -import -alias tomcat -keystore <Insight Install Dir>\java\lib\security\cacerts -file jawsserver.cert

Define the AAI URL

Make sure that the correct AAI URL is stored on the Reporting Server.

The server name, port, and protocol for accessing the AAI server from the Reporting Server are set during the Reporting Server installation, in the respective installation parameters.

If, during the installation, you already have defined the protocol HTTPS and the corresponding port, as well as the hostname, FQDN, or IP that matches your certificate, then you only have to check that the configuration is indeed correct. To do so, check the following file on the Reporting Server:

<Insight install dir>/apache-tomcat/webapps/jasperserver-pro/WEB-INF/applicationContext-externalAuth-preAuth-mt.xml

The jawsBaseUrl section of the file must be set to https and the proper HTTPS port must be defined. If that is not the case, make sure you define it correctly.

Note:

The hostname used in this URL definition must be the same that is used when accessing the AAI Web UI to set up the Reporting Server.

Example

<property name="jawsBaseUrl">
    <value>https://<AAI Server>:<https port>/jaws/api/</value>
</property>
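
The check described above can be scripted. The following is an added example, not part of the product documentation: it reads jawsBaseUrl from the file and fails unless the scheme is https and the host and port equal the values you pass in. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the product.

# jaws_base_url <file>: print the <value> of the jawsBaseUrl property.
# The file is flattened first because the element spans several lines.
jaws_base_url() {
  tr -d '\r\n' < "$1" | sed -n \
    's/.*<property name="jawsBaseUrl">[[:space:]]*<value>\([^<]*\)<\/value>.*/\1/p'
}

# check_jaws_url <file> <AAI host as used in the browser> <AAI https port>
check_jaws_url() (
  url=$(jaws_base_url "$1")
  [ -n "$url" ] || { echo "jawsBaseUrl not found in $1" >&2; return 2; }
  case $url in
    https://*) ;;
    *) echo "jawsBaseUrl is not https: $url" >&2; return 1 ;;
  esac
  hostport=${url#https://}
  hostport=${hostport%%/*}
  case $hostport in
    *:*) ;;
    *) echo "jawsBaseUrl has no explicit port: $url" >&2; return 1 ;;
  esac
  # Host names compare case-insensitively, the port must match exactly.
  host=$(printf '%s' "${hostport%:*}" | tr 'A-Z' 'a-z')
  port=${hostport##*:}
  want_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$host" = "$want_host" ] ||
    { echo "host '$host' differs from '$want_host'" >&2; return 1; }
  [ "$port" = "$3" ] ||
    { echo "port '$port' differs from '$3'" >&2; return 1; }
  echo "ok: $url"
)

# Run as: sh check_jaws_url.sh <applicationContext file> <AAI host> <https port>
if [ "$#" -eq 3 ]; then check_jaws_url "$@"; fi
```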

Restart the Reporting Server application.

Linux

First stop the Reporting Server and then start it again:

sudo systemctl stop bi-server

sudo systemctl start bi-server

Windows

You can start and stop the aai-bi-server service using the Start JRS Service and Stop JRS Service desktop icons.

Optionally, you can do so from the Windows Service Manager.

For more information, see Stopping, Starting, Restarting the Reporting Server.

Access Jasperserver Login Page Using HTTPS

Verify that you can access the Jasperserver login page (https://<hostname>:<https port>/jasperserver-pro) using HTTPS.

Use the hostname, FQDN, or IP of the server. The name you use to access the URL has to match the name that you supplied as the SAN (Subject Alternative Names) in your certificate.

The default user and password definition is the following:

  • User: superuser

  • Password: TermaPassword

Note:

After upgrading the Reporting Server, the Jasperserver-pro password for the superuser is reset to the default TermaPassword. If you are not using the default password, make sure you define it again (http(s)://hostname:port/jasperserver-pro/login.html).

Download and Import the Certificate (Only Self-Signed Certificates)

If you are using self-signed certificates, you have to download the certificates used for the AAI Server and the Reporting Server to the machine that you are going to use to access the Web UI and import them into the Trusted Certificates folder.

To download the certificates do the following:

  1. From Chrome, go to https://<aai server>:<port>/terma and https://<Insight server>:<port>/jasperserver-pro.

  2. Click the "Not secure" message to the left of the URL and select Certificates.

  3. Open the Details tab and select Copy to file.

  4. Select the top options and press Next. Select a name and save it.

Then you have to import both certificates into the Windows Trusted Certificates folder.

Note:

If you are able to launch the AAI thick client, you might already have imported the AAI certificate.

To import the certificates, do the following:

  1. Run mmc.exe from the Start menu on the client.

  2. Click File and then click Add/Remove Snap-in.

  3. Choose Certificates from the list then click Add.

  4. In the Certificates snap-in pop-up window, select Computer Account then click Next.

  5. In the Select Computer pop-up window, select Local Computer then click Finish.

  6. Click OK to confirm Certificates (Local Computer) snap-in.

  7. Expand Certificates, expand Trusted Root Certification Authorities.

  8. Right-click Certificates, click All Tasks, and then click Import.

  9. On the Certificate Import Wizard Welcome page, click Next.

  10. Browse to the location of the saved certificate file, select the file and then click Open.

  11. Select Next.

  12. In the Certificate Store, select Place all certificates in the following store and choose Trusted Root Certification Authorities.

  13. Select Next and then Finish.

Make sure you restart all browsers.

Import the Self-Signed Key into the Java Keystore (Only Self-Signed Certificates)

To connect to the Reporting Server from AAI using HTTPS with self-signed certificates, you have to import the self-signed certificate of the Reporting Server to the Java keystore in the AAI server. The default keystore password is 'changeit'.

Get the certificate using the command below from the AAI server:

openssl s_client -connect ${BI_HOSTNAME}:${BI_SSL_PORT} <<<'' | openssl x509 -out bi_server.cert

Linux

$JAVA_HOME/bin/keytool -import -alias bi_key -keystore $JAVA_HOME/jre/lib/security/cacerts -file bi_server.cert
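
Because the certificate fetched with openssl s_client is whatever the network returned, compare it with the Reporting Server's own keystore before importing it. The following added example (not part of the product documentation; helper names are hypothetical) checks the SHA-256 fingerprint against a value read on the Reporting Server, for instance from keytool -list -v on key.bin, and checks that the name used in the URL is listed in the SAN, as required for the login page above.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. Needs OpenSSL 1.1.1+ for -ext.

# Reduce "sha256 Fingerprint=AB:CD:..." (openssl) or "SHA256: AB:CD:..."
# (keytool -list -v) to bare lowercase hex so the two tools compare equal.
normalize_fp() {
  printf '%s' "$1" |
    sed 's/^.*Fingerprint=//; s/^[[:space:]]*SHA-*256:[[:space:]]*//' |
    tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# fp_matches <observed> <expected>: true only for an exact SHA-256 match.
fp_matches() (
  got=$(normalize_fp "$1"); want=$(normalize_fp "$2")
  [ "${#want}" -eq 64 ] && [ "$got" = "$want" ]
)

# san_contains <name|ip>: reads `openssl x509 -noout -ext subjectAltName`
# output on stdin. Whole-entry match, so "reports" does not match
# "reports01"; DNS names are compared case-insensitively.
san_contains() (
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z' |
    grep -Fxq -e "dns:$want" -e "ip address:$want"
)

# check_cert <cert file> <name used in the URL> <expected fingerprint>
check_cert() (
  observed=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
  fp_matches "$observed" "$3" ||
    { echo "fingerprint differs from the expected value" >&2; return 1; }
  openssl x509 -in "$1" -noout -ext subjectAltName | san_contains "$2" ||
    { echo "$2 is not listed in the certificate SAN" >&2; return 1; }
  echo "ok: $1 has the expected fingerprint and covers $2"
)

# Run as: sh check_cert.sh bi_server.cert <BI hostname> <expected fingerprint>
if [ "$#" -eq 3 ]; then check_cert "$@"; fi
```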

Windows

"%JAVA_HOME%\bin\keytool" -import -alias bi_key -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file bi_server.cert

Restart and Configure the Reporting Server

  1. Once all your certificates are in place, restart the AAI server. For more information, see Stopping, Starting, Restarting the AAI Server.

  2. Open AAI from a web browser using the URL that you have defined and define the relevant parameters for the Reporting Server. For more information, see Configuring the Reporting Server.

    Important!

    Make sure you use the same hostname or IP address that is in the URL that you defined before. That should also be the same used during the Reporting Server installation and https port definition.

If all is configured properly, you should be able to go to the home page, create a new view, and see your Web UI reports. See Web UI Reports.
