Post-Installation Configurations for Web Server and Web Console

After the Web Server and Web Console are installed, some configuration is needed before end-users can perform specific operations from the Web Console. Use the following sections to complete your setup.

Adding an Active Directory Domain and Enabling Single Sign On

Note: If you have already configured a domain in the CommCell with single sign-on (SSO), the Tomcat service on the computer where the Web Console is installed must be restarted for SSO to work properly.

To allow Active Directory domain users to access the Web Console, provide the details needed to communicate with the Active Directory service, so that they are stored in the Web Server database for authentication. Adding a new domain controller registers the domain with the Web Server.

Note: By default, the Kerberos protocol is used for single sign-on (SSO). If you use the NT LAN Manager (NTLM) authentication protocol, update the SecurityProtocol property in the config.properties file. For instructions on updating the config.properties file, see Single Sign-On with the NTLM Authentication Protocol.

  1. Obtain the domain name and fully qualified domain name of the Active Directory server.
  2. Ensure that LDAP is configured on the Active Directory (AD) server:
    1. From the AD Server, select Start > Run.
    2. In the Run dialog box, type ldp and click OK.
    3. From the Connections menu, click Connect.
    4. In the Connect dialog box, enter information about the server:
      • In the Server box, type the name of the external domain server, for example, computer.domain.com.
      • In the Port box, type 636 as the port number for the external domain server.
      • Select the SSL check box so that the connection uses LDAPS and the server's certificate is validated.
      • Click OK.

      When LDAP is properly configured, the external domain server details are displayed in the LDP window. Otherwise, an error message indicates that a connection cannot be made. A successful connection on port 636 with SSL selected also confirms that the domain controller presents a certificate your server trusts, which is what protects the credentials exchanged during authentication.

  3. From the CommCell Browser, go to Security.
  4. Right-click Name Servers > Add new domain > Active Directory.
  5. In the Add New Domain Controller dialog box, enter the information about the domain controller:
    1. In the NetBIOS Name box, enter the domain name, for example, mydomain.
    2. In the Domain Name box, enter the Fully Qualified Domain Name (FQDN), for example, mydomain.mycompany.com.
    3. To allow users to automatically log on to the CommCell Console and Web Console, select the Enable SSO check box.
    4. Next to the User Account box, click Edit.
    5. In the Enter User Account Information dialog box, enter the user account information.

      The user account must have at least read access to the domain. Use a dedicated account with only that access, not a domain administrator account: its credentials are stored for later use by the Web Server.

  6. Click OK.
  7. Restart the Tomcat service on the computer where the Web Console is installed.

    For instructions on restarting the Tomcat service, see Restarting a Service.
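The ldp.exe check in step 2 can also be scripted. The following Python script is an added example written for this page, not part of the product or its documentation: it opens a TLS connection to the domain controller on port 636, lets the standard library verify the certificate chain and host name (the condition the SSL check box surfaces), and summarizes the certificate so its expiry can be tracked. The sample certificate dictionary and host name are constructed for illustration; pass a PEM bundle containing your enterprise root CA if it is not in the system trust store.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert(), so the
# summary function can be exercised without a domain controller.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "dc01.mydomain.mycompany.com"),),),
    "subjectAltName": (("DNS", "dc01.mydomain.mycompany.com"), ("DNS", "mydomain.mycompany.com")),
    "notAfter": "Jan  5 09:34:43 2018 GMT",
}


def summarize_peer_cert(cert, now=None):
    """Summarize a getpeercert() dict: CN, DNS SANs, expiry date and days remaining."""
    now = now or datetime.now(timezone.utc)
    subject = {key: value for rdn in cert.get("subject", ()) for key, value in rdn}
    dns_names = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "common_name": subject.get("commonName"),
        "dns_names": dns_names,
        "not_after": not_after.isoformat(),
        "days_left": (not_after - now).days,
        "expired": not_after <= now,
    }


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Connect to the domain controller over LDAPS with chain and host-name verification.

    Raises ssl.SSLCertVerificationError if the certificate is not trusted or does not
    match `host`, i.e. the case ldp.exe reports as a failed connection. `cafile` is a
    PEM bundle holding the enterprise root CA when it is not in the system store.
    """
    context = ssl.create_default_context(cafile=cafile)  # verifies chain and host name
    context.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse legacy protocol versions
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            summary = summarize_peer_cert(tls.getpeercert())
            summary["protocol"] = tls.version()
            return summary


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python check_ldaps.py dc01.mydomain.mycompany.com [enterprise-root.pem]
        print(check_ldaps(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        print(summarize_peer_cert(SAMPLE_PEER_CERT))
```

Run it against each domain controller before adding the domain; a verification error here means SSO logons would also be negotiating against a certificate the Web Server does not trust.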

Single Sign-On with the NTLM Authentication Protocol

To use single sign-on (SSO) with the NT LAN Manager (NTLM) authentication protocol, make the following change to the config.properties file. Kerberos is the default and the stronger protocol; switch to NTLM only for clients that cannot authenticate with Kerberos.

  1. On the Web Console computer, go to the software_installation_directory\WebConsole\WEB-INF\classes directory.
  2. Open the config.properties file, and locate the SecurityProtocol property.
  3. Change the property to 2 for NTLM.

Firewall Configurations

Connecting CommServe and Web Server

If a firewall is placed between the Web Server and the CommServe database, both the database and the firewall must be configured to allow traffic from the Web Server to the CommServe database.

  1. Set static listener ports on the SQL Server instance of the CommServe database. Consult Microsoft TechNet article "Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager)" for more information.

    Although you could query the SQL Server for the ports it currently uses and allow those, a restart of the SQL Server instance can assign different (dynamic) ports and break the connection. Set static ports instead.

  2. Depending on the firewall used, configure it to pass traffic from the Web Server to the CommServe database on the static listener port. Scope the rule to the Web Server's address and that port rather than opening the port to all hosts.
    • If it is a Windows Firewall, consult Microsoft's TechNet article "Configure the Windows Firewall to Allow SQL Server Access".
    • If it is a hardware-based firewall device, consult its manufacturer's documentation.
    • If using third-party port mappings (TPPM) to route traffic, see Configuring Third-Party Connections Using the Firewall Configuration File. When configuring TPPM, do the following:
      1. Use the configured static listener ports for the incoming and outgoing TPPM ports in the firewall configuration file.
      2. On the Web Server host, open the ODBC Data Source Administrator and modify the CommServe data source so that it connects to the local end of the tunnel: use 127.0.0.1\Commvault as the server name and the [Local port] value from the outgoing tppm= entry in the firewall configuration file as the port (SQL Server connection strings take the form server\instance,port). Consult Microsoft documentation for configuring ODBC data sources.

Connecting Web Console and Web Server

If a firewall is placed between the Web Server and Web Console computer, see Configuring Access to the Web Server.

Changing the HTTP Ports for IIS and Tomcat

If you need to change the HTTP port numbers used by IIS and/or Tomcat, use the following steps:

For IIS

  1. Open the Internet Information Services (IIS) Manager.
  2. In the Connections pane, navigate to the Sites node. You may see more than one site, for example, Consoles and Default Web Site.
  3. Click the site node. Its options are displayed in the Actions pane on the right.
  4. In the Actions pane, click Bindings....
  5. In the Site Bindings dialog box, select the http port type and then click Edit.
  6. In the Edit Site Binding dialog box, change the port number in the Port: box and then click OK.
  7. Click Close.

For Tomcat

  1. Navigate to the <Software Installation Path>/Apache/Conf folder and open the server.xml file with an editor.
  2. In the server.xml file, locate the <Connector> element, and change the port number specified in the port attribute.
  3. Save and close the XML file.

Configuring Secured Access for the Web Console

Use the following sections to configure the Web Console so that it is accessed over HTTPS instead of HTTP.

Install Java with All Updates

On the Web Console computer, perform the following steps:

  1. Stop the Tomcat services.
  2. Download and install the latest version of Java supported by the product. Java 7 Update 17 (JRE 1.7.0_17) is the minimum; Java 7 no longer receives public security updates, so do not stay at the minimum.
  3. From the command prompt window, execute the following command to verify that Java is installed correctly on the computer: 

    java -version

    If the version reported is lower than Java 7 Update 17 (JRE 1.7.0_17), install the latest version of Java before continuing.

  4. Start the Tomcat services.
  5. If the Tomcat services fail to start, manually point the JVM to the Tomcat services using the following steps. Otherwise, skip this step and proceed to the next section.
    1. Open the command prompt window and navigate to <software installation path>\Apache\bin folder and execute the following command:

      tomcat6w.exe //ES//GxTomcatInstance001

      where Instance001 is the instance installed on the computer.

    2. In the Tomcat services Instance properties dialog box, click the Java tab, and clear the Use default check box.
    3. Type the path to the Java Virtual Machine. For example: C:\Program Files\Java\jre7\bin\server\jvm.dll

    Make sure the bin folder under the JRE installation is on the PATH environment variable. For example, if Java is installed in C:\Program Files\Java\jre7, PATH must include C:\Program Files\Java\jre7\bin.

Configure SSL on the Tomcat Server

You can configure SSL on the Tomcat server for the Web Console. As the first step, you need to create a certificate before configuring Tomcat with SSL.

Creating a Certificate

You can create a certificate signed by your own private key (self signed certificate) or by a Certificate Authority (CA).

Note:

  • If you are configuring SSL on the Tomcat Server for Web Console on a CommServe computer where Private Metrics Reporting Server is installed, then you must create a certificate signed by the CA. If you use a self-signed certificate, data will not upload to the Private Metrics Reporting Server.
  • If you have an expired certificate, you can create or import a new certificate and configure SSL on the Tomcat Server.

Use one of the following sections to generate the keystore needed to create the certificate. If you already have a CA-signed certificate, see Import the Signed Certificates Issued by the Certificate Authority.

  • Generate a Keystore for a Self-Signed Certificate

    The following command creates the mykeystore.jks file containing a private key and a self-signed certificate. Note: Because no trusted CA vouches for a self-signed certificate, browsers warn visitors that it is not safe to proceed. The connection is encrypted, but clients cannot tell your server from an impostor presenting its own self-signed certificate unless you distribute yours to them through a trusted channel.

    1. From the command prompt, navigate to the directory where the keytool.exe is located (for example, C:\Program Files\Java\java_version\bin).
    2. Run the following command:

      keytool -genkey -keyalg RSA -alias selfsigned -keystore "C:\mykeystore.jks" -validity 360 -keysize 2048

      where validity is the number of days before the certificate expires.

    3. During the creation of the keystore, you are prompted for two passwords: the keystore password at the beginning of the process and the certificate (key) password at the end. Both must be the same; when the command prompts you for the certificate password, press Enter to reuse the keystore password.
    4. Continue with the steps to configure the Tomcat server for SSL described in Configuring the SSL connector for Tomcat.
  • Generate a Keystore for a Certificate Signed by the CA

    This command creates the mykeystore.jks file containing the key pair whose certificate will be submitted to the CA for signing.

    During the command execution, you are prompted for information about your organization. Provide the following parameters:

    • Alias: The name Tomcat uses to reference the key pair when importing or installing the certificate. It can be any simple name used for cross-reference. After the CA has signed the certificate and returned it, you must use the same alias to import it, as explained later.
    • Password: The keystore password. Use a strong password. The same password is later written to server.xml as keystorePass, so protect that file.
    • First and Last name: The fully qualified domain name of the site that will run over HTTPS, such as someName.somecompany.com. For a wildcard certificate, specify *.someportal.com. This value becomes the certificate's Common Name (CN). If it does not match the host name at the start of the web site URL for which you are requesting the certificate, the browser treats the site as untrusted and shows an error or warning such as:

    The security certificate presented by this website was issued for a different website's address.

    Current browsers match the host name against the certificate's Subject Alternative Name (SAN) rather than the CN, so make sure the CA also includes the host name as a SAN entry (keytool's -ext option can add it to the request).
    • Organizational Unit (Optional): If applicable, the DBA (Doing Business As) name.
    • Organization Name: The full legal name of your organization. The organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, enter the certificate requestor's name.
    • City / Locality: The name of the city (without abbreviation) in which your organization is located.
    • State / Province: The name of the state or province (without abbreviation) in which your organization is located.
    • Country Code: The two-letter ISO country code of the country where your organization is legally registered.
    1. From the command prompt, navigate to the directory where the keytool.exe is located (for example, C:\Program Files\Java\java_version\bin).
    2. Run the following command:

      keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\mykeystore.jks"

    3. Use the following steps to request the Certificate Authority (CA) to sign the certificate:
      1. Generate CSR (Certificate Signing Request)

        keytool -certreq -keyalg RSA -alias tomcat -file C:\somename.csr -keystore C:\mykeystore.jks

        Parameter Description
        Alias The same alias name used for generating the keystore.
        File The path to the file for CSR creation.
        Keystore The path to the keystore that was recently created.

        You do not need to change the following parameters: -certreq -keyalg RSA.

      2. Upload the Certificate Signing Request to the CA website, indicate the type of Tomcat server and submit for signing.
    4. Continue with the steps to import the signed certificate described in Import the Signed Certificates Issued by the Certificate Authority.
  • Import the Signed Certificates Issued by the Certificate Authority

    This procedure may vary based on the CA who signed your certificate. Follow the guidelines provided by your CA.

    1. Download and install the Root, Intermediate and Issued Server certificates:

      Root Certificate

      keytool -import -alias root -keystore C:\mykeystore.jks -trustcacerts -file C:\valicert_class2_root.crt

      Intermediate Certificate

      keytool -import -alias intermed -keystore C:\mykeystore.jks -trustcacerts -file C:\gd_intermediate.crt

      Issued Server/Domain Certificate

      keytool -import -alias tomcat -keystore C:\mykeystore.jks -trustcacerts -file C:\server_certificate_whatevername.crt

    2. Continue with the steps to configure the Tomcat server for SSL described in Configuring the SSL connector for Tomcat.

Configuring the SSL Connector for Tomcat

  1. Stop the Tomcat Server.
  2. Backup the server.xml that is part of the Apache configuration in the software_installation_path/Apache/Conf folder.
  3. Set the SSLEngine attribute to "off" on the Listener element whose className is org.apache.catalina.core.AprLifecycleListener. You can also remove or comment out the element entirely, if your CA recommends it.

    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

  4. Copy the generated keystore file to software_installation_path/Apache.
  5. In the server.xml file, add a second connector port.

    By default, the following connector is defined:

    <Connector protocol="HTTP/1.1" connectionTimeout="600000" redirectPort="443" URIEncoding="UTF-8" maxPostSize="40960000" maxHttpHeaderSize="1024000" maxThreads="2500" enableLookups="true" port="80" />

    Add a second connector as shown below:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" connectionTimeout="600000" URIEncoding="UTF-8" maxPostSize="40960000" maxHttpHeaderSize="1024000" maxThreads="2500" enableLookups="true" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="software_installation_path/Apache/your_file" keystorePass="<password>" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>

    where:

    • port is the same port number specified in the redirectPort attribute of the default connector. Make sure the port is not used by any other program on the server.
    • keystoreFile is the path to your keystore file (.jks) or your certificate file (.pfx).
    • keystorePass is the password that you used to create the keystore or certificate. It is stored in clear text in server.xml, so restrict read access to that file to administrators and the account that runs the Tomcat service.
    • sslEnabledProtocols lists the protocol versions the connector accepts. TLS 1.0 and TLS 1.1 are deprecated; unless you must support legacy clients, remove them and keep TLSv1.2 (add TLSv1.3 if the installed JRE supports it).
    • clientAuth="false" means the server does not request a TLS client certificate; users still authenticate to the Web Console itself.
    • Note: If you are using a .pfx file, you must add the keystoreType="PKCS12" attribute to the <Connector> element.
  6. If you want all users to use a secured channel, update the config.properties file:
    1. On the Web Console computer, go to the software_installation_path\WebConsole\WEB-INF\classes directory.
    2. Open the config.properties file.
    3. Add the following comment and parameter:

      ## Force HTTPS - To force users to use https instead of http. Http pages get redirected to https.
      forceHttps=true

    4. Save the config.properties file.
  7. Update the URL for the link to the Web Console. For more information, see Linking to the Web Console from the CommCell Console.
  8. Start the Tomcat Server and access the resource on your server using HTTPS.

    For instructions on restarting the Tomcat service, see Restarting a Service.
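Before starting Tomcat, it is worth checking server.xml for the mistakes this procedure invites. The following Python script is an added example for this page, not the product's own tooling: it parses the Apache/Conf/server.xml described above and flags an APR listener whose SSLEngine is not off, HTTPS connectors that still accept TLS 1.0 or 1.1, a redirectPort that no HTTPS connector listens on, a .pfx keystore without keystoreType="PKCS12", and a clear-text keystorePass. SAMPLE_SERVER_XML is a constructed document built from the two connectors shown above; the script name in the usage comment is an assumption.

```python
import sys
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the APR listener and the two connectors from the procedure
# above, wrapped in a minimal <Server>/<Service> so the document parses.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector protocol="HTTP/1.1" connectionTimeout="600000" redirectPort="443"
               URIEncoding="UTF-8" enableLookups="true" port="80" />
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               keystoreFile="software_installation_path/Apache/mykeystore.jks"
               keystorePass="changeit" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </Service>
</Server>
"""


def audit_server_xml(xml_text):
    """Return a list of (severity, message) findings for a server.xml document."""
    root = ET.fromstring(xml_text)
    findings = []

    # Step 3 of the procedure: the APR listener must have SSLEngine="off".
    for listener in root.iter("Listener"):
        if listener.get("className") == "org.apache.catalina.core.AprLifecycleListener":
            if listener.get("SSLEngine", "on").lower() != "off":
                findings.append(("high", 'AprLifecycleListener SSLEngine is not off; the procedure requires SSLEngine="off"'))

    connectors = list(root.iter("Connector"))
    https_ports = set()
    for c in connectors:
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port = c.get("port")
        https_ports.add(port)
        protocols = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()}
        legacy = sorted(protocols & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(("high", f"HTTPS connector on port {port} accepts deprecated protocols: {', '.join(legacy)}"))
        elif not protocols:
            findings.append(("medium", f"HTTPS connector on port {port} does not set sslEnabledProtocols, so the JVM default applies"))
        if c.get("keystorePass"):
            findings.append(("medium", f"HTTPS connector on port {port} stores keystorePass in clear text; restrict read access to server.xml"))
        if c.get("keystoreFile", "").lower().endswith(".pfx") and c.get("keystoreType", "").upper() != "PKCS12":
            findings.append(("high", f'HTTPS connector on port {port} uses a .pfx keystore without keystoreType="PKCS12"'))

    # Step 5: the HTTP connector's redirectPort must be a port an HTTPS connector listens on.
    for c in connectors:
        if c.get("SSLEnabled", "false").lower() != "true":
            redirect = c.get("redirectPort")
            if redirect and redirect not in https_ports:
                findings.append(("high", f"HTTP connector on port {c.get('port')} redirects to port {redirect}, but no HTTPS connector listens there"))
    return findings


if __name__ == "__main__":
    # usage: python audit_server_xml.py "<software_installation_path>/Apache/Conf/server.xml"
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for severity, message in audit_server_xml(text):
        print(f"[{severity}] {message}")
```

Run without arguments it audits the constructed sample, which reproduces the page's connector and therefore reports the TLS 1.0/1.1 and clear-text password findings; point it at the real file after each edit to server.xml.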

Viewing the Web Console in an iFrame

To view the Web Console in an iFrame, update the config.properties file as described in the procedure below. Once it is updated, embed the console using the following example as a guide:

Note: Setting disableSameOrigin=true lets pages served from other origins frame the Web Console, which removes the protection against clickjacking that refusing to be framed provides. Enable it only when you need to embed the console, and only where you control the pages that embed it.

<iframe src="http://hostname:port/webconsole/applications" height="90%" width="90%" id="webConsoleIFrame"></iframe>

where:

  • hostname is the hostname of the computer where the Web Console is installed
  • id must be webConsoleIFrame

Procedure

  1. On the Web Console computer, go to the software_installation_path\WebConsole\WEB-INF\classes directory.
  2. Open the config.properties file.
  3. Add the following comment and parameters:

    disableSameOrigin=true
    #The following property hides the header and footer.
    bareFrameMode=true

  4. Save the config.properties file.
  5. Restart the Tomcat services on the Web Console machine.

    For instructions on restarting the Tomcat service, see Restarting a Service.
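Three of the config.properties settings on this page change the console's security posture: SecurityProtocol (Kerberos or NTLM for SSO), forceHttps, and disableSameOrigin. The following Python script is an added example for this page, not part of the product: it parses a Java-style properties file and reports those settings. SAMPLE_PROPERTIES is a constructed file that combines the edits described above; point audit_file() at the real software_installation_path\WebConsole\WEB-INF\classes\config.properties.

```python
import re
import sys
from pathlib import Path

# Constructed sample of config.properties after the edits described on this page:
# NTLM selected for SSO, HTTPS not forced, and the iFrame settings enabled.
SAMPLE_PROPERTIES = """\
# Web Console settings (constructed example)
SecurityProtocol=2
## Force HTTPS - To force users to use https instead of http. Http pages get redirected to https.
forceHttps=false
disableSameOrigin=true
#The following property hides the header and footer.
bareFrameMode=true
"""

# key, optional '=' or ':' separator, value (Java properties also allow whitespace as separator)
_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse Java-style key=value (or key:value) lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit_properties(props):
    """Return (severity, message) findings for the settings this page discusses."""
    findings = []
    if props.get("SecurityProtocol") == "2":
        findings.append(("medium", "SecurityProtocol=2 selects NTLM for SSO; Kerberos, the default, is the stronger protocol"))
    if props.get("forceHttps", "false").lower() != "true":
        findings.append(("high", "forceHttps is not true, so users can still reach the Web Console over plain HTTP"))
    if props.get("disableSameOrigin", "false").lower() == "true":
        findings.append(("high", "disableSameOrigin=true lets other origins frame the Web Console (clickjacking exposure); keep it false unless embedding is required"))
    return findings


def audit_file(path):
    """Audit a config.properties file on disk."""
    return audit_properties(parse_properties(Path(path).read_text(encoding="utf-8")))


if __name__ == "__main__":
    # usage: python audit_config_properties.py "<path>\WebConsole\WEB-INF\classes\config.properties"
    findings = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_properties(parse_properties(SAMPLE_PROPERTIES))
    for severity, message in findings:
        print(f"[{severity}] {message}")
```

Because the iFrame and NTLM procedures each require a Tomcat restart, run this check before restarting so that a setting left over from testing (for example disableSameOrigin=true) does not stay in production.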