embed link in webpage running over https

Hi All,
 
I have the following question. Do I need to make special provisions in order to embed a (report)link that is running over https? So not Ihub necessarily needs to run over htts (unless it is mandatory to eable the link) but the site that is running the webpage with the embedded report is running over https.
 
If I need to change settings in the Ihub configuraion in order to achieve this, is there some documentation?
 
For now my embedded reports are not working via a https website.
 
Thanks in advance,
 
Michel

Find more posts tagged with

Comments

bjenkins

Hello Michel,
 
HTTPS traffic is handled by port 8701 in the iHub's embedded Apache Tomcat. 
 
The HTTPS connector is defined in VISUALIZATION_HOME/etc/acpmdconfig.xml. Open this file in a text editor and search for "8701". You'll see a connector configuration for the HTTPS connector. The connector will accept any standard Tomcat parameters (found here: <a data-ipb='nomediaparse' href='https://tomcat.apache.org/tomcat-7.0-doc/config/http.html).'>https://tomcat.apache.org/tomcat-7.0-doc/config/http.html).</a>
 
We would expect that you should be able to visit <a data-ipb='nomediaparse' href='https://hostname:8701/iportal'>https://hostname:8701/iportal</a>. When loading the page, the browser will display a warning that the connection is untrusted. This is because Actuate includes a self-signed key in the installation package. You will need to deploy your own key, as you would with any application using secure sockets. 
 
However, you mentioned that embedded reports are not working via HTTPS, so there may be other factors at play here. What happens when you try to visit <a data-ipb='nomediaparse' href='https://hostname:8701/iportal?'>https://hostname:8701/iportal?</a>

zynapzyz

Hi Bruce,
 
tnx for the answer. When I visit the url mentioned the following happens
 
- I am rerouted to <a data-ipb='nomediaparse' href='http://myipadres:8700/iportal/dashboard/jsp/myfiles.jsp?__vp=Default Volume&volume=Default Volume '>http://myipadres:8700/iportal/dashboard/jsp/myfiles.jsp?__vp=Default Volume&volume=Default Volume </a>
- a file is downloaded to my downloads folder (iportal)
 
I Forgot to mention in my first message that I first searched for documentation and found this link: <a data-ipb='nomediaparse' href='http://developer.actuate.com/be/documentation/ihub3-dev/sag/index.html#page/admin/security.06.3.html'>http://developer.actuate.com/be/documentation/ihub3-dev/sag/index.html#page/admin/security.06.3.html</a>
 
I changed the web.xml and restarted. I am changing back to the default to see if that makes a difference. 
 
Thanks,
 
Michel

zynapzyz

fyi : I changed the web.xml to the default one, restarted but same result as posted in my previous post

zynapzyz

Hi Bruce,
 
sorry. forgot the https. It's working now.
 
tnx a lot,
 
Michel
 
please let me know what info you want regarding the problematic installation on the VPS

zynapzyz

Hi Bruce,
 
It works in a browser that also has the <a class="bbc_url" href="https://hostname:8701/iportal?" title="External link">https://hostname:8701/iportal?</a> opened. I was able to login on the <a data-ipb='nomediaparse' href='https://hostname:8701'>https://hostname:8701</a>etc> and run the report. Then I placed the link in the webpage opened in the same browser. Now i can see the report. Howerevr on other machies and in another browser it does not work. 
 
any suggestions?
 
regards,
 
Michel

bjenkins

Hello Michel, 
 
Please provide more detail. You mentioned that "it does not work". What isn't working? What message appears in the browser? 
 
Thanks!

zynapzyz

Hi Bruce,
 
There is no message in the browser. The page itself loads (its a worpress page) but the embedded report does not show. Via charles (Charles is an HTTP proxy / HTTP monitor) I see the following messages:
 
 

Host

<a data-ipb='nomediaparse' href='https://85.25.148.193:8701'>https://85.25.148.193:8701</a>

Path

/

Notes

SSL Proxying not enabled for this host: enable in Proxy Settings, SSL locations

Requests

2

Completed

0

Incomplete

2

Failed

0

Timing

Start

6/9/15 10:05:41 PM

End

6/9/15 10:06:41 PM

Duration

60.43 sec

Requests / sec

0.00

Durations

0 ms

Latency

0 ms

Speed

-

Request Speed

-

Response Speed

-

Size

Requests

1.48 KB

Responses

29.40 KB

Combined

30.88 KB

Compression

-
 

1

<a data-ipb='nomediaparse' href='https://85.25.148.193:8701'>https://85.25.148.193:8701</a>

85.25.148.193:8701

-1

0 B

137 B

133ms

2

<a data-ipb='nomediaparse' href='https://85.25.148.193:8701'>https://85.25.148.193:8701</a>

85.25.148.193:8701

-1

0 B

29.27 KB

60.4s

Total

0 B

29.40 KB

60.5s

Grand Total

29.40 KB

Duration

60.4s
 
 
regards,
 
Michel

zynapzyz

Hi Bruce,
 
I am new to the whole server ssl setup so my appologies for asking dumb questions.
 
So I learned that both servers (the one that runs the website with the script and the server that runs ihub) need a valid commercial ssl certificate to be able to run the link script. My question is if the documentation on how to install the certificate for Ihub 3 (<a data-ipb='nomediaparse' href='http://developer.actuate.com/be/documentation/ManualsIHUB3/system-admin-guide.pdf'>http://developer.actuate.com/be/documentation/ManualsIHUB3/system-admin-guide.pdf</a>) is also valid for iHub FTYpe. So can I just follow these steps or does it work differently for FType? 
 
If I am correct I order a certificate for a domain that is running on the server that runs Ihub (currently there is no domain cause I only use the server for Ihub, so I will need to setup a domain?). After that I follow the steps in the manual to install the certificate for Ihub. After that it is possible to embed the javascript link to embed reports in webpages so that everybody can run those reports?
 
kind regards,
 
Michel

bjenkins

Hello Michel, 
 
These aren't dumb questions - in fact, they are excellent questions!
 
1. It is possible to embed the JS link to the report in a webpage so that your users can run/view reports.
 
2. While the general information about SSL in the System Administration guide is correct, I think you'll find the following steps from our eSupport Knowledge Base a bit more enlightening. Let me know if you have questions:
 
Problem/Description:
Starting in iHub 3 the embedded Tomcat implementation has a default HTTPS listener on port 8701. This is defined in a connector in the file at [iHub_Home]/etc/acpmdconfig.xml. This port is not production ready due to two issues with the certificate.
<ol><li>The certificate is self-signed, so most browsers do not trust it.</li>
<li>The certificate is not be configured to whatever host/domain combination is used to access Tomcat on port 8701, so most browsers will present a machine name conflict warning.</li>
</ol>How can this certificate be changed to one that users' browsers will trust?
 
Solution:
The certificate that Tomcat uses for the HTTPS listener is located in a keystore entry that is defined in the file at [iHub_Home]/shared/config/acserverconfig.xml. The relevant settings are "KeyAlias" (which specifies the appropriate alias in the keystore contains the certificate and key), "KeystoreFile" (which is the keystore file that contains the certificate and key), and KeystorePass (which is a hash of the keystore password). It is also important that the "iHubWebURL" property points to the same domain and/or host name that is specified in the new certificate. 

<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> <System 
 KeyAlias="birtihub" 
 ClusterID="74f0e69e-c3ba-4440-8a12-6904c9ced508" 
 SystemName="myihubserver" 
 iHubWebURL="<a data-ipb='nomediaparse' href='https://localhost:8701'>https://localhost:8701"</a> 
 EventLagTime="60" 
 KeystoreFile="$AC_CONFIG_HOME$/credentials/birtihub.jks" 
 KeystorePass="!1!MYcX5DOQRgWtLiN/GHmlLSLNFAb1uqjCgwfQXsB4L0p!" 
 AdminPassword="8f11d2043f9512b562d3407b95c4175a2cf83d8776fd6fd41897cb7e2b377bca" 
 DefaultLocale="default" 
 DefaultEncoding="windows-1252" 
 ArchiveServiceCmd="" 
 ConfigFileVersion="24" 
 EncyclopediaOwnerID="6085706d-666d-4a02-ad07-757dc2b55737" 
 SystemDefaultVolume="Default Volume" 
 EventPollingDuration="300" 
 EventPollingInterval="5" 
 ClusterDatabaseSchema="ac_cluster" 
 CustomEventServicePort="8700" 
 DefaultCLocaleOnWindows="true" 
 EnableCustomEventService="True" 
 EncyclopediaVolumeServer="myihubserver" 
 CustomEventServiceIPAddress="localhost" 
 MaxUserProprtiesCacheEntries="10000" 
 CustomEventServiceContextString="/acevent/servlet/AxisServlet" 
 CustomEventServiceConnectionTimeout="300"> 
 <UsageAndErrorLogging/> 
 <SMTPServers/> 
 </System></div>
Due to this configuration, the end goal is to have the new certificate and its associated private key in a keystore that is referenced in the settings above. In the below steps we will assume that you want to add your certificate to the keystore that already exists for the product, but it is possible to create a new keystore and use this instead. Before setting up the certificate and key please make sure you have the openssl and keytool commands available to you. The openssl command should be available if OpenSSL has been installed on the machine. The keytool command should be in a location like the following. 

<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;">iHub/modules/JDK64/bin/keytool</div>
Once you have the proper tools available on the machine the next priority will be to gather the certificate and key from the certificate authority and to get it into a state where they can be inserted into the keystore. The following are the initial steps to get the files into that state. 

<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;">A. (Optional if the certificate and key were provided in a PKCS12 keystore) If the key was provided in a PFX file format extract the certificate and key and send the output to a CRT and a KEY file. 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">openssl pkcs12 -in mykeystore.pfx -nocerts -out mykey.key -nodes 
openssl pkcs12 -in mykeystore.pfx -nokeys -out mycert.pem</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
B. If you have a passphrase defined for your key use openssl to remove the passphrase. 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">openssl rsa -in mykey.key -out mykey_nopass.key</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
C. If you received the certificate as a CRT file, convert the certificate file to a PEM file. 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">openssl x509 -in mycertificatefile.crt -out mycert.pem</div>
Alternatively to the steps above, if you want to create your own self-signed key and certificate you can follow the steps below to get a certificate and key. 

<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;">A. Create a new CA certificate i.e. pretend to be a GoDaddy/Versign/Symantec/etc 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">openssl req -x509 -nodes -days 1500 -newkey rsa:2048 -keyout testca.key -out testca.crt</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
B. Create a new customer CSR, new private key first, then csr 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">openssl genrsa -out mykey.key 2048 
openssl req -new -key mykey.key -out testreq.csr</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
C. Sign the CSR request. 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">openssl ca -in testereq.csr -out mycert.crt -keyfile testca.key -cert testca.crt</div>
Whichever of the two paths you took above you should now have a mycert.crt file and a mykey.key (or mykey_nopass.key). The following are the steps to add this certificate and key to the appropriate keystore. 

<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;">1. Move all of the certificate and key files to [iHub_Home]/shared/config/credentials, then navigate to that directory. 
2. Convert the certificate to PEM. 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">openssl x509 -in mycert.crt -out mycert.pem</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
3. Combine the private key with new certificate. If you are using mykey_nopass.key replace mykey.key below with that. 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">Windows: type mykey.key mycert.pem > certkey.pem Unix/Linux: cat mykey.key mycert.pem > certkey.pem</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
4. Convert the combined certificate and key file to PKCS12 format. Be sure to type "birtihub" as the new password when prompted. 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">openssl pkcs12 -export -in certkey.pem -out certkey.p12</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
5. Insert the contents of the p12 file into the keystore (the password is "birtihub" in both cases). 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">keytool -importkeystore -srckeystore certkey.p12 -srcstoretype PKCS12 -keystore birtihub.jks</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
6. Verify that the new certificate and key is in birtihub.jks. You should see an alias named "1" in the listing. It must be "PrivateKeyEntry." 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">keytool -list -keystore birtihub.jks 
1, Aug 12, 2014, PrivateKeyEntry, 
Certificate fingerprint (MD5): 1A:2A:3A:4A:5A:6A:7A:8A:9A:0A:9A:8A:7A:6A:5A:4A 
birtihub, Aug 7, 2014, PrivateKeyEntry, 
Certificate fingerprint (MD5): 1B:2B:3B:4B:5B:6B:7B:8B:9B:0B:9B:8B:7B:6B:5B:4B</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
7. Optionally, rename the "1" alias. 
</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> </div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">keytool -changealias -alias 1 -destalias mycert -keystore birtihub.jks</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
8. Verify that the alias name changed. 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">keytool -list -keystore birtihub.jks 
mycert, Aug 12, 2014, PrivateKeyEntry, 
Certificate fingerprint (MD5): 1A:2A:3A:4A:5A:6A:7A:8A:9A:0A:9A:8A:7A:6A:5A:4A 
birtihub, Aug 7, 2014, PrivateKeyEntry, 
Certificate fingerprint (MD5): 1B:2B:3B:4B:5B:6B:7B:8B:9B:0B:9B:8B:7B:6B:5B:4B</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
9. Verify that the iHub is not running. If it is, shut it down. 
10. Back up and edit the file at [iHub_Home]/shared/config/acserverconfing.xml. 
</div>
<div style="margin:0px 0px 0px 80px;font-family:Verdana, Arial, sans-serif;font-size:11px;">Before: <?xml version="1.0" encoding="UTF-8" standalone="no"?> 
<Config> 
 <System 
 KeyAlias="birtihub" After: 
<?xml version="1.0" encoding="UTF-8" standalone="no"?> 
<Config> 
 <System 
 KeyAlias="mycert"</div>
<div style="margin:0px 0px 0px 40px;font-family:Verdana, Arial, sans-serif;font-size:11px;"> 
11. Start the iHub and verify that the certificate used on port 8701 is the appropriate one.</div>

zynapzyz

Hi Bruce,
 
I will chew on that and try to implement it. As you probably can tell I am not a system administrator so it is a daunting task but wil let you know if I succeed.
 
regards,
 
Michel
 
P.S. i have send you the info about the issue 'ihub does not start after installation' by email. Please let me know if you need further info.