sitescope - help.sap.com

SiteScope Version : 2019.11 PDF Generated on : 01 Apr 2020


SiteScope 2019.11

Table of Contents

Administer
Set Up
Restrict Access to SiteScope
Export Configuration Data
Import Configuration Data
Use the JMX Console
Configure Security
Harden the SiteScope Platform
Set SiteScope User Preferences
Password Encryption
Use Transport Layer Security (TLS) to Access SiteScope
Smart Card Authentication
Common Criteria Certification
FIPS 140-2 Compliancy
Encrypt Data Using a Custom Key
Recommendations for Securing User Accounts
Configure a Warning Banner to be Displayed on Login
Configure SiteScope to Communicate Over a Secure Connection
Configure SiteScope to Require a Secure Connection
Manually Configuring SiteScope for Using a Secure Connection
Preparing SiteScope for Using TLS
Manually Configuring SiteScope for TLS on Tomcat
Manually Configuring SiteScope for Mutual TLS Configuration
Manually Configuring SiteScope to Connect to APM Server With TLS Deployment
Manually Configuring SiteScope to Connect to an APM Server That Requires a Client Certificate
Manually Configuring the Topology Discovery Agent in SiteScope When APM Server Requires a Client Certificate
Configure Smart Card Authentication
Configure SiteScope to Require Client Certificate Authentication
Configure SiteScope to be accessible using Reverse Proxy Server
Advanced Hardening Configuration
Configure SiteScope to Verify Certificate Revocation
Using Firefox When Client Certification is Enabled
Import Certificate Authority Certificates into SiteScope TrustStores
Enable JMX Remote Access
Restore a Backed Up Configuration
Configure Framing Filters in SiteScope
Automatically Terminating Sessions
Configure SiteScope to Operate in FIPS 140-2 Compliant Mode
FIPS 140-2 Compliancy Overview
Enable FIPS 140-2 Compliant Mode
Disable FIPS 140-2 Compliant Mode
Configure SiteScope to Use a Custom Key for Data Encryption
Key Management Overview
How to Configure SiteScope to Use a Custom Key for Data Encryption
How to Export and Import Configuration Data When Using a Custom Key for Data Encryption
Configure SiteScope to Communicate With APM Over a Secure Connection
Configure SiteScope to Connect to an APM Server That Requires a Secure Connection
Configure SiteScope to Connect to an APM Server That Requires a Client Certificate
Configure APM to Connect to SiteScope When SiteScope Requires a Client Certificate
Use the Hardening Tool
How to Run the Hardening Tool
How to Use the Hardening Tool to Configure SiteScope to Require a Secure Connection
How to Use the Hardening Tool to Configure SiteScope to Verify Certificate Revocation
How to Use the Hardening Tool to Import Certificate Authority Certificates into SiteScope TrustStore
How to Use the Hardening Tool to Configure SiteScope to Connect to an APM Server That Requires a Client Certificate
How to Use the Hardening Tool to Enable FIPS 140-2 Compliant Mode for a Non-Secure Connection
How to Use the Hardening Tool to Enable Key Management for Data Encryption
How to Use the Hardening Tool to Configure SiteScope and SiteScope Public API Client Certificate Authentication
How to Use the Hardening Tool to Configure JMX Remote Access
How to Use the Hardening Tool to Restore a Backed Up Configuration
Configuration of USGCB (FDCC) Compliant Desktop
Configure SiteScope Failover
How to Configure SiteScope Failover
How to Configure SiteScope Failover for SSL With Client Certificate Authentication
How to Configure SiteScope Failover profile when Primary and Failover SiteScope Servers are Client Certificate authenticated
Test SiteScope Failover Configuration
SiteScope Failover and APM Integration
SiteScope Failover and Operations Manager Integration


This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com.

Administer

The topics in this section detail all the Administrator tasks of SiteScope.

In this section

Set up and Administer SiteScope
Restrict Access to SiteScope
Export/Back Up SiteScope Configuration Data
Import/Restore SiteScope Configuration Data
How to Use the JMX Console
Configure Security
Configure SiteScope Failover


Set Up

This section describes a suggested working order for preparing to set up and administer SiteScope.

1. Log on to SiteScope

   Enter the SiteScope address in a Web browser. The default address is http://localhost:8080/SiteScope.

2. Enter your SiteScope license

   If you did not enter your SiteScope license information during installation, enter it in Preferences > General Preferences > Licenses.

3. (Optional) Create a SiteScope user account

   The Administrator account is the default account that is active when the product is installed. It has full privileges to manage SiteScope and is the account that all users who access the product use unless you restrict the account. Therefore, it is recommended to create and configure other user accounts based on the requirements of the organization.

   Note:

   If no user name and password are defined for the administrator user, SiteScope skips the login page and automatically logs in.

   You can restrict access to the SiteScope user interface for a given IP address or host name. For details, see Restrict Access to SiteScope.

4. Configure SiteScope preferences (as required)

   Configure specific properties and settings related to administrative tasks within SiteScope.

   a. Configure the SiteScope Email Preferences server. Configure an administrator's email address and specify a mail server that SiteScope can use to forward email messages and alerts to users.

   b. Adjust Log Preferences. Set the number of days of monitor data that are retained on the SiteScope server. By default, SiteScope deletes logs older than 40 days. If you plan to have monitor data exported to an external database, prepare the database, the necessary drivers, and configure the Log Preferences as applicable.

   c. Configure credentials for SiteScope objects. Use Credential Preferences to store and manage credentials for SiteScope objects that require user authentication.

   d. In addition, you can configure any of the other SiteScope preferences as required.

5. (Optional) Configure SiteScope to integrate with other applications

   SiteScope can be used as a data collector for various other applications, including:

   Application Performance Management (APM). Enables logging of SiteScope monitor data and topology reporting to APM.

   Operations Bridge Manager (OBM). Enables sending SiteScope events and reporting metrics data to OBM and APM products. For task details on enabling SiteScope to send events to OBM, and enabling SiteScope to report metrics using the Operations Agent, see the Integration Options and Details topic.

   Network Node Manager i (NNMi). Enables sending SiteScope events and reporting metrics data to NNMi.

   Diagnostics. Enables you to see a more complete view of the application servers that are monitored by Diagnostics.

   Generic data integration. Enables forwarding SiteScope metrics to an application for which a direct integration does not exist.

   Generic event integration. Enables forwarding events to a third-party application or management console for which a direct integration does not exist.

6. Configure connection profiles for remote servers

   Specify the connection method for the remote servers you want to monitor in accordance with your security requirements.

7. Install middleware drivers (if required)

   Install middleware drivers for connectivity with remote databases and applications for those monitors that require drivers.

   For details, see the help for the specific monitor.

8. Enable JMX server password protection - optional

   To prevent unauthorized entry to the JMX server embedded in SiteScope, enable JMX password authentication.

9. Start using SiteScope

   You are now ready to use SiteScope.


Restrict Access to SiteScope

This task describes how to restrict access to the SiteScope user interface for a given IP address or host name.

1. Open the server.xml file that is located in the <SiteScope root directory>\Tomcat\conf directory.

2. Locate the RemoteAddrValve and RemoteHostValve Valves, uncomment and configure them to allow or deny IP addresses or host names as required. For details on configuring these values, see the explanations and examples in the server.xml file. By default, any host is allowed access.

3. To log the IP addresses and host names from which requests are sent to SiteScope through the user interface (and the access status of these hosts), uncomment the FastCommonAccessLogValve Valve.

4. To restrict access to SiteScope's reports on port 8888, set the following properties in the <SiteScope root directory>\groups\master.config file:

   _checkAddressAndLogin. Set the value to =true.

   _authorizedIP. Provide a comma-separated list of all IP addresses that are allowed to access the reports. By default, any host is allowed access to the SiteScope reports.
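The following check is an added example, not part of the SiteScope documentation: it reads the contents of server.xml and master.config and reports which of the four steps above are still at their open defaults. The sample file contents, the allow pattern and the IP addresses are constructed, and treating every _authorizedIP entry as a literal IP address is an assumption based on the wording of step 4.

```python
"""Audit the SiteScope access restrictions described above (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

VALVES = ("RemoteAddrValve", "RemoteHostValve", "FastCommonAccessLogValve")

# Constructed sample: both valves still commented out.
DEFAULT_SERVER_XML = r"""<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost">
        <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.1\.2\.\d+"/> -->
        <!-- <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"/> -->
      </Host>
    </Engine>
  </Service>
</Server>"""
# Same constructed file with the comment markers removed (valves active).
HARDENED_SERVER_XML = DEFAULT_SERVER_XML.replace("<!-- ", "").replace(" -->", "")

DEFAULT_MASTER_CONFIG = "_checkAddressAndLogin=\n_authorizedIP=\n"       # constructed
HARDENED_MASTER_CONFIG = "_checkAddressAndLogin=true\n_authorizedIP=10.1.2.15,10.1.2.16\n"


def active_valves(server_xml):
    """Return {valve name: attributes} for valves that are not commented out."""
    root = ET.fromstring(server_xml)  # the parser discards XML comments
    found = {}
    for valve in root.iter("Valve"):
        class_name = valve.get("className", "")
        for name in VALVES:
            if class_name.endswith(name):
                found[name] = dict(valve.attrib)
    return found


def parse_master_config(text):
    """Parse the _key=value lines of master.config into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit(server_xml, master_config):
    """Return a list of findings; an empty list means all four steps are applied."""
    findings = []
    valves = active_valves(server_xml)
    if "RemoteAddrValve" not in valves and "RemoteHostValve" not in valves:
        findings.append("UI: no RemoteAddrValve or RemoteHostValve is active; any host is allowed")
    for name in ("RemoteAddrValve", "RemoteHostValve"):
        attrs = valves.get(name)
        if attrs is not None and not (attrs.get("allow") or attrs.get("deny")):
            findings.append(f"UI: {name} is active but has no allow or deny pattern")
    if "FastCommonAccessLogValve" not in valves:
        findings.append("UI: FastCommonAccessLogValve is commented out; source hosts are not logged")

    props = parse_master_config(master_config)
    if props.get("_checkAddressAndLogin", "").lower() != "true":
        findings.append("Reports: _checkAddressAndLogin is not true; port 8888 is not restricted")
    entries = [e.strip() for e in props.get("_authorizedIP", "").split(",") if e.strip()]
    if not entries:
        findings.append("Reports: _authorizedIP is empty")
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            findings.append(f"Reports: _authorizedIP entry {entry!r} is not a literal IP address")
    return findings


if __name__ == "__main__":
    for finding in audit(DEFAULT_SERVER_XML, DEFAULT_MASTER_CONFIG):
        print(finding)
```

To run it against a live installation, pass the text of <SiteScope root directory>\Tomcat\conf\server.xml and <SiteScope root directory>\groups\master.config to audit().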


Export Configuration Data

The simplest way to prepare for a SiteScope upgrade is to use the Configuration Tool to make a backup of your current SiteScope installation directory and the required subdirectories within the directory. Using the Configuration Tool, you can export SiteScope data such as templates, logs, monitor configuration files, server certificates, scripts, and so forth from your current SiteScope for later import into SiteScope. The user data is exported to a .zip file.

Note:

You should make a backup of the <SiteScope>\htdocs directory and copy it to the SiteScope 2019.11 directory after an upgrade so that you can see old reports, since this directory is not copied when you export SiteScope data.

Before importing the configuration from SiteScope 11.3x version, back up the Kubernetes.config file (<SiteScopeDir>\templates.docker\api). After importing the configuration, copy the Kubernetes.config file back to the same location, as it gets overwritten after the import.

When importing configurations with monitors deployed from Monitor Deployment Wizard Templates or Template Examples, you must rename the templates on the source SiteScope before exporting the configuration, or rename or delete the templates on the destination SiteScope.

Alternatively, you can export SiteScope data as part of the installation process.

Related Topics

Run the SiteScope Configuration Tool


Import Configuration Data

After upgrading SiteScope, monitor configuration data can be copied from earlier versions of SiteScope using the Configuration Tool.

Alternatively, if you manually created a backup, you must delete all the folders and files from the new installation directory, and then copy the backed up folders and files to the installation directory.

Related Topics

Run the SiteScope Configuration Tool


Use the JMX Console

How to Use the JMX Console

SiteScope includes the Java monitoring and management instrumentation (JConsole) tool. This tool uses Java Management Extension (JMX) technology to provide information on performance and resource consumption of applications running on the Java platform.

You can use JConsole to perform remote management operations, view performance of processes, and troubleshoot problematic areas of SiteScope. This tool may help in debugging difficult issues related to memory consumption, threading, and other issues in the production environment.

To Access

1. To access the JConsole tool, run <SiteScope root directory>\java\bin\jconsole.exe on Windows platforms (and <SiteScope root directory>/java/bin/jconsole binary file on UNIX platforms).

2. Depending on which SiteScope you want to monitor, select Local, or Remote with port 28006 (the default JMX port).

Note:

Because access to the JMX server is not password protected (JConsole password authentication is disabled by default in SiteScope), we recommend that you enable JMX password authentication to prevent unauthorized entry. For details, see Enable Authentication for the JConsole below.

We recommend not changing any other JConsole settings.

Enable Authentication for the JConsole

1. Create property files to configure users, passwords, and access roles (for Windows/UNIX/Linux platforms).

   a. Create a property file named password.properties that contains users and passwords, and copy it to the <SiteScope root directory>\conf folder:

      # specify actual password
      userLogin1=<<enter the actual password>>
      userLogin2=<<enter the actual password>>

   b. Create a property file named access.properties that contains users and access roles, and copy it to the <SiteScope root directory>\conf folder:

      # The "monitorRole" role has readonly access.
      # The "controlRole" role has readwrite access.
      userLogin1=readonly
      userLogin2=readwrite

   c. Change access permissions to both files. Allow only read access to current user and remove all others.

      You can find additional information on the Oracle website: http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html.

      For more information on how to Secure a Password File on Microsoft Windows Systems, see http://docs.oracle.com/javase/6/docs/technotes/guides/management/security-windows.html.

      On UNIX/Linux systems, you can set the file permissions for the password file by running the following command:

      chmod 600 jmxremote.password

2. Perform the following for SiteScope installed on Windows platform:

   If you start SiteScope using the go.bat file, perform the following:

   i. Open the <SiteScope root directory>\conf\go.bat file for editing.

   ii. Find the string that starts ..\java\bin\SiteScope, and add the following parameters to the end of this string:

       -Dcom.sun.management.jmxremote.password.file=../conf/password.properties -Dcom.sun.management.jmxremote.access.file=../conf/access.properties

   iii. Find the parameter -Dcom.sun.management.jmxremote.authenticate and change its value from false to true.

   iv. Save changes.

   If you start SiteScope using the SiteScope service, perform the following:

   i. Open the registry editor, regedit.exe.

   ii. Locate and then click the following registry subkey:

       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SiteScope\serviceParam

   iii. Add the following parameters to the end of the default value:

       -Dcom.sun.management.jmxremote.password.file=../conf/password.properties -Dcom.sun.management.jmxremote.access.file=../conf/access.properties

   iv. Find the parameter -Dcom.sun.management.jmxremote.authenticate and change its value from false to true.

   v. Save changes.

3. Perform the following for SiteScope installed on a UNIX/Linux platform:

   If you start SiteScope using the go.sh file, perform the following:

   i. Open the <SiteScope root directory>/bin/go.sh file for editing.

   ii. Find the string that starts ../java/bin/SiteScope, and add the following parameters to the end of this string:

       -Dcom.sun.management.jmxremote.password.file=../conf/password.properties -Dcom.sun.management.jmxremote.access.file=../conf/access.properties

   iii. Find the parameter -Dcom.sun.management.jmxremote.authenticate and change its value from false to true.

   iv. Save changes.

   If you start SiteScope using the start command in the SiteScope bin folder, perform the following:

   i. Open the <SiteScope root directory>/bin/start-monitor file for editing.

   ii. Find the string that starts ../java/bin/SiteScope, and add the following parameters to the end of this string:

       -Dcom.sun.management.jmxremote.password.file=../conf/password.properties -Dcom.sun.management.jmxremote.access.file=../conf/access.properties

   iii. Find the parameter -Dcom.sun.management.jmxremote.authenticate and change its value from false to true.

   iv. Save changes.
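The result of the authentication procedure above can be verified in one pass. This is an added example, not code from the SiteScope documentation: it takes the launch string (from go.bat, go.sh, start-monitor or the serviceParam registry value), the text of the two property files and the password file's permission bits, and lists what is still missing. The sample launch strings, user names and passwords are constructed.

```python
"""Audit the JMX authentication settings from the procedure above (added example)."""
import os
import re
import stat

JMX = "com.sun.management.jmxremote."
ROLES = {"readonly", "readwrite"}

# Constructed samples. The first mirrors an unfinished setup, the second a finished one.
OPEN_LAUNCH = "../java/bin/SiteScope -D" + JMX + "authenticate=false"
OPEN_PASSWORDS = "# specify actual password\nuserLogin1=<<enter>>\nuserLogin1=<<enter>>\n"
SAFE_LAUNCH = ("../java/bin/SiteScope -D" + JMX + "authenticate=true"
               " -D" + JMX + "password.file=../conf/password.properties"
               " -D" + JMX + "access.file=../conf/access.properties")
SAFE_PASSWORDS = "userLogin1=constructed-Pw-1\nuserLogin2=constructed-Pw-2\n"
ACCESS = "userLogin1=readonly\nuserLogin2=readwrite\n"


def jmx_flags(launch_line):
    """Extract the -Dcom.sun.management.jmxremote.* flags from a launch string."""
    return dict(re.findall(r"-D" + re.escape(JMX) + r"([\w.]+)=(\S+)", launch_line))


def parse_properties(text):
    """Return (entries, duplicate_keys) for a Java-style properties file."""
    entries, duplicates = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, value = (re.split(r"\s*[=:\s]\s*", line, maxsplit=1) + [""])[:2]
        if key in entries:
            duplicates.append(key)
        entries[key] = value
    return entries, duplicates


def file_mode(path):
    """Permission bits of a file, for the password_mode argument on UNIX/Linux."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_jmx(launch_line, password_text, access_text, password_mode=None):
    """Return a list of findings; an empty list means the procedure is complete."""
    findings = []
    flags = jmx_flags(launch_line)
    authenticate = flags.get("authenticate")
    if authenticate is None:
        findings.append("authenticate flag not found in the launch string")
    elif authenticate.lower() != "true":
        findings.append(f"authenticate={authenticate}: JMX password authentication is disabled")
    for name in ("password.file", "access.file"):
        if name not in flags:
            findings.append(f"-D{JMX}{name} is missing from the launch string")

    passwords, duplicates = parse_properties(password_text)
    access, _ = parse_properties(access_text)
    for user in duplicates:
        findings.append(f"password file defines {user} more than once")
    for user, password in passwords.items():
        if not password or password.startswith("<<"):
            findings.append(f"{user} has an empty or placeholder password")
    for user in sorted(set(access) - set(passwords)):
        findings.append(f"{user} has an access role but no password entry")
    for user in sorted(set(passwords) - set(access)):
        findings.append(f"{user} has a password but no access role")
    for user, role in access.items():
        if (role.split() or [""])[0] not in ROLES:
            findings.append(f"{user} has unknown role {role!r}")

    if password_mode is not None and password_mode & 0o077:
        findings.append(f"password file mode {password_mode:03o} is open to group or others")
    return findings


if __name__ == "__main__":
    for finding in audit_jmx(OPEN_LAUNCH, OPEN_PASSWORDS, ACCESS, 0o644):
        print(finding)
```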

To get properties of a CI reported to a Data Flow database with JMX

1. Open http://<APM/OMi_machine>:21212/jmx-console/ in a Web browser.

2. Click UCMDB:service= Model Services.

3. Invoke method: retrieveObjectProperties.

Where to Configure the Port to Which Data Flow Reports

The server settings are initialized in APM in Admin > System Availability Management > Topology Settings from the Topology receiver port or Topology receiver SSL port boxes.


Configure Security

In this section

Hardening the SiteScope Platform
Configure SiteScope to Communicate Over a Secure Connection
Advanced Hardening Configuration
Configure SiteScope to Operate in FIPS 140-2 Compliant Mode
Configure SiteScope to Use a Custom Key for Data Encryption
Configure SiteScope to Communicate With APM Over a Secure Connection
Using the Hardening Tool
Configuration of USGCB (FDCC) Compliant Desktop
Configuring SiteScope Failover


Harden the SiteScope Platform

As a system availability monitoring tool, SiteScope might have access to system information that could be used to compromise system security if steps are not taken to secure it. You should use the configurations and setup options in this section to protect the SiteScope platform.

There are two web servers that are active and serving two versions of the SiteScope product interface: the SiteScope web server, and the Apache Tomcat server supplied with SiteScope. To limit all access to SiteScope, you must apply the applicable settings to both of these servers.

In this section

Set SiteScope User Preferences
Password Encryption
Use Transport Layer Security (TLS) to Access SiteScope
Smart Card Authentication
Common Criteria Certification
FIPS 140-2 Compliancy
Encrypt Data Using a Custom Key
Recommendations for Securing User Accounts
Configure a Warning Banner to be Displayed on Login


Set SiteScope User Preferences

SiteScope user profiles are used to require a user name and password to access the SiteScope interface. After installation, SiteScope is normally accessible to any user who has HTTP access to the server on which SiteScope is running.

By default, SiteScope is installed with only one user account and this account does not have a default user name or password defined for it. This is the administrator account.

You should define a user name and password for this account after installing and accessing the product. You can also create other user account profiles to control how other users may access the product and what actions they may perform. For more information on creating user accounts, see the User Management Preferences section in Using SiteScope in the SiteScope Help.


Password Encryption

All SiteScope passwords are encrypted using a method called Triple Data Encryption Standard (TDES). TDES applies the Data Encryption Algorithm on each 64-bit block of text three successive times, using either two or three different keys. As a result, it is extremely difficult for unauthorized users to reproduce the original password.


Use Transport Layer Security (TLS) to Access SiteScope

You can configure SiteScope to use TLS to control access to the product interface. For more information, see Configure SiteScope to Communicate Over a Secure Connection.

Note: Transport Layer Security (TLS) is the new name for Secure Sockets Layer (SSL). The SiteScope user interface still includes references to SSL. The terms are used interchangeably in SiteScope.


Smart Card Authentication

Smart cards are physical devices used to identify users in secure systems. These cards can be used to store certificates which verify the user's identity and allow access to secure environments.

SiteScope supports user authentication using smart cards. If smart card authentication is configured, you cannot log in to SiteScope without a valid smart card. There are different types of smart cards that can be used with SiteScope, which include:

CAC. The Common Access Card (often called CAC card) is a smart card that is used by the US Department of Defense. This smart card is required to do any work on government systems in the military.

PIV. Like their military counterparts, Federal employees and contractors within civilian agencies also need smart cards. They use a similar standard known as a PIV card (Personal Identification Verification). The cards are slightly different from CACs, and have varying information printed on them, depending on the issuing agency. They use a different set of CA (Certificate Authority) servers than the ones that CACs use. The PIV card is personalized with data needed by the PIV system to grant access to the subscriber to Federal facilities and information systems; assure appropriate levels of security for all applicable Federal applications; and provide interoperability among Federal organizations using the standards.

For details on configuring smart card authentication, see Configure Smart Card Authentication.

Note: Many different smart card vendors exist in the market. To support all the different permutations for using client certificates, you can use the following parameters in the <SiteScope root>\groups\master.config file:

_clientCertificateAuthJITCComplianceEnforcementEnabled
_clientCertificateAuthSmartCardEnforcementEnabled
_clientCertificateAuthIsGetUidFromSubject
_clientCertificateAuthAllowLocalUsers
_clientCertificateSubjectAlternativeNamesGeneralName
_clientCertificateAuthEnabled

Joint Interoperability Test Command (JITC) Certification

JITC is a United States military organization that tests technology that pertains to multiple branches of the armed services and government. JITC provides test, evaluation, and certification services for acquiring and deploying global "net-centric" military capabilities.

SiteScope is currently undergoing JITC testing and evaluation. JITC certification is one of the Common Criteria certifications required for supporting CAC and smart card authentication login.

Note: This section will be updated when the evaluation process has been completed.


Common Criteria Certification

SiteScope is committed to providing industry-leading monitoring software that meets global industry standards and government certification programs.

SiteScope has been evaluated under the terms and conditions of the Canadian Common Criteria Scheme and complies with the requirements for Common Criteria Recognition Agreement (CCRA). SiteScope has achieved the Common Criteria certification with Evaluation Assurance Level (EAL) 2+. Certifications like Common Criteria are fundamentally important to federal government security measures. In addition to protecting government customers from today's advanced attacks and data theft, these security certifications also support the needs of our global business customers.

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria) is an international standard for computer security certification. Common Criteria is validation that the product does what is promised, and is built in a manner that is both secure and stable. Results are verified and evaluated by independent testing laboratories. It is also a requirement by the U.S. government for federal purchases of security products.


FIPS 140-2 Compliancy

As part of Common Criteria certification, SiteScope can be configured to operate in FIPS 140-2 compliant mode.

FIPS 140-2, or Federal Information Processing Standard 140-2, is a set of security requirements for cryptographic modules. FIPS 140-2 is overseen by CMVP (Cryptographic Module Validation Program), which is a joint effort mandated by both the United States and Canadian governments.

Limitations

- Only SSH2 is supported for SSH connections when SiteScope is run in FIPS 140-2 mode.
- The Prefer SSL to TLS option in URL monitors, URL Tool, and New/Edit HTTP Recipient dialog box is ignored when SiteScope is run in FIPS 140-2 mode (authentication using TLS is mandatory in FIPS 140-2 mode).

Related Topics

Configure SiteScope to Operate in FIPS 140-2 Compliant Mode


Encrypt Data Using a Custom Key

By default, SiteScope uses a standard encryption algorithm to encrypt the persistency data (this includes configuration data of all defined monitors, groups, alerts, templates, and many other SiteScope entities). You can use Key Management in the Hardening Tool to change the cryptographic keys that are used for encrypting the persistency data.

Related Topics

Configure SiteScope to Use a Custom Key for Data Encryption


Recommendations for Securing User Accounts

The following table lists the various accounts available in SiteScope and the steps that can be taken to secure these accounts.

User Account: Default (Administrator)
Description: By default, SiteScope is installed with only one user account and this account does not have a default user name or password defined for it.
Hardening Steps: To restrict access to this account and its privileges, we recommend editing the Administrator account profile to include a user login name and login password after installing and accessing the product. SiteScope then displays a login page before SiteScope can be accessed. You should create other user account profiles to control how other users may access the product and what actions they can perform. For more information, see the User Management Preferences section in Using SiteScope in the SiteScope Help.
Note: To create other accounts, you must first edit the Administrator account profile to include a user login name and password.

User Account: Integration Viewer
Description: By default, SiteScope provides an Integration Viewer user that is used for drilling down from OM events. This is a regular user that has been granted view permissions, and permissions to refresh groups and monitors. For more details, see Integrating SiteScope with Operations Manager Products.
Hardening Steps: If you have an OM or APM integration, we recommend changing the predefined login password for the Integration Viewer account profile. If you do not have an OM/APM integration, you can disable or delete this user.

User Account: SiteScope Service User
Description:
  For Windows: By default, SiteScope is installed to run as a local system account (not applicable for Linux installations). This account has extensive privileges on the local computer, and has access to most system objects. When SiteScope is running under a local system account, it attempts to connect to remote servers using credentials of the server as configured in SiteScope.
  For Linux: SiteScope must be installed on a Linux environment by the root user.
Hardening Steps:
  For Windows: We recommend setting the SiteScope service to log on as a user with domain administration privileges. This gives SiteScope access privileges to monitor server data within the domain. Enter an account and password (and confirm the password) that can access the remote servers. In a domain environment, use the domain administrator user; in a non-domain environment use the built-in administrator user. You can change this setting during installation time (see "Installing Using the Installation Wizard"), or after SiteScope is installed (see the Configure SiteScope to Monitor Remote Windows Servers section in Using SiteScope in the SiteScope Help).
  For Linux: After SiteScope has been installed, you can create a non-root user account with permissions to run SiteScope (unless the SiteScope Web server is run on a privileged port, in which case it should be run by the root user). For details on configuring a non-root user with permissions to run SiteScope, see Recommendations for Securing User Accounts.

User Account: JMX User
Description: JMX has remote access to the SiteScope server by default (the connection using the JMX protocol can be configured using the Hardening Tool).
Hardening Steps: To fully secure SiteScope, it is recommended that you disable JMX remote access by using the Hardening Tool. For details, see How to Use the Hardening Tool to Configure JMX Remote Access.

User Account: API User
Description: Generally there is no such user (SiteScope has a number of APIs that do not require authentication).
Hardening Steps: If you need to disable old unused API users, you can do so by setting Disable old APIs to true in Preferences > Infrastructure Preferences > Custom Settings.


Configure a Warning Banner to be Displayed on Login

You can enable SiteScope to display a warning message to users when they log on to SiteScope that they are about to log in to a secure system. The property _isAllowedHTMLTagsInBannerMessage is added to support HTML tags.

To configure a message to be displayed on login:

1. Open the <SiteScope root directory>\templates.fips\banner.template file in a text editor, and enter the text that you want to be displayed in the login screen.

2. Open the <SiteScope root directory>\groups\master.config file in a text editor, and set _isLogonWarningBannerDisplayed=true.

3. (Optional) Set the parameter _isAllowedHTMLTagsInBannerMessage=true if you want to support HTML tags. When set to "true", the message is formatted as per the HTML tags.

   By default, _isAllowedHTMLTagsInBannerMessage=false. HTML tags are not supported, and if any markup character sequences are used in the banner.template file, the whole message string is escaped and displayed as markup code instead of formatted text, and no code is executed. An error message is logged to the error.log file. The only exception is the <br> tag, which can be used to separate message lines along with regular line breaks.

4. Restart SiteScope (required after making any changes to the master.config file).

Whenever a user logs on to SiteScope, the notification message is displayed. The user must confirm the message before being able to use SiteScope.


Configure SiteScope to Communicate Over a Secure Connection

In this section

- Configure SiteScope to Require a Secure Connection
- Configure Smart Card Authentication
- Configure SiteScope to Verify Certificate Revocation
- Configure SiteScope to be accessible using the Reverse Proxy Server


Configure SiteScope to Require a Secure Connection

You can configure SiteScope to require secure access to its interfaces (UI and API). You can do this by:

1. Obtaining the server certificate issued to the FQDN of the SiteScope server.

2. Configuring SiteScope to respond to access requests only over a secure channel.

Note: Certificates created using the SHA-2 (SHA-256) algorithm are supported in SiteScope.

You can do this by either:

- Using the Hardening Tool to configure SiteScope to perform this configuration (recommended method).
- Manually configuring SiteScope to use TLS.

Related Topics

- How to Use the Hardening Tool to Configure SiteScope to Require a Secure Connection
- Manually Configuring SiteScope for Using a Secure Connection


Manually Configuring SiteScope for Using a Secure Connection

You can manually configure SiteScope to use a secure connection to restrict access to the SiteScope interface.

This section includes:

- Preparing SiteScope for Using TLS
- Manually Configuring SiteScope for TLS on Tomcat
- Manually Configuring SiteScope for Mutual TLS Configuration
- Manually Configuring SiteScope to Connect to APM Server With TLS Deployment
- Manually Configuring SiteScope to Connect to an APM Server That Requires a Client Certificate
- Manually Configuring the Topology Discovery Agent in SiteScope When APM Server Requires a Client Certificate


Preparing SiteScope for Using TLS

SiteScope is shipped with Keytool.exe. Keytool is a key and certificate management utility. It enables users to administer their own public/private key pairs and associated certificates for authentication using digital signatures. It also enables users to cache the public keys of other persons and organizations they communicate with. It is installed in the <SiteScope install path>\SiteScope\java\bin directory.

Caution: When you create, request, and install a digital certificate, make a note of the parameters and command line arguments that you use in each step of the process. It is very important that you use the same values throughout the procedure.

Note:

- SiteScope uses keystores and truststores in JKS format only.
- To prepare the SiteScope Classic interface for use with TLS, you must configure both the Tomcat server (see Manually Configuring SiteScope for TLS on Tomcat) and the classic interface engine.

You can find out more about keytool at the Oracle web site (http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html).


Manually Configuring SiteScope for TLS on Tomcat

To enable TLS on Tomcat, you need to make changes to the configuration files used by the Tomcat server.

Open the server.xml file that is located in the <SiteScope root directory>\Tomcat\conf directory.

Locate the section of the configuration file that looks like the following:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               SSLEnabled="true" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               compression="on" compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css,image/x-icon,application/json" />
    -->

Change this section to the following:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               SSLEnabled="true" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
               keystoreFile="<SiteScope_install_path>\SiteScope\groups\serverKeystore"
               keystorePass="testing" />

where <SiteScope_install_path> is the path to your SiteScope installation.

If you do not want to use the default 8443 port, you can change the Connector port value to any required port. For example, to access SiteScope using port 443 make the following change in the configuration file:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
    <Connector port="443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               SSLEnabled="true" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
               keystoreFile="<SiteScope_install_path>\SiteScope\groups\serverKeystore"
               keystorePass="testing" />

Note:

- If there are other Micro Focus products installed on the same server as SiteScope, you might need to change port 8443 to another port to avoid conflict.
- Tomcat log output is written to the <SiteScope root directory>\logs\tomcat.log file. Settings for the log file can be configured from the <SiteScope root directory>\Tomcat\lib\log4j.properties file.
- You can strengthen security on the Tomcat server by disabling weak ciphers. To do so, open <SiteScope root directory>\Tomcat\conf\server.xml, and change the existing list to the following:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
               ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />

By default, Tomcat looks for a .keystore file in the SiteScope user's home directory.

For more information on enabling TLS for the Tomcat server, see http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html.

Restart the SiteScope service. After enabling Tomcat to use TLS using this example, the SiteScope interface is available at a URL with the following syntax:

    https://<SiteScope_server>:8443/SiteScope (the link is case sensitive)
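The following added example (not part of the SiteScope documentation) audits the <Connector> settings shown in this section and flags protocol versions and cipher suites that have since been deprecated (TLS 1.0 and 1.1 by RFC 8996, RC4 by RFC 7465), as well as keystore passwords copied from the documentation examples. The sample server.xml is constructed from the attribute values on this page, and the function and constant names are illustrative.

```python
"""Audit TLS settings of <Connector> elements in a Tomcat server.xml."""
import xml.etree.ElementTree as ET

# Values of sslEnabledProtocols that should no longer be offered.
LEGACY_PROTOCOLS = {
    "SSLv2Hello": "SSLv2-format ClientHello compatibility",
    "SSLv3": "SSL 3.0",
    "TLSv1": "TLS 1.0, deprecated by RFC 8996",
    "TLSv1.1": "TLS 1.1, deprecated by RFC 8996",
}
# Markers inside JSSE cipher suite names that identify a weak primitive.
WEAK_CIPHER_MARKERS = {
    "_RC4_": "RC4, prohibited in TLS by RFC 7465",
    "_3DES_": "3DES, 64-bit block cipher",
    "_DES_": "single DES",
    "_NULL_": "no encryption",
    "_EXPORT_": "export-grade key length",
    "_anon_": "unauthenticated key exchange",
}
# Passwords printed in the documentation examples; not for production use.
DOC_EXAMPLE_PASSWORDS = {"testing", "changeit"}

# Constructed sample: connector attributes taken from this page, wrapped in a
# minimal <Server> element, with an illustrative keystore path.
SAMPLE_SERVER_XML = r"""<Server>
  <Service name="Catalina">
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
               ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="C:\SiteScope\groups\serverKeystore" keystorePass="testing" />
  </Service>
</Server>"""

# Constructed sample: the TLS connector is still commented out.
SAMPLE_DEFAULT_XML = """<Server>
  <Service name="Catalina">
    <!-- <Connector port="8443" SSLEnabled="true" sslProtocol="TLS" /> -->
  </Service>
</Server>"""


def split_list(value):
    """Split a comma-separated attribute value, tolerating spaces and newlines."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def audit_server_xml(xml_text):
    """Return a sorted list of (port, attribute, value, reason) findings."""
    root = ET.fromstring(xml_text)
    # The parser drops XML comments, so a commented-out connector is
    # correctly treated as absent.
    tls_connectors = [c for c in root.iter("Connector")
                      if c.get("SSLEnabled", "").lower() == "true"]
    if not tls_connectors:
        return [("-", "Connector", "-", "no TLS connector is enabled")]
    findings = []
    for conn in tls_connectors:
        port = conn.get("port", "?")
        protocols = split_list(conn.get("sslEnabledProtocols"))
        if not protocols:
            findings.append((port, "sslEnabledProtocols", "-",
                             "not set, JVM defaults apply"))
        for proto in protocols:
            if proto in LEGACY_PROTOCOLS:
                findings.append((port, "sslEnabledProtocols", proto,
                                 LEGACY_PROTOCOLS[proto]))
        ciphers = split_list(conn.get("ciphers"))
        if not ciphers:
            findings.append((port, "ciphers", "-", "not set, JVM defaults apply"))
        for suite in ciphers:
            for marker, reason in WEAK_CIPHER_MARKERS.items():
                if marker in suite:
                    findings.append((port, "ciphers", suite, reason))
        password = conn.get("keystorePass")
        if password in DOC_EXAMPLE_PASSWORDS:
            findings.append((port, "keystorePass", password,
                             "documentation example password"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print("port %s: %s=%s (%s)" % finding)
```

All eight findings for the sample come from values printed in the connector examples above; restricting sslEnabledProtocols to TLSv1.2 and removing the RC4 and 3DES suites clears the protocol and cipher findings.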


Manually Configuring SiteScope for Mutual TLS Configuration

Perform the following steps if the SiteScope server requires a client certificate from the client.

1. SiteScope should be configured with TLS. For details, see Manually Configuring SiteScope for TLS on Tomcat.

2. Configure the Tomcat server to request a client certificate by locating the following section of the <SiteScope root directory>\Tomcat\conf\server.xml configuration file:

    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               SSLEnabled="true" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,SSLv2Hello"
               keystoreFile="..\groups\serverKeystore" keystorePass="changeit"

   and adding the following attributes, and changing clientAuth="true":

               truststoreFile="..\java\lib\security\cacerts" truststorePass="changeit"
               truststoreType="JKS" clientAuth="true"
    />

3. Import the root certificate of the certificate authority that issues client certificates to your organization to the SiteScope truststore (<SiteScope root directory>\java\lib\security\cacerts) by running the command:

    C:\SiteScope\java\>keytool -import -trustcacerts -alias <your alias> -keystore ..\lib\security\cacerts -file <certificate file>

4. Create a client certificate, or use an existing one to import it to the browser.

5. Restart SiteScope, and access it using the following link:

    https://<server>:8443/SiteScope (the link is case sensitive)

Note: Calls to the SiteScope SOAP API also require a certificate. Add the following to your Java code to respond with a client certificate:

    System.setProperty("javax.net.ssl.keyStore", "<pathname to client certificate keystore in JKS format>");
    System.setProperty("javax.net.ssl.keyStorePassword", "<password of client certificate keystore>");
    // Optional:
    System.setProperty("javax.net.ssl.trustStore", "<pathname to truststore in JKS format>");

or use the following JVM arguments:

    -Djavax.net.ssl.keyStore=<pathname to client certificate keystore in JKS format>
    -Djavax.net.ssl.keyStorePassword=<password of client certificate keystore>

and, optionally:

    -Djavax.net.ssl.trustStore=<pathname to truststore in JKS format>


Manually Configuring SiteScope to Connect to APM Server With TLS Deployment

To connect SiteScope to an APM server with a TLS deployment, perform the following:

1. Connect to the SiteScope server.

2. Import the CA root certificate or APM server certificate into SiteScope using Certificate Management in the SiteScope user interface. For details, see the Certificate Management section in the Using SiteScope Guide in the SiteScope Help.

3. If APM is configured with a load balancer, import the certificates of Load Balance Core and Center URLs into SiteScope using Certificate Management in the SiteScope user interface. For details, see the Certificate Management section in the Using SiteScope Guide in the SiteScope Help.

For details on how to import the certificate into APM, see the Using SSL with SiteScope section in the APM Hardening Guide in the APM Documentation Library.


Manually Configuring SiteScope to Connect to an APM Server That Requires a Client Certificate

To connect SiteScope to an APM server that requires a client certificate, perform the following:

1. Connect to the SiteScope server.

2. Import the CA root certificate or APM server certificate into SiteScope using Certificate Management in the SiteScope user interface. For details, see the Certificate Management section in the Using SiteScope Guide in the SiteScope Help.

3. If you obtained the client certificate in JKS format, copy it to the <SiteScope root directory>\templates.certificates folder, and continue from step 11.

   Note:

   - Make sure that the private key password is at least 6 characters long, and that the private key and keystore passwords are the same.
   - In addition, make sure that the above keystore contains the CA certificate that issued it.

   If you obtained the client certificate in some other format, perform the steps below.

4. Create a keystore under <SiteScope root directory>\templates.certificates by running the following command from the <SiteScope root directory>\java\bin directory:

    keytool -genkey -keyalg RSA -alias sis -keystore <SiteScope root directory>\templates.certificates\.ks -storepass <your_keystore_password>

   Example:

    keytool -genkey -keyalg RSA -alias sis -keystore C:\SiteScope\templates.certificates\.ks -storepass changeit
    What is your first and last name?
      [Unknown]: domain.name
    What is the name of your organizational unit?
      [Unknown]: dept
    What is the name of your organization?
      [Unknown]: XYZ Ltd
    What is the name of your City or Locality?
      [Unknown]: New York
    What is the name of your State or Province?
      [Unknown]: USA
    What is the two-letter country code for this unit?
      [Unknown]: US
    Is CN=domain.name, OU=dept, O=XYZ Ltd, L=New York, ST=USA, C=US correct?
      [no]: yes
    Enter key password for <SiteScope>

   Press ENTER to use the same password as the keystore password.

5. Create a certificate request for this keystore by running the following command from the <SiteScope root directory>\java\bin directory:

    keytool -certreq -alias sis -file c:\sis.csr -keystore <SiteScope root directory>\templates.certificates\.ks -storepass <your_keystore_password>

   Example:

    keytool -certreq -alias sis -file c:\sis.csr -keystore C:\SiteScope\templates.certificates\.ks -storepass changeit

6. Have your certificate authority sign the certificate request. Copy/paste the contents of the .csr file into your Certificate Authority Web form.

7. Download the signed client certificate in BASE-64 format to <SiteScope root directory>\templates.certificates\clientcert.cer.

8. Download the certificate authority certificate in BASE-64 format to c:\.

9. Import the certificate authority certificate into the JKS keystore by running the following command:

    keytool -import -alias ca -file c:\ca.cer -keystore <SiteScope root directory>\templates.certificates\.ks -storepass <your_keystore_password>

   Example:

    keytool -import -alias ca -file c:\ca.cer -keystore C:\SiteScope\templates.certificates\.ks -storepass changeit
    Owner: CN=dept-CA, DC=domain.name
    Issuer: CN=dept-CA, DC=domain.name
    Serial number: 2c2721eb293d60b4424fe82e37794d2c
    Valid from: Tue Jun 17 11:49:31 IDT 2008 until: Mon Jun 17 11:57:06 IDT 2013
    Certificate fingerprints:
      MD5: 14:59:8F:47:00:E8:10:93:23:1C:C6:22:6F:A6:6C:5B
      SHA1: 17:2F:4E:76:83:5F:03:BB:A4:B9:96:D4:80:E3:08:94:8C:D5:4A:D5
    Trust this certificate? [no]: yes
    Certificate was added to keystore

10. Import the client certificate into the keystore by running the following command:

    keytool -import -alias sis -file <SiteScope root directory>\templates.certificates\certnew.cer -keystore <SiteScope root directory>\templates.certificates\.ks -storepass <your_keystore_password>

   Example:

    keytool -import -alias sis -file c:\SiteScope\templates.certificates\certnew.cer -keystore C:\SiteScope\templates.certificates\.ks -storepass changeit

   The certificate reply is installed in the keystore <SiteScope root directory>\java\bin directory.

11. Check the keystore contents by running the following command from the <SiteScope root directory>\java\bin directory, and enter the keystore password:

    keytool -list -keystore <SiteScope root directory>\templates.certificates\.ks

   Example:

    keytool -list -keystore C:\SiteScope\templates.certificates\.ks
    Enter keystore password: changeit
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 2 entries
    ca, Mar 8, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): 14:59:8F:47:00:E8:10:93:23:1C:C6:22:6F:A6:6C:5B
    sis, Mar 8, 2009, keyEntry,
    Certificate fingerprint (MD5): C7:70:8B:3C:2D:A9:48:EB:24:8A:46:77:B0:A3:42:E1
    C:\SiteScope\java\bin>

12. To use this keystore for client certificate, add the following lines to the <SiteScope root directory>\groups\master.config file:

    _urlClientCert=<keystoreName>
    _urlClientCertPassword=<keystorePassword>

   Example:

    _urlClientCert=.ks
    _urlClientCertPassword=changeit

13. Save the changes to the file.

14. In SiteScope Preferences > Integration Preferences > APM Preferences Available Operations, click Reset to delete all APM related settings from the SiteScope server and all SiteScope configurations from APM.

15. Restart the SiteScope server.

16. In APM, select Admin > System Availability Management Administration, and click the New SiteScope button to add the SiteScope instance.

Note: If the connection between SiteScope and APM fails, check the <SiteScope root directory>\log\bac_integration.log for errors.
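As an added example (not part of the SiteScope documentation), the "Check the keystore contents" step can be automated by parsing the keytool -list output: the client keystore must hold a private key entry under the alias used for the certificate request, plus a trustedCertEntry for the issuing CA. The function names are illustrative and English-locale keytool output is assumed; the second sample is constructed to show a signed certificate imported into a keystore that lacks the private key, which keytool stores as a trustedCertEntry.

```python
"""Verify a SiteScope client keystore from `keytool -list` output."""
import re

# One entry: "<alias>, <date>, <entry type>," followed by
# "Certificate fingerprint (<algorithm>): <hex pairs>".
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+),\s*(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4}),\s*"
    r"(?P<type>\w+),\s*Certificate fingerprint \((?P<alg>[\w-]+)\):\s*"
    r"(?P<fingerprint>(?:[0-9A-F]{2}:)+[0-9A-F]{2})",
    re.MULTILINE,
)
COUNT_RE = re.compile(r"Your keystore contains (\d+) entr(?:y|ies)")
# Older keytool versions print keyEntry, newer ones PrivateKeyEntry.
PRIVATE_KEY_TYPES = {"keyEntry", "PrivateKeyEntry"}

# Output shown on this page, with its line breaks restored.
PAGE_SAMPLE = """Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

ca, Mar 8, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 14:59:8F:47:00:E8:10:93:23:1C:C6:22:6F:A6:6C:5B
sis, Mar 8, 2009, keyEntry,
Certificate fingerprint (MD5): C7:70:8B:3C:2D:A9:48:EB:24:8A:46:77:B0:A3:42:E1
"""

# Constructed sample: the signed certificate was imported into a fresh
# keystore, so alias "sis" has no private key and no CA certificate is present.
BAD_SAMPLE = """Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

sis, Mar 8, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""


def parse_keytool_list(output):
    """Return (declared entry count or None, list of parsed entry dicts)."""
    declared = COUNT_RE.search(output)
    entries = [m.groupdict() for m in ENTRY_RE.finditer(output)]
    return (int(declared.group(1)) if declared else None), entries


def check_client_keystore(output, key_alias="sis"):
    """Return a list of problems; an empty list means the keystore looks usable."""
    declared, entries = parse_keytool_list(output)
    problems = []
    if declared is not None and declared != len(entries):
        problems.append("keytool reports %d entries but %d were parsed"
                        % (declared, len(entries)))
    # JKS aliases are case-insensitive (the page's AMQA_CA is listed as amqa_ca).
    wanted = key_alias.lower()
    key_entry = next((e for e in entries if e["alias"].lower() == wanted), None)
    if key_entry is None:
        problems.append("alias '%s' not found" % key_alias)
    elif key_entry["type"] not in PRIVATE_KEY_TYPES:
        problems.append("alias '%s' is a %s with no private key; import the "
                        "signed certificate into the keystore that created "
                        "the request" % (key_alias, key_entry["type"]))
    has_ca = any(e["type"] == "trustedCertEntry" and e["alias"].lower() != wanted
                 for e in entries)
    if not has_ca:
        problems.append("no trustedCertEntry for the issuing CA certificate")
    return problems


if __name__ == "__main__":
    for name, sample in (("page sample", PAGE_SAMPLE), ("bad sample", BAD_SAMPLE)):
        print(name, "->", check_client_keystore(sample) or "OK")
```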


Manually Configuring the Topology Discovery Agent in SiteScope When APM Server Requires a Client Certificate

After configuring SiteScope to connect to the APM Gateway server using a client certificate (see Manually Configuring SiteScope to Connect to an APM Server That Requires a Client Certificate), you need to perform the following steps for discovery to report topology to the APM server.

1. Create a folder named security in <SiteScope root directory>\WEB-INF\classes (if it does not exist).

2. Move MAMTrustStoreExp.jks and ssl.properties from <SiteScope root directory>\WEB-INF\classes to the <SiteScope root directory>\WEB-INF\classes\security folder.

3. Import the CA root certificate (or APM server certificate) into the discovery trust store (MAMTrustStoreExp.jks) with password (the default password for the discovery trust store is logomania, which encrypted, is: [22,-8,116,-119,-107,64,49,93,-69,57,-13,-123,-32,-114,-88,-61]):

    keytool -import -alias <your_CA> -file <certificate file> -keystore <SiteScope root directory>\WEB-INF\classes\security\MAMTrustStoreExp.jks -storepass <your_keystore_password>

   Example:

    keytool -import -alias AMQA_CA -file c:\ca.cer -keystore C:\SiteScope\WEB-INF\classes\security\MAMTrustStoreExp.jks -storepass logomania

   Note: The private key password must be at least 6 characters, and the password for the private key and password for the keystore must be the same.

4. Check the contents of TrustStore using the following command:

    <SiteScope root directory>\java\bin>keytool -list -keystore <SiteScope root directory>\WEB-INF\classes\security\MAMTrustStoreExp.jks -storepass <your_keystore_password>
    Keystore type: <Keystore_type>
    Keystore provider: <Keystore_provider>
    Your keystore contains 2 entries
    mam, Nov 4, 2004, trustedCertEntry,
    Certificate fingerprint (MD5): <Certificate_fingerprint>
    amqa_ca, Dec 30, 2010, trustedCertEntry,
    Certificate fingerprint (MD5): <Certificate_fingerprint>

   Example:

    C:\SiteScope\java\bin>keytool -list -keystore C:\SiteScope\WEB-INF\classes\security\MAMTrustStoreExp.jks -storepass logomania
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 2 entries
    mam, Nov 4, 2004, trustedCertEntry,
    Certificate fingerprint (MD5): C6:78:0F:58:32:04:DF:87:5C:8C:60:BC:58:75:6E:F7
    amqa_ca, Dec 30, 2010, trustedCertEntry,
    Certificate fingerprint (MD5): 5D:47:4B:52:14:66:9A:6A:0A:90:8F:6D:7A:94:76:AB

5. Copy the SiteScope client keyStore (.ks) from <SiteScope root directory>\templates.certificates to <SiteScope root directory>\WEB-INF\classes\security\.

6. In the ssl.properties file, update the javax.net.ssl.keyStore property to the keyStore name. For example, javax.net.ssl.keyStore=.ks.

7. Change the SiteScope client keyStore password to match the Discovery password for keystore (default is logomania).

    keytool -storepasswd -new <Discovery_keystore_password> -keystore <SiteScope root directory>\WEB-INF\classes\security\.ks -storepass <your_keystore_password>

   Example:

    keytool -storepasswd -new logomania -keystore C:\SiteScope\WEB-INF\classes\security\.ks -storepass changeit

8. Change private key password to match Discovery password for keystore:

    keytool -keypasswd -alias sis -keypass <your_keystore_password> -new <Discovery_keystore_password> -keystore <SiteScope root directory>\WEB-INF\classes\security\.ks -storepass <your_keystore_password>

   Example:

    keytool -keypasswd -alias sis -keypass changeit -new logomania -keystore C:\SiteScope\WEB-INF\classes\security\.ks -storepass logomania

9. Verify keystore using new password:

    keytool -list -v -keystore <SiteScope root directory>\WEB-INF\classes\security\.ks -storepass <your_keystore_password>

   Example:

    keytool -list -v -keystore C:\SiteScope\WEB-INF\classes\security\.ks -storepass logomania

10. Restart the SiteScope server.

11. In APM, select Admin > System Availability Management Administration, and click the New SiteScope button to add the SiteScope instance. In the Profile Settings pane, make sure to select the APM Front End Use HTTPS check box.

12. Check the topology appears in APM > Admin > RTSM Administration > IT Universe Manager > System Monitors view.


Configure Smart Card Authentication

Smart cards are physical devices used to identify users in secure systems. These cards can be used to store certificates which verify the user's identity and allow access to secure environments.

SiteScope supports user authentication using smart cards. If smart card authentication is configured, you cannot log in to SiteScope without a valid smart card.

SiteScope can be configured to use these certificates in place of the standard model of each user manually entering a user name and password. You define a method of extracting the user name from the certificate stored on each card.

When SiteScope is configured for smart card authentication, users can log in to SiteScope only with a valid smart card. The option of logging in by manually typing in your username and password is locked for all users unless smart card configuration is disabled.

If smart card authentication is configured in APM and you want to integrate SiteScope with APM, you must configure SiteScope smart card authentication to authenticate the APM client certificate. Similarly, if SiteScope is configured for smart card authentication and you want to allow APM to communicate with SiteScope, you must first configure APM to authenticate with the client certificate in SiteScope.

Note: If smart card enforcement is enabled, the only supported browser is Internet Explorer running on a Windows operating system.

If smart card enforcement is disabled, but client certificate authentication is enabled, to use SiteScope in Firefox, see Using Firefox When Client Certification is Enabled.

For more information about smart cards, see the Smart Card Authentication Configuration Guide.

Related Topics

Configure SiteScope to Connect to an APM Server That Requires a Secure Connection


Configure SiteScope to Require Client Certificate Authentication

If you have configured SiteScope to work over TLS (see Configure SiteScope to Require a Secure Connection), you can then configure SiteScope and SiteScope public API client to require client certificate authentication.

You do this by using the Hardening Tool. For details, see How to Use the Hardening Tool to Configure SiteScope and SiteScope Public API Client Certificate Authentication.


Configure SiteScope to be accessible using Reverse Proxy Server

SiteScope can be configured to be accessible by a reverse proxy server. The configuration is supported for environments where:

- A single instance of SiteScope resides behind the secured reverse proxy server.
- Multiple instances of SiteScope reside behind the secured reverse proxy server. The number of SiteScope instances that can reside behind the proxy server depends on the number of available ports.

Prerequisites

Ensure the following are met to configure the reverse proxy server for SiteScope:

- Configure SiteScope to work over SSL (https).
- Map the SSL-enabled SiteScope default port 8443 to the reverse proxy server's port 8443. This enables access to the SiteScope UI through the reverse proxy server at https://<reverseproxy>:8443/SiteScope.
- Map the SiteScope port 8899 to the reverse proxy server’s port 8899. This enables quick reports to be generated when accessing the SiteScope UI through the reverse proxy server.

For environments where multiple SiteScope instances reside behind the reverse proxy server:

- All SiteScope instances must be configured for SSL.
- Map any one instance of SiteScope default port 8443 to the reverse proxy server's port 8443. Also map the same instance's port 8899 to the reverse proxy server's port 8899 to generate quick reports using the reverse proxy.
- Map any other instance of SiteScope port 8444 to the reverse proxy port 8444. Also map the same instance's port 8898 to the reverse proxy port 8898 to generate quick reports using the reverse proxy.
- You can use the remaining available ports for other configurations in your environment as required.


Advanced Hardening Configuration

In this section

• Configure SiteScope to Verify Certificate Revocation
• Using Firefox When Client Certification is Enabled
• Import Certificate Authority Certificates into SiteScope TrustStores
• Enable JMX Remote Access
• Restore a Backed Up Configuration
• Configuring Framing Filters in SiteScope
• Automatically Terminating Sessions


Configure SiteScope to Verify Certificate Revocation

You use the Hardening Tool to configure SiteScope to verify revocation of client certificates. For details, see How to Use the Hardening Tool to Configure SiteScope to Verify Certificate Revocation.


Using Firefox When Client Certification is Enabled

If smart card enforcement is disabled, but client certificate authentication is enabled, to open the SiteScope user interface in Firefox, you must:

1. Import your personal certificate into Firefox, as follows:
   a. In Firefox, go to Tools > Options > Advanced > Certificates > View Certificates. The Certificate Manager dialog box opens.
   b. Click Import... and open your personal certificate in .p12 (or .pfx) file format. The Password Entry dialog box opens.
   c. Enter the password used to encrypt this certificate backup and click OK. The certificate appears in the Certificate Manager dialog box, confirming that the certificate is added to Firefox.
2. Import your personal certificate into the client JRE, as follows:
   a. In the JRE, open the Java Control Panel.
   b. Go to Security > Certificates and select Client Authentication as the Certificate type.
   c. Click Import and open the client certificate that you imported into Firefox.
   d. Click OK. The personal certificate appears in the JRE.
3. Enter the SiteScope URL in Firefox. The User Identification Request dialog box opens. Select the personal certificate that you created in step 1 to present as identification.


Import Certificate Authority Certificates into SiteScope TrustStores

For SiteScope to trust a client certificate, SiteScope must trust the Certificate Authority that issued the client certificate. For SiteScope to trust a Certificate Authority, the Certificate Authority's certificate must be stored in the SiteScope server and main TrustStores.

The SiteScope server TrustStore is responsible for authentication of all incoming connection requests from clients (API and browsers).

The SiteScope main TrustStore is a Certificate Authority Java TrustStore that is located in the Java directory in the SiteScope install directory. This TrustStore is responsible for SiteScope certificate management.

Use the Hardening Tool to import Certificate Authority certificates into SiteScope server and main TrustStores.

Related Topics

How to Use the Hardening Tool to Import Certificate Authority Certificates into SiteScope TrustStores


Enable JMX Remote Access

By default, JMX remote access to the SiteScope server is disabled. You can enable the access. Use the Hardening Tool to configure JMX remote access. For details, see How to Use the Hardening Tool to Configure JMX Remote Access.


Restore a Backed Up Configuration

When you run the Hardening Tool, the existing SiteScope configuration is automatically backed up. To restore a backed up configuration, see How to Use the Hardening Tool to Restore a Backed Up Configuration.


Configure Framing Filters in SiteScope

A frame is a part of a web page or browser window which displays content independent of its container, with the ability to load content independently. Framing of SiteScope is enabled by default.

If you do not want other sites to be able to frame SiteScope, or you want to allow partial framing only, you must perform the following:

1. Open the master.config file in <SiteScope root directory>\groups, and configure the _disableFramingFiltering property as required:
   • True. Filter is disabled which allows SiteScope to be framed from every web page. (This is the default setting.)
   • False. Filter is enabled which prevents SiteScope being framed from web pages, including Micro Focus products such as APM, OM, and Performance Center. For example, APM's hosted user interface will not work.
   • Smart. Enables partial framing of SiteScope according to the plugs listed in the _framingFilteringPlugsClasses property.
2. When using partial framing, create plugs that you want applied by the filter, and add them to the _framingFilteringPlugsClasses property.
   a. Navigate to the _framingFilteringPlugsClasses property in the master.config file. By default, this property includes the following out-of-the-box plugs:
      • com.mercury.sitescope.web.request.framing.plugs.LWSSOPlug. Allows requests sent with a Lightweight Single Sign-On (LW-SSO) token.
      • com.mercury.sitescope.web.request.framing.plugs.BSMPlug. Allows requests sent from APM's SAM Administration.
      • com.mercury.sitescope.web.request.framing.plugs.PerformanceCenterPlug. Allows requests from Performance Center.

      You can disable any of the out-of-the-box plugs by removing them from the property.
   b. To add your own plugs:


      i. Write the plug which must implement the interface: com.mercury.sitescope.web.request.framing.IFramingPlug.

         This interface exists in <SiteScope root directory>\WEB-INF\lib\ss_webaccess.jar. This jar must be in the classpath to compile the plug.

         Below is an example of a plug that allows framing for a parameter with the request name exampleParameter when this parameter is set to true:

    package com.company.sitescope.examples.plug;

    import javax.servlet.ServletRequest;
    import javax.servlet.http.HttpServletRequest;

    import com.mercury.sitescope.web.request.framing.IFramingPlug;

    public class ExamplePlug implements IFramingPlug {

        @Override
        public boolean isAuthorized(ServletRequest request) {
            // Add the code that will determine whether this request comes from an authorized product.
            if (request == null) {
                return false;
            }
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            // A missing parameter means the request is not authorized to frame SiteScope.
            if (httpServletRequest.getParameter("exampleParameter") == null) {
                return false;
            }
            return "true".equalsIgnoreCase((String) httpServletRequest.getParameter("exampleParameter"));
        }
    }

      ii. Add the class fully qualified name to the _framingFilteringPlugsClasses property in the master.config file (separated by a comma).

          For example, com.company.sitescope.examples.plug.ExamplePlug should be appended to the list.

      iii. Create a jar that contains all your own plugs, and add it to the <SiteScope root directory>\WEB-INF\lib folder.

3. Restart SiteScope (required after making any changes to the master.config file).


Automatically Terminating Sessions

After you have logged in to SiteScope, you can set a time period for terminating session identifiers.

1. Open the <SiteScope root directory>\groups\master.config file, and change the value of the _maxSessionTimeMinutes property. For example, if you enter 2, after two minutes, the session will expire and automatically redirect you to the SiteScope login page.

   Note that the default value is 20, which indicates the session will expire in 20 minutes.

2. Restart the SiteScope server.
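
Added example (not part of the SiteScope documentation or product): a Python audit of the two master.config settings described in Configure Framing Filters in SiteScope and Automatically Terminating Sessions. It assumes master.config stores one _name=value property per line and that an absent property takes the documented default; the finding codes, the policy threshold parameter and the sample file contents are constructed for illustration.

```python
"""Audit framing-filter and session-timeout settings in a SiteScope master.config."""
import re

# Assumption: master.config holds one "_name=value" property per line.
PROP_RE = re.compile(r"^\s*(_[A-Za-z0-9_]+)\s*=(.*)$")

# Out-of-the-box plugs listed in the documentation above.
STOCK_PLUGS = {
    "com.mercury.sitescope.web.request.framing.plugs.LWSSOPlug",
    "com.mercury.sitescope.web.request.framing.plugs.BSMPlug",
    "com.mercury.sitescope.web.request.framing.plugs.PerformanceCenterPlug",
}
DEFAULT_SESSION_MINUTES = 20  # documented default for _maxSessionTimeMinutes

# Constructed sample inputs (not taken from a real installation).
SAMPLE_DEFAULT = "\n".join([
    "_disableFramingFiltering=True",
    "_framingFilteringPlugsClasses=" + ",".join(sorted(STOCK_PLUGS)),
    "_maxSessionTimeMinutes=20",
])
SAMPLE_SMART = "\n".join([
    "_disableFramingFiltering=Smart",
    "_framingFilteringPlugsClasses="
    "com.mercury.sitescope.web.request.framing.plugs.LWSSOPlug,"
    " com.company.sitescope.examples.plug.ExamplePlug",
    "_maxSessionTimeMinutes=120",
])


def parse_master_config(text):
    """Return {property: value}; if a property repeats, the last one wins (assumption)."""
    props = {}
    for line in text.splitlines():
        match = PROP_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit(text, max_session_minutes=DEFAULT_SESSION_MINUTES):
    """Return a list of (code, detail) findings for the framing and session settings.

    max_session_minutes is a site policy limit chosen by the auditor (hypothetical
    parameter); it defaults to the documented product default of 20 minutes.
    """
    props = parse_master_config(text)
    findings = []

    # Framing filter: True (the default) lets every web page frame SiteScope.
    mode = props.get("_disableFramingFiltering", "true").lower()
    plugs = [p.strip()
             for p in props.get("_framingFilteringPlugsClasses", "").split(",")
             if p.strip()]
    if mode == "true":
        findings.append(("FRAMING_OPEN",
                         "filter disabled: SiteScope can be framed from every web page"))
    elif mode == "smart":
        if not plugs:
            findings.append(("SMART_NO_PLUGS",
                             "Smart mode set but _framingFilteringPlugsClasses is empty"))
        for plug in plugs:
            if plug not in STOCK_PLUGS:
                # Each custom plug decides who may frame SiteScope: review isAuthorized().
                findings.append(("CUSTOM_PLUG", plug))
    elif mode != "false":
        findings.append(("FRAMING_UNKNOWN_VALUE", mode))

    # Session lifetime: must be a positive integer within the policy limit.
    raw = props.get("_maxSessionTimeMinutes", str(DEFAULT_SESSION_MINUTES))
    try:
        minutes = int(raw)
    except ValueError:
        findings.append(("SESSION_INVALID", raw))
    else:
        if minutes <= 0:
            findings.append(("SESSION_INVALID", raw))
        elif minutes > max_session_minutes:
            findings.append(("SESSION_LONG",
                             f"{minutes} minutes exceeds policy limit of {max_session_minutes}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("smart", SAMPLE_SMART)):
        print(name)
        for code, detail in audit(sample):
            print(f"  {code}: {detail}")
```

To audit a real installation, pass the text of <SiteScope root directory>\groups\master.config to audit() in place of the constructed samples.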


Configure SiteScope to Operate in FIPS 140-2 Compliant Mode

In this section

• FIPS 140-2 Compliancy Overview
• Enable FIPS 140-2 Compliant Mode
• Disable FIPS 140-2 Compliant Mode


FIPS 140-2 Compliancy Overview

FIPS 140‑2, or Federal Information Processing Standard, is a U.S. and Canadian government certification standard for encryption and cryptographic modules where each individual encryption component in the overall solution requires an independent certification. It was developed to define procedures, architecture, algorithms, and other techniques used in computer systems. The full FIPS text is available online from the National Institute of Standards and Technology (NIST).

To operate in FIPS 140-2 compliant mode, the SiteScope administrator must enable FIPS 140-2 mode using the SiteScope Hardening Tool. SiteScope runs self-tests at startup, performs the cryptographic modules integrity check, and then regenerates the keying materials. At this point, SiteScope is operating in FIPS 140-2 mode.

Reasons to Enable FIPS Mode:

Your organization might need to use SiteScope in FIPS mode if:

• You are a Federal Government department or contractor.
• You want to increase your security to protect your business from advanced attacks and data theft.

Software Requirements

FIPS compliance requires that your operating system and browser meet specific requirements for versions and settings.

While all browsers supported in SiteScope are supported in FIPS mode, not all versions of operating systems can handle the cryptographic demands FIPS requires. As a result, some operating systems SiteScope normally supports are not supported in FIPS mode.

To run in FIPS mode, SiteScope must be installed on the following operating system:

• Windows Server 2012 R2 (64‑bit)

JDBC Drivers

When running SiteScope in FIPS mode, you should consider using your JDBC driver instead of the default drivers that are provided with SiteScope.

SiteScope Connected With Non-FIPS Compliant Applications

When SiteScope is connected to an application that uses an algorithm that is not FIPS approved, the connection between SiteScope and that application will not be FIPS compliant (even if FIPS-140-2 mode was enabled on SiteScope).


Enable FIPS 140-2 Compliant Mode

To enable SiteScope to run in FIPS 140-2 compliant mode when using a secure connection, you must perform the following steps:

Step 1: Configure LDAP integration

You need to enable LDAP user authentication to log in to SiteScope using client certificates.

1. Configure the LDAP server on SiteScope. For details, see "How to Set Up SiteScope to Use LDAP Authentication" in the Using SiteScope Guide in the SiteScope Help.
2. Create a new role in SiteScope user management for LDAP users.
3. Change the SiteScope administrator login name to the email address of the user located in LDAP. This should be the same as the user in the client certificate (that is entered in step 3 of Step 6: Configure Client Authentication). Do not enter a password.

Step 2: Configure Your Windows operating system for FIPS 140-2 compliant mode

1. Configure your Windows operating system for FIPS 140-2 mode.
   a. Use administrative credentials to log on to the computer.
   b. Click Start, click Run, type gpedit.msc, and then press ENTER. The Local Group Policy Editor opens.
   c. In the Local Group Policy Editor, double-click Windows Settings under the Computer Configuration node, and then double-click Security Settings.
   d. Under the Security Settings node, double-click Local Policies, and then click Security Options.


   e. In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
   f. In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled, and then click OK to close the dialog box.
   g. Close the Local Group Policy Editor.
   h. Make sure that this security option was enabled.
      i. Open Registry Editor. Click Start, click Run, type regedit, and then press ENTER. The Registry Editor opens.
      ii. Find the following key and verify the value.

          Key: HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled.

          This registry value reflects the current FIPS setting. If this setting is enabled, the value is 1. If this setting is disabled, the value is 0.

          Value: 1.

For additional information, see:

http://technet.microsoft.com/en-us/library/cc750357.aspx

http://support.microsoft.com/kb/811833

Step 3: Run SiteScope Hardening Tool Runtime

Start the Hardening Tool by running the following command:

<SiteScope_home_directory>\tools\SiteScopeHardeningTool\runSSLConfiguration.bat

Step 4: Disable JMX remote access to the SiteScope server

Use the Hardening Tool to disable JMX remote access to the SiteScope server:

1. Run the Hardening Tool. For details, see How to Run the Hardening Tool.


2. Select the option "Configure JMX remote access".
3. Follow the instructions in the tool for disabling JMX remote access.

Changes in configuration take effect only after you exit the Hardening Tool.

Step 5: Configure SSL

1. Start the Hardening Tool by running the command line:

   <SiteScope_home_directory>\tools\SiteScopeHardeningTool\runSSLConfiguration.bat

2. Enter 1 to select the "SiteScope hardening configuration" option.
3. Enter a name to use for the backup file that is created. This is required if you need to disable FIPS 140-2 mode and restore the previous SiteScope configuration that existed before running the Hardening Tool. For details, see Disable FIPS 140-2 Compliant Mode.
4. Enter 2 to select the "Configure SiteScope Standalone to work over SSL (https)" option.
5. Enter Y to confirm that you want to configure SiteScope to work over SSL.
6. Enter Y to confirm you want SiteScope to be FIPS 140-2 compliant.
7. When FIPS 140-2 compliant mode is successfully configured, select one of the following methods to create the SiteScope server keystore to hold the SiteScope server certificate:

   • Import a server keystore in .pkcs12 format

     The tool prompts you to select an alias in which the key for SiteScope SSL authentication is located.

     Note that if you later configure SiteScope and SiteScope public API client for client certificate authentication (see Configure SiteScope to Require Client Certificate Authentication), SiteScope uses this alias to export the key to the client TrustStore of the SiteScope API.

     Follow the instructions in the tool.


   • Create a server keystore by signing a request on a certified Certificate Authority server.

     Selecting this option creates a new keystore and generates a key request to a certificate authority for a signed certificate. The generated certificate is then imported into the keystore.

     The tool prompts you to enter server keystore parameters. For the Common Name, you must enter the same URL used on your machine, including FQDN if used (for example, yourserver.domain.com), and for the alias name, your machine's name (for example, yourserver).

8. Copy the signed SiteScope server certificate to create a signed certificate by your Certificate Authority server.
9. Enter the full path to the signed certificate that you received from the Certificate Authority server.
10. Enter the full path to the root CA certificate that was used to issue the above certificate.
11. Type yes to trust the certificate you received from the Certificate Authority server. The certificate is added to the SiteScope server keystore.

Step 6: Configure Client Authentication

1. Enter a password for the SiteScope server TrustStore for client certificate authentication. The password must be at least 6 characters long, and should not contain any special characters.
2. Enter Y to confirm that you want to enable client certification authentication.

   If you enable client authentication, SiteScope performs full client authentication upon the handshake and extracts a client certificate. This client certificate is checked against the SiteScope user management (LDAP) system. For details, see Step 1: Configure LDAP integration.

3. Enter a username property for the client certificate in the client certificate AlternativeSubjectName field. The default username is Other Name.
4. Enter Y to confirm you want to enable smart card enforcement.

   If you enable smart card enforcement, SiteScope verifies that the client certificate originates from a hardware device, and adds the certificate to the SiteScope TrustStore.


   For more details about smart card enforcement, see Configure Smart Card Authentication.

5. Enter Y to confirm you want to add CA certificates to the SiteScope TrustStore.

   Note that for SiteScope to trust a client certificate, SiteScope must trust the Certificate Authority that issued the client certificate. For SiteScope to trust a Certificate Authority, the Certificate Authority's certificate must be imported into the SiteScope server TrustStore.

6. Enter the full path to the root CA certificate file in CER format.
7. The CA certificate is added to the SiteScope TrustStore.

   If the certificate already exists in the keystore, a message is displayed. Type yes to confirm you still want to add the certificate to the SiteScope TrustStore.

8. (Optional) To add additional CA certificates to the SiteScope server TrustStore, enter Y, and repeat steps 1-3.

   Note that no additional CA certificates are required.

9. Enter Q to complete the Hardening Tool process.


Disable FIPS 140-2 Compliant Mode

If FIPS 140-2 compliant mode was enabled and you are using a secure connection, you cannot use the disable FIPS option in the Hardening Tool to disable FIPS 140-2 compliant mode. Instead, you must restore the previous SiteScope configuration that existed before FIPS mode was enabled.

If FIPS 140-2 compliant mode was enabled using a non-secure connection, you use the disable FIPS 140-2 compliant mode option in the Hardening Tool.

Disable FIPS 140-2 Compliant Mode for a Secure Connection

1. Start the Hardening Tool by running the command line:

   <SiteScope_home_directory>\tools\SiteScopeHardeningTool\runSSLConfiguration.bat

2. Enter 2 to select the "Restore SiteScope configuration from backup" option.
3. Enter the number of the backup configuration you want to restore from the list of available backups.
4. Enter y to confirm you want to restore the selected backup configuration.
5. Enter Q to complete the Hardening Tool process.

Disable FIPS 140-2 Compliant Mode for a Non-Secure Connection

1. Start the Hardening Tool by running the command line:

   <SiteScope_home_directory>\tools\SiteScopeHardeningTool\runSSLConfiguration.bat

2. Enter 1 to select the "SiteScope hardening configuration" option.
3. When prompted in the tool, select the "Configure FIPS 140-2 compliancy for a non-secure connection" option.


4. Enter 2 to disable FIPS 140-2 compliant mode.
5. Enter y to confirm that you want to disable FIPS 140-2 compliant mode.
6. Enter Q to complete the Hardening Tool process.


Configure SiteScope to Use a Custom Key for Data Encryption

In this section

• Key Management Overview
• How to Configure SiteScope to Use a Custom Key for Data Encryption
• How to Export and Import Configuration Data When Using a Custom Key for Data Encryption


Key Management Overview

By default, SiteScope encrypts the persistency data using a standard encryption algorithm (persistency data includes configuration data of all the defined monitors, groups, alerts, templates, and many other SiteScope entities found in the <SiteScope root>\persistency directory).

You can use the Key Management for data encryption option in the Hardening Tool to change the cryptographic key used for encrypting SiteScope persistency data. Changing cryptographic keys provides stronger encryption than the standard SiteScope encryption.

Using Key Management for data encryption is supported on the following SiteScope tools: Hardening Tool, Persistency Viewer, and Persistency Logger. Key Management for data encryption can also be configured to operate when SiteScope is in FIPS 140-2 compliant mode.

When Key Management is enabled, you configure SiteScope to use a custom key for data encryption. You do this by entering a passphrase which SiteScope uses to generate a new key and encrypt the persistency data. You must enter this passphrase when exporting SiteScope persistency data from your current SiteScope for later import into SiteScope. When importing the persistency data (either during installation, or after installation using the SiteScope Configuration Tool), you must enter the same passphrase for the SiteScope server key. Note that the key is not saved to the persistency.


How to Configure SiteScope to Use a Custom Key for Data Encryption

Using Key Management, you can manage and change the cryptographic keys that are used for encrypting the SiteScope configuration data (persistency).

1. Install SiteScope.
2. Start SiteScope (in order to generate SiteScope persistency data).
3. Stop SiteScope.
4. Run the Hardening Tool.
   a. When prompted in the tool, select the option "Enable or re-encrypt key management data encryption".
   b. Enter 1 to re-encrypt persistency data using a custom key. Changing cryptographic keys for encrypting the configuration provides stronger encryption than the standard SiteScope encryption.

      To restore persistency data to the standard key encryption, enter 2.

   c. Confirm you want to re-encrypt persistency data using a custom key.
   d. Enter a new passphrase to use for the custom key (this passphrase is not the one that is already in use; it is for the new iteration of the encryption). The passphrase cannot contain empty spaces or escaped characters.
   e. Choose the encryption key size (128, 192 or 256).

      SiteScope generates a new key, and uses it to encrypt the persistency data.

      Note that you must enter this passphrase when using the SiteScope Configuration Wizard or the SiteScope Configuration Tool to export or import SiteScope configuration data that was encrypted using this custom key. Note that the passphrase is not stored with the zip file in the exported configuration.


5. Start SiteScope.

Restore Default Data Encryption Mode

To restore default data encryption mode, follow these steps:

1. Stop SiteScope service.
2. Start the Hardening tool by running the following command:

   On Windows:
   <SiteScope_home_directory>\tools\SiteScopeHardeningTool\runSSLConfiguration.bat

   On Linux:
   ./opt/HP/SiteScope/tools/SiteScopeHardeningTool/runSSLConfiguration.sh

   Hardening tool opens.

3. Enter 1 for selecting the option to do a SiteScope hardening configuration.
4. Enter 9 for selecting the option to configure key management data encryption.
5. Enter 2 for selecting the option to restore default data encryption mode.

The changes in configuration take effect only after you exit the Hardening Tool.


How to Export and Import Configuration Data When Using a Custom Key for Data Encryption

When SiteScope is configured to use Key Management for data encryption, you enter a passphrase that SiteScope uses to generate a new key. SiteScope uses this key to encrypt the persistency data. When you later export or import this encrypted data into SiteScope, you must enter the same passphrase for the SiteScope server key.

1. Export SiteScope configuration data from your current SiteScope for later import into SiteScope.

   • When using the SiteScope Configuration Tool:
     i. In the Export Configuration screen, enter the passphrase used for the SiteScope server KeyStore in the Passphrase box. This box is disabled when the default SiteScope encryption is used.
     ii. Click Next to complete the export operation. The configuration data is encrypted and exported using the custom key.

     Note that these input fields are disabled when the default SiteScope encryption is used.

   • When running the Configuration Tool in console mode using the Configuration Tool: In the Export Configuration screen, enter the passphrase used for the SiteScope server KeyStore when prompted, and then press ENTER to complete the export operation.

   • When using silent mode: Enter the key management data encryption passphrase in the relevant section of the ovinstallparams.ini file.

2. Import SiteScope configuration data.

   • User interface (during installation in the SiteScope Configuration Wizard, or post-installation in the SiteScope Configuration Tool):
     i. In the Import Configuration screen, enter the name of the user data (zip) file to import, or enter the SiteScope installation directory from which to import the user data file.
     ii. In the Passphrase box, enter the passphrase used for the SiteScope server KeyStore. Confirm the passphrase by entering the same passphrase in the Match passphrase box.

         Note that these boxes are disabled when the default SiteScope encryption is used.


     iii. Click Next to complete the import operation.

   • Console mode (during installation, or post-installation using the Configuration Tool): In the Import Configuration screen, enter the passphrase used for the SiteScope server key when prompted, and then press ENTER to complete the import operation.

   • Silent installation: Enter the passphrase for the custom key used for data encryption in the relevant section of the ovinstallparams.ini file.

   The imported configuration data is encrypted using the custom key.


Configure SiteScope to Communicate With APM Over a Secure Connection

In this section

• Configure SiteScope to Connect to an APM Server That Requires a Secure Connection
• Configure SiteScope to Connect to an APM Server That Requires a Client Certificate
• Configure APM to Connect to SiteScope When SiteScope Requires a Client Certificate


Configure SiteScope to Connect to an APM Server That Requires a Secure Connection

To configure SiteScope to connect to an APM server that requires a secure connection, you must establish trust to enable secure communication between SiteScope and APM. This means that SiteScope must trust the Certificate Authority that issued the APM server certificate. For SiteScope to trust a Certificate Authority, the Certificate Authority's certificate must be stored in the SiteScope server and main TrustStores. For details, see Import Certificate Authority Certificates into SiteScope TrustStores.


Configure SiteScope to Connect to an APM Server That Requires a Client Certificate

You can configure SiteScope to connect to an APM server that requires a client certificate. This involves importing the APM server certificate into a SiteScope keystore.

We recommend that you do this by using the Hardening Tool. For details, see How to Use the Hardening Tool to Configure SiteScope to Connect to an APM Server That Requires a Client Certificate.

It is also possible to use the manual procedures.


Configure APM to Connect to SiteScope When SiteScope Requires a Client Certificate

In APM, perform the following steps on both the Gateway and Data Processing Servers:

1. Copy the file <SiteScope Home>\templates.certificates\BSMClientKeystore from the SiteScope machine file to any folder on the APM machine.
2. Stop APM.
3. Edit <APM root directory>\EjbContainer\bin\product_run.bat and add the following:

   set SECURITY_OPTS=-Djavax.net.ssl.keyStore=FULL_PATH_TO_COPIED_BSMClientKeyStore_File -Djavax.net.ssl.keyStorePassword=PASSWORD_FOR_BSMClientKeyStore_File -Djavax.net.ssl.keyStoreType=JKS
   set JAVA_OPTS=%JAVA_OPTS% %SECURITY_OPTS%

   where FULL_PATH_TO_COPIED_BSMClientKeyStore_File is a keystore path, and PASSWORD_FOR_BSMClientKeyStore_File is the keystore password.

4. Restart APM.
5. Configure APM and SiteScope in System Availability Management (SAM) Administration.
6. Change the Gateway Server name/IP address property in SAM Administration > New/Edit SiteScope > Distributed Settings to the Fully Qualified Domain Name (FQDN) of the secure reverse proxy.


Use the Hardening Tool

The Hardening Tool is a command-line tool that enables you to configure SiteScope to perform a full or partial hardening of SiteScope.

Note that each time the tool runs, it performs a full backup of the existing SiteScope configuration, enabling you to roll back to a backed up configuration. For details, see How to Use the Hardening Tool to Restore a Backed Up Configuration.

You can use the Hardening Tool to perform the following tasks:

• How to Run the Hardening Tool
• How to Use the Hardening Tool to Configure SiteScope to Require a Secure Connection
• How to Use the Hardening Tool to Configure SiteScope to Verify Certificate Revocation
• How to Use the Hardening Tool to Import Certificate Authority Certificates into SiteScope TrustStores
• How to Use the Hardening Tool to Configure SiteScope to Connect to an APM Server That Requires a Client Certificate
• How to Use the Hardening Tool to Enable FIPS 140-2 Compliant Mode
• How to Use the Hardening Tool to Enable Key Management for Data Encryption
• How to Use the Hardening Tool to Configure SiteScope and SiteScope Public API Client Certificate Authentication
• How to Use the Hardening Tool to Configure JMX Remote Access
• How to Use the Hardening Tool to Restore a Backed Up Configuration

How to Run the Hardening Tool

This topic describes how to open and run the Hardening Tool. To perform the other tasks described in the topics in this chapter, you must first perform the steps in this topic.

1. If you want to enable LDAP user authentication (required if you intend to log in to SiteScope by using client certificates only), configure LDAP integration before running the tool:

a. Configure the LDAP server on SiteScope. For details, see "How to Set Up SiteScope to Use LDAP Authentication" in the Using SiteScope Guide in the SiteScope Help.

b. Create a new role in SiteScope user management for LDAP users.

c. Change the SiteScope administrator login name to the email address of a user located in LDAP. Do not enter a password.

2. Stop the SiteScope service:

Windows:

If you are running SiteScope from go.bat, close the command-line terminal or press CTRL+C.

If you are running SiteScope as a service:

i. In Windows Explorer, search for services. The Component Services window opens.

ii. In the left pane, select Services (Local).

iii. In the services list in the center pane, select SiteScope.

iv. In the area to the left of the service list, click Stop the service.

Linux:

Run the command line:

cd /opt/HP/SiteScope/
./stop

Do not run the Hardening Tool when SiteScope is running.

3. Start the tool by running the command line:

Windows:

cd <SiteScope_home_directory>\tools\SiteScopeHardeningTool

runSSLConfiguration.bat

Linux:

cd /opt/HP/SiteScope/tools/SiteScopeHardeningTool

./runSSLConfiguration.sh

The Hardening Tool opens.

4. When prompted in the tool, select the option "SiteScope hardening configuration". The existing SiteScope configuration is automatically backed up.

5. When prompted, enter a backup description to allow easy recognition in case you want to restore that backup in the future. To restore a backed up configuration, see How to Use the Hardening Tool to Restore a Backed Up Configuration.

Note: When you use the Hardening Tool, the Tomcat configuration file server.xml in the /opt/HP/SiteScope/Tomcat/conf directory is overwritten, and any modifications made to that file before running the tool are removed. To restore these modifications, you must reapply them to this file after running the tool.

6. Select one or a combination of the tasks listed in the tool.

For details on using the Hardening Tool to perform configuration tasks, see the other topics in this chapter.

Note that changes in configuration take effect only after you exit the Hardening Tool.
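
The note in step 5 says that server.xml is overwritten and that earlier modifications must be reapplied by hand. The following added example (not part of the SiteScope documentation or the Hardening Tool) compares a copy of server.xml taken before the run with the rewritten file and lists the lines that no longer exist. The function names and both sample files are constructed for illustration; the "after" sample is not real tool output.

```python
import difflib
from pathlib import Path

# Constructed sample: a server.xml carrying two local customizations
# (a tuned connector and an access-log valve).
BEFORE_SAMPLE = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" maxThreads="300"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" pattern="common"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample standing in for the file after the tool has rewritten it.
AFTER_SAMPLE = """\
<Server port="8005" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps">
</Host>
</Engine>
</Service>
</Server>
"""


def significant_lines(xml_text):
    """Drop blank lines and indentation so pure re-indentation is not reported."""
    return [line.strip() for line in xml_text.splitlines() if line.strip()]


def lost_lines(before_xml, after_xml):
    """Return the lines of the pre-run file that are gone or changed afterwards."""
    before = significant_lines(before_xml)
    after = significant_lines(after_xml)
    matcher = difflib.SequenceMatcher(a=before, b=after, autojunk=False)
    lost = []
    for tag, i1, i2, _j1, _j2 in matcher.get_opcodes():
        # "delete": line removed; "replace": line rewritten by the tool.
        if tag in ("delete", "replace"):
            lost.extend(before[i1:i2])
    return lost


def lost_lines_from_files(snapshot_path, current_path):
    """Same comparison for a saved copy and the live file, e.g. a copy of
    /opt/HP/SiteScope/Tomcat/conf/server.xml made before running the tool."""
    before = Path(snapshot_path).read_text(encoding="utf-8")
    after = Path(current_path).read_text(encoding="utf-8")
    return lost_lines(before, after)


if __name__ == "__main__":
    for line in lost_lines(BEFORE_SAMPLE, AFTER_SAMPLE):
        print("review and reapply if still needed:", line)
```

Lines the tool changed on purpose (here the connector) appear in the list as well, so each entry needs a decision rather than a blind copy back.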

How to Use the Hardening Tool to Configure SiteScope to Require a Secure Connection

Note that if you plan to enable SiteScope to run in FIPS 140-2 compliant mode, follow the procedures in Enable FIPS 140-2 Compliant Mode.

You can use the Hardening Tool to configure SiteScope to require a secure connection (https).

1. Run the Hardening Tool. For details, see How to Run the Hardening Tool.

2. When prompted in the tool, select the option "Configure SiteScope Standalone to work over SSL (https)".

Alternatively, if you want to perform all the hardening configuration tasks available in the tool, select the option "Full SiteScope hardening configuration (all of the configuration options)".

3. Confirm that you want to configure SiteScope to work over SSL.

4. Confirm whether you want to configure SiteScope to be FIPS 140-2 compliant. For details, see Enable FIPS 140-2 Compliant Mode.

5. Select one of the following methods to create the SiteScope server keystore to hold the SiteScope server certificate:

Import a server keystore in .jks format.

The tool prompts you to select an alias in which the key for SiteScope SSL authentication is located.

Note: If you later configure SiteScope and SiteScope public API client for client certificate authentication (see Configure SiteScope to Require Client Certificate Authentication), SiteScope uses this alias to export the key to the client TrustStore of the SiteScope API.

Follow the instructions in the tool.

Create a server keystore by signing a request on a certified Certificate Authority server.

Selecting this option creates a new keystore and generates a key request to a certificate authority for a signed certificate. The generated certificate is then imported into the keystore.

The tool prompts you to enter server keystore parameters. We recommend that for the Common Name, you enter your machine's URL (for example, yourserver.domain.com), and for the alias name, your machine's name (for example, yourserver).

Import a server keystore from a server certificate in .pfx format.

Selecting this option creates a keystore from a certificate in .pfx format. This certificate must contain its private key.

The Hardening Tool automatically ensures that the keystore password and the private key are the same each time a keystore is created.

Note: When you create the server certificate in .pfx format, you must create it with a password.

6. Enter a username property for the client certificate. The default username is Other Name.

The server certificate is imported to the server keystore. The certificate alias appears in the tool.

7. Confirm if you want to enable SiteScope client authentication.

If you enable client TLS authentication, SiteScope performs full client TLS authentication upon the TLS handshake and extracts a client certificate. This client certificate is checked against the SiteScope user management system.

8. Confirm if you want to enable smart card enforcement.

If you enable smart card enforcement, SiteScope verifies that the client certificate originates from a hardware device. For more details about smart card enforcement, see Configure Smart Card Authentication.

9. Enter a password for the SiteScope server TrustStore.

For SiteScope to trust a client certificate, SiteScope must trust the Certificate Authority that issued the client certificate. For SiteScope to trust a Certificate Authority, the Certificate Authority's certificate must be stored in the SiteScope server and main TrustStores. To import Certificate Authority certificates into SiteScope TrustStores, see How to Use the Hardening Tool to Import Certificate Authority Certificates into SiteScope TrustStores.

10. Enter Q to complete the Hardening Tool process.

How to Use the Hardening Tool to Configure SiteScope to Verify Certificate Revocation

You can use the Hardening Tool to configure SiteScope to verify revocation of client certificates using the following methods:

Certificate Revocation List (CRL)

Enables you to verify client certificate revocation through a CRL. The URL of the CRL is located in the client certificate properties. The list is downloaded to the local server. You are prompted to enter a lifetime for the CRL cached on the local server.

The following table describes the CRL lifetime:

CRL value    Description
-1           The CRL is cached locally and reloaded only if changed on the server. This value is recommended for better performance.
0            The CRL is reloaded with each verification request.
≥1           The CRL lifetime in seconds. At the expiration of this time, the CRL is reloaded.

Online Certificate Status Protocol (OCSP)

Enables you to verify client certificate revocation through a connection to a remote server. SiteScope passes the serial number of the client certificate to the remote server and waits for a response. The default OCSP responder URL is located in the client certificate properties, but you can override this URL.

You can verify client certificate revocation via a CRL, or via a CRL and the OCSP.

To verify client certificate revocation:

1. Run the Hardening Tool. For details, see How to Run the Hardening Tool.

2. Select the option "Configure SiteScope SSL certificate revocation verification via CRL and OCSP".

3. Follow the instructions in the tool.

The tool prompts you to activate the forward HTTP proxy.

If you activate the forward HTTP proxy, all certificate revocation requests are redirected through the proxy server to CRL and OCSP URLs.

You can also configure SiteScope to comply with the Federal Information Processing Standard (FIPS) Publication 140-2 if required. For details, see Configure SiteScope to Operate in FIPS 140-2 Compliant Mode.

Changes in configuration take effect only after you exit the Hardening Tool.
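
The three CRL lifetime values trade download traffic against how long a revoked client certificate keeps being accepted. The following added example (a model written for this page, not SiteScope code) simulates a client certificate that is revoked between two verification requests and reports, for a given lifetime, when the revocation is first noticed and how many CRL downloads took place. The class names, the serial number and the way "changed on the server" is detected for -1 are assumptions; the page does not describe that mechanism.

```python
class CrlDistributionPoint:
    """Constructed stand-in for the CRL URL in the certificate; no network."""

    def __init__(self):
        self.version = 1          # bumped on every new CRL issue
        self.revoked = frozenset()
        self.downloads = 0

    def revoke(self, serial):
        self.revoked = self.revoked | {serial}
        self.version += 1

    def download(self):
        self.downloads += 1
        return self.version, self.revoked


class CrlCache:
    """Local CRL cache following the lifetime table: -1, 0 or seconds >= 1."""

    def __init__(self, source, lifetime):
        if lifetime < -1:
            raise ValueError("lifetime must be -1, 0 or a positive number")
        self.source = source
        self.lifetime = lifetime
        self.version = None
        self.revoked = frozenset()
        self.loaded_at = None

    def needs_reload(self, now):
        if self.loaded_at is None:
            return True                      # nothing cached yet
        if self.lifetime == 0:
            return True                      # reload on every request
        if self.lifetime == -1:
            # Assumption: a cheap change probe (modelled as a version compare).
            return self.source.version != self.version
        return now - self.loaded_at >= self.lifetime

    def is_revoked(self, serial, now):
        if self.needs_reload(now):
            self.version, self.revoked = self.source.download()
            self.loaded_at = now
        return serial in self.revoked


def simulate(lifetime, serial="0A1B", revoke_at=5, check_every=10, duration=120):
    """Return (time the revocation was first seen or None, CRL downloads)."""
    source = CrlDistributionPoint()
    cache = CrlCache(source, lifetime)
    detected_at = None
    revoked = False
    for now in range(0, duration + 1, check_every):
        if not revoked and now >= revoke_at:
            source.revoke(serial)
            revoked = True
        if cache.is_revoked(serial, now) and detected_at is None:
            detected_at = now
    return detected_at, source.downloads


if __name__ == "__main__":
    for value in (-1, 0, 60, 300):
        print(value, simulate(value))
```

With a positive lifetime longer than the observation period (300 in the run above), the revoked certificate is never rejected during the simulation, which is the exposure window to weigh when choosing a value.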

How to Use the Hardening Tool to Import Certificate Authority Certificates into SiteScope TrustStore

For more information about importing Certificate Authority certificates into SiteScope TrustStores, see Import Certificate Authority Certificates into SiteScope TrustStores.

To import Certificate Authority certificates into SiteScope TrustStores:

1. Prerequisites (if configuring SiteScope to require a secure connection)

Before importing Certificate Authority certificates into SiteScope TrustStores, you must configure SiteScope to work over TLS by importing a SiteScope server certificate into the SiteScope server keystore. For details, see How to Use the Hardening Tool to Configure SiteScope to Require a Secure Connection.

2. Run the Hardening Tool. For details, see How to Run the Hardening Tool.

3. When prompted in the tool, select the option "Import CA certificates into SiteScope main and server trustStores".

4. Follow the instructions in the tool.

The tool accepts file paths in regular Windows format only. In UNIX format, where a blank space in a file path is preceded by a backslash (“\”) to indicate that a blank space follows, you should remove the backslash.

Format     File path
Windows    /user/temp dir/certificate.cer
UNIX       /user/temp\ dir/certificate.cer
           change to:
           /user/temp dir/certificate.cer

Changes in configuration take effect only after you exit the Hardening Tool.

How to Use the Hardening Tool to Configure SiteScope to Connect to an APM Server That Requires a Client Certificate

You use the Hardening Tool to configure client TLS authentication for APM integration. The tool enables you to configure SiteScope to allow APM to integrate with SiteScope. You can also use this tool to configure SiteScope Failover for TLS with client certificate authentication. In both cases, you must follow the procedure described below.

Note that before configuring TLS Client Authentication for APM integration, you must configure SiteScope to work over TLS by importing a SiteScope server certificate into the SiteScope server keystore. For details, see How to Use the Hardening Tool to Configure SiteScope to Require a Secure Connection.

If you have not already done this, the Hardening Tool prompts you to perform a full SiteScope hardening configuration.

To configure TLS client authentication for APM integration:

1. Run the Hardening Tool. For details, see Using the Hardening Tool.

2. Select the option "Configure SiteScope client certificate authentication for APM Integration".

3. Follow the instructions in the tool.

a. When prompted, enter a full path in .cer format to the Certificate Authority certificate that issued the APM server certificate. The APM server certificate is imported into the SiteScope TrustStore.

b. When prompted, confirm that you trust the APM server certificate. The APM server certificate is imported to the keystore.

c. When prompted, select one of the following methods to create the SiteScope server keystore to hold the SiteScope server certificate:

i. Import a server keystore in .jks format.

The tool prompts you to select an alias in which the key for SiteScope TLS authentication is located.

Note that if you later configure SiteScope and SiteScope public API client for client certificate authentication (see Configure SiteScope to Require Client Certificate Authentication), SiteScope uses this alias to export the key to the client TrustStore of the SiteScope API.

ii. Create a server keystore by signing a request on a certified Certificate Authority server.

Selecting this option creates a new keystore and generates a key request to a certificate authority for a signed certificate. The generated certificate is then imported into the keystore.

The tool prompts you to enter server keystore parameters. We recommend that for the Common Name, you enter your machine's URL (for example, anyserver.domain.com), and for the alias name, your machine's name (for example, anyserver).

iii. Import a server keystore from a server certificate in .pfx format.

Selecting this option creates a keystore from a certificate in .pfx format. This certificate must contain its private key.

The Hardening Tool automatically ensures that the keystore password and the private key are the same each time a keystore is created.

Note: When you create the server certificate in .pfx format, you must create it with a password.

d. When prompted, enter the password for the client keystore that will be used to authenticate APM. SiteScope creates the APM client certificate keystore.

e. When prompted, enter the password for the Discovery Agent TrustStore MAMTrustStoreExp.jks. The default password is logomania. We highly recommend that you do not change the default password.

f. During the configuration process, SiteScope automatically imports the APM server certificate into SiteScope TrustStore.

g. When prompted, confirm that you trust the APM server certificate. The APM server certificate is imported into the SiteScope keystore.

The tool accepts file paths in regular Windows format only. In UNIX format, where a blank space in a file path is preceded by a backslash (“\”) to indicate that a blank space follows, you should remove the backslash.

Format     File path
Windows    /user/temp dir/certificate.cer
UNIX       /user/temp\ dir/certificate.cer
           change to:
           /user/temp dir/certificate.cer

Changes in configuration take effect only after you exit the Hardening Tool.

How to Use the Hardening Tool to Enable FIPS 140-2 Compliant Mode for a Non-Secure Connection

You can use the Hardening Tool to configure SiteScope to be FIPS 140-2 compliant. FIPS 140-2 is a cryptographic module validation program, administered by the National Institute of Standards and Technology (NIST), that specifies the security requirements for cryptographic modules.

How to Use the Hardening Tool to Enable Key Management for Data Encryption

You can use Key Management in the Hardening Tool to change the cryptographic key used for encrypting the persistency data in SiteScope. This is a stronger encryption method than the standard method used in SiteScope. For details, see How to Configure SiteScope to Use a Custom Key for Data Encryption.

How to Use the Hardening Tool to Configure SiteScope and SiteScope Public API Client Certificate Authentication

You use the Hardening Tool to configure SiteScope and SiteScope public API client for client certificate authentication as follows:

1. Run the Hardening Tool. For details, see How to Run the Hardening Tool.

2. Select the option "Configure SiteScope and SiteScope public API client for client certificate authentication".

3. Follow the instructions in the tool.

a. If you enable LDAP user authentication for SiteScope public APIs, the username extracted from the API client certificate is authenticated by the LDAP server.

b. When you are prompted to add a client certificate signing authority to the SiteScope server TrustStore, the certificate is imported into SiteScope server TrustStore and main TrustStore. Created API configuration files are placed under the script directory in the API_Configuration directory.

c. The tool accepts file paths in regular Windows format only. In UNIX format, where a blank space in a file path is preceded by a backslash (“\”) to indicate that a blank space follows, you should remove the backslash.

Format     File path
Windows    /user/temp dir/certificate.cer
UNIX       /user/temp\ dir/certificate.cer
           change to:
           /user/temp dir/certificate.cer

Changes in configuration take effect only after you exit the Hardening Tool.

How to Use the Hardening Tool to Configure JMX Remote Access

You can use the Hardening Tool to enable or disable JMX remote access to the SiteScope server as follows:

1. Run the Hardening Tool. For details, see How to Run the Hardening Tool.

2. Select the option "Configure JMX remote access".

3. Follow the instructions in the tool.

Changes in configuration take effect only after you exit the Hardening Tool.

Enable JMX Remote Access with Authentication

By default, the JMX port is disabled in SiteScope without authentication. You can enable or disable JMX remote access with authentication using the SiteScope Hardening Tool.

Note: The Hardening Tool user and the SiteScope logon user must be the same. For example, if the SiteScope logon user is 'Admin', you must be logged in to the server as 'Admin'.

Enable JMX remote access

1. Stop the SiteScope service.

2. Go to <SiteScope_Directory>\tools\SiteScopeHardeningTool.

3. Run runSSLConfiguration.bat (for Windows) or runSSLConfiguration.sh (for Linux).

4. Select Option 1 - SiteScope hardening configuration.

5. Enter a description for the backup.

6. Select Option 7 - Configure JMX remote access.

7. Type 'y' to "Would you like to configure JMX remote access ([y]/n)?"

8. Type 'y' to "Would you like to allow JMX remote access (y/[n])?"

9. Enter Username and Password for JMX remote access.

10. Start the SiteScope service.

Disable JMX remote access

1. Stop the SiteScope service.

2. Go to <SiteScope_Directory>\tools\SiteScopeHardeningTool.

3. Run runSSLConfiguration.bat (for Windows) or runSSLConfiguration.sh (for Linux).

4. Select Option 1 - SiteScope hardening configuration.

5. Enter a description for the backup.

6. Select Option 7 - Configure JMX remote access.

7. Type 'y' to "Would you like to configure JMX remote access ([y]/n)?"

8. Type 'n' to "Would you like to allow JMX remote access (y/[n])?"

9. Start the SiteScope service.

How to Use the Hardening Tool to Restore a Backed Up Configuration

When you run the Hardening Tool, the existing SiteScope configuration is automatically backed up. You can use the Hardening Tool to restore a backed up configuration as follows:

1. Run the Hardening Tool. For details, see How to Run the Hardening Tool.

2. Select the option "Restore SiteScope configuration from backup".

3. Follow the instructions in the tool.

Backup names contain the time and date of the backup.

Changes in configuration take effect only after you exit the Hardening Tool.

Configuration of USGCB (FDCC) Compliant Desktop

The United States Government Configuration Baseline (USGCB), formerly known as the Federal Desktop Core Configuration (FDCC), is a standard for desktop configuration that provides guidance on improving and maintaining effective configuration settings focusing primarily on security.

SiteScope is certified with USGCB (FDCC) compliant clients. To enable compliancy, you must add the SiteScope URL to the trusted sites security zone and to the pop-up allow list. It is also recommended to allow file downloads.

For more information on USGCB (FDCC), see:

http://usgcb.nist.gov/usgcb/microsoft_content
http://nvd.nist.gov/fdcc/index.cfm

Prerequisites:

Install the latest JRE version supported by SiteScope as listed in the "Client System Requirements".

How to Enable Group Policy Editor (gpedit.msc) in Windows 7:

1. Add the SiteScope URL to the Trusted sites security zone:

a. Open the Group Policy Editor by running the command: run gpedit.msc.

b. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page:

i. In the setting panel on the right, double-click Site to Zone Assignment List, select the Enabled option, and click Show. In the Show Content dialog box, click Add.

ii. In the Enter the name of the item to be added box, enter the name of the SiteScope server. For example, http://MySiteScope.com. If you are using SiteScope over HTTPS, enter https://MySiteScope.com.

iii. In the Enter the value of the item to be added box, enter the number to denote the zone type:

Value    Zone Type                Description
1        Intranet zone            Sites on your local network
2        Trusted Site Zone        Sites that have been added to your trusted sites
3        Internet zone            Sites that are on the Internet
4        Restricted Sites zone    Sites that have been specifically added to your restricted sites

2. Add the SiteScope URL to the Pop-up allow list.

a. Open the Group Policy Editor by running the command: run gpedit.msc.

b. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer:

i. In the setting panel on the right, double-click Pop-up allow List, select the Enabled option, and click Show. In the Show Content dialog box, click Add.

ii. In the Enter the name of the item to be added box, enter the name of the SiteScope server. For example, http://MySiteScope.com. If you are using SiteScope over HTTPS, enter https://MySiteScope.com.

3. Allow file downloads (optional, used for log grabber and release notes).

a. Open the Group Policy Editor by running the command: run gpedit.msc.

b. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Restrict File Download, and in the setting panel on the right, double-click Internet Explorer Process, and select the Disabled option.

Configure SiteScope Failover

In this section

How to Configure SiteScope Failover
How to Configure SiteScope Failover for SSL With Client Certificate Authentication
Test SiteScope Failover Configuration
SiteScope Failover and APM Integration
SiteScope Failover and Operations Manager Integration

How to Configure SiteScope Failover

This section includes information about configuring SiteScope Failover for its initial use.

1. Access the user interface

After you have installed SiteScope Failover, access the user interface to configure SiteScope Failover.

Open a supported web browser and enter the SiteScope Failover server name with the port number selected during the installation.

For example, http://localhost:8080/SiteScope.

The user interface to SiteScope Failover is very similar to the primary user interface. However, the title bar indicates SiteScope Failover.

2. Verify the License

You activate SiteScope Failover by installing SiteScope Failover and entering the SiteScope Failover license file (supplied at no additional cost when purchasing a Premium, Ultimate, or System Collector edition license). The Failover license is dependent on the primary SiteScope license being active. SiteScope Failover can mirror and provide failover functionality for any regular SiteScope installation of the same version number.

a. In the SiteScope Failover user interface, choose Preferences > General Preferences.

b. Expand the Licenses group.

c. Enter a new license file if needed, and click Save.

3. Configure Lightweight Single Sign-On (LW-SSO) for the Authentication Strategy

This is the default single sign-on authentication strategy for SiteScope. LW-SSO is embedded in SiteScope and does not require an external machine for authentication.

SiteScope Failover and primary SiteScope must be configured with the same LW-SSO passphrase.

a. Access the primary SiteScope user interface.

b. Select Preferences > General Preferences > LW SSO Settings.

c. Write down or copy the text from the Communication security passphrase field.

d. Access the SiteScope Failover user interface.

e. Navigate to Preferences > General Preferences > LW SSO Settings.

f. Paste or enter the communication security passphrase, and then click Save.

g. Restart SiteScope Failover.

4. Add Certificates to SSL-Enabled SiteScope Failover

SiteScope Failover must be enabled for SSL if the primary SiteScope is enabled for SSL. Also, if the primary SiteScope is not enabled for SSL then SiteScope Failover cannot be enabled for SSL.

The procedure to enable SiteScope Failover to use SSL is the same as the procedure for standard SiteScope.

Note: The serverKeystore string used when generating the certificates must be typed in the same case as specified in the documentation, otherwise it will fail when using SiteScope Failover with SSL.

If self-signed certificates are used, both primary and SiteScope Failover must have the same certificates imported. For example, assume the following SiteScope server URLs:

Primary: https://primary.company.com:8443/

Failover: https://failover.company.com:8443/

On the primary.company.com server, the certificates for primary.company.com and failover.company.com should be added. Similarly, on the failover.company.com server, the certificates for primary.company.com and failover.company.com should also be added:

On primary SiteScope:

On SiteScope Failover:

For information about viewing and importing certificates by using the Certificate Management page, see the SiteScope Help.

5. Specify Schedule Settings

The schedule settings can determine how often the mirroring operation occurs and how often the SiteScope Failover checks the primary SiteScope availability.

a. In the SiteScope Failover user interface, select Preferences > Schedule Preferences.

b. In the Failover Schedule Preferences group, create a new absolute or range schedule.

For information about creating absolute or range schedules, see the SiteScope Help.

Note that you do not need to define schedule settings if you want to use the default schedule for these operations.

6. Specify Notification Settings

The notification settings determine the email server configuration, the notifications template, and other related settings.

a. In the SiteScope Failover user interface, select Preferences > Failover Preferences.

b. Select Default Settings > Edit.

The Default Failover Settings dialog appears.

For information about notification settings, see the SiteScope Help.

c. Specify the settings as required, and then click OK.

7. Create a New Failover Profile

You define a profile to store the configuration settings that control how SiteScope Failover operates. These behaviors include frequency of checking primary SiteScope availability and mirroring.

a. In the SiteScope Failover user interface, select Preferences > Failover Preferences.

b. In the right panel, click New Profile to open the New Failover Profile dialog.

For information about defining a profile by using this dialog, see the SiteScope Help.

Note that for an SSL environment, make sure that the primary SiteScope host name is identical to that used in the server certificate (the name is case sensitive), otherwise the connection will fail due to an SSL error.

c. Specify the settings as required, and then click OK.

Note that when using the Merge back configuration option in the Advanced Settings panel, you can enable this setting on the SiteScope Failover server even when the primary SiteScope is already down; this setting does not need to be set in advance in order to send configuration data created when SiteScope Failover was active back to the primary SiteScope when it becomes active.

The profile is created and displayed by name in the Failover Preferences page.

The new profile is also listed on the primary SiteScope Failover Preferences page.

8. Test the SiteScope Failover Configuration

For details, see Test SiteScope Failover Configuration.
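
Step 4 above requires that, with self-signed certificates, the primary and the Failover server hold the same certificates for both hosts. The following added example (not from the SiteScope documentation) parses the text that keytool -list prints for a trust store on each server and reports certificates that are missing on one side or differ in fingerprint. It assumes the certificates were imported under aliases equal to the host names; the page does not name the keystore file to list, so the listings are passed in as text, and the sample listings and fingerprints are constructed.

```python
import re

# "alias, <date>, trustedCertEntry," line followed by a fingerprint line.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), .+, (?P<kind>trustedCertEntry|PrivateKeyEntry),\s*$")
FINGERPRINT_RE = re.compile(
    r"^Certificate fingerprint \((?P<alg>[^)]+)\): (?P<fp>[0-9A-Fa-f:]+)\s*$")


def parse_keytool_list(listing):
    """Map alias -> (digest algorithm, fingerprint) from `keytool -list` text."""
    entries = {}
    alias = None
    for line in listing.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            alias = entry.group("alias").strip().lower()
            continue
        fingerprint = FINGERPRINT_RE.match(line)
        if fingerprint and alias is not None:
            entries[alias] = (fingerprint.group("alg"),
                              fingerprint.group("fp").upper())
            alias = None
    return entries


def compare_truststores(primary_listing, failover_listing, hosts):
    """Return findings as (problem, host, where) tuples; empty list means parity."""
    primary = parse_keytool_list(primary_listing)
    failover = parse_keytool_list(failover_listing)
    findings = []
    for host in hosts:
        alias = host.lower()   # assumption: alias equals the host name
        on_primary = primary.get(alias)
        on_failover = failover.get(alias)
        if on_primary is None:
            findings.append(("missing", host, "primary"))
        if on_failover is None:
            findings.append(("missing", host, "failover"))
        if on_primary and on_failover and on_primary != on_failover:
            findings.append(("mismatch", host, "both"))
    return findings


def sample_listing(entries):
    """Build constructed `keytool -list` style output for the demonstration."""
    lines = ["Keystore type: JKS", "Keystore provider: SUN", "",
             "Your keystore contains %d entries" % len(entries), ""]
    for alias, fingerprint in entries:
        lines.append("%s, Jan 7, 2020, trustedCertEntry, " % alias)
        lines.append("Certificate fingerprint (SHA1): %s" % fingerprint)
    return "\n".join(lines)


# Constructed fingerprints (20 identical bytes each), not real certificates.
FP_A = ":".join(["A1"] * 20)
FP_B = ":".join(["B2"] * 20)
FP_C = ":".join(["C3"] * 20)

HOSTS = ["primary.company.com", "failover.company.com"]
PRIMARY_LISTING = sample_listing([(HOSTS[0], FP_A), (HOSTS[1], FP_B)])
# Failover holds an outdated primary certificate and lacks its own.
FAILOVER_LISTING = sample_listing([(HOSTS[0], FP_C)])

if __name__ == "__main__":
    for finding in compare_truststores(PRIMARY_LISTING, FAILOVER_LISTING, HOSTS):
        print(finding)
```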

How to Configure SiteScope Failover for SSL With Client Certificate Authentication

This section includes information about configuring SiteScope Failover for SSL with client certificate authentication when the primary SiteScope server requires SSL. SiteScope Failover must be enabled for SSL if the primary SiteScope is enabled for SSL. Also, if the primary SiteScope is not enabled for SSL then SiteScope Failover cannot be enabled for SSL.

1. Prerequisites

Client certificate authentication must be enabled and configured on the primary SiteScope and SiteScopeFailover servers. This can be done either:

Using the SiteScope Hardening Tool (recommended).

Manually.

2. Create a Failover Profile for SSL SiteScope Before Enabling Client Certificate Authentication

For task details, see How to Configure SiteScope Failover.

3. Create the Keystore with the Client Certificate Signed by the Trusted CA

This client certificate will be sent for SSL authentication between the primary and SiteScope Failover server.

To create the keystore using the SiteScope Hardening Tool (recommended)

To manually create the keystore:

On Windows platforms, run the command:

C:\SiteScope\java\bin\keytool -import -alias sitescope_client_cert -file C:\SiteScope\templates.certificates\client_cert.cer -keystore C:\SiteScope\templates.certificates\clientKeystore.jks -storepass <your_keystore_password>

On Linux platforms, run the command:

/opt/HP/SiteScope/java/bin/keytool -import -alias sitescope_client_cert -file /opt/HP/SiteScope/templates.certificates/client_cert.cer -keystore /opt/HP/SiteScope/templates.certificates/clientKeystore.jks -storepass <your_keystore_password>

4. Add Service Parameters to the Primary SiteScope and SiteScope Failover

On the primary SiteScope and SiteScope Failover server, perform the following:

On Windows platforms, open the Windows registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SiteScope (or SiteScopeFailover)\serviceParam), and add the following string to the beginning of the (Default) entry:

-Djavax.net.ssl.keyStore="C:\SiteScope\templates.certificates\clientKeystore.jks" -Djavax.net.ssl.keyStorePassword=<your_keystore_password> -Djavax.net.ssl.keyStoreType=JKS

Note that if you created the keystore using the SiteScope Hardening Tool, the file name will be BSMClientKeystore (without an extension). This file can be used as it is, or it can be copied and renamed.

Alternatively, you can use the go.bat option from the <SiteScope root directory>\bin directory to add service parameters.

On Linux platforms, in the /opt/HP/SiteScope/bin/start-monitor file, modify the java parameters using the Linux file path as follows:

-Djavax.net.ssl.keyStore="/opt/HP/SiteScope/templates.certificates/clientKeystore.jks" -Djavax.net.ssl.keyStorePassword=<your_keystore_password> -Djavax.net.ssl.keyStoreType=JKS
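
A check for the Linux service parameters above, as an added example that is not part of the SiteScope documentation: it confirms that the keyStore path is properly quoted and points at an existing file, and flags group- or world-readable permissions on the keystore and on the script that now holds the store password in clear text. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit_ssl_params FILE
# FILE holds the java parameters (start-monitor on Linux). Prints findings and
# returns 0 when nothing is flagged, 1 otherwise.

# True if the path is readable by group or others.
readable_by_others() {
  [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

audit_ssl_params() {
  a_file=$1; a_rc=0
  a_line=$(grep -F -e '-Djavax.net.ssl.keyStore=' "$a_file" | head -n 1)
  [ -n "$a_line" ] || { echo "no javax.net.ssl.keyStore parameter"; return 1; }

  # An odd number of double quotes means the keystore path was never closed,
  # so the options that follow it are folded into the path.
  a_q=$(printf '%s' "$a_line" | tr -cd '"' | wc -c)
  if [ $((a_q % 2)) -ne 0 ]; then
    echo "unbalanced double quote in keyStore parameter"; return 1
  fi

  # Quoted path first, as on the page; fall back to an unquoted one.
  a_ks=$(printf '%s\n' "$a_line" |
    sed -n 's/.*-Djavax\.net\.ssl\.keyStore="\([^"]*\)".*/\1/p')
  [ -n "$a_ks" ] || a_ks=$(printf '%s\n' "$a_line" |
    sed -n 's/.*-Djavax\.net\.ssl\.keyStore=\([^" ]*\).*/\1/p')
  if [ ! -f "$a_ks" ]; then
    echo "keystore not found: $a_ks"; a_rc=1
  elif readable_by_others "$a_ks"; then
    echo "keystore readable by group/others: $a_ks"; a_rc=1
  fi

  # The store password sits in clear text in FILE, so FILE needs the same care.
  case $a_line in *-Djavax.net.ssl.keyStorePassword=*)
    if readable_by_others "$a_file"; then
      echo "password-bearing file readable by group/others: $a_file"; a_rc=1
    fi ;;
  esac
  return "$a_rc"
}

# Constructed stand-in for start-monitor and its keystore, in a temp directory.
demo=$(mktemp -d)
: > "$demo/serverKeystore"; chmod 600 "$demo/serverKeystore"
printf '%s\n' "-Djavax.net.ssl.keyStore=\"$demo/serverKeystore\" -Djavax.net.ssl.keyStorePassword=CONSTRUCTED" > "$demo/start-monitor"
chmod 644 "$demo/start-monitor"
audit_ssl_params "$demo/start-monitor" || echo "findings above need fixing"
rm -rf "$demo"
```

On a real host, run audit_ssl_params /opt/HP/SiteScope/bin/start-monitor after editing the java parameters.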

How to Configure SiteScope Failover profile when Primary and Failover SiteScope Servers are Client Certificate authenticated

You must follow these steps to configure the SiteScope Failover profile when both Primary and Failover SiteScope Servers are Client Certificate authenticated.

1. Import the Certificate Authority Certificate (CAC), which was used to issue the Client Certificate to the Primary SiteScope server and Failover SiteScope server. Go to Preferences > Certificate Management, click Import Certificates, and select the CA certificate file.

2. Export the client certificate from the Internet Explorer browser as below. Note that the steps are not needed if you already have the client certificate.

a. Click the Content tab in the Internet options window.

b. Click Certificates.

c. Select the required certificate.

d. Click Export. The Certificate Export Wizard dialog box opens. Note that the client certificate to be imported into a keystore must have the same name as the failover machine hostname.

e. Click Next.

f. Select the option, Yes, export the private key to export the private key with certificate.

g. Select the format in which you want to export the certificate. You can select the option Personal Information Exchange – PKCS #12 (.PFX), and click Next.

h. Type Password.

i. Specify the name of the file you want to export.

j. Click Finish.

3. Copy the exported Client certificate in the Failover machine to the SiteScope\groups folder, and run the following commands to import using Keytool.

Keytool -importkeystore -destkeystore C:\SiteScope\groups\serverKeystore -srckeystore "failoverclientCert.pfx" -srcstoretype pkcs12 -storepass <password>

4. Add Service Parameters to SiteScope Failover as below.

On Windows:

Open the Windows registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SiteScope (or HP SiteScopeFailover)\serviceParam) and add the following text to the file.

-Djavax.net.ssl.keyStore="C:\SiteScope\groups\serverKeystore"

-Djavax.net.ssl.keyStorePassword=<your_keystore_password>

When you start SiteScope using the go.bat file present in the <SiteScope root directory>\bin directory, you must edit the file to add the above service parameters.

On Linux:

Open the following file: /opt/HP/SiteScope/bin/start-monitor

Modify the java parameters:

-Djavax.net.ssl.keyStore="/opt/HP/SiteScope/groups/serverKeystore"

-Djavax.net.ssl.keyStorePassword=<your_keystore_password>

5. Restart the Failover SiteScope server, and you can create the Failover profile.
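
To confirm that the imported keystore can actually present a client certificate, the following added example (not part of the SiteScope documentation) parses keytool -list -v output and checks for a private-key entry whose CN matches the failover host name exactly, including case. The function names, host name and sample listing are constructed.

```shell
#!/bin/sh
# Added example. On a real host, pipe in the actual listing (keytool prompts
# for the store password, keeping it off the command line):
#   keytool -list -v -keystore /opt/HP/SiteScope/groups/serverKeystore \
#     | check_client_entry "$(hostname)"
# A .cer file imported into a new alias becomes a trustedCertEntry: it carries
# no private key, so it cannot answer a TLS client-certificate request.

# stdin: `keytool -list -v` output; $1: expected failover host name.
# Returns 0 only if some alias is a PrivateKeyEntry whose CN equals $1 exactly.
check_client_entry() {
  awk -v want="$1" '
    /^Alias name: / { alias = substr($0, 13); type = ""; seen = 0 }
    /^Entry type: / { type = substr($0, 13) }
    /^Owner: / && !seen {
      seen = 1                        # first Owner line is the entry certificate
      cn = $0
      if (!sub(/^Owner: (.*, )?CN=/, "", cn)) cn = ""
      sub(/,.*/, "", cn)
      if (type != "PrivateKeyEntry") verdict = "no private key (" type ")"
      else if (cn == want) { verdict = "OK"; ok = 1 }
      else if (tolower(cn) == tolower(want)) verdict = "CN differs only in case"
      else verdict = "CN does not match " want
      printf "%s: CN=%s: %s\n", alias, cn, verdict
    }
    END { exit !ok }'
}

# Constructed sample listing (not taken from a real keystore).
sample_listing() {
  cat <<'EOF'
Alias name: failoverclientcert
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=failover01.example.com, OU=Monitoring, O=Example
Issuer: CN=Example Issuing CA, O=Example
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example

Alias name: ca_only
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example
EOF
}

sample_listing | check_client_entry failover01.example.com
```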

Test SiteScope Failover Configuration

SiteScope Failover configuration is tested from both the SiteScope Failover user interface and the primary SiteScope interface.

To test the SiteScope Failover configuration from the SiteScope Failover machine:

1. In the SiteScope Failover user interface, select Preferences > Failover Preferences.

2. In the right panel, select Default Settings > Test.

The Test Failover dialog box appears.

3. (Optional) To test the email notifications, enter an email address and click Send Test Notifications.

4. To test the SiteScope Failover configuration, click Test. The test results appear:

5. Review the results for failure information, then click OK.

To test the SiteScope Failover configuration from the primary SiteScope machine:

1. In the SiteScope user interface, select Preferences > Failover Preferences.

2. In the right panel, select Default Settings > Test. The Test Failover dialog box appears. The test results appear:

3. Review the results for failure information, then click OK.

SiteScope Failover and APM Integration

The process for integrating SiteScope Failover with APM is the same as for the primary SiteScope. For details on the integration process, see the section on "How to Configure SiteScope to Communicate with APM" in the Using SiteScope Guide or in the APM Application Administration Guide in the APM Help.

Make sure in step 3: "Connect the installed SiteScope with APM", when adding the SiteScope to SAM Administration in APM, that you enter the Failover host name in the New/Edit SiteScope Page in the Advanced Settings > Failover Host field.

If the SiteScope Primary goes down, and SiteScope Failover is activated, the SiteScope Failover re-registers on the APM-side and sends topology and metrics under the Primary Display Name. When the primary is operational again, it re-registers on the same profile and starts sending data.

Disabling Reporting to APM From SiteScope Failover

If a primary SiteScope is configured for reporting to APM and the failover SiteScope is activated, SiteScope Failover automatically configures itself to report topology and metrics to APM. In some cases, you may want to disable reporting topology and metrics to APM from SiteScope Failover.

To disable reporting to APM from SiteScope Failover:

1. In the SiteScope Failover user interface, select Preferences > Failover Preferences.

2. Select the profile for which you want to disable reporting to APM and click Edit.

3. Expand the Advanced Settings panel.

4. Click Disable APM Integration, and then click OK.

Note that SiteScope Failover reports to APM only after the first mirroring has occurred since the primary SiteScope was registered to APM.

SiteScope Failover and Operations Manager Integration

The SiteScope Failover (automated mirroring) solution provides support for Operations Manager event and metrics integration.

Event Integration

To enable SiteScope Failover support for OM event integration, perform the steps in How to Enable SiteScope to Send Events to OM both for the primary SiteScope and for the SiteScope Failover.

Event flow and host discovery flow work without any additional steps. For the Monitor Discovery integration, follow the steps in Enable the SiteScope Monitor Discovery Policy for the primary SiteScope only.

Notes and Limitations

Since there is only one SiteScope service tree (and it is affected by events), it is not possible to know if it is affected by what was reported from the primary or failover SiteScope.

When the primary is down, events triggered from monitors that are monitoring the SiteScope server (in this case, the SiteScope server is the failover) do not affect the service tree.

Groups and monitors added when the primary is down are not displayed in the service tree.

The Drill Down to SiteScope tool works only when the primary SiteScope is running.

If there are different agent configurations on the primary and SiteScope Failover (for example, an agent is installed on a different path), the agent command on the failover server will not run from the Event Integration preferences user interface and you need to enter the agent path manually beforehand.

Metrics Integration

SiteScope Failover provides support for OM metrics integration.

Note that when using the Operations Agent as the data source for reporting metrics to Operations Management, SiteScope Failover reports metrics to the Operations Agent and not to the primary's agent.