HTTPS setup: Introduction
  
Introduction
Orchestra is installed with a default keystore and a default truststore. The truststore is a copy of the JRE truststore and the keystore is empty.
Both files are located in the folder <installation directory>/conf/security.
Keystore files for standalone Queue Agents also follow the same structure and the files are included in the default Queue Agent profiles.
To use a different keystore or truststore, change the settings in the following files:
Central Orchestra: <installation directory>/app/<jboss or wildfly>/bin/standalone.conf.bat (standalone.conf for Linux).
Standalone Queue Agent: <Queue Agent installation directory>/conf/agent.conf
 
The JVM system properties that control the keystore and truststore settings:
-Djavax.net.ssl.trustStore
-Djavax.net.ssl.trustStorePassword
-Djavax.net.ssl.keyStore
-Djavax.net.ssl.keyStorePassword
 
When upgrading to Orchestra 6.0, any certificates previously used with Glassfish must be imported again, because they are not carried over to the JBoss/Wildfly installation.
TP3115, TP Touch and Intro 8 do not support encrypted communication at all. Those units need to go through HTTP.
Notes on certificate host names and IP addresses:
When creating a certificate, the certificate is only valid for the actual host name that it is created for (the "CN" attribute).
This should be the only host name which is used when communicating securely with an Orchestra system.
For example, if the host orchestra-central.company.com is used when setting up SSL for the central system (on JBoss / Wildfly), all distributed Queue Agents should be configured (in agent.conf) to communicate with that host name and not with the IP address of the host.
If a mix of host names and IP addresses needs to be used with self-signed certificates, the "-ext san=..." flag should be used when creating the certificate, so that every name and address the clients connect to is listed in the certificate.
An example keytool command that covers both a DNS name and an IP address can look like this (see the Java keytool documentation for the complete reference):
keytool -keysize 2048 -genkey -alias myhost.company.com -keyalg RSA -dname "CN=myhost.company.com" -ext san=dns:myhost.company.com,ip:192.168.13.37 -storepass changeit -keystore keystore.jks
Notes on self-signed certificates:
It is possible to run Orchestra using self-signed certificates or certificates that do not originate from a well-known certificate authority (e.g. Verisign or Thawte).
An example of the latter is a customer that runs their own CA and signs their own certificates.
If the Orchestra installation is done like this, a number of additional steps need to be taken in addition to the ones defined below:
Any such self-signed certificate needs to be exported (the certificate with its public key, never the private key) from the originating keystore and imported into the relevant truststores.
Export can be done with the following command:
keytool -export -alias <host_name_alias> -file mycertfile.cer -keystore keystore.jks -storepass changeit
Import can be done with this command:
keytool -import -trustcacerts -file mycertfile.cer -alias orchestra_cert -keystore truststore.jks -storepass changeit
For central self-signed certificate setup, the certificate should be imported into the truststore both on central and on any distributed Queue Agents that connect to it.
For distributed Queue Agents with self-signed certificates, the certificate must also be imported into the truststore of that Queue Agent.
For customers that have their own CA certificates, the public parts of the signer certificates (usually called the "root" certificate) and any intermediate certificates should also be imported into the truststores of both the central installation and any distributed Queue Agents.
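The host name / SAN note and the export and import steps above, put together as one runnable script. This is an added example and not part of the Orchestra documentation or product; the host name orchestra-central.company.com, the IP address 192.168.13.37, the password changeit and the working directory are assumed placeholders, and the last step prints the JAVA_OPTS line (the javax.net.ssl properties and central.http.protocol listed earlier on this page) that would point standalone.conf or agent.conf at the resulting stores. "-storetype JKS" is passed because keytool in Java 9 and later otherwise creates PKCS12 stores by default.

```shell
#!/bin/sh
# Added example, not Orchestra's own tooling. Generates a self-signed
# certificate valid for both a DNS name and an IP address, exports it,
# imports it into a truststore and prints the matching JVM options.
set -eu

HOST="${HOST:-orchestra-central.company.com}"  # assumed central host name
IP="${IP:-192.168.13.37}"                      # assumed IP address of that host
STOREPASS="${STOREPASS:-changeit}"             # assumed password; use a real one in production
WORKDIR="${WORKDIR:-./orchestra-ssl}"          # assumed scratch directory

# Build the -ext san=... value so that clients may use either the host
# name or the IP address without a host name mismatch.
san_ext() {
    printf 'san=dns:%s,ip:%s' "$1" "$2"
}

# Emit the JAVA_OPTS line for standalone.conf (Linux) or agent.conf,
# pointing at keystore.jks and truststore.jks in the given directory.
java_opts_line() {
    sec_dir="$1"   # e.g. <installation directory>/conf/security
    opts="-Djavax.net.ssl.keyStore=$sec_dir/keystore.jks"
    opts="$opts -Djavax.net.ssl.keyStorePassword=$STOREPASS"
    opts="$opts -Djavax.net.ssl.trustStore=$sec_dir/truststore.jks"
    opts="$opts -Djavax.net.ssl.trustStorePassword=$STOREPASS"
    opts="$opts -Dcentral.http.protocol=https"
    printf 'JAVA_OPTS="$JAVA_OPTS %s"\n' "$opts"
}

# Step 1: key pair plus self-signed certificate with CN and SAN entries.
generate_keypair() {
    keytool -genkeypair -keysize 2048 -keyalg RSA -validity 365 \
        -alias "$HOST" -dname "CN=$HOST" -ext "$(san_ext "$HOST" "$IP")" \
        -storetype JKS -storepass "$STOREPASS" -keystore "$WORKDIR/keystore.jks"
}

# Step 2: export only the certificate (PEM), never the private key.
export_cert() {
    keytool -export -rfc -alias "$HOST" -file "$WORKDIR/$HOST.cer" \
        -keystore "$WORKDIR/keystore.jks" -storepass "$STOREPASS"
}

# Sanity check: keytool -printcert lists SAN entries as
# "DNSName: ..." and "IPAddress: ..." lines.
check_san() {
    keytool -printcert -file "$1" | grep -q "DNSName: $HOST" &&
    keytool -printcert -file "$1" | grep -q "IPAddress: $IP"
}

# Step 3: import into a truststore; repeat for central and every Queue
# Agent truststore that connects to this host.
import_cert() {
    keytool -import -noprompt -trustcacerts -alias orchestra_cert \
        -file "$WORKDIR/$HOST.cer" -storetype JKS \
        -keystore "$1" -storepass "$STOREPASS"
}

# Confirm the trust anchor is present under the expected alias.
verify_trust() {
    keytool -list -alias orchestra_cert -keystore "$1" -storepass "$STOREPASS" >/dev/null
}

run_all() {
    mkdir -p "$WORKDIR"
    rm -f "$WORKDIR/keystore.jks" "$WORKDIR/truststore.jks"
    generate_keypair
    export_cert
    check_san "$WORKDIR/$HOST.cer"
    import_cert "$WORKDIR/truststore.jks"
    verify_trust "$WORKDIR/truststore.jks"
    echo "Add this line to standalone.conf (central) or agent.conf (Queue Agent):"
    java_opts_line "$WORKDIR"
}

# Only touch the file system when explicitly asked (requires keytool on PATH).
if [ "${1:-}" = "--run" ]; then
    run_all
fi
```

Run it as `sh orchestra-ssl.sh --run` on a machine with a JDK; in a real installation the import goes into <installation directory>/conf/security/truststore.jks on central and into each Queue Agent's truststore, and the printed JAVA_OPTS line replaces the placeholder directory with that path.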
Port and Protocol Handling
Configure Central Orchestra Ports and Protocol
1. Protocol (i.e. whether to use http or https):
Set as JVM parameter in file <installation directory>\app\jboss-eap-6.0\bin\standalone.conf.bat (or <installation directory>\app\wildfly-8.2.0.Final\bin\standalone.conf.bat, when running Orchestra with Wildfly 8.2.0).
The JVM parameter is -Dcentral.http.protocol=http (replace http with https to use the https port instead).
2. Central http and https ports:
If you have changed Orchestra Central to run on another port than 8080, it is no longer possible to synchronize a new Agent Profile to the distributed Queue Agents. Therefore, you must first upgrade the distributed Queue Agents with the new port, using Remote Upgrade (see "Remote Update Overview"), before the central port number is changed.
Browse to the Wildfly/JBoss admin console (http://localhost:9990, username: admin, password: ulan) and click the Configuration tab (at the top of the page), then navigate to General Configuration -> Socket Binding (bottom left sidebar), click the View link next to Standard Sockets and change the http and https values as needed. A system restart is needed after any changes.
Configure Port for Orchestra Business Intelligence
Open the file <installation directory>\pentaho-solutions\system\security.properties and set the parameter central.orchestra.url to https://<ip-address>:8443.
A system restart is needed for the change to have effect.
Configure Ports and Protocol, globally, for all Queue Agents
Global protocol and port settings for all Queue Agents are made in the System Administration application, in the Agent Parameters section of the Parameters tab. For more information, see "Agent Parameters". A system restart is needed for changes to take effect.
Configure Ports and Protocol for individual Queue Agents
To override the global protocol and port settings for a single Queue Agent, browse to the System Administration application. Select the Queue Agents tab and the Agent Profiles sub tab. Select the wanted Agent Profile and look for the Queue Agent Settings section. The greyed-out values above the input fields are the current global values. To override a global value, enter a new value in the desired input field and click Save. The changed Agent Profile needs to be synchronized to the wanted Queue Agent(s) via a Remote Upgrade.
For more information, see "Synchronizing the Queue Agent".