Secured transport to Management Service - Wiki
Management Service Transport Layer Security (TLS)#
With TLS enabled in the Management Service, the CUAE command-line tool and Cisco Unified Application Environment Administration consume the Management Service API using TLS. By default, encryption is ON but authentication is OFF.
The Cisco Unified Application Environment Platform Services installer automatically generates the key store during installation for production and places it in \MgmtServiceLauncher\conf. The keystore name is "default.keystore".
Managing the CUAE Command-line Tool Protocol#
When using CUAE command-line tool commands that communicate with the Management Service (cuae install, cuae remove, and cuae upgrade), you are prompted to supply the communication protocol (TCP or TLS). You should select the protocol that is set on the Management Service. TLS is the default supported protocol. If you want to use TCP, follow the instructions below to change the default URI of the Management Service before running these commands.
If you select TLS, you have the option to enable only encryption or to enable encryption and authentication.
Note: There are two types of authentication possible between the CUAE command-line tool and the Management Service. Server authentication is on by default and developers are always prompted for the administration username and password to install, remove, or upgrade applications. Protocol authentication using TLS is configurable, but disabled by default.
Enabling Encryption and Authentication#
When using TLS, encryption is enabled by default. To enable TLS authentication, follow these steps:
1. Provide developers with the security certificate.
Note: The private key's matching certificate is saved to a binary file in \MgmtServiceLauncher\conf\default.cer for ease of use. You can export the certificate using keytool.
2. Instruct developers to import the certificate into the keystore on the machine where they will run the CUAE command-line tool.
keytool -import -keystore <name of keystore> -alias myalias -file <certificate absolute file path>
3. When running one of the CUAE command-line tools, such as cuae install, the developer can run in CLI or interactive mode.
- In CLI mode, the developer types the following command:
cuae install --uri tls://<serverIP>:9001?TlsConnection.authReqd=true --username <username> --password <password> --truststore <absolute path to truststore location>
- In interactive mode, the developer types only the cuae install command. The tool then prompts for the Management Service URI or host/IP address. If the user enters a complete URI, for example: tls://<serverIP>:9001, the tool prompts for TLS trust store location and authentication is enabled. If, however, the user enters only the host/IP address, the tool assumes the user does not want to enable authentication.
Enable/Disable TLS on the Management Service#
To toggle TLS support for Management Service, follow these procedures:
1. Open \MgmtServiceLauncher\conf\production.properties on the Application Server
2. To Disable TLS:
# use the following uri to start mgmt-service without tls
listenerUri=tcp://0.0.0.0:9001
# uncomment the following line to enable tls
#listenerUri=tls://0.0.0.0:9001
3. To Enable TLS:
# use the following uri to start mgmt-service without tls
#listenerUri=tcp://0.0.0.0:9001
# uncomment the following line to enable tls
listenerUri=tls://0.0.0.0:9001
4. Restart the CUAE Management Server service.
If you modify the connection URI for the Management Service in any way, you must also inform the Cisco Unified Application Environment Administration of the new connection details. To do so, follow these procedures:
1. Open the Management Service Launcher file: C:\Program Files\Cisco Systems\Unified Application Environment\MgmtServiceLauncher\conf\mgmt-service-launcher.conf.
2. In mgmt-service-launcher.conf, locate the Java Additional Parameters section. It contains a series of wrapper.java.additional.N properties, where N is an incrementing integer value.
3. Pass the cuae.management-service-uri system parameter to the JVM. For example, wrapper.java.additional.5=-Dcuae.management-service-uri=tcp://localhost:9001/ will point the Cisco Unified Application Environment Administration to the local TCP connection on port 9001 configured previously.
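The two procedures above (toggling the listenerUri in production.properties and updating cuae.management-service-uri in mgmt-service-launcher.conf) can drift apart. The following added check, which is not part of the Cisco documentation, reads both files, reports the effective listener transport, and flags a plaintext tcp listener or a mismatch between the listener and the Administration client URI. The file contents embedded below are constructed from the snippets on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of \MgmtServiceLauncher\conf\production.properties
# with TLS enabled (the tcp line is commented out).
PRODUCTION_PROPERTIES = """\
# use the following uri to start mgmt-service without tls
#listenerUri=tcp://0.0.0.0:9001
# uncomment the following line to enable tls
listenerUri=tls://0.0.0.0:9001
"""

# Constructed sample of mgmt-service-launcher.conf that was not updated
# after TLS was enabled, so Administration still points at tcp.
LAUNCHER_CONF = """\
wrapper.java.additional.4=-Dsome.other.flag=true
wrapper.java.additional.5=-Dcuae.management-service-uri=tcp://localhost:9001/
"""

def active_listener_uri(properties_text):
    """Return the last uncommented listenerUri value, or None if absent."""
    uri = None
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # comment or blank line
        key, _, value = line.partition("=")
        if key.strip() == "listenerUri":
            uri = value.strip()
    return uri

def admin_client_uri(launcher_text):
    """Return the cuae.management-service-uri passed on a wrapper.java.additional.N line."""
    pattern = re.compile(r"^wrapper\.java\.additional\.\d+=-Dcuae\.management-service-uri=(\S+)")
    for line in launcher_text.splitlines():
        match = pattern.match(line.strip())
        if match:
            return match.group(1)
    return None

def transport_findings(properties_text, launcher_text):
    """Return a list of findings; an empty list means a TLS listener and a matching client URI."""
    findings = []
    listener = active_listener_uri(properties_text)
    if listener is None:
        return ["no active listenerUri in production.properties"]
    listener_parts = urlsplit(listener)
    if listener_parts.scheme != "tls":
        findings.append(f"Management Service listens in plaintext: {listener}")
    client = admin_client_uri(launcher_text)
    # Only scheme and port are compared: the listener binds 0.0.0.0 while the
    # Administration client connects to a concrete host such as localhost.
    if client is not None:
        client_parts = urlsplit(client)
        if (client_parts.scheme, client_parts.port) != (listener_parts.scheme, listener_parts.port):
            findings.append(f"Administration URI {client} does not match listener {listener}")
    return findings
```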