Integration Server 10.3 | Integration Server Administrator's Guide | Configuring Ports | Adding an HTTPS Diagnostic Port
 
Adding an HTTPS Diagnostic Port
The diagnostic port is a special port that uses threads from a dedicated thread pool to accept requests via HTTP/S. The diagnostic port uses a dedicated thread pool so that you can access Integration Server when it becomes unresponsive.
Each Integration Server can have only one diagnostic port. If you want to add a new diagnostic port, you must delete the existing port first. For information about how to delete a port, see Deleting a Port.
If you are running multiple Integration Servers on the same machine, you specified the diagnostic port number for each server instance during the instance creation process. If the diagnostic port numbers are not unique between Integration Server instances, the first Integration Server to start on the machine will have a functioning diagnostic port, but Integration Servers that start after the first one will not. For more information about running multiple Integration Servers on the same machine, see Running Multiple Integration Server Instances.
*To add an HTTPS diagnostic port
1. Open Integration Server Administrator if it is not already open.
2. In the Security menu of the Navigation panel, click Ports.
3. Click Add Port.
4. Under Add Port, select HTTPS Diagnostic.
5. Click Submit.
6. On the Edit Diagnostic Port Configuration screen, under Diagnostic HTTPS Listener Configuration, enter the following information:
For this parameter...
Specify...
Enable
Select whether to enable (Yes) or disable (No) this HTTPS diagnostic port.
Port
The number you want to use for the diagnostic port. Select a number that is not already in use on this host machine.
Note:
The watt.server.diagnostic.port server configuration parameter overrides this port number.
Important:
If you are running multiple Integration Servers on the same host machine, make sure the diagnostic port number on each server is unique.
Alias
An alias for the port that is unique for this Integration Server. An alias must be between 1 and 255 characters in length and include one or more of the following: letters (a -z, A-Z), numbers (0-9), underscore (_), period (.), and hyphen (-).
Description
A description of the port.
Package Name
The package associated with this port. The default package is WmRoot. When you enable the package, the server enables the port. When you disable the package, the server disables the port.
If you replicate this package, Integration Server creates a port with this number and the same settings on the target server. If a port with this number already exists on the target server, its settings remain intact. This feature is useful if you create an application that expects input on a specific port. The application will continue to work after it is replicated to another server.
Note:
You cannot change the Package Name associated with this port. The diagnostic port must always be associated with the WmRoot package.
Bind Address (optional)
The IP address to which you want to bind this port. Specify a bind address if your machine has multiple IP addresses and you want the port to use a specific address. If you do not specify a bind address, the server picks one for you.
Backlog
The number of requests that can remain in the queue for an enabled port before Integration Server begins rejecting requests. The default is 200. The maximum value is 65535.
Note:
This parameter does not apply to disabled ports. Integration Server refuses requests sent to disabled ports.
Keep Alive Timeout
When to close the connection if the server has not received a request from the client within this timeout value (in milliseconds); or when to close the connection if the client has explicitly placed a close request with the server.
Threadpool
Whether the listener will use this pool exclusively for dispatching requests. The existing Integration Server thread pool is a global thread pool. If there is a very high load on this resource, the user may have to wait for the global thread pool to process his request. However, with the private thread pool option enabled, requests coming into this port will not have to compete with other server functions for threads. Click Enable if you wish to employ the private thread pool settings. You can change or accept the default settings given below:
Threadpool Min refers to the minimum number of threads for this private threadpool. The default is 1.
Threadpool Max refers to the maximum number of threads for this private thread pool. The default is 5.
Threadpool Priority refers to the Java thread priority. The default is 5.
Important:
Use this setting with extreme care because it will affect server performance and throughput.
If you do not need to use the Threadpool feature, click Disable.
When you view the port’s details, the server reports the total number of private threadpool threads currently in use for the port.
7. Under Security Configuration, enter the following information:
For this parameter...
Specify...
Client Authentication
The type of client authentication you want Integration Server to perform for requests that arrive on this HTTPS port. See Authenticating Clients for more information.
Select one of the following:
Option
Description
Username/Password
Integration Server prompts the client for a user ID and password.
Digest
Integration Server uses password digest for authentication of all requests. If the client does not provide the authentication information, Integration Server returns an HTTP WWW-Authenticate header with digest scheme to the client requesting for authentication information. If the client provides the required authentication information, Integration Server verifies and validates the request.
Note:
A port that is configured to use password digest for authentication of client requests will process a request from a user only if the user is configured to allow password digest for authentication. For more information about configuring a user for digest authentication, see Adding User Accounts.
Request Client Certificates
Integration Server requests client certificates for all requests. If the client does not provide a certificate, the server prompts the client for a userid and password. If the client provides a certificate:
*Integration Server checks whether the certificate exactly matches a client certificate that is on file and signed by a trusted authority. If so, the client is logged in as the user to which the certificate is mapped in Integration Server. If not, the client request fails, unless central user management is configured.
*If central user management is configured, Integration Server checks whether the certificate is mapped to a user in the central user database. If so, the server logs the client on as that user. If not, the client request fails.
Require Client Certificates
Integration Server requires client certificates for all requests. The server behaves as described for Request Client Certificates, except that the client must always provide a certificate.
Use Identity Provider
Integration Server uses an OpenID Provider to authenticate requests. Integration Server redirects all requests sent to this port to the OpenID Provider specified in Identity Provider.
Request Kerberos Ticket
Integration Server looks for a Kerberos ticket in the HTTP Authorization header using the Negotiate authentication scheme. If it does not find the ticket, Integration Server uses user name and password for basic authentication. If the client does not provide any authentication information, Integration Server returns an HTTP WWW-Authenticate header with negotiate scheme to the client requesting for authentication information. If the client provides the required authentication information, Integration Server verifies and validates the request.
Require Kerberos Ticket
Integration Server looks for a Kerberos ticket in the HTTP Authorization header using the Negotiate authentication scheme. If it does not find the ticket, Integration Server fails the authentication. If the client does not provide any authentication information, Integration Server returns an HTTP WWW-Authenticate header with negotiate scheme to the client requesting for authentication information. If the client provides the required authentication information, Integration Server verifies and validates the request.
Kerberos Properties(Optional)
Kerberos properties are used to enable Kerberos authentication by providing Kerberos-related details that will be used for handling service requests that come with a Kerberos ticket. For information on configuring Kerberos authentication, see Kerberos Authentication.
JAAS Context
Specify the custom JAAS context used for Kerberos authentication.
In the following example, JAAS Context is KerberosClient:
KerberosClient {
com.sun.security.auth.module.
Krb5LoginModule required
useKeyTab=true
keyTab=alice.keytab;
};
The is_jaas.cnf file distributed with Integration Server includes a JAAS context named IS_KERBEROS_INBOUND that can be used with inbound requests.
Principal
Specify the name of the principal to use for Kerberos authentication.
Principal Password
Specify the password for the principal that is used to authenticate the principal to the KDC. Specify the principal password if you do not want to use the keytab file that contains the principals and their passwords for authorization. The passwords may be encrypted using different encryption algorithms.
If the JAAS login context contains useKeyTab=false, you must specify the principal password.
Retype Principal Password
Re-enter the principal password.
Service Principal Name Format
Displays username, which indicates that the principal name of the service is represented as a named user defined in the LDAP or central user directory used for authentication to the KDC.
Service Principal Name
Specify the name of the principal used with the service that the Kerberos client wants to access. Specify the Service Principal Name in the following format:
principal-name.instance-name@realm-name
Use JSSE
If this port should support TLS 1.1 or TLS 1.2, click Yes to create the port using the Java Secure Socket Extension (JSSE) socket factory. The default is Yes.
If you set this value to No, the port supports only SSL 3.0 and TLS 1.0.
Note:
To control the cipher suites used on Integration Server ports that use JSSE and handle inbound requests, set the watt.net.jsse.server.enabledCipherSuiteList. For more information, see Server Configuration Parameters.
8. Under Listener Specific Credentials, enter the following information:
Note:
Use these settings only if you want to use a different set of credentials from the ones specified on the Certificates Screen.
For this parameter...
Specify...
Keystore Alias
Optional. A user-specified, text identifier for an Integration Server keystore.
The alias points to a repository of private keys and their associated certificates. Although each listener points to one keystore, there can be multiple keys and their certificates in the same keystore, and more than one listener can use the same keystore alias.
Key Alias
Optional. The alias for the private key, which must be stored in the keystore specified by the above keystore alias.
Truststore Alias
Optional. The alias for the truststore. The truststore must contain the trusted root certificate for the CA that signed Integration Server certificate associated with the key alias. The truststore also contains the list of CA certificates that Integration Server uses to validate the trust relationship.
9. Click Save Changes.
10. On the Ports screen, click Edit to change the Access Mode if necessary. You may Set Access Mode to Allow by Default or Reset to default access settings.
For more information about setting access mode for a port and controlling IP access for a port, see Controlling Access to Resources by Port
11. On the Portsscreen, also check the list of ports to ensure that the status in the Enabled column is Yes. If it is not, click No to enable the port.