MicroStrategy ONE
Certificate Store Integration with MicroStrategy Library
Certificate Store primarily serves as a data source exposed via a REST API. This data source provides the data for display in the Certificates section of the Workstation window.
Integration with MicroStrategy Library
To integrate Certificate Store with MicroStrategy Library, you can select Certificate Store when installing Library. This will ensure that the Certificate Store REST API appears to be a part of the entire MicroStrategy REST API suite.
So while it looks as if the Certificate Store REST API (/api/serviceCertificates) is served from the same web endpoint as the other APIs, in reality requests made to the /api/serviceCertificates endpoint are actually redirected to the Certificate Store Server. This redirection is accomplished by a proxy servlet configured in the Library web.xml file.
The servlet is configured by the installer and takes all URLs that match the url-pattern property, and redirects them to the URL specified in the targetUri property. If you are altering these settings to add or remove SSL support, you must update the targetUri property so that it specifies either "http" or "https".
If self-signed certificates are used then the trustAllCertificates and disableHostnameVerification properties must be set to true. If a user switches from self-signed to CA-assigned certificates, they should set both certificates to false to receive the benefits of the CA-assigned cert.
<servlet>
<servlet-name>CertificateManagerService</servlet-name>
<servlet-class>org.mitre.dsmiley.httpproxy.ProxyServlet</servlet-class>
<init-param>
<param-name>targetUri</param-name>
<param-value>http://localhost:5050/api/serviceCertificates</param-value>
</init-param>
<init-param>
<param-name>log</param-name>
<param-value>true</param-value>
</init-param>
<!-- SSL SUPPORT START - The following group of parameters are only relevant when the targetUri above uses the "https" protocol. -->
<init-param>
<param-name>truststorePath</param-name>
<param-value>{PATH_TO_TRUSTSTORE}</param-value>
</init-param>
<init-param>
<param-name>truststoreType</param-name>
<param-value>PKCS12</param-value>
</init-param>
<init-param>
<param-name>truststorePassword</param-name>
<param-value>{TRUSTSTORE_PASSWORD_OR_BLANK_IF_NONE}</param-value>
</init-param>
<init-param>
<param-name>keyPassword</param-name>
<param-value>{KEY_PASSWORD_OR_BLANK_IF_NONE}</param-value>
</init-param>
<!-- DEVELOPMENT - START - The following parameters are for development/debugging use only and should not be set to TRUE in production systems. -->
<init-param>
<param-name>trustAllCertificates</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>disableHostnameVerification</param-name>
<param-value>false</param-value>
</init-param>
<!-- DEVELOPMENT END -->
<!-- SSL SUPPORT END -->
</servlet>
<servlet-mapping>
<servlet-name>CertificateManagerService</servlet-name>
<url-pattern>/api/serviceCertificates/*</url-pattern>
</servlet-mapping>
Where:
- truststorePath is used to load the truststore which is handled by ServletContext.getResourceAsStream().
The path rules for this method can be found in the Oracle documentation. The path must begin with a slash (/) and is interpreted as relative to the current context root or relative to the /META-INF/resources directory of a JAR file inside the web application's /WEB-INF/lib directory. The path separator is a slash (/) on both Unix and Windows.
- truststoreType accepts a variety of keystore/truststore types, for a full list, see the Java SE Documentation. MicroStrategy supports JKS and PKCS12.
Certificate Store Configuration Properties
Settings for the Certificate Store can be changed by editing the application.properties file. All parameters are case sensitive and must be entered correctly for changes to take effect.
The application.properties can be found in:
- Windows: <INSTALL_PATH>\MicroStrategy\Certificate Manager
- Linux: <INSTALL_PATH>/Certificate Manager
This file includes the following properties:
Property | Details | Notes |
---|---|---|
server.address |
IP address Certificate Store will use to listen for incoming REST API requests. By default this is set to 127.0.0.1 to restrict access to processes on the same machine. To listen on all IP addresses, specify 0.0.0.0 as the address. |
If you modify any of these three settings, be sure to make the corresponding change to the targetUri property of the proxy servlet described above.
|
server.port |
IP port Certificate Store will use to listen for incoming REST API requests. |
|
server.servlet.context-path |
Path to the Certificate Store endpoint. |
|
server.ssl.key-store |
The path to the PKCS12 or PFX keystore file, e.g. classpath:/opt/mstr/MicroStrategy/install/ your-cert.crt |
These settings are relevant only if Certificate Store's REST API is running over HTTPS.
|
server.ssl.key-store-password |
Passphrase for the keystore file |
|
server.ssl.key-password |
Passphrase for the key contained within the keystore |
|
server.ssl.keyStoreType |
Type of keystore, default is PKCS12 |
|
server.ssl.key-alias |
Alias of key in keystore, used if keystore contains multiple keys |
|
max.certificate.retrieval.time.seconds |
Maximum amount of time to allow for retrieval of all certificates from defined services. Default is 30 seconds which should be more than enough time for the services defined in 11.1. |
|
consul.host |
IP address of Consul agent |
These settings control which Consul agent is contacted for the list of defined services and how often the agent is contacted to refresh that list. The default settings should be sufficient for most installs and users should not need to change them. |
consul.port |
IP port of Consul agent |
|
consul.initialDelay.milliseconds |
Delay (in milliseconds) before initial connection to Consul |
|
consul.fixedRate.milliseconds |
Interval (in milliseconds) between each connection to Cosul |
|
wss.server.host |
Socket.io IP address |
These two settings control the Socket.io endpoint that GUIs can connect to to receive async. updates regarding the existing services and the state of their certificates. Note that the firewall must allow WebSocket access to this endpoint (similar to the Socket.io connection in Collaboration Server) |
wss.server.port |
Socket.io IP port |
|
spring.mail.host |
Mail server IP address |
These settings configure how Certificate Store communicates to an email host. The default is to use SMTP but user must provide the IP address, etc. By default this is not configured by the installer and must be manually enabled by the user. |
spring.mail.port |
Mail server IP port |
|
spring.mail.protocol |
Mail server protocol (SMTP) |
|
spring.mail.properties.mail.smtp.connectiontimeout |
Time out for connecting to mail host |
|
spring.mail.properties.mail.smtp.timeout |
|
|
spring.mail.properties.mail.smtp.writetimeout |
Time out sending data to mail host |
|
spring.mail.default-encoding |
Encoding used to send data to mail host |
|
expiry.notification.days |
|
Certificate Store periodically scans the certificates it finds to look for those that have expired or will expire within the next {expiry.notification.days} days. These settings control this certificate scanning process and defines which email address will receive the notifications. Multiple email addresses may be specified by comma-separated list, e.g. expiry.notification.email=user1@domain.net,user2@domain.net No notifications are sent if the expiry.notification.email is empty. expiry.notification.email.from must be specified for emails to be sent successfully. |
expiration.check.initialDelay.milliseconds |
Delay (in milliseconds) before certificates are scanned for expired certificates. |
|
expiration.check.fixedRate.milliseconds |
Interval between each scan for expired/expiring certificates. |
|
expiry.notification.email |
|
|
expiry.notification.email.from |
|
|
profile.name |
A Spring framework setting used to select a profile within the application. |
A profile collects different configuration properties together in one file so they can be applied together. It's not recommended to change the profile to anything other than prod. |
Considerations in Clustered Environments
The Certificate Store process normally listens for REST API requests on localhost:5050. The server is bound to the loopback interface so that only processes on the same machine may make API requests.
In a clustered environment, there is a Certificate Store process on each node. Because Certificate Store builds its data from the services registered with Consul, and Consul contains entries for all nodes, Certificate Store will contain entries for all services in the cluster and not those services on the current node. However, because some services are bound to the loopback address, some certificates will not be retrievable from other nodes in the cluster.
Other Library Considerations
If your Library installation does not have Certificate Store the proxy servlet may still be configured, however the targetUri will not point to a valid endpoint. Users with this configuration will receive a 502 Bad Gateway error (or other 5xx level HTTP errors). To resolve these errors, you can install Certificate Store or remove the proxy servlet configuration from the Library web.xml file.