Securing Analytics to use SSL

Analytics uses Apache and mod_ssl to provide SSL for all of the different types of communication needed. It is assumed that if you are running Resource Manager 4.x you already have secured the Resource Manager behind SSL (this is in place as a matter of course in Resource Manager 5.x). This is a required prerequisite for securing Analytics.

The following procedure will install Apache and mod_ssl and set it to use a self-signed SSL certificate. You may also choose to purchase an SSL certificate signed by a third-party Certificate Authority or to generate your own SSL certificate.

Log in to the Analytics server as the root user, or as a user with superuser privileges. Install Apache and mod_ssl, configure Apache to start on server boot and start it for the first time:
yum -y install httpd
yum -y install mod_ssl
systemctl enable httpd
systemctl start httpd

You can check this was successful by visiting both http://<analytics server fqdn>/ and https://<analytics server fqdn>/ in a web browser.

To support potential use of Internet Explorer 8 (IE8), Apache must be configured to strip the "Pragma" header from HTTP responses. To do this, navigate to the following Apache configuration folder and edit the config file as follows:
cd /etc/httpd/conf
# Backup the existing config file
cp httpd.conf original_httpd.conf_original
# Edit the file
vi httpd.conf
# Add the following line right at the top of the file.
Header unset Pragma

Save the file and exit the editor.

Next, we configure SSL to add an internal proxy rule for Apache to proxy any request to the Analytics server and to turn on the Rewrite Engine. Navigate to the Apache SSL configuration folder and edit the SSL config file as follows:
cd /etc/httpd/conf.d
# Backup the existing config file
cp ssl.conf original_ssl.conf_original
# Edit the file
vi ssl.conf
The last line of the file should be the closing tag </VirtualHost>. Add the following text just above this closing </VirtualHost> tag:
#Internal proxy rules instructing Apache to proxy any request to the
#Analytics server and data warehouse on 7070
ProxyPass /reports http://127.0.0.1:7070/reports
ProxyPassReverse /reports http://127.0.0.1:7070/reports
ProxyPass /etl http://127.0.0.1:7070/etl
ProxyPassReverse /etl http://127.0.0.1:7070/etl
#Turn on the RewriteEngine
RewriteEngine On
#Redirect any just / over to /reports
RewriteRule ^/+$ https://%{SERVER_NAME}:443/reports/ [R]
Save and close the ssl.conf file and then restart Apache.
systemctl restart httpd

Next, we lock down Tomcat to localhost only so that the Analytics server will not respond to requests on its internal port (7070). An alternate solution is to simply close port 7070 altogether via firewall configuration. Note that if you intend to use third-party tools with Jaspersoft, you should NOT lock down this port or make this server-level config change.

Log in to the Analytics server as the root user, or as a user with superuser privileges, then navigate to the server configuration file and edit it as follows:
cd /opt/zenoss_analytics/conf
# Make a backup of the server.xml file.
cp server.xml original_server.xml_original
# Edit the file
vi server.xml
Locate the following section in the file (/7070 in vi will locate it).
<Connector port="7070" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"/>
Change it to add in address="127.0.0.1" so that the section looks like the following:
<Connector port="7070" address="127.0.0.1" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"/>
Save and close the file, then restart Tomcat by restarting the service to pick up the changes.
service zenoss_analytics stop
service zenoss_analytics start
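
To confirm the lockdown took effect, the following check can be used. It is an added example, not part of the original procedure or of Zenoss tooling: it reports the bind address of the port 7070 connector in a server.xml and filters `ss -ltn` output for listeners on that port that are not loopback. The function names and sample data are constructed for illustration, and it assumes the `ss -ltn` layout with the local address in the fourth column.

```shell
#!/bin/sh
# Added example: confirm the Tomcat lockdown from the procedure above.

# Print the bind address of each active <Connector> for PORT in a server.xml,
# or "ANY" when no address attribute is set (Tomcat then binds every interface).
connector_bind_address() {
    awk -v port="$2" '
      { doc = doc " " $0 }                       # flatten multi-line elements
      END {
        while ((s = index(doc, "<!--")) > 0) {   # drop commented-out connectors
          rest = substr(doc, s + 4); e = index(rest, "-->")
          doc = substr(doc, 1, s - 1) (e ? substr(rest, e + 3) : "")
        }
        n = split(doc, el, "<Connector")
        for (i = 2; i <= n; i++) {
          tag = substr(el[i], 1, index(el[i], ">"))
          if (tag !~ ("[ \t]port=\"" port "\"")) continue
          if (match(tag, /address="[^"]*"/))
            print substr(tag, RSTART + 9, RLENGTH - 10)
          else print "ANY"
        }
      }' "$1"
}

# Read `ss -ltn` output on stdin and print every non-loopback local address
# listening on PORT. No output means the port is reachable only from localhost.
non_loopback_listeners() {
    awk -v port="$1" '
      $1 == "LISTEN" {
        p = $4; sub(/.*:/, "", p)
        if (p != port) next
        host = substr($4, 1, length($4) - length(p) - 1)
        gsub(/\[/, "", host); gsub(/\]/, "", host)
        if (host !~ /^(127\.|::1$|::ffff:127\.)/) print host
      }'
}

# Constructed sample: server.xml after the edit, plus a commented-out connector.
sample_xml=$(mktemp)
cat > "$sample_xml" <<'EOF'
<!-- <Connector port="7070" protocol="HTTP/1.1" /> -->
<Connector port="7070" address="127.0.0.1" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"/>
EOF
echo "config bind address: $(connector_bind_address "$sample_xml" 7070)"
# On the live server: ss -ltn | non_loopback_listeners 7070
```

On the Analytics server, point `connector_bind_address` at /opt/zenoss_analytics/conf/server.xml; a result of `ANY`, or any output from `non_loopback_listeners`, means port 7070 is still reachable from other hosts.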

This completes the Analytics Server installation. Proceed with the next section to install extraction daemon services in Resource Manager and to connect the Analytics server into your Resource Manager deployments.