clear text passwords to Viewpoint SSL Configuration

Viewpoint
Enthusiast

clear text passwords to Viewpoint SSL Configuration

We have Viewpoint v14 and unfortunately when users logon to the server, their passwords they use to connect to the viewpoint server is being sent in clear text.  Our security folks are not happy.  We went through the process to setup the SSL Configuration for Viewpoint to allow HTTPS communication, we were unable to disable the existing HTTP: connection option.  If we logon through https:/ptservername version of our server  the user passwords will connect, after a certificate error and their passwords are not in clear text.  Unfortunately, there is nothing stopping the users from still using the old http:/ptservername connection, which still works and shows their passwords in clear text. Does anyone know how to rememdy this?

Thanks,

      Mike

3 REPLIES
Teradata Employee

Re: clear text passwords to Viewpoint SSL Configuration

Mike,

You can refer to the "Configuring All Teradata Viewpoint Access to be Over SSL" section of the Viewpoint Config guide, which states:

  1. 1  Log on to the Teradata Viewpoint server (Linux) as root.

  2. 2  Open /opt/teradata/viewpoint/portal/conf/web.xml.

  3. 3  Add the following XML block near the end of the file, immediately before the existing </

    web-app> tag at the end of the file:

                       <security-constraint>
    <web-resource-collection>

                             <web-resource-name>Viewpoint</web-resource-name>

                             <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>

                             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

                       <security-constraint>

  4. 4  Save the web.xml file. 



Enthusiast

Re: clear text passwords to Viewpoint SSL Configuration

Thanks Stever.  That is the exact process we followed and the new secured connection does work.  Unfortunately, we just can see how to disable the old non-secured connection, which also works.  

There were some addtional changes we tried, which I've listed below.

CONFIGURATION - PRD

I was looking through the knowledge base on Teradata’s website and found a fix to problems with SSL after an upgrade.  Basically the server.xml and web.xml files were overwritten.  They define how they should be written below.

I found these differences in our files:  (You may have tried these and already put them back.)

server.xml:

we are missing the last line in red

keystorePass="cia2011"/>

web.xml:

<url-pattern>/c</url-pattern>    we have a /* instead of /c

</security-constraint>     our last line doesn’t have the forward slash

Once the files are edited; restart the Viewpoint service only.  (/etc/init.d/viewpoint restart)

Probable Cause:

https://teradatanet0.teradata.com/MQUdHR5TXF4D/icons/ecblank.gif

To determine if your Viewpoint server uses SSL you can review the server.xml and web.xml files.  Sometimes only the server.xml file is edited, other times both the server.xml and web.xml files are edited.

In the server.xml file, if the customer does use SSL it should resemble the following in the 443 section at the bottom of the file.  Notice the additional information highlighted in red and the lack of comments indicating SSL is configured.

<!-- Define a SSL HTTP/1.1 Connector on port 443 -->

  <Connector port="443"

   maxHttpHeaderSize="8192"

   maxThreads="350"

   minSpareThreads="25"

   maxSpareThreads="75"

   enableLookups="false"

   disableUploadTimeout="true"

   acceptCount="350"

   scheme="https"

   secure="true"

   clientAuth="false"

   sslProtocol="SSL"

   algorithm="IbmX509"

   URIEncoding="UTF-8"

   keystoreFile="/etc/opt/teradata/viewpoint/certs"

   keystorePass="cia2011"/>

  <!-- Define the top level container in our container hierarchy -->

In the web.xml file, if the customer does  use SSL it should resemble the following at the bottom of the file.  Notice the section highlighted in red.

<welcome-file-list>

        <welcome-file>index.html</welcome-file>

        <welcome-file>index.htm</welcome-file>

        <welcome-file>index.jsp</welcome-file>

    </welcome-file-list>

    <security-constraint>

        <web-resource-collection>

                <web-resource-name>Viewpoint</web-resource-name>

                <url-pattern>/c</url-pattern>

        </web-resource-collection>

        <user-data-constraint>

                <transport-guarantee>CONFIDENTIAL</transport-guarantee>

        </user-data-constraint>

    </security-constraint>

</web-app>




Solution:

https://teradatanet0.teradata.com/MQUdHR5TXF4D/icons/ecblank.gif

In order to fix the SSL configuration you need to do the following.

1.  Make a copy of the new server.xml and web.xml files - (cp /opt/teradata/viewpoint/conf/server.xml & web.xml to /home/support/)

2.  Edit the new files under /opt/teradata/viewponit/conf/ directory to match the values before the upgrade.  Refer to the files you saved and attached to your CC.

3.  Once the files are edited; restart the Viewpoint service only.  (/etc/init.d/viewpoint restart)

     

We made the changes listed above and the website would not come up at all, so I reverted it back.

-Mike

Teradata Employee

Re: clear text passwords to Viewpoint SSL Configuration

There are improvements coming for this process in the next Viewpoint release.  For now, this is the only feasible way to implement this.  You can disable the HTTP connector on port 80 in the server.xml file, but then you don't get the redirect from HTTP to HTTPS and all users have to manually enter https://viewpoint.