Configuring the HACloud Session Server

HACloud Session Server comes with some out-of-the-box default configuration settings for ESCWA and MFDS. The settings are available in a HACloud settings file in the product installation.

Micro Focus recommends that you edit this file before you start using HACloud and change the default passwords as a minimum in the configuration file. In addition, if ESCWA and MFDS are configured with non-default settings or you want to use an HTTPS connection, secure credentials, and trusted certificates for the server sessions, you need to configure these as well.

Settings available in the HACloud configuration file

The configuration settings file, hacloud.properties, is available in the %ALLUSERSPROFILE%\Micro Focus\Enterprise Developer folder (Windows) or in the etc subfolder in the product installation (UNIX).

You need to review and update the settings as required. To edit the file, start a text editor with administrator's (Windows) or with root (UNIX) permissions.

Important: Micro Focus recommends that you create a copy of this file before you modify it.

The contents of the file on Windows are:

#logging.level.com.microfocus.zfe.enterprise.ConfigurationServiceEnterprise=INFO
# HTTP URL on which ESCWA should be contacted
hacloud.es.escwaurl=http://localhost:10086
# MFDS host on which to query available 3270 endpoints
hacloud.es.mfdshost=127.0.0.1
# MFDS port
hacloud.es.mfdsport=86
# Port on which HA Cloud Session Server will accept inbound HTTP requests
server.port=7443
# Session Server keystore, holds server certificate
server.ssl.key-store=../../etc/keystore.bcfks
# Session Server keystore password
server.ssl.key-store-password=changeit
# Trusted certificate store for outbound HTTP and TN3270 connections
server.ssl.trust-store=../../etc/trustcerts.bcfks
# Trusted certificiate store password
server.ssl.trust-store-password=changeit
# Listen over HTTP
spring.profiles.active=no-tls,extensions-enabled
# Listen over HTTPS (if a server certificate is supplied using the keystore)
#spring.profiles.active=extensions-enabled

The contents of the file on UNIX are:

#logging.level.com.microfocus.zfe.enterprise.ConfigurationServiceEnterprise=INFO
# HTTP URL on which ESCWA should be contacted
hacloud.es.escwaurl=http://localhost:10086
# MFDS host on which to query available 3270 endpoints
hacloud.es.mfdshost=127.0.0.1
# MFDS port
hacloud.es.mfdsport=86
# Port on which HA Cloud Session Server will accept inbound HTTP requests
server.port=7443
# Session Server keystore, holds server certificate
server.ssl.key-store=../../etc/keystore.bcfks
# Session Server keystore password
server.ssl.key-store-password=changeit
# Trusted certificate store for outbound HTTP and TN3270 connections
server.ssl.trust-store=../../etc/trustcerts.bcfks
# Trusted certificiate store password
server.ssl.trust-store-password=changeit
# Listen over HTTP
spring.profiles.active=no-tls,extensions-enabled
# Listen over HTTPS (if a server certificate is supplied using the keystore)
#spring.profiles.active=extensions-enabled

The parameters you can change in this file are as follows:

hacloud.es.escwaurl
The URL on which ESCWA is running. The default one is http://localhost:10086.
hacloud.es.mfdshost
The host on which MFDS is running.
hacloud.es.mfdsport
The port on which MFDS is running.
server.port
server.port=7443 is the HTTP server end-point on which you can contact the HACloud Session Server.
server.ssl.key-store
The location of the Session Server keystore that holds server certificate. An empty keystore.bcfk keystore is provided in the etc folder in the product installation. The default password for the keystore is changeit and Micro Focus recommends that you change it.

You need to provide your own certificate if you want the HACloud Session Server to listen over an HTTPS connection. The keystore to use must be in a Bouncy Castle format. You can secure it with a password.

server.ssl.key-store-password
Specify the password to use to secure the Server Session keystore. The default password for the keystore is changeit and Micro Focus recommends that you change it.
server.ssl.trust-store
A keystore for trust certificates. An empty keystore, trustcert.bcfk is provided in the etc folder in the product installation. The default password for the trust store is changeit and Micro Focus recommends that you change it.

When the Session Server itself has to talk to another endpoint such as ESCWA or a TN3270 endpoint, and that endpoint has a certificate, either this certificate or the CA root attached to this certificate needs to be added to the trust store to enable the Session Server to trust that server. If you do not perform this step, then you might encounter SSL errors when the Session Server attempts to communicate with these endpoints.

See Import a Certificate into the Session Server's Truststore for more details. Note that some of the paths in the HACloud product Help are specific to the standalone HACloud product.

server.ssl.trust-store-password
Specify the password to use to secure the trust store. The default password for the keystore is changeit and you need to change it.
spring.profiles.active
Specify whether the Session Server listens to HTTP or HTTPS, a server-side setting.

By default, this is set to no-tls,extensions-enabled. no-tls means the connection is not TLS-enabled. extensions-enabled enables the Session Server to talk to ESCWA.

To enable TLS and listen over HTTPS, remove no-tls and only set this to extensions-enabled. In this case, you must provide your own keystore certificate in the specified keystore, server.ssl.key-store=../etc/keystore.bcfk.

Providing credentials for ESCWA and MFDS

If ESCWA is running in secured mode and has a security manager assigned to it, you need to provide the credentials to sign into it. Passwords are stored in a vault which is either an encrypted file on the disk or a server that provides the information.

You need to provide these credentials through the mfsecrecretsadmin utility and store them in the microfocus/hacloud location. The format of these secrets is the JSON payload for the ESCWA logon. See ESCWA Client Web APIs.

If you need to provide login credentials for ESCWA, supply them in the escwacreds secret.

If different credentials are required to sign in to MFDS, or single sign-on is not enabled in ESCWA, then you also need to provide the MFDS credentials in the mfdscreds secret.

If you want to verify that these secrets are available:

  1. Windows: Start an Enterprise Developer command prompt or Enterprise Server command prompt.
  2. UNIX: Open a terminal and set up the COBOL environment in it.
  3. To show a list of the secrets available for HACloud, execute mfsecrecretsadmin with the following options:
    mfsecretsadmin list microfocus/hacloud/*

    These should show the escwacreds and mfdscreds, if available.

  4. To read the contents of either file, execute mfsecrecretsadmin with the following options - for example:
    mfsecretsadmin read microfocus/hacloud/escwacreds