vRealize Application Remote Collector requires a working Internet connection to connect to Wavefront to send OS and application metrics.
If a direct Internet connection is not available, a working HTTP/HTTPS proxy must be available through which vRealize Application Remote Collector can connect to the Internet. vRealize Application Remote Collector uses only HTTPS connections to connect to Wavefront. As a result, the HTTP/HTTPS proxy must be configured to support HTTPS connections. HTTPS ensures that the connection between vRealize Application Remote Collector and the Wavefront server is fully encrypted and prevents man-in-the-middle attacks.
HTTP/HTTPS proxy servers handle HTTPS connections in one of two ways:
- Pass-through Mode. In this mode, the HTTP/HTTPS proxy server forwards the HTTPS requests directly to the web server and does not attempt to inspect the content transferred between the client and the server. The SSL connection is established directly between the client and the server.
- Intercept Mode. In this mode, the HTTP/HTTPS proxy server acts as a man-in-the-middle and establishes two different SSL connections: one between the client and the HTTP/HTTPS proxy, and the other between the HTTP/HTTPS proxy and the web server. Because the client does not have a direct SSL connection to the web server, it identifies this as a man-in-the-middle attack and terminates the connection. In this mode, the HTTP/HTTPS proxy server's CA certificate must be added to the trusted certification authorities of the client so that it accepts the SSL connection with the HTTP/HTTPS proxy server.
- Add the HTTP/HTTPS proxy details in /ucp/config/config.properties and in /ucp/wavefront-proxy/config/wavefront.conf.
  Note: For authentication, if the proxy server requires a user name and password, do not use Basic Authentication as the authentication method. Basic Authentication is not supported because the password is transmitted in clear text over the network and is not secure.
  - proxyHost. The IP or FQDN of the HTTP/HTTPS proxy server.
  - proxyPort. The port of the HTTP/HTTPS proxy server.
  - proxyUser. The user name. If the HTTP/HTTPS proxy server needs authentication, you can provide the user name.
  - proxyPassword. The password. If the HTTP/HTTPS proxy server needs authentication, you can provide the password.
- Add the HTTP/HTTPS proxy server's CA certificate to the trust store of vRealize Application Remote Collector.
  - Export the CA certificate from the HTTP/HTTPS proxy server. See the HTTP/HTTPS proxy server's documentation for information about how to export the CA certificate.
  - Copy the exported CA certificate to the vRealize Application Remote Collector.
  - To import the CA certificate into the trust store of vRealize Application Remote Collector, run the following command:
      keytool -import -alias charles -keystore /usr/java/jre-vmware/lib/security/cacerts -file PATH_TO_CERT
  - Enter the password when prompted. The password is changeit.
- Restart the vRealize Application Remote Collector API server and the Wavefront proxy components:
      docker restart ucp-apis
      docker restart wavefront-proxy
The Wavefront proxy components do not run if you have not configured Wavefront details in vRealize Operations Manager. In such a scenario, you do not have to restart the Wavefront proxy components.
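Importing a CA certificate into the trust store makes the collector accept any certificate that CA signs, so it is worth confirming that the exported file is the proxy's real CA before and after the import. The following script is an added example, not part of VMware's documentation or tooling; the function names are hypothetical, and it assumes the expected SHA-256 fingerprint was obtained from the proxy administrator out of band and that keytool prints its usual "SHA256:" fingerprint line.

```shell
#!/bin/sh
# Added example (hypothetical helper, not VMware tooling): compare a proxy CA
# certificate's SHA-256 fingerprint with a known-good value around the import.

# Canonical form: uppercase hex with colons and whitespace removed.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read `keytool -printcert` or `keytool -list -v` output on stdin and print
# the SHA-256 fingerprint of the first certificate shown.
sha256_from_keytool() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Succeed only if both values are the same 64-hex-digit fingerprint.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in *[!0-9A-F]*|'') return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Usage: verify_and_import CERT_FILE EXPECTED_FP KEYSTORE ALIAS
# keytool prompts for the trust store password, as in the manual steps.
verify_and_import() {
    cert=$1; expected=$2; keystore=$3; entry=$4
    got=$(keytool -printcert -file "$cert" | sha256_from_keytool)
    if ! fp_matches "$got" "$expected"; then
        echo "refusing import: fingerprint is '$got'" >&2
        return 1
    fi
    keytool -import -alias "$entry" -keystore "$keystore" -file "$cert" || return 1
    # Re-read the stored entry so a stale or different alias is caught.
    stored=$(keytool -list -v -alias "$entry" -keystore "$keystore" | sha256_from_keytool)
    if ! fp_matches "$stored" "$expected"; then
        echo "trust store entry '$entry' does not match" >&2
        return 1
    fi
    echo "imported '$entry' with SHA-256 $(normalize_fp "$stored")"
}

# Runs only when called with all four arguments.
if [ "$#" -eq 4 ]; then
    verify_and_import "$@"
fi
```

Run it with the certificate path, the expected fingerprint, the trust store path from the keytool step, and the alias (charles in the steps above), then restart the containers as described.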