Tomcat (Windows)
Prerequisites
- General Prerequisites
  - Ensure that the following packages are installed to facilitate device addition:
    - sudo/dzdo (optional, as per the access elevation selected)
    - timeout
    - base64
  - Ensure that the target IP address is accessible from the cloud connector and the port is open.
  - Make sure that the language setting for the Tomcat (Linux) Server is set to English. Ensure that the sudo prompt string follows the standard Linux format, which is typically "[sudo] password for <your_username>:".
  - Only certificate and key files in PEM, CRT, CER, and JKS formats are detected.
  - SSH private keys cannot be used in conjunction with password-enabled sudo/dzdo settings. Therefore, if an SSH key is used for authentication, ensure that the sudo/dzdo configuration is set to passwordless.
  - Certificates are not identified from a path that does not have the required permission (such as 640) for the user. Ensure that the file is the same as the one configured in device addition; configure the certificates in the config files with an accessible path, or change the file permissions to make the files accessible.
- Prerequisites for Service Account Preparedness
  - Ensure that access elevation is enabled for the service account.
    When using a service account, all command executions related to the specified use cases occur within the context of the service account. The selected access elevation is relevant only when switching to the service account using a command like:
    sudo su - serviceAccountUserName
    When configuring the service account username with access elevation, an option becomes available to enable access elevation for the service account. Enabling access elevation allows commands to be executed with the selected elevation level.
    If disabled, commands run without access elevation. If enabled, commands are executed with the chosen access elevation and may require a password, depending on the sudo/dzdo settings. If a password is required, ensure that the service account password is entered in the interface when prompted.
    Note: If an SFTP connection is set up for the current user, they may not have the requisite access to the service account's directory. It is recommended to configure a directory path in the File Upload Temp Path in the UI where both the current user and the service account user have read and write access.
Onboarding Tomcat (Windows) Server
- Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
  By default, the ADC tab opens.
- Click the Server tab.
- Click the (Add) icon.
  The Device details page is displayed.
- Select Apache Microsoft from the Vendors list.
- In the Server details section, enter the details as follows.
  Table 1. Server Details - Field Description Table
  - *Server Type: Select the Tomcat radio button.
  - *Server name: Enter the name of the designated Apache Tomcat server.
  - *Hostname: Enter the hostname of the Apache Server.
  - Data center: Choose the desired data center.
  - Onboarding Group: Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
  - Communication mode: Select the Gateway or SSM protocol to be used for communication between the AppViewX node and the Apache server. Gateway is the preferred communication mode.
  - Cert Sync: Choose from any of the following:
    - Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    - Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    - Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
  *: Mandatory fields
- In the Credentials section, select the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the Apache (Tomcat) server device.
  If Communication mode = Gateway the fields are as follows:
  Table 2. Credentials - Field Description Table
  - *Credential Type: Select the credential type from the dropdown.
    - Manual entry (default)
    - Credential List - Appviewx
    Note: If Credential list - Appviewx is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
  - *Username: Enter the designated username for authentication. (field displayed for manual entry and SSH)
  - *Password: Enter the secure password. (field displayed for manual entry only)
  *: Mandatory fields
  If Communication mode = SSM the fields are as follows:
  Table 3. Credentials - Field Description Table
  - *Credential Type: Select the credential type from the dropdown.
    - Manual entry (default)
    - Credential List - cloudAccount
    Note: If Credential list - cloudAccount is selected, the *Account name dropdown field is displayed. Select any of the preconfigured credential values.
  - *Access key: Enter the access key to log in to the EC2 instance of the AWS cloud machine.
  - *Secret key: Enter the secret key to log in to the EC2 instance of the AWS cloud machine.
  - *Region: Enter the geographic region of the AWS instance. Example: us-east-2
  - *Instance id: Enter the unique identifier for an EC2 instance in AWS. It is required to perform actions or execute commands on a specific EC2 instance. Example: i-02573cafcftext
  - *SSM document name: Enter the name of the SSM document that contains the script or action to be executed on the EC2 instance. Example: AWS-RunShellScript is an SSM document that allows you to execute shell scripts on EC2 instances.
  - *SSM document version: Specify the version of the SSM document to be executed. Example: 1
  - *S3 bucket name: Enter the S3 bucket name used to store command output or logs executed in the EC2 instance. Example: avxdiscoverydocument-c2
  - Proxy required: Select the checkbox to enable the secure proxy service.
  *: Mandatory fields
- Enter the Windows gateway details.
  Note: This section is displayed only when Communication mode = Gateway.
  Table 4. Windows Gateway Details - Field Description Table
  - *Windows Gateway Mode: For communicating with Windows-based devices, from the following options, select the gateway agent mode to be used:
    - External
      This mode will use the AppViewX Windows Gateway Agent that is set up on a Windows device.
    - Integrated
      This mode will use the prepackaged gateway that is integrated in the AppViewX Cloud Connector (enabled only in the SaaS and Managed Kubernetes installations).
      Prerequisites for using the Integrated Windows Gateway mode
      Note: The integrated gateway functionality is not compatible with the following features:
      - Server addition using the import feature
      - Endpoint CSR generation
  - *Gateway type: From the following options, select the required gateway type:
    - PowerShell
    - WMI
    Note: The integrated gateway uses only the PowerShell gateway command execution mode and therefore, this field is not displayed when Windows Gateway Mode = Integrated.
  - *Gateway location: From the following options, select the gateway location:
    - Remote
    Note: By default, the integrated gateway is remotely located and therefore, this field is not displayed when Windows Gateway Mode = Integrated.
  - *Select gateway: From the following options, select the gateway:
    - New
    - Existing
    Note: This field is displayed only when Windows Gateway Mode = External.
  - *Windows gateway: From the dropdown list, select an existing Windows gateway.
    Note: This field is displayed only when Select gateway = Existing.
  - *Windows gateway name: For Windows Gateway Mode = External and Select gateway = New, enter a name for the Windows Gateway. For Windows Gateway Mode = Integrated, this field is auto-populated with the value integrated-gateway.
  - *Windows gateway URL: Enter the URL of the Windows Gateway endpoint.
    Note: This field is displayed only when Windows Gateway Mode = External and Select gateway = New.
  - Client authentication certificate: Upload the client certificate used while installing Windows Gateway. You can use the default client certificate (ClientCertificateGateway.pfx) or a custom certificate.
    Note: This field is displayed only when Windows Gateway Mode = External and Select gateway = New.
  *: Mandatory fields
- Enter the Vendor Specific Details.
  Note: This section is displayed only when Communication mode = SSM.
  Table 5. Vendor Specific Details - Field Description Table
  - *Region: Enter the geographic region of the AWS instance. Example: us-east-2
  - *Instance Id: Enter the unique identifier for an EC2 instance in AWS. It is required to perform actions or execute commands on a specific EC2 instance. Example: i-02573cafcftext
    Note: Click the (Settings) icon next to the field to configure the ARN Advanced Settings.
  - *SSM document name: Enter the name of the SSM document that contains the script or action to be executed on the EC2 instance. Example: AWS-RunShellScript is an SSM document that allows you to execute shell scripts on EC2 instances.
  - *SSM document version: Specify the version of the SSM document to be executed. Example: 1
  - *S3 bucket name: Enter the S3 bucket name used to store command output or logs executed in the EC2 instance. Example: avxdiscoverydocument-c2
    Note: Click the (Settings) icon next to the field to configure the S3 Advanced Settings.
  - Proxy Required: Select the checkbox to enable the secure proxy service.
  *: Mandatory fields
- In the Certificate details section, select the details as indicated below:
  Table 6. Certificate Details - Field Description Table
  - *Installation directory path: Enter the directory/path where the application is installed. Tomcat ADManager & Self Service Plus has to be integrated under Windows Tomcat, so the paths can be defined as follows:
    - C:\<parent_folder> e.g. C:\ProgramFiles - Certificates will be discovered from Tomcat, ADManager & Self Service.
    - C:\ProgramFiles\Apache-Tomcat-8.5.35 - Certificates will be discovered only from Tomcat.
    - C:\ProgramFiles\ManageEngine\ADManager - Certificates will be discovered only from ADManager.
    - C:\ProgramFiles\ManageEngine\ADSelfService - Certificates will be discovered only from ADSelfService.
  *: Mandatory fields
- Click Add.
  Once the server is added successfully, the path will be listed in the table.
- (optional step) Click the (Delete) icon, if you want to delete the server path from the list.
- Click Save.
  The device is onboarded successfully.
Limitations
When ManageEngine ADManager is deployed as a Windows Tomcat service, the following limitation applies during service restarts:
- The default stop and start scripts (ADSShutdown.bat and ADSStartup.bat) executed by AppViewX only control the Java process and do not restart the actual Windows service. Consequently, the Windows service continues running with the previous configuration, and newly deployed certificates are not applied until the service is manually restarted through Windows Services. To ensure the updated certificate takes effect, a custom post-deployment script should be implemented to restart the ADManager Windows service after certificate installation.
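One way to write the custom post-deployment script described above, as an added example that is not AppViewX or ManageEngine code: it restarts the Windows service and then checks that the listener presents the newly deployed certificate. The service name, port 8443 and the expected thumbprint are assumptions to be replaced with values from your environment; how the script is registered in AppViewX is not covered here.

```powershell
# Added example (not vendor code). ServiceName, Port and ExpectedThumbprint are
# placeholders: take the real service name from the Services console on the host.
param(
    [Parameter(Mandatory)] [string] $ServiceName,         # Windows service that wraps ADManager
    [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # thumbprint of the certificate just deployed
    [string] $HostName       = 'localhost',
    [int]    $Port           = 8443,                      # assumed HTTPS port; set to your connector's port
    [int]    $TimeoutSeconds = 120
)
$ErrorActionPreference = 'Stop'

function Get-ServedThumbprint([string] $HostName, [int] $Port) {
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Validation is bypassed on purpose: the handshake is only used to read
        # which certificate the listener presents, not to trust the connection.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        $tls.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        return $cert.Thumbprint
    } finally {
        $client.Dispose()
    }
}

# Restart the service itself, not just the Java process, and wait for Running.
$service = Get-Service -Name $ServiceName
Restart-Service -InputObject $service -Force
$service.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))

# The service may report Running before the HTTPS port is bound, so poll.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$served   = $null
while (-not $served -and (Get-Date) -lt $deadline) {
    try { $served = Get-ServedThumbprint $HostName $Port }
    catch { Start-Sleep -Seconds 5 }
}

if ($served -ne $expected) {
    throw "Service '$ServiceName' restarted, but port $Port serves '$served' instead of '$expected'."
}
Write-Output "Service '$ServiceName' restarted; port $Port now serves $served."
```

A non-zero exit from the `throw` lets the calling workflow treat a stale certificate as a failed deployment instead of a silent success.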
Validating the Device
- Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
  By default, the ADC tab opens.
- Click the Server tab.
  The Server Inventory page is displayed.
- Check that the device name appears in the inventory (Name column) with the specified Status column.
  The Status column will have the value Managed/Monitored/Ignored if the connection is successful, or Failed/Unresolved in case of failure.
- From the Status column, click the status value (Managed/Monitored/Ignored/Failed/Unresolved).
  The Device Status Log pop-up is displayed.
- Expand each value in the pop-up to view the Device communication, Device Version, Instance Information, and Certificate Discovery From Device.
What's Next
- If you want to discover certificates from the onboarded device, see Managed Devices Scan.
- If you want to enroll a new server certificate, see Enrolling a Server Certificate.
