This requires editing server.xml and web.xml in the server configuration (Server/conf) directory on your server.
Several clients have had success using the following instructions on their Windows Server. However, certificate vendors often have their own documentation on how their certificates need to be installed, so if it differs from ours, please use the certificate vendor's instructions.
Creating a Keystore – Installing the SSL Certificate – Optional: Force Traffic
Creating a Keystore
To Generate a Keystore through KeyTool and a CSR in Tomcat:
- First, go to the following directory using CMD or PowerShell:
cd C:\Program Files\iDashboards_SRV\jre\lib
- Then generate the keystore with keytool:
C:\Program Files\iDashboards_SRV\jre\lib> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
- Enter a password when prompted (this example uses changeit; the same value is entered as keystorePass in server.xml later):
changeit
- Enter the Distinguished Name information. The required format can vary by vendor; Network Solutions and GoDaddy currently use this format.
Field | Description
First and Last Name | Important: When prompted for the first and last name, DO NOT type your first and last name. Instead, type the Fully Qualified Domain Name (FQDN) of the site you are securing with this certificate (e.g., www.coolexample.com, mail.coolexample.com). If you are requesting a Wildcard Certificate, your FQDN must begin with an asterisk (*), for example *.coolexample.com.
Organizational Unit | Optional. If applicable, you can enter the DBA name in this field.
Organization | The full legal name of your organization. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate requestor's name in Organization, and the DBA (doing business as) name in Organizational Unit.
City/Locality | Name of the city in which your organization is registered/located; do not abbreviate.
State/Province | Name of the state or province where your organization is located; do not abbreviate.
Country Code | The two-letter International Organization for Standardization (ISO) country code for where your organization is legally registered.
- Now create the CSR by entering the following into keytool:
keytool -certreq -keyalg RSA -alias tomcat -file csr.txt -keystore tomcat.keystore
- Open the CSR file and copy all of the text, including the
-----BEGIN NEW CERTIFICATE REQUEST-----
and
-----END NEW CERTIFICATE REQUEST-----
lines.
- Paste all of the text into the online request form from your cert vendor and complete your application.
Installing the SSL Certificate
After the certificate is issued, download it from the Certificate Manager and place it in the same folder as your keystore. Then, using keytool, enter the following commands to install the certificates in Tomcat.
The certificate file names differ by vendor; the GoDaddy and Network Solutions names are listed here as examples (GoDaddy - Network Solutions):
SHA-1 root certificate: gd_class2_root.crt - AddTrustExternalCARoot.crt
SHA-2 root certificate: gdroot-g2.crt - AddTrustExternalCARoot2.crt
SHA-1 intermediate certificate: gd.intermediate.crt - OV_NetworkSolutionsOVServerCA.crt
SHA-2 intermediate certificate: gdig2.crt - OV_NetworkSolutionsOVServerCA2.crt
(Java 6/7 only) SHA-2 root certificate: gdroot-g2_cross.crt - *.companyname.crt
Avoid SSL certificates that use the SHA-1 algorithm wherever possible. When installing the certificates, the order matters: root first, then the intermediate(s), then the issued certificate.
- Install the root certificate by running the following command:
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file [name of root certificate]
- Install the intermediate certificate into the keystore by running the following command:
keytool -import -alias INT1 -keystore tomcat.keystore -trustcacerts -file [name of intermediate certificate]
- Some vendors have a second intermediate certificate that you will also need to import. Just change the alias to INT2:
keytool -import -alias INT2 -keystore tomcat.keystore -trustcacerts -file [name of second intermediate certificate]
- Install the issued certificate by running the following command. The alias must be "tomcat", the same alias used when the keystore was generated, so that keytool attaches the certificate to that private key:
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [name of issued certificate]
- Update the server.xml file in the Tomcat conf directory with the correct keystore location.
The HTTPS connector is commented out by default. Remove the comment tags to enable HTTPS.
- Tomcat 5.x, 6.x and 7.x: update the following elements in server.xml (keystorePass must match the password you entered when generating the keystore):
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keyAlias="tomcat" keystoreFile="C:/Program Files/iDashboards_SRV/jre/lib/tomcat.keystore" keystorePass="changeit"/>
- Save your changes to server.xml, and then restart Tomcat to begin using your SSL. Your SSL Certificate is now installed. Please follow up with: Tomcat: Implementing SSL
Optional: Force Traffic
If you would like to force all traffic to go to HTTPS, add the following to web.xml. This needs to be added between the <web-app></web-app> tags:
<!-- To force Tomcat to redirect all requested HTTP traffic over to HTTPS, configure the conf/web.xml file with the block below. It should be placed at the very end of the file, just above the closing </web-app> tag: -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
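As an added check that is not part of the original article, the Python script below parses the two configuration blocks this article edits (the HTTPS Connector in server.xml and the security-constraint in web.xml) and flags settings left at their defaults, such as keystorePass="changeit"; the sample XML inside it is constructed from this page's snippets.

```python
"""Audit the two blocks this article edits: the HTTPS <Connector> in
server.xml and the HTTPS-only <security-constraint> in web.xml.
Added example, not iDashboards' or Tomcat's code; sample XML is constructed."""
import xml.etree.ElementTree as ET

# Constructed from the article's server.xml snippet (comment syntax corrected).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
  keystoreFile="C:/Program Files/iDashboards_SRV/jre/lib/tomcat.keystore"
  keystorePass="changeit"/>
</Service></Server>"""

# Constructed from the article's web.xml block; real files carry a default
# xmlns, which is why tag names are compared by local name below.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
<security-constraint><web-resource-collection>
<web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
<url-pattern>/*</url-pattern></web-resource-collection>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint></web-app>"""

def _local(tag: str) -> str:
    """Strip a namespace prefix: '{uri}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]

def audit_connectors(server_xml: str) -> list:
    """Return findings for every SSLEnabled connector in server.xml."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port = c.get("port")
        if c.get("keystorePass") in (None, "", "changeit"):
            findings.append(f"port {port}: keystorePass missing or default 'changeit'")
        if c.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append(f"port {port}: sslProtocol permits SSLv2/SSLv3")
    return findings

def https_forced(web_xml: str) -> bool:
    """True if a security-constraint covers /* with CONFIDENTIAL transport."""
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        pats = [(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        tg = [(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee"]
        if "/*" in pats and tg == ["CONFIDENTIAL"]:
            return True
    return False
```

Call audit_connectors() on the contents of conf/server.xml and https_forced() on conf/web.xml after editing; keystorePass sits in clear text in server.xml, so restrict NTFS permissions on the conf directory to the service account.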
OpenSSL
Exporting/Backing Up to a .pfx File
- On the Start menu, click Run and then type mmc.
- Click File > Add/Remove Snap-in.
- Click Certificates > Add.
- Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the Add Standalone Snap-in window and the Add/Remove Snap-in window.
- Click the + to expand the Certificates (Local Computer) console tree and look for the Personal directory/folder. Expand the Certificates folder.
- Right-click the certificate you want to back up and select All Tasks > Export.
- Choose "Yes, export the private key" and "Include all certificates in the certification path if possible".
Warning: Do not select the "Delete the private key" option.
- Leave the default settings and then enter your password if required.
- Choose where to save the file and then click Finish. You should receive an "export successful" message. The .pfx file is now saved to the location you selected.
- After exporting the .pfx, you will need to use OpenSSL to extract the different components of the certificate.
- Extract the certificate (.cer):
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
- Extract the Certificate Authority (CA) certificate (.crt):
openssl pkcs12 -in domain.pfx -out domain-ca.crt -nodes -nokeys -cacerts
- Extract certificate (.cer):
- Then change the server.xml SSL connector to APR.
- You will need to be sure that your cert paths are correct for your system:
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="6700" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="C:/Program Files (x86)/iDashboards_SRV/cert/domain.cer"
           SSLCertificateKeyFile="C:/Program Files (x86)/iDashboards_SRV/cert/domain.key"
           SSLCACertificateFile="C:/Program Files (x86)/iDashboards_SRV/cert/domain-ca.crt"
           SSLVerifyClient="optional" />
- You should now restart Tomcat/iDashboardsSRV.
- Change your iDashboards URL to use https.
PLEASE NOTE: iDashboards does NOT support ANY 3rd party SSL certificates. If you run into issues with the installation of your SSL certificate please refer to the certificate issuer's support as they should have a support group who can assist you more efficiently.
For More Information:
- Apache Tomcat 8 SSL
- Apache Tomcat 9 SSL
- Apache Tomcat 10 SSL
- Previously Read: Tomcat: Securing the iDashboards Application
- Read Next: Tomcat: SSL Implementation
If the above is unable to resolve the issue, then please contact iDashboards Support for further assistance.
Comments
1 comment
These instructions do not produce a keyfile.