QUESTION:
How do I configure or change the SSL certificate used by the Web App?
Since the Traverse Web application is purely HTML-based, the GUI component can be accessed over both plain HTTP and secure (SSL) HTTP. By default SSL is already enabled on the default port 443 with a Kaseya certificate; to enable SSL or change the certificate it uses, follow the steps below:
SOLUTION:
The changes below must be re-applied when you install or update to a new version of Traverse.
The password used to create the 'keystore' file must not contain any special characters, otherwise the Web Application will be unable to load the file.
Configuring SSL for the Web Application:
- The application server (Apache Tomcat) used by Traverse uses a JKS format keystore. Traverse by default ships with a keystore containing a self-signed certificate. If you are not ready to install a valid key yet, you can skip to the step that edits server.xml (step 10 below). Otherwise, first rename or move the existing keystore located at <TRAVERSE_HOME>/plugin/web/webapp.keystore
- Create a private/public (RSA) key pair using the following command:
<TRAVERSE_HOME>/apps/jre/bin/keytool -genkey -keyalg RSA -storepass changeit -alias tomcat -keystore <TRAVERSE_HOME>/plugin/web/webapp.keystore
- Answer the questions, making sure to specify the fully-qualified domain name when asked for first/last name. Do not use a comma (,) in any of the answers, as it will cause problems. When asked for the key password for tomcat, press return/enter.
- Generate a Certificate Signing Request (CSR) using the following command:
<TRAVERSE_HOME>/apps/jre/bin/keytool -certreq -storepass changeit -alias tomcat -keystore <TRAVERSE_HOME>/plugin/web/webapp.keystore -file my_new_key.csr
- You will need to send the CSR (my_new_key.csr) to a valid certificate authority (CA) such as Verisign or Thawte. Usually the CA will send you a signed certificate via email. If you are acting as your own CA, the CSR can be signed using OpenSSL or other SSL tools.
- Save the certificate in my_new_cert.pem and make sure that the certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. All other text above/below the specified section should be deleted.
- Import the new certificate into a new keystore using:
<TRAVERSE_HOME>/apps/jre/bin/keytool -import -v -trustcacerts -alias tomcat -storepass changeit -file my_new_cert.pem -keystore <TRAVERSE_HOME>/plugin/web/webapp.keystore
- When asked "Trust this certificate?", answer yes and the certificate will be installed into the keystore.
- Verify that the certificate has been imported correctly using:
<TRAVERSE_HOME>/apps/jre/bin/keytool -list -v -storepass changeit -keystore <TRAVERSE_HOME>/plugin/web/webapp.keystore
For example, compare the listed fingerprint with the fingerprint of the cert.
Also look for "Entry type: PrivateKeyEntry" in the tomcat alias section.
- Edit <TRAVERSE_HOME>/apps/tomcat/conf/server.xml using a text editor and check that the following section is uncommented and not enclosed between (<!-- .. -->) :
<Connector port="443"
minProcessors="20" maxProcessors="80"
enableLookups="false" allowChunking="false"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystorePass="changeit"
keystoreFile="../../plugin/web/webapp.keystore"
compression="off" debug="0"
URIEncoding="UTF-8" />
Make sure that the keystoreFile, keystorePass and port parameters are set correctly. On a Windows platform, the path would be specified as C:/Program Files (x86)/Traverse/plugin/web/webapp.keystore in this file.
- To configure Tomcat to use only SSL (https), you can disable the standard http request handler as described below.
- Save the file and restart the Web application if already running. On Linux or Solaris hosts:
<TRAVERSE_HOME>/etc/webapp.init restart
On Windows hosts, use the Traverse Service Controller. First, clear the Web application check box to stop the web application. Then wait 15-30 seconds and select the Web application check box to start the web application.
- Wait 15-30 seconds for the Web application to initialize, then use your web browser to connect to https://your_traverse_host/ and you should see the Traverse login page.
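Added example (not from the article or Kaseya): a small Python helper that trims the CA's e-mail down to the bare PEM block the "Save the certificate" step requires, checks that it decodes to DER, and formats the fingerprint the way "keytool -list -v" prints it, so the fingerprint comparison in the verification step can be scripted. The e-mail text and the certificate body are constructed; the body is a valid DER SEQUENCE, not a real certificate.

```python
"""Clean a CA-supplied certificate and compute its keytool-style fingerprint."""
import base64
import hashlib
import re

# Constructed stand-in for the CA's e-mail: chatter around the PEM block, and a
# body that is a valid DER SEQUENCE (not a real certificate) to keep it short.
CA_EMAIL = """Dear customer, your signed certificate is below.
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
Regards, the CA."""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def extract_pem(text):
    """Return only the PEM block (what my_new_cert.pem must contain), or None if absent."""
    m = PEM_RE.search(text)
    if not m:
        return None
    body = re.sub(r"\s+", "", m.group(1))          # drop line breaks/spaces from the body
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem):
    """Decode the PEM body; refuse anything that is not a DER SEQUENCE (tag 0x30)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate")
    return der


def keytool_fingerprint(der, algo="sha1"):
    """Fingerprint in the colon-separated upper-case form 'keytool -list -v' prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    pem = extract_pem(CA_EMAIL)
    print(pem, end="")
    print("SHA1:", keytool_fingerprint(pem_to_der(pem)))
```

Compare the printed SHA1 line with the fingerprint keytool lists for the tomcat alias after the import.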
If you want to use only SSL, you can disable the non-SSL server of the Web application by performing the following steps:
Disabling non-SSL Web Application server
- Edit <TRAVERSE_HOME>/apps/tomcat/conf/server.xml using a text editor and locate the following Connector section for port 80:
<!-- define standard http request handler -->
<Connector port="80" minProcessors="20" maxProcessors="80" enableLookups="false" allowChunking="false" acceptCount="100" redirectPort="443" compression="off" debug="0" URIEncoding="UTF-8" />
- Comment out the section by adding "<!--" and "-->" as follows:
<!-- define standard http request handler -->
<!-- disabled
<Connector port="80" minProcessors="20" maxProcessors="80" enableLookups="false" allowChunking="false" acceptCount="100" redirectPort="443" compression="off" debug="0" URIEncoding="UTF-8" />
-->
- Save the file and restart the Web application as described above.
The Web application should now be accessible only via the https://your_traverse_host/ URL and not via http (plain text).
Redirecting non-SSL Port to SSL Port Automatically
- Edit <TRAVERSE_HOME>/webapp/WEB-INF/web.xml and add the following block immediately after the opening <web-app> tag:
<!-- This block forces SSL for all connections -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
- Now restart the Web application to activate the new settings.
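Added example (not from the article or Kaseya): a Python audit of the two files edited above. It parses the active Connector elements in server.xml (commented-out ones are skipped by the XML parser, which is exactly what the "disabled" comment achieves), checks the secure connector's scheme, keystoreFile and the article's no-special-characters rule for keystorePass, and reports a plain-text connector only when web.xml does not carry the CONFIDENTIAL constraint that redirects it. The two XML fragments are constructed samples; the real files live under <TRAVERSE_HOME>/apps/tomcat/conf/ and <TRAVERSE_HOME>/webapp/WEB-INF/.

```python
"""Audit the Tomcat SSL settings this article edits (added example, not Kaseya code)."""
import re
import xml.etree.ElementTree as ET

# Constructed stand-ins for server.xml and web.xml (deliberately one weak setting).
SERVER_XML = """<Server><Service name="Tomcat-Standalone">
<Connector port="80" redirectPort="443" URIEncoding="UTF-8" />
<Connector port="443" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
 keystorePass="chang3!t" keystoreFile="../../plugin/web/webapp.keystore" />
</Service></Server>"""

WEB_XML = """<web-app><security-constraint>
 <web-resource-collection><web-resource-name>Entire Application</web-resource-name>
  <url-pattern>/*</url-pattern></web-resource-collection>
 <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""


def forces_ssl(web_xml):
    """True when web.xml has a CONFIDENTIAL transport guarantee covering /*."""
    for sc in ET.fromstring(web_xml).iter():
        if not sc.tag.endswith("security-constraint"):   # endswith() tolerates a namespace prefix
            continue
        patterns = [e.text for e in sc.iter() if e.tag.endswith("url-pattern")]
        guarantees = [e.text for e in sc.iter() if e.tag.endswith("transport-guarantee")]
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


def audit(server_xml, web_xml):
    """Return findings for the active Connectors (commented-out ones never reach the parser)."""
    findings = []
    ssl_forced = forces_ssl(web_xml)
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port")
        if c.get("secure") != "true":
            if not ssl_forced:   # plain HTTP reachable and not redirected: comment it out or add the web.xml block
                findings.append(f"port {port}: plain-text connector enabled and web.xml does not force SSL")
            continue
        if c.get("scheme") != "https":
            findings.append(f'port {port}: secure connector must set scheme="https"')
        if not c.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is not set")
        # The article's rule: the keystore password must not contain special characters.
        if not re.fullmatch(r"[A-Za-z0-9]+", c.get("keystorePass", "")):
            findings.append(f"port {port}: keystorePass is empty or contains special characters")
    return findings


if __name__ == "__main__":
    for line in audit(SERVER_XML, WEB_XML) or ["no findings"]:
        print(line)
```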