This article describes how to manually set up an Accelerator Product (Adoption Center, Connect and Revision Manager) to run over TLS (Transport Layer Security - https). If you need to setup TLS for Definition Center, please see this article. This article assumes you have installed the JRE in the default location. If your JRE is in a different location, modify the paths below accordingly.
1. Generate the Keystore, create an Alias and Key Pair
Stop the product's service if it is running.
Open a command prompt and navigate to the following directory:
C:\Program Files\java\jre7\bin.Type the following command, entering whatever name you like for the alias (make note of the name you use for the alias as you will use this later):
keytool -genkeypair -alias <alias> -keyalg RSA -sigalg SHA256withRSA -keypass <key password> -keystore C:\Program Files\<Accelerator Product>\apache-tomcat-7.0.23\conf\keystore.jks -storepass <keystore password> -validity <number of days key is valid> -keysize 2048Enter the following information when prompted:
first and last name - the Keytool program is looking for the common name here. The common name is the fully-qualified domain name (FQDN), Host name or URL - to which you plan to apply your certificate. Do not enter your personal name in this field. NOTE: If you are requesting a Wildcard certificate, please add an asterisk on the left side of the Common Name (e.g., "*.coolexample.com" or "*www.coolexample.com"). This will secure all subdomains of the Common Name.
organizational unit - Use this field to differentiate between divisions within your organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.
organization - The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate requestor's name in the Organization field, and the DBA (doing business as) name in the Organizational Unit field.
city/locality - Name of the city in which your organization is registered/located. Please spell out the name of the city. Do not abbreviate.
state/province - Name of state or province where your organization is located. Please enter the full name. Do not abbreviate.
country code - The two-letter International Organization for Standardization- (ISO-) format country code for the country in which your organization is legally registered. Confirm that the Distinguished Name information is correct.
2. Modify the server.xml file
Back up the file before making any modifications. Make a copy of the
C:\Program Files\<Accelerator Product>\apache-tomcat-7.0.23\conf\server.xmlfileEdit the original
server.xmlfile with a text editor.Find the connector that looks similar to the text below, (Search for:
Service name="Catalina"). The connector will only contain the port. You will need to modify the port, and add the rest.
Here is an example of a configured SSL connector for Revision Manager running on port 8443:
<Service name="Catalina">
<Connector
port="8443"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
SSLEnabled="true"
keystoreFile="C:\Program Files\<Accelerator Product>\apache-tomcat-7.0.23\conf\keystore.jks"
keystorePass="<password to your keystore>"
keyPass="<password to private key>"
keyAlias="<alias to your key created above>"```
3. Test your settings and your self-signed certificate
Start the iRise Accelerator Product service, then open a browser on the server and try to login to the product. If you used a port other than 443 type:
https://URL:<port>:<product>
replacing <port> with the port number you used. An example using Revision Manger would be:
https://<hostname>:<port>/revisionmanager/login.htmAttempt to login to the Accelerator product you are using and navigate around. You will get a security warning in your browser indicating that the certificate for the server is not yet correct. This is expected, as the certificate is self-signed at this point. If you do not intend on having a certificate authority (CA) sign your certificate, you can export your certificate from the keystore and import it into your system's trusted store. If you require a trusted CA to sign your certificate, continue to step 5 to create a certificate signing request (CSR). Otherwise, run this command to export your certificate:
keytool -export -keystore <path to keystore file> -alias <alias> -file <certificate name>.cer
3. Run these commands to import self-signed certificate into Windows client:
certutil -addstore "TrustedPublisher" <certificate name>.cer
certutil -addstore root <certificate name>.cer
Import self-signed certificate into Mac client:
sudo /usr/bin/security add-trusted-cert -d -r trustRoot -k "<certificate name>.cer"
4. Generate a Certificate Signing Request (CSR) and Obtain a Certificate
Open a command prompt and navigate to the following directory: C:\Program Files\java\jre7\bin
Generate the CSR using the following command:
keytool -certreq -alias <alias> -sigalg SHA256withRSA -file <filename.csr> -keypass <key password> -storetype jks -keystore <path to keystore.jks> -storepass <keystore password>
You should now have a CSR in the directory specified in the above command. Open the file with a text editor and cut and paste the contents into your certificate authority’s enrollment form and follow the instructions to generate your certificate.
5. Install and Test your Certificate
If given a choice, choose a P7B type certificate, as it contains the full chain, including the root and intermediate certificates. Open a command prompt and navigate to the following directory: C:\Program Files\java\jre7\bin
Place the certificate you receive back from the certificate authority in the C:\Program Files\java\jre7\bin directory and import it into the keystore with the following command
keytool -import -file <signed certificate> -alias <alias> -trustcacerts -keystore <path to keystore> -storepass <keystore password>
If you used a certificate from a trusted root authority (Verisign, Thawte, etc.) you don't need to do anything more. Start the Accelerator Product service and go to:
https://URL:<port>:<product>
replacing <port> with the port number you used. An example using Revision Manager would be:
https://<hostname>:<port>/revisionmanager/login.htm
Non-trusted Certificate Authority - additional steps
If you used a certificate from a non-trusted or internal certificate authority there are some additional steps you need to take. You need to import that certificate authority's root & intermediate (if using) certificate(s) into the C:\Program Files\java\jre7\lib\security\cacerts file. Additionally, if there are intermediate certificate signing servers between the root authority and your certificate, you need to import the root certificates for those intermediate signing servers to the C:\Program Files\<Accelerator Product>\apache-tomcat-7.0.23\conf\keystore.jks file. You can do this using the keytool program as well. Here is a sample command for importing a root certificate (rootcert.cer) into the cacerts file:
keytool -import -trustcacerts -file rootcert.cer -alias <mycompanyroot> -keystore C:\Program Files\java\jre7\lib\security\cacerts
and here is a sample command for importing an intermediate signing authority certificate (intermediate.cer) into the keystore.jks file:
keytool -import -trustcacerts -alias <mycompanyintermediate> -file intermediate.cer -keystore C:\Program Files\<Accelerator Product>\apache-tomcat-7.0.23\conf\keystore.jks
You can use the free Keystore Explorer tool (available for Windows and Mac) to create and read keystore files and examine and import certificates. Further details can be found on their website: http://keystore-explorer.sourceforge.net.