Configure DX NetOps Mediation Manager to Use HTTPS
You can configure DX NetOps Mediation Manager to use HTTPS for secure connections.
To configure HTTPS, follow these steps:
- Log in to the machine where MultiController (CAMM web GUI) is running.
- Stop CAMM by executing the stopall script at /<installation_directory>/tools. /opt/CA/CAMM is the default installation directory.
- Generate a new KeyStore
- Navigate to the directory where you want to place the keystore and the other certificates, and enter the following command.
If you want to configure using a self-signed certificate, skip Steps 4 and 5 and proceed to Step 6.
- keytool -genkey -keyalg RSA -alias <hostname> -keystore keystore.jks
- Create a password for your keystore when prompted. This password is used in the Tomcat configuration file, and also to generate the CSR and to import the certificate.
- Save the password.
- Enter the SSL/TLS certificate information when prompted. When you are prompted for the first and last name, provide the fully qualified hostname of the server.
- Enter the organization information.
- When prompted to verify your information, type "y" or "yes" to confirm.
- When asked for a "key password for <hostname>", press Enter to use the password you just created for the keystore file.
- Your keystore file (keystore.jks) is created in the current working directory.
- Generate Certificate Signing Request (CSR)
- Enter the following command to create the CSR file from the keystore obtained in Step 3.
- keytool -certreq -keystore keystore.jks -ext SAN=dns:<fqdn_of_server> -alias <hostname> -file hostname.csr
- When prompted, enter the password that you created earlier for the keystore.
- In the current directory, hostname.csr now contains the CSR.
- Submit the CSR file to a certificate authority and obtain the CA-signed certificates.
- Save and back up your keystore file (keystore.jks) so that you can install the SSL/TLS certificate later.
- Always keep a backup of the keystore file to resolve any issues during certificate installation.
- Import the signed certificate into the keystore. Depending on the certificate format from the Certificate Authority, there are multiple ways of importing the files into the keystore. You must install the SSL/TLS certificate file into the same keystore and under the same alias name that you used to generate your CSR. If you try to install the certificate into a different keystore or under a different alias, the import command does not work.
- PKCS#7 (.p7b): If the certificate is in PKCS#7 format (files with the .p7b extension), it already includes the necessary intermediate and root certificates. Run the following command to import it into the keystore:
- keytool -import -trustcacerts -alias <hostname> -keystore keystore.jks -file hostnameDomain.p7b
- After the certificate is imported successfully, you see the message “Certificate reply was installed in keystore”.
- PEM (.crt): If the signed certificates are in PEM format (files with the .crt extension), you must import the root, intermediate, and domain name certificates into the keystore. Import the certificates starting with the root certificate and ending with the certificate for your domain name.
Store the certificate and private key files, such as *.pem, *.cer, *.crt, *.key files, that are referenced in configuration files during this process in a secure location. If the certificate and private key files are temporary files that are not referenced in configuration files after this process is complete, move or delete them.
- Run the following command to import the root certificate:
- keytool -import -alias root -keystore keystore.jks -trustcacerts -file root.crt
- Run the following command to import the intermediate certificate:
- keytool -import -alias intermediate -keystore keystore.jks -trustcacerts -file intermediate.crt
- If there are multiple intermediate certificates, import them in order. You must use a different alias for each intermediate certificate.
- Run the following command to import the domain name certificate:
- keytool -import -alias <hostname> -keystore keystore.jks -file domain_name_cert
- The alias must be the same one that was used when creating the keystore.
- Configure the Java keystore obtained in Step 3 in Tomcat. Change to the following directory from the default installation directory:
- cd /<installation_directory>/WEBCAMM/conf
- Make the following changes in the server.xml file.
- Take a backup of the server.xml file.
- Edit the server.xml file in the directory, and update the <Connector> element with the following changes:
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLSv1.2" keystoreFile="/path/to/keystore.jks"
             keystorePass="keystore_password" />
- Make the following changes in the web.xml file.
- Take a backup of the web.xml file under the same directory.
- Edit the web.xml file under the same directory: add the following section at the end of the file, just before the closing </web-app> tag.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
- Start DX NetOps Mediation Manager by executing the startall script at /<installation_directory>/tools. The new link to the DX NetOps Mediation Manager GUI is https://<cammweb-host>:8443. For more information on Tomcat configuration, refer to the Tomcat documentation.
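Before running startall, it is worth confirming that the server.xml and web.xml edits actually enforce TLS: a Connector left with a pre-1.2 sslProtocol, a placeholder keystorePass, or a missing transport-guarantee silently leaves the GUI reachable over plain HTTP. The following script is an added example (not product or documentation code); the sample XML strings are constructed, and for real files you pass open(path).read() to the two check functions.

```python
"""Check the Tomcat edits from the HTTPS procedure before running startall.

Added example (not product or documentation code). The sample XML strings
below are constructed; feed your own server.xml and web.xml text to the checks."""
import xml.etree.ElementTree as ET

ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3", "TLS"}            # reject SSLv3/TLSv1.0/1.1
PLACEHOLDER_PASSWORDS = {"keystore_password", "changeit", ""}

def _local(tag):
    return tag.rsplit("}", 1)[-1]   # strip the namespace web.xml usually declares

def check_server_text(xml_text):
    """Return findings for the SSL Connector(s); an empty list means OK."""
    findings = []
    connectors = [c for c in ET.fromstring(xml_text).iter("Connector")
                  if c.get("SSLEnabled", "").lower() == "true"]
    if not connectors:
        return ['no Connector with SSLEnabled="true"']
    for c in connectors:
        port = c.get("port", "?")
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            findings.append(f"port {port}: scheme/secure must be https/true")
        if c.get("sslProtocol") not in ACCEPTED_TLS:
            findings.append(f"port {port}: sslProtocol {c.get('sslProtocol')!r} is below TLS 1.2")
        if not c.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is not set")
        if c.get("keystorePass", "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"port {port}: keystorePass is still a placeholder")
    return findings

def check_web_text(xml_text):
    """True if some security-constraint forces CONFIDENTIAL transport for /*."""
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        texts = {(_local(e.tag), (e.text or "").strip()) for e in sc.iter()}
        if ("url-pattern", "/*") in texts and ("transport-guarantee", "CONFIDENTIAL") in texts:
            return True
    return False

# Constructed samples: the Connector from the procedure, then a weakened copy.
GOOD_SERVER = ('<Server><Service><Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" '
               'maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1.2" '
               'keystoreFile="/opt/CA/CAMM/keystore.jks" keystorePass="S3cret!" /></Service></Server>')
BAD_SERVER = GOOD_SERVER.replace("TLSv1.2", "TLSv1").replace("S3cret!", "keystore_password")
GOOD_WEB = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>'
            '<web-resource-collection><web-resource-name>securedapp</web-resource-name>'
            '<url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint>'
            '<transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>'
            '</security-constraint></web-app>')
```

The checks only read the XML; they do not verify that the keystore alias matches the one used for the CSR, so still run keytool -list against keystore.jks as part of the same pre-start review.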
- If you want to revert the changes back to HTTP, follow these steps:
- Stop the DX NetOps Mediation Manager.
- Replace the server.xml and web.xml files with the backup files taken in Steps 4a and 4b.
- Start the DX NetOps Mediation Manager.