This guide helps you set up SSL/TLS for your (product)'s installation. It walks you through the steps needed to set up an encrypted connection between your installation and your users' browsers.
2. Create a keystore with a self-signed certificate using the following command:
> "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore tomcat-keystore.jks -storepass myTomcatKeystorePassword
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=localhost, OU=YOUR_UNIT, O=YOUR_ORGANIZATION, L=YOUR_CITY, ST=YOUR_STATE, C=AT correct?
Enter key password for <tomcat>
(RETURN if same as keystore password):
Note that you have to use the hostname / domain of your AWI instance as your first and last name, e.g. localhost in our example. This command creates a new keystore file named tomcat-keystore.jks, protected with the password myTomcatKeystorePassword and located in the configuration directory. You can change those values, i.e. the passwords, as you like. The keystore contains a self-signed certificate for your AWI instance. If you do not want to use certificates signed by a certificate authority you can skip the next step.
4. You now have to import the certificate into the keystore you created. If you have a chain certificate or root certificate, you have to import it into your keystore first using the following command.
> "%JAVA_HOME%\bin\keytool" -import -alias root -keystore tomcat-keystore.jks -trustcacerts -file <filename_of_the_chain_certificate>
5. Afterwards you can import your certificate.
> "%JAVA_HOME%\bin\keytool" -import -alias tomcat -keystore tomcat-keystore.jks -file <your_certificate_filename>
6. Be aware that Tomcat only supports keys and certificates in the JKS, PKCS11 or PKCS12 format. To import an existing certificate signed by your own CA into a PKCS12 keystore using OpenSSL you would execute a command like:
> openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain
7. For more advanced cases, please consult the OpenSSL documentation.
1. Open the server.xml file located in the configuration directory of your Tomcat instance.
2. Add the following Connector configuration to your configuration file:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
keyAlias="tomcat" keystoreFile="conf\tomcat-keystore.jks" keystorePass="myTomcatKeystorePassword"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
4. Restart your Tomcat instance to apply the changes.
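Before restarting, the Connector can be checked against the values used in the keystore steps. The following Python script is an added example, not part of the original guide: the function name audit_connectors and the list of known passwords are assumptions made here, and the sample server.xml is constructed from the Connector shown above. "changeit" is Tomcat's default keystore password, which applies when keystorePass is left out.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the guide's Connector inside a minimal server.xml skeleton.
SAMPLE_SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    keyAlias="tomcat" keystoreFile="conf\tomcat-keystore.jks" keystorePass="myTomcatKeystorePassword"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""

# Passwords that should not stay in a deployed server.xml (assumed list):
# the guide's example value and Tomcat's default keystore password.
KNOWN_PASSWORDS = {"myTomcatKeystorePassword", "changeit"}


def audit_connectors(server_xml, expected_alias="tomcat"):
    """Return (port, finding) tuples for every TLS-enabled Connector."""
    root = ET.fromstring(server_xml)
    tls = [c for c in root.iter("Connector")
           if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        return [(None, "no Connector with SSLEnabled=true")]
    findings = []
    for c in tls:
        port = c.get("port")
        # scheme and secure tell the web application the request arrived over TLS.
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append((port, "scheme/secure are not https/true"))
        if not c.get("keystoreFile"):
            findings.append((port, "keystoreFile is not set"))
        # A missing keystorePass means Tomcat falls back to its default password.
        if c.get("keystorePass") is None or c.get("keystorePass") in KNOWN_PASSWORDS:
            findings.append((port, "keystorePass is missing or a published example value"))
        # keyAlias must name the entry created with keytool -alias.
        if c.get("keyAlias") != expected_alias:
            findings.append((port, "keyAlias differs from the alias used with keytool"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

Run against the Connector exactly as printed in this guide, it reports the example keystore password on port 8443.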
Access Automic Web Interface
2. If you are using a self-signed certificate you may receive a warning that the connection is untrusted, because it is not possible to verify the identity. You can only avoid this warning if you are using certificates signed by a trusted authority. However, the connection is encrypted in the same way as when using a signed certificate. You have to confirm that you want to use the self-signed
JAVA Key Generation