Configuring the Web Server to Use HTTPS

The Web Server uses a Jetty embedded web server that can be configured to use HTTPS for secure communications between the Web Server and the Web Client.

Requirements

A keystore containing a valid web server certificate chain generated by a Certificate Authority (CA). The CA can be a third party one (i.e. Digicert, Comodo, VeriSign, and so on etc) or a corporate one if your company has created their own CA for internal use. A certificate chain consists of the certificate for the web server, any Intermediate CAs and the Root CA. The browser(s) need to have the Root CA and Intermediate certificates in their Root Certificate Store.

The config.xml file of the Web Server configured to use SSL for the web communications.

These are the prerequisites to create a keystore:

  • The <servername> is what you will be typing in for the URL. This will most likely be a Fully Qualified Domain Name (i.e. webserver.asg.com).
  • The alias must be jetty.

  • Web browsers require the san extension. The san extension should include the FQDN. You can also define aliases (i.e. just the hostname) or the ipaddress of the server. This allows for the use of these values in the url instead of the FQDN.

    • The san format is comma separated list (no spaces) of dns:<dns resolvable string> or ip:<ipaddress>. Examples contained in the samples below.

  • Pkcs12 is the recommended keystore format for java 1.8 and newer.

To create a keystore

  1. Create a keystore containing a web server keypair

    2. keytool -genkeypair -keyalg RSA -keysize 2048 -alias jetty -ext

    SAN=dns:<fqdn_servername>,dns:<hostname>,ip:<10.10.10.10> -keystore

    <\path\to\certificate\keystore> -storetype pkcs12 -dname "CN=<servername>"

    Sample keystore with web server keypair and san extensions

    keytool -genkeypair -keyalg RSA -keysize 2048 -alias jetty -ext

    SAN=dns:zekeweb.asg.com,dns:zekeweb

  2. Create a signing request. Include the -ext SAN=dns:<servername> in the command.

    3. Sample Signing Request

    keytool -certreq -alias jetty -keystore C:\temp\keystore>

    -file c:/temp/jetty.csr -ext

    SAN=dns:zekeweb.asg.com,dns:zekeweb,ip:10.10.10.10

  3. Send the signing request (i.e. jetty.csr) to your Certificate Authority Service.
    4. The Certificate Authority Service will return a signed certificate. It will need to be imported into keystore created in step 1. The keystore must include the Root CA, any Intermediate CAs, and the signed server certificate. The Root CA and Intermediate CAs should be available from your Certificate Provider. The keytool is designed to import PEM (Privacy Enhanced Mail) style keys (Base-64 encoded X.509). You may have to convert yours to PEM. It depends on what your CA service provides.
  4. Import the Root CA:

    5. keytool -importcert -file <rootCA.crt> -keystore <keystore name> -alias "rootCA"

    Sample CA import

    keytool -importcert -file ASG-CA.crt -keystore C:\temp\keystore -alias "ASG-CA"

  5. Import Intermediate CA(s):

    6. keytool -importcert -file <intermediate.crt> -keystore <keystore name> -alias "IntermediateCA"

    Sample Intermediate CA(s) import

    keytool -importcert -file ASG-Intermediate.crt -keystore C:\temp\keystore -alias "ASG-IntermediateCA"

    It is possible there may be more than one Intermediate CA and you will need to import each of them into the keystore in the correct order. Remember each key imported must have a unique alias in the keystore.
  6. Import the signed certificate:

    7. keytool -keystore <keystore name> -import -alias jetty -file <jetty.crt>

    Sample Import Signed Certificate

    keytool -keystore C:\temp\keystore -import -alias jetty -file zekeweb.cert

  7. Copy the keystore into the Web Server config directory.

To enable SSL in the Web Server

  1. These are the additional parameters required in the config.xml file of the Web Server to enable SSL communication:
  • SSL_ENABLED="Yes"
  • KEYSTORE="</path/to/Zeke/clientmgr>/config/keystore"
  • KEYSTORE_PASSWD="<keystore password>"
  • KEY_PASSWD="<key password>" (Only required If the keystore password and keypassword are not the same value)
  1. Restart the Controller.
Sample Modified config.xml

<CONFIG ID="9FFD8422BE26" PORT="7921" RIS_ENABLED="NO"

RIS_CLASS="" AUTH_CLASS="com.asg.esc.framework.clientmanager.AuthManagerZena">

<WEB ENABLED="YES" PORT="7980" SSL_ENABLED="Yes"

KEYSTORE="C:\Program Files\ASG\Zeke\clientmgr\config\keystore"

KEYSTORE_PASSWD="MyPassword" KEY_PASSWD="MyPassword"/>

</CONFIG>

The keystore password and key password can be obfuscated if desired. From a command shell you can enter:
java -cp <path\to\Zeke>\clientmgr\lib\jetty.jar org.eclipse.jetty.util.security.Password "MyPassword".

It will return the output similar to this format: OBF:1o4o1zly1qw01vu11ym71ym71vv91qxq1zlk1o5y MD5:48503dfd58720bd5ff35c102065a52d7 And KEYSTORE_PASSWD and KEY_PASSWD would then be: KEYSTORE_PASSWD="OBF:1o4o1zly1qw01vu11ym71ym71vv91qxq1zlk1o5y" KEY_PASSWD="OBF:1o4o1zly1qw01vu11ym71ym71vv91qxq1zlk1o5y"