Configuring the Web Server to Use HTTPS
The Web Server uses an embedded Jetty web server that can be configured to use HTTPS to secure the communication between the Web Server and the Web Client.
Requirements
A keystore containing a valid web server certificate chain issued by a Certificate Authority (CA). The CA can be a third-party one (e.g. DigiCert, Comodo, VeriSign) or a corporate one if your company runs its own CA for internal use. A certificate chain consists of the certificate for the web server, any Intermediate CA certificates and the Root CA certificate. The browsers must trust the Root CA, that is, it must be present in their trusted root certificate store; the Intermediate certificates are sent by the Web Server as part of the chain, which is why they are imported into the keystore below.
The config.xml file of the Web Server configured to use SSL for the web communications.
These are the prerequisites to create a keystore:
- The <servername> is what users type in the URL. This will most likely be a Fully Qualified Domain Name (e.g. webserver.asg.com).
- The alias must be jetty.
- Web browsers require the SAN (Subject Alternative Name) extension, and it must include the FQDN. Current browsers ignore the CN of the certificate and match the host in the URL only against the SAN entries. You can also add aliases (e.g. just the hostname) or the IP address of the server, which allows those values to be used in the URL instead of the FQDN.
- PKCS12 is the recommended keystore format for Java 1.8 and newer.
- The SAN value is a comma-separated list (no spaces) of dns:<DNS-resolvable name> or ip:<IP address> entries. Examples are in the samples below.
To create a keystore
- Create a keystore containing a web server keypair (alias jetty, PKCS12 format). Note the keystore password; it goes into config.xml later.
- Create a signing request. Include -ext SAN=dns:<servername>,... in the command so the SAN entries are carried in the request.
- Send the signing request (e.g. jetty.csr) to your Certificate Authority Service and obtain the signed certificate together with the CA's Root and Intermediate certificates.
- Import the Root CA.
- Import the Intermediate CA(s).
- Import the signed certificate under the alias jetty. The Root and Intermediate certificates must already be in the keystore at this point, otherwise keytool cannot build the chain and rejects the import.
- Copy the keystore into the Web Server config directory.
keytool -genkeypair -keyalg RSA -keysize 2048 -alias jetty -ext SAN=dns:<fqdn_servername>,dns:<hostname>,ip:<ipaddress> -keystore <\path\to\keystore> -storetype pkcs12 -dname "CN=<fqdn_servername>"
Sample keystore with web server keypair and SAN extension (keystore, store type and DN filled in from the generic command above, using the same C:\temp\keystore path as the other samples)
keytool -genkeypair -keyalg RSA -keysize 2048 -alias jetty -ext SAN=dns:zekeweb.asg.com,dns:zekeweb,ip:10.10.10.10 -keystore C:\temp\keystore -storetype pkcs12 -dname "CN=zekeweb.asg.com"
Sample Signing Request
keytool -certreq -alias jetty -keystore C:\temp\keystore -file C:\temp\jetty.csr -ext SAN=dns:zekeweb.asg.com,dns:zekeweb,ip:10.10.10.10
keytool -importcert -file <rootCA.crt> -keystore <keystore name> -alias "rootCA"
Sample Root CA import
keytool -importcert -file ASG-CA.crt -keystore C:\temp\keystore -alias "ASG-CA"
keytool -importcert -file <intermediate.crt> -keystore <keystore name> -alias "IntermediateCA"
Sample Intermediate CA(s) import
keytool -importcert -file ASG-Intermediate.crt -keystore C:\temp\keystore -alias "ASG-IntermediateCA"
keytool -importcert -keystore <keystore name> -alias jetty -file <jetty.crt>
Sample Import Signed Certificate (the alias must be jetty so that the signed certificate replaces the self-signed placeholder on the keypair)
keytool -importcert -keystore C:\temp\keystore -alias jetty -file zekeweb.cert
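The keystore procedure above as one script, added here as an example; it is not ASG's tooling and not code from the page. It goes slightly beyond the page: build_san turns a list of names and addresses into the SAN string, validate_san enforces the "comma-separated, no spaces, dns:/ip: only" rule before keytool ever sees the value, and the import step ends with a check that the jetty entry now carries a full chain. Assumptions (not on the page): the CA returns the files root.crt, intermediate.crt and jetty.crt into the working directory, the keystore password is passed as an argument, and the optional check subcommand uses openssl s_client against the restarted Web Server.

```sh
#!/bin/sh
# Added example (not ASG's own tooling): the keytool procedure with a SAN
# builder/validator and post-import checks. Assumed file names: root.crt,
# intermediate.crt, jetty.crt (the CA's reply) in the current directory.
set -eu

# Build the SAN value: dotted-quad arguments become ip:, everything else dns:.
# The result contains no spaces, as keytool requires.
build_san() {
    san=""
    for name in "$@"; do
        if printf '%s\n' "$name" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
            entry="ip:$name"
        else
            entry="dns:$name"
        fi
        san="${san:+$san,}$entry"
    done
    printf '%s\n' "$san"
}

# Reject a SAN string keytool would misparse: whitespace, empty entries, or a
# prefix other than dns:/ip:. Returns 0 when valid, 1 otherwise.
validate_san() {
    case "$1" in
        ""|*" "*|*,,*|,*|*,) return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for entry in $1; do
        case "$entry" in
            dns:?*|ip:?*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Step 1: keypair under alias jetty in a PKCS12 keystore ($1=keystore $2=storepass $3=fqdn $4=san).
create_keystore() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias jetty -ext "SAN=$4" \
        -keystore "$1" -storetype pkcs12 -storepass "$2" -dname "CN=$3"
}

# Step 2: signing request carrying the same SAN ($1=keystore $2=storepass $3=san $4=csr file).
create_csr() {
    keytool -certreq -alias jetty -keystore "$1" -storepass "$2" -ext "SAN=$3" -file "$4"
}

# Steps 4-6, in this order: root, intermediate(s), then the signed cert under alias jetty.
import_chain() {
    keytool -importcert -noprompt -file root.crt -keystore "$1" -storepass "$2" -alias rootCA
    keytool -importcert -noprompt -file intermediate.crt -keystore "$1" -storepass "$2" -alias intermediateCA
    keytool -importcert -noprompt -file jetty.crt -keystore "$1" -storepass "$2" -alias jetty
}

# Check: the jetty entry must now have a chain longer than the single self-signed placeholder.
verify_chain() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias jetty | grep -E 'Certificate chain length: [2-9]'
}

# Check after restart: what the running Web Server actually presents ($1=host $2=port).
verify_served_chain() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null)
    printf '%s\n' "$out" | grep 'Verify return code'
    printf '%s\n' "$out" | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
}

usage() {
    echo "usage: $0 request <keystore> <storepass> <fqdn> [alias|ip ...] | import <keystore> <storepass> | check <host> <port>" >&2
    exit 2
}

case "${1:-}" in
    request) [ $# -ge 4 ] || usage
             ks=$2; pass=$3; fqdn=$4; shift 4
             san=$(build_san "$fqdn" "$@")
             validate_san "$san" || { echo "invalid SAN: $san" >&2; exit 1; }
             create_keystore "$ks" "$pass" "$fqdn" "$san"
             create_csr "$ks" "$pass" "$san" jetty.csr
             echo "jetty.csr written; send it to the CA" ;;
    import)  [ $# -eq 3 ] || usage
             import_chain "$2" "$3" && verify_chain "$2" "$3" ;;
    check)   [ $# -eq 3 ] || usage
             verify_served_chain "$2" "$3" ;;
    "")      ;;   # run without arguments: only define the functions
    *)       usage ;;
esac
```

Typical use is `./keystore.sh request keystore 'MyPassword' zekeweb.asg.com zekeweb 10.10.10.10`, then, once the CA has replied, `./keystore.sh import keystore 'MyPassword'`, and after the Web Server restart `./keystore.sh check zekeweb.asg.com 7980`; a "Verify return code: 0 (ok)" from the check confirms the served chain validates against the local trust store.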
To enable SSL in the Web Server
- Add these parameters to the WEB element of the config.xml file of the Web Server to enable SSL communication:
- SSL_ENABLED="Yes"
- KEYSTORE="</path/to/Zeke/clientmgr>/config/keystore"
- KEYSTORE_PASSWD="<keystore password>"
- KEY_PASSWD="<key password>" (only required if the key password differs from the keystore password)
- Restart the Controller.
Sample Modified config.xml
<CONFIG ID="9FFD8422BE26" PORT="7921" RIS_ENABLED="NO"
RIS_CLASS="" AUTH_CLASS="com.asg.esc.framework.clientmanager.AuthManagerZena">
<WEB ENABLED="YES" PORT="7980" SSL_ENABLED="Yes"
KEYSTORE="C:\Program Files\ASG\Zeke\clientmgr\config\keystore"
KEYSTORE_PASSWD="MyPassword" KEY_PASSWD="MyPassword"/>
</CONFIG>
Storing the passwords in clear text in config.xml is not required. Jetty's Password utility, shipped in jetty.jar, obfuscates them:
java -cp <path\to\Zeke>\clientmgr\lib\jetty.jar org.eclipse.jetty.util.security.Password "MyPassword"
It returns output similar to this:
OBF:1o4o1zly1qw01vu11ym71ym71vv91qxq1zlk1o5y
MD5:48503dfd58720bd5ff35c102065a52d7
Use the OBF: form for both attributes:
KEYSTORE_PASSWD="OBF:1o4o1zly1qw01vu11ym71ym71vv91qxq1zlk1o5y"
KEY_PASSWD="OBF:1o4o1zly1qw01vu11ym71ym71vv91qxq1zlk1o5y"
The MD5: form is a one-way hash and cannot be used here, because the Web Server needs the actual password to open the keystore. OBF: is reversible obfuscation, not encryption: it only keeps the password from being read at a glance, so restrict read access to config.xml and to the keystore file to the account the Web Server runs as.
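To make the caveat concrete, the following is an added example, not part of the ASG documentation or of the Zeke product: a Python re-implementation of the OBF: scheme used by org.eclipse.jetty.util.security.Password, which reproduces the page's sample value for "MyPassword" and recovers the clear text from it without any key. It also includes a helper that reads the WEB element of a config.xml fragment and resolves KEYSTORE_PASSWD and KEY_PASSWD the way the Web Server must before it can open the keystore (KEY_PASSWD defaulting to KEYSTORE_PASSWD when absent). The config text embedded below is constructed from the page's sample with the obfuscated password substituted; the function names are this example's own.

```python
# Added example, not ASG code: Jetty-style OBF: password obfuscation in Python,
# reimplemented to show that it is reversible, plus a config.xml resolver.
import xml.etree.ElementTree as ET

OBF_PREFIX = "OBF:"
_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _base36(n: int) -> str:
    """Lower-case base-36 encoding, matching Java's Integer.toString(n, 36)."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_BASE36[r])
    return "".join(reversed(digits))


def obfuscate(password: str) -> str:
    """Jetty OBF: each byte is mixed with its mirror byte and written in base 36."""
    b = password.encode("utf-8")
    n = len(b)
    out = [OBF_PREFIX]
    for i in range(n):
        b1, b2 = b[i], b[n - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:
            # non-ASCII byte: 'U' marker, then base-36 of b1*256+b2 padded to 4 chars
            out.append("U" + _base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            out.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)


def deobfuscate(value: str) -> str:
    """Invert obfuscate(): no key is involved, so anyone who can read config.xml can do this."""
    s = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            raw.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)  # (127+b1+b2)+(127+b1-b2)-254 = 2*b1
            i += 4
    return raw.decode("utf-8")


def resolve_password(value: str) -> str:
    """Turn a config.xml password attribute into the clear text the keystore needs.

    Only OBF: is usable here: MD5: and CRYPT: are one-way hashes meant for
    credential checking and cannot unlock a keystore.
    """
    if value.startswith(OBF_PREFIX):
        return deobfuscate(value)
    if value.startswith(("MD5:", "CRYPT:")):
        raise ValueError("hashed password cannot be used as a keystore/key password: " + value)
    return value


def keystore_settings(config_xml: str) -> dict:
    """Read the <WEB> element and return the keystore path and clear-text passwords.

    KEY_PASSWD defaults to KEYSTORE_PASSWD when absent, as the configuration notes describe.
    """
    web = ET.fromstring(config_xml).find("WEB")
    if web is None or web.get("SSL_ENABLED", "").lower() != "yes":
        raise ValueError("SSL is not enabled in this config.xml")
    storepass = resolve_password(web.get("KEYSTORE_PASSWD", ""))
    keypass = web.get("KEY_PASSWD")
    return {
        "keystore": web.get("KEYSTORE"),
        "storepass": storepass,
        "keypass": resolve_password(keypass) if keypass else storepass,
    }


# Constructed sample: the page's config.xml with the obfuscated form of "MyPassword".
SAMPLE_CONFIG = """<CONFIG ID="9FFD8422BE26" PORT="7921" RIS_ENABLED="NO"
 RIS_CLASS="" AUTH_CLASS="com.asg.esc.framework.clientmanager.AuthManagerZena">
<WEB ENABLED="YES" PORT="7980" SSL_ENABLED="Yes"
 KEYSTORE="C:\\Program Files\\ASG\\Zeke\\clientmgr\\config\\keystore"
 KEYSTORE_PASSWD="OBF:1o4o1zly1qw01vu11ym71ym71vv91qxq1zlk1o5y"/>
</CONFIG>"""

if __name__ == "__main__":
    print(obfuscate("MyPassword"))  # OBF:1o4o1zly1qw01vu11ym71ym71vv91qxq1zlk1o5y
    print(keystore_settings(SAMPLE_CONFIG))
```

Running it prints the same OBF: string the Jetty utility produced for "MyPassword" and the resolved settings with both passwords back in clear text, which is exactly what an attacker with read access to config.xml gets; file permissions on config.xml and the keystore are the real control.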