Implementing a Certificate from a Certificate Authority
You can choose to use Avalanche with a certificate from a Certificate Authority. Note that the following instructions are based upon acquiring a certificate through the certificate authority Verisign. The steps may vary somewhat when using another certificate authority vendor.
Wavelink strongly recommends that you backup the keystore file, the actual certificate file, the intermediate certificate, the certificate request, and the server.xml document after you have implemented your certificate. This would include the following files:
• amckeystore.keystore
• [your certificate].cer
• intermediateCA.cer
• certreq.csr
• server.xml
This section contains the following tasks for obtaining an SSL certificate from a certificate authority:
• Creating a Keystore
• Generating the Certificate Signing Request
• Importing an Intermediate Certificate
• Importing a Certificate
• Activating SSL for Tomcat
• Accessing the Web Console over a Secure Connection
• Troubleshooting
Creating a Keystore
To create a keystore for the certificate, use the keytool.exe utility. You will need to provide a Common Name (domain name), organizational unit, organization, city, state, and country code. You will also need to provide a keystore name and passwords for the keystore and alias. These are arbitrary, but should be noted for future reference.
To generate a keystore for the certificate:
1. From a command line, navigate to: [Avalanche installation directory]\JRE\Bin
2. Use the command: keytool -genkey -alias amccert -keyalg RSA -keystore amckeystore.keystore
3. At the prompt Enter keystore password, type the keystore password. When prompted, re-enter the password.
4. At the prompt What is your first and last name, type the Common Name.
Note: The Common Name (domain name) you enter should be one that your company owns. Add a DNS entry if needed to resolve this computer to the Common Name.
5. At the prompts, enter your organizational unit, organization, city, state, and the country code.
6. When you are prompted to review your information, type yes to confirm that it is correct. If you type no, you will be guided through the prompts again.
7. At the prompt Enter key password for <amccert>, type a password to use for the alias. If you want to use the same password for the alias as you used for the keystore, press Return.
An example of generating a keystore:
Enter keystore password: avalanche
Re-enter new password: avalanche
What is your first and last name?
  [Unknown]: avaself.wavelink.com
What is the name of your organizational unit?
  [Unknown]: Engineering
What is the name of your organization?
  [Unknown]: Wavelink Corporation
What is the name of your City or Locality?
  [Unknown]: Midvale
What is the name of your State or Province?
  [Unknown]: Utah
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=avaself.wavelink.com, OU=Engineering, O=Wavelink Corporation, L=Midvale, ST=Utah, C=US correct?
  [no]: yes
Enter key password for <amccert>
  (RETURN if same as keystore password):
Generating the Certificate Signing Request
Once you have created the keystore, you can use the keytool.exe utility to generate a certificate signing request (certreq.csr) file to send to a certificate authority.
To generate a certificate signing request:
1. From a command line, navigate to: [Avalanche installation directory]\JRE\Bin
2. Use the command: keytool -certreq -keyalg RSA -alias amccert -file certreq.csr -keystore "[Avalanche installation directory]\JRE\bin\amckeystore.keystore"
3. Enter your keystore password.
When you apply to a certificate authority for an SSL web server certificate, you will need to submit the certreq.csr file. This file is created in the [Avalanche installation directory]\JRE\bin folder.
Importing an Intermediate Certificate
When you acquire an intermediate certificate from your certificate authority, import it into the keystore. You may need to copy the contents of the intermediate certificate to a text editor and save the file as intermediateCA.cer. This file must be saved in the [Avalanche installation directory]\JRE\bin directory before you can import it.
To import an intermediate certificate:
1. From a command line, navigate to: [Avalanche installation directory]\JRE\bin
2. Use the command: keytool -import -alias intermediateCA -keystore "[Avalanche installation directory]\JRE\bin\amckeystore.keystore" -trustcacerts -file intermediateCA.cer
Note: In this command, the filename intermediateCA.cer is used. If your intermediate certificate has a different name, use it instead.
3. Enter your keystore password.
The intermediate certificate is added to the keystore.
Importing a Certificate
Once you have received your certificate, you need to import it into the keystore. Your certificate will probably come as a file with the extension .cer or in the body of an e-mail. If it comes in the body of an e-mail, copy the contents to a text editor and save the file with a .cer extension. This file must be saved in the [Avalanche installation directory]\JRE\bin directory before you can import it.
To import a certificate:
1. From a command line, navigate to: [Avalanche installation directory]\JRE\bin
2. Use the command: keytool -import -alias amccert -keystore "[Avalanche installation directory]\JRE\bin\amckeystore.keystore" -trustcacerts -file ava-wavelink-com.cer
Note: As an example, ava-wavelink-com.cer is used as the filename. Replace this filename with the name of your certificate.
3. Enter your keystore password.
The certificate is added to the keystore.
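The four keytool procedures above (creating the keystore, generating the CSR, importing the intermediate certificate, importing the signed certificate) are interactive. The following is an added example, not code from the Wavelink documentation, that builds the same commands in non-interactive form and then checks, by parsing the output of keytool -list, that the keystore ended up holding a private-key entry under amccert and the intermediate certificate. The install directory, passwords and distinguished name are placeholders copied from the page's example and must be replaced; keytool is assumed to be on the PATH. The -noprompt flag accepts the "Trust this certificate?" question that keytool asks for the intermediate, so compare the intermediate's fingerprint against the value your CA publishes before running the import.

```python
"""Non-interactive form of the keytool steps plus a keystore sanity check.
Added example; not part of the Wavelink documentation. Placeholders below are
taken from the page's example and must be replaced with your own values."""
import subprocess
from pathlib import PureWindowsPath

INSTALL_DIR = PureWindowsPath(r"C:\Program Files\Wavelink\AvalancheMC")  # placeholder
KEYSTORE = INSTALL_DIR / "JRE" / "bin" / "amckeystore.keystore"
STORE_PASS = "avalanche"      # the page's example password; use your own
KEY_PASS = STORE_PASS         # page step 7: press Return to reuse the keystore password
DNAME = ("CN=avaself.wavelink.com, OU=Engineering, O=Wavelink Corporation, "
         "L=Midvale, ST=Utah, C=US")


def genkey_cmd(keystore=KEYSTORE, dname=DNAME, store_pass=STORE_PASS, key_pass=KEY_PASS):
    """'Creating a Keystore' without prompts: -dname answers the name questions,
    -storepass and -keypass answer the password prompts."""
    return ["keytool", "-genkey", "-alias", "amccert", "-keyalg", "RSA",
            "-keystore", str(keystore), "-dname", dname,
            "-storepass", store_pass, "-keypass", key_pass]


def certreq_cmd(keystore=KEYSTORE, store_pass=STORE_PASS, out="certreq.csr"):
    """'Generating the Certificate Signing Request'; send `out` to the CA."""
    return ["keytool", "-certreq", "-keyalg", "RSA", "-alias", "amccert",
            "-file", out, "-keystore", str(keystore), "-storepass", store_pass]


def import_cmd(alias, cert_file, keystore=KEYSTORE, store_pass=STORE_PASS):
    """Used twice: alias intermediateCA for the CA's intermediate certificate,
    then alias amccert for the signed certificate. The signed certificate must
    go under the key's alias (amccert): under any other alias keytool stores it
    as a trusted certificate and Tomcat has no private key to serve it with.
    -noprompt auto-accepts the trust question, so verify the intermediate first."""
    return ["keytool", "-import", "-alias", alias, "-keystore", str(keystore),
            "-trustcacerts", "-file", cert_file, "-storepass", store_pass,
            "-noprompt"]


def list_keystore(keystore=KEYSTORE, store_pass=STORE_PASS):
    """Raw output of `keytool -list` for the keystore."""
    out = subprocess.run(["keytool", "-list", "-keystore", str(keystore),
                          "-storepass", store_pass],
                         capture_output=True, text=True, check=True)
    return out.stdout


def entries_from_listing(listing):
    """Parse `keytool -list` output into {alias: entry type}. Entry lines look
    like 'amccert, Feb 24, 2010, PrivateKeyEntry,' and keytool prints aliases
    lower-cased, so intermediateCA appears as intermediateca."""
    entries = {}
    for line in listing.splitlines():
        parts = [p.strip() for p in line.split(",") if p.strip()]
        if len(parts) >= 2 and parts[-1] in ("PrivateKeyEntry", "trustedCertEntry"):
            entries[parts[0]] = parts[-1]
    return entries


def check_keystore(entries):
    """Problems that would stop the Tomcat HTTPS connector from starting."""
    problems = []
    if entries.get("amccert") != "PrivateKeyEntry":
        problems.append("amccert is not a PrivateKeyEntry: the key was never generated "
                        "or the signed certificate was imported under another alias")
    if "intermediateca" not in entries:
        problems.append("intermediate certificate missing: import it before the "
                        "signed certificate so the chain verifies")
    return problems


# Constructed sample of `keytool -list` output after both imports (not captured
# from a real system); the fingerprints are made up.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

amccert, Feb 24, 2010, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
intermediateca, Feb 24, 2010, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
"""

if __name__ == "__main__":
    # Run genkey_cmd() and certreq_cmd() before sending the CSR to the CA, and
    # import_cmd("intermediateCA", ...) then import_cmd("amccert", ...) after
    # the reply arrives; each via subprocess.run(cmd, check=True). Then:
    for problem in check_keystore(entries_from_listing(list_keystore())):
        print("PROBLEM:", problem)
```

Passing the passwords on the command line leaves them in the shell history and visible to other local users while keytool runs; on a production server, prefer the interactive prompts from the steps above and clear the history afterwards.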
Activating SSL for Tomcat
Once you have generated a certificate, you must activate SSL for Tomcat. You must modify the server.xml file and then restart the Tomcat server.
To activate SSL for Tomcat:
1. Navigate to [Avalanche Install location]\WebUtilities\tomcat\conf and open the server.xml file with a text editor such as Notepad.
2. Find <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
3. Remove the comment markers so that the section is not commented out.
4. Modify the section to contain the following information: <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\Wavelink\AvalancheMC\JRE\bin\amckeystore.keystore" keystorePass="[keypass]"/>
Where [keypass] is the keystore password you entered when creating the certificate. For the above example, this would be avalanche:
keystorePass="avalanche"
Note: If you are not using port 443 for any other applications, you can change the connector port to 443. Changing the port to 443 will allow you to access the Web Console without entering the port within the URL.
5. Save your changes to the file.
6. Restart the Apache Tomcat for Wavelink service.
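Because Tomcat only reports a bad Connector when the service is restarted, it helps to check the server.xml edit before step 6. The following is an added example, not code from the Wavelink documentation, that parses server.xml the way Tomcat does (XML comments are dropped, so a Connector still inside <!-- --> is simply not there) and reports the mistakes the steps above can produce: the comment markers left in place, a missing or mistyped keystoreFile path (including a stray space inside the path), a keystore file that does not exist at that path, and the [keypass] placeholder left in keystorePass. The server.xml fragments are constructed to mirror the page's Connector element; the keystore path is the page's example path.

```python
"""Pre-restart check of the server.xml SSL connector.
Added example; not part of the Wavelink documentation. The XML fragments are
constructed samples that mirror the Connector element described on the page."""
import os
import xml.etree.ElementTree as ET

KEYSTORE_PATH = r"C:\Program Files\Wavelink\AvalancheMC\JRE\bin\amckeystore.keystore"

# Constructed server.xml skeleton; @CONNECTOR@ is replaced with the 8443 connector.
_TEMPLATE = r"""<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
@CONNECTOR@
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Step 2: the connector as shipped, still commented out.
SERVER_XML_BEFORE = _TEMPLATE.replace("@CONNECTOR@", """    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->""")


def activated_server_xml(keystore_file=KEYSTORE_PATH, keystore_pass="avalanche", port="8443"):
    """Steps 3-4: comment markers removed, keystoreFile and keystorePass added."""
    connector = (f'    <Connector port="{port}" protocol="org.apache.coyote.http11.Http11NioProtocol"\n'
                 f'               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"\n'
                 f'               clientAuth="false" sslProtocol="TLS"\n'
                 f'               keystoreFile="{keystore_file}" keystorePass="{keystore_pass}" />')
    return _TEMPLATE.replace("@CONNECTOR@", connector)


def ssl_connectors(xml_text):
    """Uncommented <Connector> elements with SSLEnabled="true". ElementTree
    discards comments, so a connector left inside <!-- --> is not returned."""
    root = ET.fromstring(xml_text)
    return [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]


def check_server_xml(xml_text, file_exists=os.path.exists):
    """Return a list of problems; an empty list means the connector is ready.
    file_exists is injectable so the check can run without the real keystore."""
    connectors = ssl_connectors(xml_text)
    if not connectors:
        return ["no active SSL connector: the 8443 Connector is still inside "
                "<!-- --> comment markers (step 3)"]
    problems = []
    for c in connectors:
        port = c.get("port")
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            problems.append(f"port {port}: scheme must be https and secure must be true")
        ks = c.get("keystoreFile")
        if not ks:
            problems.append(f"port {port}: keystoreFile is missing (step 4)")
        elif ks != ks.strip() or "\\ " in ks:
            problems.append(f"port {port}: keystoreFile contains stray whitespace: {ks!r}")
        elif not file_exists(ks):
            problems.append(f"port {port}: keystoreFile not found: {ks}")
        pw = c.get("keystorePass")
        if not pw or pw.startswith("["):
            problems.append(f"port {port}: keystorePass is empty or still the [keypass] placeholder")
    return problems


if __name__ == "__main__":
    # Pretend only the page's example keystore path exists so the demo runs anywhere.
    exists = lambda p: p == KEYSTORE_PATH
    print("before:", check_server_xml(SERVER_XML_BEFORE, exists))
    print("after: ", check_server_xml(activated_server_xml(), exists) or "ready")
    print("typo:  ", check_server_xml(activated_server_xml(
        keystore_file=r"C:\Program Files\Wavelink\AvalancheMC\ JRE\bin\amckeystore.keystore"), exists))
```

To check the real file, read it and call check_server_xml with the default file_exists. Since keystorePass sits in server.xml in clear text, limit read access to that file, and to the backup copies the page recommends keeping, to the accounts that run and administer Tomcat.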
Accessing the Web Console over a Secure Connection
Once you have generated a certificate, activated SSL for Tomcat, and restarted the Tomcat server, you can access the Web Console over a https connection.
To access the Web Console over a secure connection:
• In the address field of your browser, type:
https://[Your Domain Name]:8443/AvalancheWeb
-Or-
• If you changed the connector port to 443, type:
https://[Your Domain Name]/AvalancheWeb
Troubleshooting
To troubleshoot issues connecting to the Apache Tomcat server using SSL after changes are made, go to [Avalanche installation directory]\WebUtilities\Tomcat\logs to find the Catalina Tomcat logs.
Note: You need to stop the Tomcat service to get all the log messages.
Example log file: catalina.2010-02-24.log
© 2012 Wavelink Corporation. All Rights Reserved.