Implementing a Self-Signed Certificate

These instructions explain how to generate a self-signed certificate in the Apache Tomcat environment. If you choose not to use a Certificate Authority, you can still use an HTTPS connection to connect to the Web Console by creating your own certificate.

Note:   Internet browsers will not recognize a self-signed certificate as legitimate and will display warnings before allowing you access.

Note:   Wavelink strongly recommends backing up server.xml and selfsignkeystore.keystore when you have implemented a self-signed certificate.

This section contains the following tasks for implementing a self-signed certificate:

Generating a Certificate
Activating SSL for Tomcat
Accessing the Web Console over a Secure Connection
Troubleshooting

Generating a Certificate

To create a self-signed certificate, use the keytool.exe utility. You will need to provide a Common Name (domain name), organizational unit, organization, city, state, and country code when creating your certificate. You will also need to provide a keystore name and passwords for the keystore and alias. These are arbitrary, but should be noted for future reference.

To generate a self-signed certificate:

1   From a command line, navigate to:
[Avalanche installation directory]\JRE\Bin
2   Use the command:
keytool -genkey -alias amcselfcert -keyalg RSA -keystore selfsignkeystore.keystore
3   At the prompt Enter keystore password, type the keystore password. When prompted, re-enter the password.
4   At the prompt What is your first and last name, type the Common Name.

Note:   The Common Name (domain name) you enter should be one that your company owns. Use a DNS entry if needed to resolve this computer to the Common Name.

5   At the prompts, enter your organizational unit, organization, city, state, and the country code.
6   When you are prompted to review your information, type yes to confirm that it is correct. If you type no, you will be guided through the prompts again.
7   At the prompt Enter key password for <amcselfcert>, type a password to use for the alias. If you want to use the same password for the alias as you used for the keystore, press Return.

An example of generating a self-signed certificate:

Enter keystore password: avalanche

Re-enter new password: avalanche

What is your first and last name?[Unknown]: avaself.wavelink.com

What is the name of your organizational unit?[Unknown]: Engineering

What is the name of your organization?[Unknown]: Wavelink Corporation

What is the name of your City or Locality?[Unknown]: Midvale

What is the name of your State or Province?[Unknown]: Utah

What is the two-letter country code for this unit?[Unknown]: US

Is CN=avaself.wavelink.com, OU=Engineering, O=Wavelink Corporation, L=Midvale, ST=Utah, C=US correct?[no]: yes

Enter key password for <amcselfcert>(RETURN if same as keystore password):

Activating SSL for Tomcat

Once you have generated a certificate, you must activate SSL for Tomcat. You must modify the server.xml file and then restart the Tomcat server.

To activate SSL for Tomcat:

1   Navigate to
[Avalanche Install location]\WebUtilities\tomcat\conf
and open the server.xml file with a text editor such as Notepad.
2   Find
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
3   Remove the comment markers so that the section is not commented out.
4   Modify the section to contain the following information:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\Wavelink\AvalancheMC\JRE\bin\selfsignkeystore.keystore" keystorePass="[keypass]"/>

Where [keypass] is the keystore password you entered when creating the certificate. For the above example, this would be avalanche.

keystorePass="avalanche"

Note:   If you are not using port 443 for any other applications, you can change the connector port to 443. Changing the port to 443 will allow you to access the Web Console without typing the port as part of the URL.

5   Save your changes to the file.
6   Restart the Apache Tomcat for Wavelink service.
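The following script is an added example, not part of the Wavelink documentation or product: it checks a server.xml for the SSL connector described in step 4 and reports the mistakes that most often leave the HTTPS port dead, namely the connector still sitting inside comment markers, curly quotes pasted in place of ASCII quotes, and missing keystore attributes. The sample server.xml embedded below is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the connector from step 4 as it should read after the
# comment markers are removed (backslashes doubled for the Python string).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:\\Program Files\\Wavelink\\AvalancheMC\\JRE\\bin\\selfsignkeystore.keystore"
               keystorePass="avalanche"/>
  </Service>
</Server>
"""

# Attribute values the HTTPS connector must carry.
REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}


def check_ssl_connector(xml_text, port="8443"):
    """Return a list of problems; an empty list means the connector looks usable."""
    problems = []
    # Curly quotes copied from a document are not valid XML attribute delimiters.
    if re.search("[\u201c\u201d]", xml_text):
        problems.append("smart quotes present; replace with ASCII double quotes")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return problems + [f"server.xml does not parse: {exc}"]
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        # A connector left inside <!-- --> is invisible to the parser (step 3 skipped).
        for comment in re.findall(r"<!--(.*?)-->", xml_text, re.S):
            if "<Connector" in comment and f'port="{port}"' in comment:
                return problems + [f"connector on port {port} is still commented out"]
        return problems + [f"no Connector on port {port}"]
    conn = connectors[0]
    for attr, want in REQUIRED.items():
        if conn.get(attr) != want:
            problems.append(f'{attr} should be "{want}", found {conn.get(attr)!r}')
    if not conn.get("keystoreFile"):
        problems.append("keystoreFile missing")
    # keystorePass sits in clear text here, so server.xml needs the same
    # file protection as the keystore it unlocks.
    if not conn.get("keystorePass"):
        problems.append("keystorePass missing (must match the keystore password from keytool)")
    return problems
```

Run it against a copy of your server.xml (for example `check_ssl_connector(open(path).read())`) before restarting the Tomcat service; an empty result means the four checks above passed.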

Accessing the Web Console over a Secure Connection

Once you have generated a certificate, activated SSL for Tomcat, and restarted the Tomcat server, you can access the Web Console over an HTTPS connection.

To access the Web Console over a secure connection:

In the address field of your browser, type:

https://<Domain Name>:8443/AvalancheWeb

-Or-

If you changed the connector port to 443, type:

https://<Domain Name>/AvalancheWeb

Troubleshooting

To troubleshoot issues connecting to the Apache Tomcat server using SSL after changes are made, go to

[Avalanche installation directory]\WebUtilities\Tomcat\logs

to find Catalina Tomcat logs.

Note:   You need to stop the Tomcat service to get all the log messages.

Example log file: catalina.2010-02-24.log


© 2012 Wavelink Corporation. All Rights Reserved.