Implementing a Self-Signed Certificate
These instructions explain how to generate a self-signed certificate in the Apache Tomcat environment. If you choose not to use a Certificate Authority, you can still connect to the Web Console over an HTTPS connection by creating your own certificate.
Note: Internet browsers will not recognize a self-signed certificate as legitimate and will display warnings before allowing you access, unless the certificate has been imported into the browser's (or the operating system's) trusted certificate store.
Note: Wavelink strongly recommends backing up server.xml and selfsignkeystore.keystore when you have implemented a self-signed certificate. The keystore holds the private key for the Web Console, so keep the backup where only administrators can read it.
This section contains the following tasks for implementing a self-signed certificate:
• Generating a Certificate
• Activating SSL for Tomcat
• Accessing the Web Console over a Secure Connection
• Troubleshooting
Generating a Certificate
To create a self-signed certificate, use the keytool.exe utility that ships with the Avalanche JRE. You will need to provide a Common Name (the fully qualified domain name that users will type in the browser address bar), organizational unit, organization, city, state, and country code when creating your certificate. You will also need to provide a keystore name and passwords for the keystore and for the key alias. These values are arbitrary, but the passwords protect the private key, so choose strong ones and record them securely; you will need the keystore password again when configuring Tomcat.
To generate a self-signed certificate:
1 From a command line, navigate to: [Avalanche installation directory]\JRE\Bin
2 Use the command: keytool -genkey -alias amcselfcert -keyalg RSA -keystore selfsignkeystore.keystore
3 At the prompt Enter keystore password, type the keystore password. When prompted, re-enter the password.
4 At the prompt What is your first and last name, type the Common Name.
Note: The Common Name (domain name) you enter should be one that your company owns. Use a DNS entry if needed to resolve this computer to the Common Name.
5 At the prompts, enter your organizational unit, organization, city, state, and the country code.
6 When you are prompted to review your information, type yes to confirm that it is correct. If you type no, you will be guided through the prompts again.
7 At the prompt Enter key password for <amcselfcert>, type a password to use for the alias. If you want to use the same password for the alias as you used for the keystore, press Return.
Note: Press Return here unless you have a reason not to. Tomcat uses the keystore password to read the private key unless you also add a keyPass attribute to the connector, so a different alias password makes Tomcat fail at startup with java.security.UnrecoverableKeyException: Cannot recover key.
Note: With the command shown, keytool uses its own defaults for everything it does not prompt for. Depending on the JRE version these can be a 1024-bit RSA key, a SHA1withRSA signature and a 90-day validity period, and no Subject Alternative Name is written; current browsers match the host name against the Subject Alternative Name rather than the Common Name. Add -keysize 2048 -sigalg SHA256withRSA -validity <days> to the command and, with a Java 7 or later keytool, -ext SAN=dns:<Common Name>.
An example of generating a self-signed certificate (keytool does not echo passwords as you type them; they are shown here only to make the example complete, and avalanche is an illustrative value, not a recommended password):
Enter keystore password: avalanche
Re-enter new password: avalanche
What is your first and last name?
  [Unknown]:  avaself.wavelink.com
What is the name of your organizational unit?
  [Unknown]:  Engineering
What is the name of your organization?
  [Unknown]:  Wavelink Corporation
What is the name of your City or Locality?
  [Unknown]:  Midvale
What is the name of your State or Province?
  [Unknown]:  Utah
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=avaself.wavelink.com, OU=Engineering, O=Wavelink Corporation, L=Midvale, ST=Utah, C=US correct?
  [no]:  yes
Enter key password for <amcselfcert>
        (RETURN if same as keystore password):
Activating SSL for Tomcat
Once you have generated a certificate, you must activate SSL for Tomcat. You must modify the server.xml file and then restart the Tomcat server.
To activate SSL for Tomcat:
1 Navigate to [Avalanche Install location]\WebUtilities\tomcat\conf and open the server.xml file with a text editor such as Notepad.
2 Find the commented-out connector: <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
3 Remove the comment markers (<!-- and -->) so that the section is not commented out.
4 Modify the section to contain the following information: <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\Wavelink\AvalancheMC\JRE\bin\selfsignkeystore.keystore" keystorePass="[keypass]"/>
Where [keypass] is the keystore password you entered when creating the certificate. For the above example, this would be avalanche:
keystorePass="avalanche"
Note: The keystore password is now stored in clear text in server.xml. Restrict the NTFS permissions on server.xml and on the keystore file so that only administrators and the account that runs the Apache Tomcat for Wavelink service can read them.
Note: If you gave the key alias a different password from the keystore password in step 7 of the previous task, also add keyPass="[alias password]" to the connector; otherwise Tomcat cannot read the private key.
Note: If you are not using port 443 for any other applications, you can change the connector port to 443. Changing the port to 443 will allow you to access the Web Console without typing the port as part of the URL.
5 Save your changes to the file.
6 Restart the Apache Tomcat for Wavelink service.
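As an added example that is not Wavelink's or Tomcat's own code, the following Python script automates the two tasks above (the keytool command and the server.xml connector) and audits a server.xml for the connector settings a reviewer would check: a missing keystoreFile, a missing keystorePass (Tomcat then assumes its default of changeit) and an unrestricted protocol list. The install path, host name, alias and the password avalanche are assumptions copied from this page's example; change them for your server. The keytool flags it adds (key size, signature algorithm, validity, Subject Alternative Name) are standard keytool options, and sslEnabledProtocols is a standard Tomcat connector attribute on Tomcat 7 and later.

```python
"""Added example (not Wavelink's or Tomcat's code): scripts the keytool and
server.xml tasks above and audits the result.  Paths, host name, alias and the
password are assumptions copied from the page's example."""
import subprocess
import xml.etree.ElementTree as ET

ALIAS = "amcselfcert"
CN = "avaself.wavelink.com"
KEYSTORE = r"C:\Program Files\Wavelink\AvalancheMC\JRE\bin\selfsignkeystore.keystore"
DNAME = "CN={cn}, OU=Engineering, O=Wavelink Corporation, L=Midvale, ST=Utah, C=US"


def keytool_genkeypair_argv(keystore, alias, cn, password, days=825, keytool="keytool"):
    """Hardened form of step 2 of 'To generate a self-signed certificate'.

    keytool's historical defaults (1024-bit RSA, SHA1withRSA, 90 days, no SAN)
    are overridden explicitly; -ext SAN needs a Java 7 or later keytool and is
    what browsers match the host name against.  The same password is used for
    the store and the key, so Tomcat needs no separate keyPass attribute.
    Passwords on the command line appear in process listings; drop the
    -storepass/-keypass pairs to be prompted instead, as in the interactive steps.
    """
    return [keytool, "-genkeypair", "-alias", alias, "-keyalg", "RSA",
            "-keysize", "2048", "-sigalg", "SHA256withRSA", "-validity", str(days),
            "-keystore", keystore, "-storepass", password, "-keypass", password,
            "-dname", DNAME.format(cn=cn), "-ext", f"SAN=dns:{cn}"]


def connector_element(keystore, password, port=8443):
    """The <Connector> from step 4 above, plus an explicit TLS version list."""
    c = ET.Element("Connector")
    for key, value in [
        ("port", str(port)), ("protocol", "org.apache.coyote.http11.Http11NioProtocol"),
        ("SSLEnabled", "true"), ("maxThreads", "150"), ("scheme", "https"),
        ("secure", "true"), ("clientAuth", "false"), ("sslProtocol", "TLS"),
        # Tomcat 7+: without this, any version the JRE supports may be negotiated.
        ("sslEnabledProtocols", "TLSv1.2"),
        ("keystoreFile", keystore), ("keystorePass", password),
    ]:
        c.set(key, value)
    return c


def audit_connector(c):
    """Return the problems found on one SSLEnabled="true" <Connector>."""
    issues = []
    if c.get("scheme") != "https" or c.get("secure") != "true":
        issues.append("scheme/secure are not https/true; the webapp will not see requests as secure")
    if not c.get("keystoreFile"):
        issues.append("keystoreFile missing: Tomcat falls back to .keystore in the service account's home")
    if not c.get("keystorePass"):
        issues.append('keystorePass missing: Tomcat assumes the default "changeit"')
    if not c.get("sslEnabledProtocols"):
        issues.append("sslEnabledProtocols missing: protocol versions are not restricted")
    return issues


def ssl_connectors(root):
    """Yield (service, connector) for every SSL connector in a parsed server.xml."""
    for service in root.iter("Service"):
        for c in service.findall("Connector"):
            if c.get("SSLEnabled", "").lower() == "true":
                yield service, c


def audit_server_xml(text):
    root = ET.fromstring(text)
    return [f"port {c.get('port')}: {msg}"
            for _, c in ssl_connectors(root) for msg in audit_connector(c)]


def fix_server_xml(text, keystore, password, port=8443):
    """Replace the SSL connector on `port` (or add one) with connector_element().
    ElementTree drops XML comments, so keep the backup the page asks for."""
    root = ET.fromstring(text)
    new = connector_element(keystore, password, port)
    for service, old in ssl_connectors(root):
        if old.get("port") == str(port):
            idx = list(service).index(old)
            new.tail = old.tail
            service.remove(old)
            service.insert(idx, new)
            break
    else:
        service = root.find("Service")
        if service is None:
            raise ValueError("no <Service> element in server.xml")
        engine = service.find("Engine")
        service.insert(list(service).index(engine) if engine is not None else 0, new)
    return ET.tostring(root, encoding="unicode")


# Constructed sample server.xml: the step-2 connector with its comment markers removed.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    import sys
    for issue in audit_server_xml(SAMPLE_SERVER_XML):
        print("before:", issue)
    print("after:", audit_server_xml(fix_server_xml(SAMPLE_SERVER_XML, KEYSTORE, "avalanche")) or "no findings")
    argv = keytool_genkeypair_argv(KEYSTORE, ALIAS, CN, "avalanche")
    if "--run" in sys.argv:  # really creates KEYSTORE; needs keytool on the PATH
        subprocess.run(argv, check=True)
    else:
        print("keytool command:", " ".join(f'"{a}"' if " " in a else a for a in argv))
```

Run without arguments to see the findings on the sample file and the keytool command it would issue; pass --run to create the keystore. To apply it to a real installation, read server.xml, pass the text to fix_server_xml and write the result back, then restart the Apache Tomcat for Wavelink service as in step 6. The keystore password still ends up in clear text in server.xml, so the file-permission note above applies to the rewritten file as well.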
Accessing the Web Console over a Secure Connection
Once you have generated a certificate, activated SSL for Tomcat, and restarted the Tomcat server, you can access the Web Console over an HTTPS connection.
To access the Web Console over a secure connection:
• In the address field of your browser, type:
https://<Domain Name>:8443/AvalancheWeb
-Or-
• If you changed the connector port to 443, type:
https://<Domain Name>/AvalancheWeb
Where <Domain Name> is the Common Name you entered when generating the certificate. Typing a different name or the IP address also works, but the browser will then report a host name mismatch in addition to the untrusted-issuer warning.
Troubleshooting
To troubleshoot issues connecting to the Apache Tomcat server using SSL after changes are made, go to
[Avalanche installation directory]\WebUtilities\Tomcat\logs
to find the Catalina Tomcat logs.
Note: You need to stop the Tomcat service to get all the log messages.
Example log file: catalina.2010-02-24.log
Two messages to look for: java.io.IOException: Keystore was tampered with, or password was incorrect means the keystorePass value does not match the keystore; a java.io.FileNotFoundException for the keystore means the keystoreFile path is wrong; and java.security.UnrecoverableKeyException: Cannot recover key means the alias password differs from the keystore password and no keyPass attribute was given.
© 2012 Wavelink Corporation. All Rights Reserved.