Version: Next

Secure Connection Configuration (HTTPS)

This section describes how to install a certificate from a Certificate Authority into Tomcat. A self-signed certificate is already installed in $NFO_HOME/tomcat/conf/.tomcat_keystore; the keystore password is password and the private key password is the same.

To change the default password, see the Changing the Keystore Password section below.

If you want to replace the self-signed certificate with a new one from a Certificate Authority, use the following steps, adapted from https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

HTTPS parameters are configured in the tomcat/conf/server.xml configuration file (Connector section). All Connector attributes are described at https://tomcat.apache.org/tomcat-9.0-doc/config/http.html. If the keystore path or password is changed, the corresponding Connector attributes must be modified to match.

Using your Existing Key and Signed Certificate

If you already have the private key and the signed certificates, perform the following:

  1. Merge all certificates into a single file (chain), server certificate first and root certificate last:
cat tomcat.pem [intermediate.pem [intermediate-2.pem ... ]] root.pem > chain
  2. Convert the chain to a PKCS12 keystore using OpenSSL:
openssl pkcs12 -export -in chain -inkey tomcat_key.pem -out .tomcat_keystore -name tomcat
  3. Validate .tomcat_keystore using keytool:
$NFO_HOME/java/jre/bin/keytool -list -v -keystore .tomcat_keystore

The expected output looks like the following:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 1, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
******* TOMCAT CERTIFICATE INFO IS HERE *******
Certificate[2]:
******* INTERMEDIATE CERTIFICATE INFO IS HERE *******
Certificate[3]:
******* ROOT CERTIFICATE INFO IS HERE *******
  4. Back up $NFO_HOME/tomcat/conf/.tomcat_keystore, then replace it with the new .tomcat_keystore using the following command:
cp .tomcat_keystore $NFO_HOME/tomcat/conf/.tomcat_keystore
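As an added example (not part of the NFO documentation), the following POSIX shell functions check the key and certificate files before they are packaged and then run the chain merge and PKCS12 export shown above: the private key must match tomcat.pem, the chain must verify against the root, and the server certificate must not be about to expire. It assumes openssl is on PATH, that intermediate file names contain no spaces, and that the export password is supplied in an environment variable named KEYSTORE_PASS (an assumed name).

```shell
# Added example (not from the NFO documentation): check the key and chain
# before packaging them, then run the merge and PKCS12 export shown above.
# Assumes: openssl on PATH; intermediate file names without spaces;
# the export password is supplied in KEYSTORE_PASS (an assumed name).

# preflight_chain <tomcat.pem> <tomcat_key.pem> <root.pem> [intermediate.pem ...]
# Fails on the first problem: key/certificate mismatch, a chain that does
# not verify against the root, or a server certificate expiring within 7 days.
preflight_chain() {
    cert=$1; key=$2; root=$3; shift 3
    # Same SubjectPublicKeyInfo in the certificate and in the private key?
    # (An encrypted key file will prompt for its passphrase here.)
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "private key does not match $cert" >&2; return 1; }
    # Intermediates are passed as untrusted certificates; word splitting
    # of $untrusted is intended.
    untrusted=""
    for i in "$@"; do untrusted="$untrusted -untrusted $i"; done
    openssl verify -CAfile "$root" $untrusted "$cert" >/dev/null \
        || { echo "$cert does not chain to $root" >&2; return 1; }
    # 604800 s = 7 days; -checkend exits non-zero if the cert expires before then.
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null \
        || { echo "$cert expires within 7 days" >&2; return 1; }
}

# build_keystore <tomcat.pem> <tomcat_key.pem> <root.pem> [intermediate.pem ...]
# Writes chain and .tomcat_keystore in the current directory, in the order
# the steps above use (server certificate, intermediates, root).
build_keystore() {
    preflight_chain "$@" || return 1
    cert=$1; key=$2; root=$3; shift 3
    # Abort if the password variable is unset or empty.
    : "${KEYSTORE_PASS:?export KEYSTORE_PASS with the keystore password}"
    cat "$cert" "$@" "$root" > chain
    # env: keeps the password off the command line and out of shell history.
    openssl pkcs12 -export -in chain -inkey "$key" -out .tomcat_keystore \
        -name tomcat -passout env:KEYSTORE_PASS
}
```

After build_keystore succeeds, continue with the keytool validation and the copy into $NFO_HOME/tomcat/conf/ as described above.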

Create a Local Certificate Signing Request (CSR)

If you don't have the key and signed certificate, follow these steps:

To obtain a certificate from the Certificate Authority of your choice, you first have to create a so-called Certificate Signing Request (CSR). The Certificate Authority uses that CSR to issue a Certificate that identifies your website as "secure". To create a CSR, follow these steps:

  1. Delete the preinstalled self-signed certificate:

  2. Create a local Certificate:

$NFO_HOME/java/jre/bin/keytool -keysize 2048 -genkey -alias tomcat \
-ext "SAN=dns:${domain_name},ip:${host_ip}" \
-keyalg RSA -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore

Here ${domain_name} is your server's domain name and ${host_ip} is the host IP address. The SubjectAlternativeName (SAN) extension and all its parts are optional. If the host has several IP addresses or domain names, add several comma-separated dns:${domain_name} and ip:${host_ip} parts.

note

In some cases you will have to enter the domain of your website (e.g. www.domain.org) in the "first and last name" field in order to create a working Certificate.

  3. The CSR is then created with:
$NFO_HOME/java/jre/bin/keytool -certreq -keyalg RSA -alias tomcat \
-file certreq.csr -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore

Now you have a file called certreq.csr that you can submit to the Certificate Authority (see the documentation on the Certificate Authority's website for how to do this). In return you get a Certificate.

Import the Certificate

Now that you have your Certificate you can import it into your local keystore. First of all you have to import a so-called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.

  1. Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.

For Verisign.com commercial certificates go to:

http://www.verisign.com/support/install/intermediate.html

For Verisign.com trial certificates go to:

http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html

For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server

For Thawte.com go to:

http://www.thawte.com/certs/trustmap.html

  2. Import the Chain Certificate into your keystore:
$NFO_HOME/java/jre/bin/keytool -import -alias root \
-keystore $NFO_HOME/tomcat/conf/.tomcat_keystore \
-trustcacerts -file <filename_of_the_chain_certificate>
  3. And finally import your new Certificate:
$NFO_HOME/java/jre/bin/keytool -import -alias tomcat \
-keystore $NFO_HOME/tomcat/conf/.tomcat_keystore \
-file <your_certificate_filename>
note

If the signed certificate is imported successfully, you will see the message: "Certificate reply was installed in keystore".

Import the Certificate into External Data Feeder for NFO (EDFN)

warning

You must import the certificate into EDFN truststore. Please see Import the Certificate into External Data Feeder for NFO truststore in EDFN Administration Guide.

Changing the Keystore Password

This section outlines the procedure for updating the keystore passwords used by the Tomcat server for NetFlow Optimizer (NFO).

Prerequisites

  • Administrative access to the server where NFO is installed.
  • Knowledge of the current keystore passwords. The default passwords are password.
important
  • Backup: Before making any changes, it is highly recommended to create a backup of the .tomcat_keystore, .truststore, and server.xml files in the /opt/flowintegrator/tomcat/conf directory.
  • Consistency: Ensure that the new passwords in the server.xml file exactly match the passwords you set using keytool.

Instructions

  1. Navigate to the Tomcat configuration directory:

    cd /opt/flowintegrator/tomcat/conf/
  2. To change the password for the .tomcat_keystore, use the keytool command. You will be prompted to enter the current password and then the new password.

    /opt/flowintegrator/java/jre/bin/keytool -storepasswd -keystore .tomcat_keystore

    Note: Since the .tomcat_keystore is in the PKCS12 format, the keystore password and the key password are the same. You do not need to change them separately.

  3. Similarly, change the password for the .truststore using keytool. You will be prompted for the current and new passwords.

    /opt/flowintegrator/java/jre/bin/keytool -storepasswd -keystore .truststore
  4. Update the server.xml file to reflect the new passwords. Open the file for editing:

    vi server.xml
  5. Change the truststorePassword, certificateKeystorePassword, and certificateKeyPassword attributes in /opt/flowintegrator/tomcat/conf/server.xml to your new password.

  6. Save the server.xml file and exit the editor.

  7. Restart the Tomcat service for the changes to take effect.

    • On Linux, use the appropriate command for your system (e.g., systemctl restart tomcat_nfo.service).
    • On Windows, restart the NFOSvc service.
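As an added example (not part of the NFO documentation), the following POSIX shell functions apply step 5 to server.xml and then check the Consistency requirement from the prerequisites: all three password attributes must carry the same value. It assumes sed and grep -oE are available; the Connector fragment used in the demo is constructed here and is not copied from NFO's server.xml.

```shell
# Added example (not from the NFO documentation): apply step 5 to server.xml
# and check the "Consistency" requirement above. Assumes POSIX sh with sed
# and grep -oE; the Connector fragment in the demo is constructed, not NFO's.

# Escape a value for use in a sed replacement string (/ & and \ are special).
sed_escape() { printf '%s' "$1" | sed 's|[/&\\]|\\&|g'; }

# set_connector_passwords <server.xml> <new-password>
# Rewrites truststorePassword, certificateKeystorePassword and
# certificateKeyPassword to the new value, keeping a .bak copy of the file.
# A password containing a double quote would need XML escaping; refuse it.
set_connector_passwords() {
    file=$1
    case $2 in *\"*) echo 'password must not contain "' >&2; return 1;; esac
    esc=$(sed_escape "$2")
    cp "$file" "$file.bak" || return 1
    sed -e "s/\(truststorePassword=\"\)[^\"]*\"/\1$esc\"/" \
        -e "s/\(certificateKeystorePassword=\"\)[^\"]*\"/\1$esc\"/" \
        -e "s/\(certificateKeyPassword=\"\)[^\"]*\"/\1$esc\"/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# check_connector_passwords <server.xml>
# Succeeds only if exactly three password attributes are found and all of
# them carry the same value, i.e. the file is consistent with itself.
check_connector_passwords() {
    vals=$(grep -oE '(truststorePassword|certificateKeystorePassword|certificateKeyPassword)="[^"]*"' "$1" \
           | sed 's/^[^=]*="\(.*\)"$/\1/')
    [ "$(printf '%s\n' "$vals" | wc -l | tr -d ' ')" -eq 3 ] &&
    [ "$(printf '%s\n' "$vals" | sort -u | wc -l | tr -d ' ')" -eq 1 ]
}

# Demo on a constructed Tomcat 9 style fragment with a stale key password.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true">
  <SSLHostConfig truststoreFile="conf/.truststore" truststorePassword="password">
    <Certificate certificateKeystoreFile="conf/.tomcat_keystore"
                 certificateKeystorePassword="password"
                 certificateKeyPassword="oldpass" type="RSA"/>
  </SSLHostConfig>
</Connector>
EOF
check_connector_passwords "$demo" || echo "before: password attributes disagree"
set_connector_passwords "$demo" 'n3w/p&ss' && check_connector_passwords "$demo" \
    && echo "after: all three attributes updated and consistent"
rm -f "$demo" "$demo.bak"
```

Run check_connector_passwords against the real server.xml after editing it and before restarting Tomcat; the keystore and truststore passwords themselves are still changed with keytool -storepasswd as in steps 2 and 3.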