Secure Connection Configuration (HTTPS)
This section describes how to install a certificate from a Certificate Authority into Tomcat. A self-signed certificate is already installed in $NFO_HOME/tomcat/conf/.tomcat_keystore; the keystore password is password and the private key password is the same.
To change the default password, see the Changing the Keystore Password section below.
If you want to replace the self-signed certificate with a new one from a Certificate Authority, use the following steps, which are based on https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
HTTPS parameters are configured in the tomcat/conf/server.xml configuration file (Connector section). All Connector attributes are described at https://tomcat.apache.org/tomcat-9.0-doc/config/http.html. If the keystore path or password is changed, the corresponding Connector attributes should be updated to match.
Using your Existing Key and Signed Certificate
If you already have the key and the signed certificates, perform the following:
- Merge all certificates into a single file (chain), your server certificate first and the root certificate last:
cat tomcat.pem [intermediate.pem [intermediate-2.pem ... ]] root.pem > chain
- Convert the chain to a PKCS12 using OpenSSL:
openssl pkcs12 -export -in chain -inkey tomcat_key.pem -out .tomcat_keystore -name tomcat
- Validate .tomcat_keystore using keytool:
$NFO_HOME/java/jre/bin/keytool -list -v -keystore .tomcat_keystore
The output should look like the following:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: tomcat
Creation date: Jan 1, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
******* TOMCAT CERTIFICATE INFO IS HERE *******
Certificate[2]:
******* INTERMEDIATE CERTIFICATE INFO IS HERE *******
Certificate[3]:
******* ROOT CERTIFICATE INFO IS HERE *******
- Back up $NFO_HOME/tomcat/conf/.tomcat_keystore and then replace it with the new .tomcat_keystore using the following command:
cp .tomcat_keystore $NFO_HOME/tomcat/conf/.tomcat_keystore
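Before running the openssl pkcs12 -export step it is worth confirming that the chain file really is ordered server certificate, intermediate(s), root, and that tomcat_key.pem belongs to tomcat.pem. A missing intermediate or a key that does not match the certificate is not rejected by the export; it only surfaces later as a shorter than expected "Certificate chain length" in keytool -list -v or as a trust error in the browser. The script below is an added example, not part of the NFO documentation or of Tomcat's; it only needs the openssl command line tool and uses the file names from the steps above (chain, tomcat.pem, tomcat_key.pem, root.pem). The function names are my own.

```shell
#!/bin/sh
# Added example for the NFO HTTPS how-to; not part of the product documentation.
# Pre-flight checks on the "chain" file and the private key before they are
# packed into .tomcat_keystore with "openssl pkcs12 -export". Requires only the
# openssl CLI. File names follow the how-to; function names are assumptions.

# Number of certificates in a PEM bundle.
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the N-th (1-based) PEM certificate block of a bundle ($1 file, $2 index).
pem_block() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Read one certificate from stdin and print its subject or issuer DN
# ($1 is "subject" or "issuer") without the "subject="/"issuer=" prefix.
dn_of() {
    openssl x509 -noout "-$1" | sed "s/^$1=//"
}

# Check that the bundle is ordered leaf -> intermediate(s) -> root: the issuer
# of certificate i must be the subject of certificate i+1, and the last one must
# be self-signed. A missing intermediate or a stray certificate breaks a link.
check_chain_order() {
    chain="$1"
    count=$(pem_count "$chain")
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(pem_block "$chain" "$i" | dn_of issuer)
        subject=$(pem_block "$chain" $((i + 1)) | dn_of subject)
        if [ "$issuer" != "$subject" ]; then
            echo "chain: certificate $i is not issued by certificate $((i + 1))" >&2
            return 1
        fi
        i=$((i + 1))
    done
    last=$(pem_block "$chain" "$count")
    if [ "$(printf '%s\n' "$last" | dn_of issuer)" != "$(printf '%s\n' "$last" | dn_of subject)" ]; then
        echo "chain: last certificate is not a self-signed root" >&2
        return 1
    fi
}

# Check that the private key ($2) belongs to the leaf certificate ($1) by
# comparing the public keys both of them carry.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Full pre-flight: name links, key match, and a real signature/validity check of
# the leaf against the root with the whole bundle offered as untrusted
# intermediates (extra certificates in the bundle are ignored by verify).
preflight() {
    leaf="$1"; key="$2"; chain="$3"; root="$4"
    check_chain_order "$chain" || return 1
    check_key_matches_cert "$leaf" "$key" || return 1
    openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null || return 1
    echo "pre-flight OK: ready for openssl pkcs12 -export"
}

# Usage, with the files named in the how-to:
#   preflight tomcat.pem tomcat_key.pem chain root.pem
```

If preflight succeeds, the openssl pkcs12 -export command above can be run as written; if it fails, fix the chain or the key first, because the resulting .tomcat_keystore would otherwise pass keytool -list but not be trusted by clients.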
Create a Local Certificate Signing Request (CSR)
If you don't have a key and a signed certificate, follow these steps:
In order to obtain a Certificate from the Certificate Authority of your choice, you have to create a so-called Certificate Signing Request (CSR). The Certificate Authority uses that CSR to create a Certificate that will identify your website as "secure". To create a CSR, follow these steps:
- Delete the preinstalled self-signed certificate:
- Create a local Certificate:
$NFO_HOME/java/jre/bin/keytool -keysize 2048 -genkey -alias tomcat \
-ext "SAN=dns:${domain_name},ip:${host_ip}" \
-keyalg RSA -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore
Where ${domain_name} is your server's domain name and ${host_ip} is the host's IP address. The SubjectAlternativeName (SAN) extension and all its parts are optional. If the host has several IP addresses or domain names, add several comma-separated dns:${domain_name} and ip:${host_ip} parts.
In some cases you will have to enter the domain of your website (e.g. www.domain.org) in the "first and last name" field in order to create a working Certificate.
- The CSR is then created with:
$NFO_HOME/java/jre/bin/keytool -certreq -keyalg RSA -alias tomcat \
-file certreq.csr -keystore $NFO_HOME/tomcat/conf/.tomcat_keystore
Now you have a file called certreq.csr that you can submit to the Certificate Authority (see the documentation on the Certificate Authority's website for how to do this). In return you get a Certificate.
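Every name and address the server will be reached by must appear in the SAN value, each with the right dns: or ip: prefix; a host missing from the list is reported as a name mismatch by the client even when the certificate is otherwise valid. The script below is an added example, not part of the NFO documentation: it builds the SAN value from a plain list of host names and addresses (dotted-quad IPv4 literals and IPv6 literals become ip: entries, everything else dns:) and then runs the two keytool commands from this section with it. The keystore path and alias follow the how-to; the function names and the KEYTOOL/KEYSTORE override variables are my own.

```shell
#!/bin/sh
# Added example for the NFO CSR how-to; not part of the product documentation.
# Builds the value for keytool's -ext SAN option from a list of host names and
# IP addresses, then runs the key-pair and CSR steps of the how-to with it.
# Paths follow the how-to; the override variables are assumptions.

KEYTOOL="${KEYTOOL:-$NFO_HOME/java/jre/bin/keytool}"
KEYSTORE="${KEYSTORE:-$NFO_HOME/tomcat/conf/.tomcat_keystore}"

# True when $1 is a dotted-quad IPv4 literal (four decimal groups, each 0-255).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, or empty group
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print one SAN entry for $1: ip: for IPv4 and IPv6 literals, dns: otherwise.
san_entry() {
    if is_ipv4 "$1"; then
        printf 'ip:%s' "$1"
    else
        case "$1" in
            *:*) printf 'ip:%s' "$1" ;;    # IPv6 literal (colons never occur in DNS names)
            *)   printf 'dns:%s' "$1" ;;
        esac
    fi
}

# Join all arguments into the form keytool expects: SAN=dns:a,ip:1.2.3.4,...
build_san() {
    [ $# -gt 0 ] || { echo "build_san: at least one name or address is required" >&2; return 1; }
    out=""
    for entry; do
        part=$(san_entry "$entry")
        out="${out:+$out,}$part"
    done
    printf 'SAN=%s' "$out"
}

# "Create a local Certificate" step: generate the key pair with the SAN built
# from every name/address given, e.g.  gen_keypair nfo.example.org 10.0.0.5
gen_keypair() {
    "$KEYTOOL" -keysize 2048 -genkey -alias tomcat \
        -ext "$(build_san "$@")" \
        -keyalg RSA -keystore "$KEYSTORE"
}

# "The CSR is then created" step. keytool -certreq accepts the same -ext option;
# passing the SAN again puts the names into the request itself rather than
# relying on the CA's order form.
gen_csr() {
    "$KEYTOOL" -certreq -keyalg RSA -alias tomcat \
        -ext "$(build_san "$@")" \
        -file certreq.csr -keystore "$KEYSTORE"
}
```

Run gen_keypair and gen_csr with the same list of names so the self-signed entry and the request agree; keytool prompts for the keystore password and the distinguished name exactly as in the commands above.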
Import the Certificate
Now that you have your Certificate, you can import it into your local keystore. First you have to import a so-called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.
- Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.
  For Verisign.com commercial certificates go to: http://www.verisign.com/support/install/intermediate.html
  For Verisign.com trial certificates go to: http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
  For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server
  For Thawte.com go to: http://www.thawte.com/certs/trustmap.html
- Import the Chain Certificate into your keystore:
$NFO_HOME/java/jre/bin/keytool -import -alias root \
-keystore $NFO_HOME/tomcat/conf/.tomcat_keystore \
-trustcacerts -file <filename_of_the_chain_certificate>
- And finally import your new Certificate:
$NFO_HOME/java/jre/bin/keytool -import -alias tomcat \
-keystore $NFO_HOME/tomcat/conf/.tomcat_keystore \
-file <your_certificate_filename>
If the signed certificate is imported successfully, you will see the message: "Certificate reply was installed in keystore".
Import the Certificate into External Data Feeder for NFO (EDFN)
You must also import the certificate into the EDFN truststore. See Import the Certificate into External Data Feeder for NFO truststore in the EDFN Administration Guide.
Changing the Keystore Password
This section outlines the procedure for updating the keystore passwords used by the Tomcat server for NetFlow Optimizer (NFO).
Prerequisites
- Administrative access to the server where NFO is installed.
- Knowledge of the current keystore passwords. The default password is password.
- Backup: Before making any changes, it is highly recommended to create a backup of the .tomcat_keystore, .truststore, and server.xml files in the /opt/flowintegrator/tomcat/conf directory.
- Consistency: Ensure that the new passwords in the server.xml file exactly match the passwords you set using keytool.
Instructions
- Navigate to the Tomcat configuration directory:
cd /opt/flowintegrator/tomcat/conf/
- To change the password for the .tomcat_keystore, use the keytool command. You will be prompted to enter the current password and then the new password:
/opt/flowintegrator/java/jre/bin/keytool -storepasswd -keystore .tomcat_keystore
Note: Since the .tomcat_keystore is in the PKCS12 format, the keystore password and the key password are the same. You do not need to change them separately.
- Similarly, change the password for the .truststore using keytool. You will be prompted for the current and new passwords:
/opt/flowintegrator/java/jre/bin/keytool -storepasswd -keystore .truststore
- Update the server.xml file to reflect the new passwords. Open the file for editing:
vi server.xml
- Change the truststorePassword, certificateKeystorePassword, and certificateKeyPassword attributes in flowintegrator/tomcat/conf/server.xml to your new password.
- Save the server.xml file and exit the editor.
- Restart the Tomcat service for the changes to take effect.
  - On Linux, use the appropriate command for your system (e.g., systemctl restart tomcat_nfo.service).
  - On Windows, restart the NFOSvc service.
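The three server.xml attributes have to carry exactly the value keytool now expects; a typo in any one of them means the HTTPS connector fails to open its keystore or truststore at the next restart, which is why the Consistency prerequisite above matters. The script below is an added example, not part of the NFO documentation: it rewrites the three attributes with sed (keeping a .bak copy), then reads them back to confirm they all hold the same new value, and can finally prove that the two keystore files open with that password. The server.xml fragment used in its test is constructed for illustration and is not the product's actual file; the keytool and keystore paths are the ones given in this section, and the function names are my own.

```shell
#!/bin/sh
# Added example for "Changing the Keystore Password"; not part of the NFO
# documentation. Rewrites the three password attributes in server.xml, then
# reads them back so a mismatch between .tomcat_keystore, .truststore and
# server.xml is caught before Tomcat is restarted. Function names are assumptions.

# Escape a value for the right-hand side of a sed s/// expression (/ & and \
# are special there). A double quote cannot appear inside a double-quoted XML
# attribute value, so such a password is rejected instead of breaking the file.
sed_escape() {
    case "$1" in
        *\"*) echo "password must not contain a double quote" >&2; return 1 ;;
    esac
    printf '%s' "$1" | sed 's/[\/&\\]/\\&/g'
}

# Set truststorePassword, certificateKeystorePassword and certificateKeyPassword
# in server.xml ($1) to the new password ($2). The original is kept as $1.bak,
# in line with the Backup prerequisite above.
set_server_xml_passwords() {
    file="$1"
    new=$(sed_escape "$2") || return 1
    cp "$file" "$file.bak"
    sed -e "s/\(truststorePassword=\"\)[^\"]*\"/\1$new\"/" \
        -e "s/\(certificateKeystorePassword=\"\)[^\"]*\"/\1$new\"/" \
        -e "s/\(certificateKeyPassword=\"\)[^\"]*\"/\1$new\"/" \
        "$file.bak" > "$file"
}

# Print the value of attribute $2 (first occurrence) from server.xml ($1).
attr_value() {
    sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 when all three attributes in $1 equal the expected password $2.
passwords_consistent() {
    file="$1"; expected="$2"
    for attr in truststorePassword certificateKeystorePassword certificateKeyPassword; do
        value=$(attr_value "$file" "$attr")
        if [ "$value" != "$expected" ]; then
            echo "$attr in $file does not match the new password" >&2
            return 1
        fi
    done
}

# Prove that both keystore files actually open with the new password ($1),
# using the NFO paths from this section. Skips with a notice if keytool is
# not at that path (for example when run on another machine).
verify_keystores() {
    kt=/opt/flowintegrator/java/jre/bin/keytool
    [ -x "$kt" ] || { echo "keytool not found at $kt, skipping check" >&2; return 0; }
    for ks in .tomcat_keystore .truststore; do
        "$kt" -list -keystore "/opt/flowintegrator/tomcat/conf/$ks" -storepass "$1" >/dev/null || return 1
    done
}

# Usage, from /opt/flowintegrator/tomcat/conf after the two keytool -storepasswd runs:
#   set_server_xml_passwords server.xml "$NEW_PASSWORD" \
#     && passwords_consistent server.xml "$NEW_PASSWORD" \
#     && verify_keystores "$NEW_PASSWORD"
```

The sed patterns only touch the value between the quotes of each named attribute, so the rest of server.xml is left untouched; check the .bak against the new file with diff before restarting. Because server.xml now holds the keystore passwords in clear text, keep its permissions as restrictive as the keystore files themselves.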