SSL configuration guide

Note: Apply your SSL certificate from the product console by following the steps given in the Connection settings help page.

Applying Secure Sockets Layer (SSL) certificates to DataSecurity Plus ensures that all data transfers between users’ web browsers and the DataSecurity Plus server remain secure. This guide explains the steps to enable SSL for DataSecurity Plus.

Steps to enable SSL:

1. Create a keystore file
2. Create and submit a certificate signing request
3. Request a signed certificate from a certificate authority
   • From Microsoft Certificate Services (internal CA)
   • From an external CA
     • GoDaddy certificates
     • Verisign certificates
     • Comodo certificates
     • Entrust certificates
     • Thawte certificates
4. Binding the SSL certificate to DataSecurity Plus
   • Define the SSL port in the DataSecurity Plus console
   • Install the SSL certificate
5. Instructions for common certificate types
   • Installing a .p7b certificate
   • Installing a .pfx certificate

1. Create a keystore file

A keystore is a repository that contains the public and private keys required for encryption and decryption of data once a connection is established between the client and the server.

The steps below detail the procedure to create a keystore:

• Open Command Prompt from <installation_directory>\ManageEngine\ DataSecurity Plus\jre\bin.
• Then, execute either of the below commands in Command Prompt to create the Tomcat-specific certificate keystore file, which will be referred to as <domainName>.keystore in the rest of this document.
  • Command 1: To create a keystore without a Subject Alternative Name (SAN):

  keytool -genkey -alias tomcat -keypass <your key password> -keyalg RSA -validity 1000 -keystore <domainName>.keystore

  • Command 2: Some browsers, like Google Chrome and Microsoft Edge, require a SAN. To create a keystore with SAN, execute the below command:

  keytool -genkey -alias tomcat -keypass <your key password> -keyalg RSA -validity 1000 -keystore <domainName>.keystore -ext SAN=dns:servername.domainName

  
  
• Replace <your key password> with a password of your choice, and <domainName> with the name of your domain.
• When prompted, enter a password for the keystore.
• Provide information based on the following guidelines:

SNo	Question	Answer
1	What is the first and last name?	Provide the NetBIOS (if the DNS domain name is test.example.com, the NetBIOS domain name is test) or FQDN name (an FQDN for a hypothetical mail server might be mymail.example.com. The host name is mymail, and the host is located within the domain example.com) of the server on which DataSecurity Plus is running.
2	What is the name of your organizational unit?	Enter the department name that you want to appear in the certification.
3	What is the name of your organization?	Provide the legal name of your organization.
4	What is the name of your city?	Enter the city name in your organization’s registered address.
5	What is the name of your state/province?	Enter the state or province in your organization’s registered address.
6	What is your country code?	Provide the two-letter code of the country your organization is located in.

2. Create and submit a certificate signing request

The .csr file is temporary and should be submitted to a certificate authority (CA) to receive CA-signed certificate files. The following steps detail the procedure to create a .csr file.

2.1 Creating a certificate signing request (CSR)

There are two methods to create a CSR.

Method 1: Creating a .csr file from the installation location:

• Open Command Prompt.
• From the location <installation directory>\ManageEngine\DataSecurity Plus\jre\bin, execute the following command:

keytool -certreq -alias tomcat -keyalg RSA -keystore <domainName>.keystore -file <domainName>.csr

Method 2: If you use Google Chrome, Microsoft Edge, or other browsers that require a CSR with an SAN, follow the steps below:

• Open Command Prompt.
• Execute the following command:

keytool -certreq -alias tomcat -keyalg RSA -ext SAN=dns:server_name,dns:server_name.domain.com,dns:server_name.domain1.com -keystore <domainName>.keystore -file <domainName>.csr

In the above commands, replace <domainName> with the name of your domain, and provide the appropriate Subject Alternative Names.

2.2 Submitting the CSR to your CA

The created CSR file can be found at <installation directory>\ManageEngine\DataSecurity Plus\jre\bin. Submit this file to your CA.

3. Request a signed certificate from a certificate authority

The steps below provide instructions on how to connect to a CA, submit the CSR, procure the SSL certificate, and import it.

3.1 From Microsoft Certificate Services (internal CA)

For an internal CA:

• Connect to Microsoft Certificate Services, and click Request a certificate.
• Click Advanced certificate request, and then select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
• Open the .csr file using a text editor, copy the content, and paste it under Saved Request. Then, select Web Server as the Certificate Template, and click Submit.
• Click the Download Certificate Chain link to download the issued PKCS #7 Certificate types the <installation directory>\ManageEngine \DataSecurity Plus\jre\bin folder. The downloaded certificate will be in .p7b format.
• Click Home in the top-right corner, and click Download a CA certificate, chain certificate or CRL.
• Click Download CA certificate to download and save the root certificate in .cer format
• Copy the .cer file to the <installation directory>\ManageEngine \DataSecurity Plus\jre\bin location.
• Navigate to <installation directory>\ManageEngine\DataSecurity Plus\jre\bin using Command Prompt, and execute the below query to import the certificate into your .keystore file:

  Keytool –import –trustcacerts –alias tomcat –file certnew.p7b –keystore <keystore_name> .keystore

• Replace <keystore_name> with the name of your keystore.
• In the same location, execute the below query to add the internal CA's root certificate to the list of trusted CAs in the Java cacerts file:

  keytool -import -alias <internal CA_name> -keystore ..\lib\security\cacerts -file certnew.cer

Note: Open the certnew.cer to get the internal CA name, and provide changeit as the keystore password when prompted.

3.2 From an external CA

The following steps describe how to request and import certificates signed by some common vendors.

• To request a certificate from an external CA, submit the CSR to that CA.
• Unzip the certificates returned by your CA, and save them in the <installation directory> \ManageEngine\DataSecurity Plus\jre\bin folder.
• Open Command Prompt and navigate to the <installation directory> \ManageEngine\DataSecurity Plus\jre\bin folder.
• Run the commands listed under your CA:
  • For GoDaddy certificates
    • keytool -import -alias root -keystore <domainName>.keystore -trustcacerts -file gd_bundle.crt
    • keytool -import -alias cross -keystore <domainName>.keystore -trustcacerts -file gd_cross.crt
    • keytool -import -alias intermed -keystore <domainName>.keystore trustcacerts -file gd_intermed.crt
    • keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts -file<domainName>.crt
  • For Verisign certificates
    • keytool -import -alias intermediateCA -keystore <domainName>.keystore -trustcacerts -file <your intermediate certificate.cer>
    • keytool -import -alias tomcat -keystore <domainName>.keystore trustcacerts -file <domainName> .cer
  • For Comodo certificates
    • keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore <domainName>.keystore
    • keytool -import -trustcacerts -alias addtrust -file UTNAddTrustServerCA.crt -keystore <domainName>.keystore
    • keytool -import -trustcacerts -alias ComodoUTNServer -file ComodoUTNServerCA.crt - keystore <domainName>.keystore
    • keytool -import -trustcacerts -alias essentialSSL -file essentialSSLCA.crt -keystore <domainName>.keystore
  • For Entrust certificates
    • keytool -import -alias Entrust_L1C -keystore <keystore-name.keystore > -trustcacerts -file entrust_root.cer
    • keytool -import -alias Entrust_2048_chain -keystore <keystore-name.keystore > trustcacerts -file entrust_2048_ssl.cer
    • keytool -import -alias -keystore <keystore-name.keystore > -trustcacerts -file <domain-name.cer>
  • For Thawte certificates

    Purchased directly from Thawte

    • keytool -import -trustcacerts -alias tomcat -file<certificate-name.p7b>-keystore<keystore-name.keystore>

    Purchased through the Thawte reseller channel

    • keytool -import -trustcacerts -alias thawteca -file <SSL_PrimaryCA.cer > -keystore<keystore-name.keystore>
    • keytool -import -trustcacerts -alias tomcat -file <SSL_SecondaryCA.cer > trustcacerts -file entrust_2048_ssl.cer
    • keytool -import -trustcacerts -alias tomcat -file <certificate-name.cer> -keystore <keystore-name.keystore>

Note: These instructions might change depending on the certificates issued by the CA. If you are receiving certificates from a CA not listed above, contact your CA to get the commands required to add their certificates to the keystore.

4. Binding the SSL certificate with DataSecurity Plus

The steps below describe how to configure the DataSecurity Plus server to use the keystore with your SSL certificate.

4.1 Define the SSL port in the DataSecurity Plus console

Follow the steps below to define the HTTPS port that will be used by DataSecurity Plus:

• Log in to the DataSecurity Plus console with an account that has administrative privileges.
• From the applications drop-down menu, select Admin and navigate to General Settings > Connection.
• Select DataSecurity Plus Portal (HTTPS) as the Connection Type. Then, enter the chosen port number you plan on using for DataSecurity Plus, and save the changes.

  Note: 9163 is the default HTTPS port number used by DataSecurity Plus.

• Restart DataSecurity Plus.

4.2 Installing the SSL certificate

Follow the steps below to install the SSL certificate:

• Copy the <domainName>.keystore file from the <installation directory> \ManageEngine\DataSecurity Plus\jre\bin folder, and save it to the <installation directory>\ManageEngine\DataSecurity Plus\conf folder.
• Open the server.xml file located in <installation directory>\ManageEngine \DataSecurity Plus\conf using a text editor, and navigate to the last connector tag.
• Replace keystoreFile with ./conf/<domainName>.keystore and keystorePass with the password given during keystore creation.
• Save the server.xml file, and close it.
• Restart DataSecurity Plus (Start > All Programs > DataSecurity Plus > Start DataSecurity Plus) for the changes to take effect, then launch the DataSecurity Plus client.

5. Instructions for common certificate types

This section provides the steps to configure SSL using .p7b and .pfx certificate file types.

5.1 Installing a .p7b certificate

Most CAs will provide certificates with the extension .p7b. To install this type of file, follow the steps below:

• Double-click this file to open a console that will list all the required certificates.
• Right-click the certificates and navigate to All tasks > Export.
• The Certificate Export Wizard dialog will pop up. Click Next.
• Select the export file format as Base-64 encoded X.509 (.cer). Click Next.
• Specify the name of the file you want to export. Click Next.
• Review your settings, and click Finish. Then, click OK.
• Add this certificate file to the keystore using the steps and commands provided by your CA.
• Continue to Section 4.

5.2 Installing a .pfx certificate

Once you've executed section 4.1, follow the below steps to install a certificate with the extension .pfx:

• Stop the DataSecurity Plus service.
• Copy the .pfx file to the <installation directory>\ManageEngine\DataSecurity Plus\conf folder.
• Open the server.xml file located in <installation directory>\ManageEngine \DataSecurity Plus\conf using a text editor, and navigate to the last connector tag.
• Replace keystoreFile with the .pfx file's name and enter keystoreType="pkcs12" after the file name. Replace keystorePass with the password for the .pfx file.
• Save the server.xml file, and close it.
• Restart DataSecurity Plus (Start > All Programs > DataSecurity Plus > Start DataSecurity Plus) for the changes to take effect, then launch the DataSecurity Plus client.