Configuring Secure Communication (SSL) between Admin and Collector Servers

The SSL protocol provides several features that enable secure transmission of Web traffic. These features include data encryption, server authentication, and message integrity.

You can enable secure communication from web clients to the Firewall Analyzer server using SSL.

Note The steps provided describe only how to enable SSL functionality and generate certificates. Depending on your network configuration and security needs, you may need to consult outside documentation. For advanced configuration concerns, refer to the SSL resources at http://www.apache.org and http://www.modssl.org.

    Stop the server, if it is running, and follow the steps below to enable SSL support:

    Generating a valid certificate

    1. If you already have a keystore file for HTTPS, place it under the <Firewall Analyzer Home>\server\default\conf directory and rename it to "chap8.keystore".
    2. If you do not have a keystore file, follow the steps to create one.

    Disabling HTTP

    Even after SSL is enabled, HTTP remains enabled on the web server port (default 8080). To disable HTTP, follow the steps below:

    1. Edit the server.xml file present in <Firewall Analyzer Home>/server/default/deploy/jbossweb-tomcat50.sar directory.
    2. Comment out the HTTP connector by placing the <!-- tag before, and the --> tag after, the following lines:
    <Connector port="8080" address="${jboss.bind.address}"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true"/>

    Enabling SSL

    1. In the same file, enable the HTTPS connector by removing the <!-- tag before, and the --> tag after, the following lines:

      <!--

      <Connector port="8443" address="${jboss.bind.address}"
      maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
      scheme="https" secure="true" clientAuth="false"
      keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
      keystorePass="change" sslProtocol = "TLS" />

      -->

Note While creating the keystore file, you can choose any password you require, but make sure the same password is configured as keystorePass in the server.xml file. In the example above, the password is 'change'.
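As an added check, written for this page and not part of Firewall Analyzer itself, the script below reads a server.xml, ignores connectors that are commented out, and reports whether plain HTTP is still active, whether the HTTPS connector is enabled with a keystoreFile, and whether keystorePass still holds the example value 'change'. The embedded server.xml fragment is constructed for the example and mirrors the state the steps above produce.

```python
"""Check a JBoss/Tomcat server.xml for the SSL settings described on this page."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: HTTP connector commented out, HTTPS connector active,
# but keystorePass still set to the documentation example value.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <!--
    <Connector port="8080" address="${jboss.bind.address}"
       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
       enableLookups="false" redirectPort="8443" acceptCount="100"
       connectionTimeout="20000" disableUploadTimeout="true"/>
    -->
    <Connector port="8443" address="${jboss.bind.address}"
       maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
       scheme="https" secure="true" clientAuth="false"
       keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
       keystorePass="change" sslProtocol = "TLS" />
  </Service>
</Server>
"""

def active_connectors(xml_text):
    """Return the attribute dicts of Connector elements that are not commented out."""
    # Strip XML comments first: a connector inside <!-- --> is disabled.
    live = re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)
    root = ET.fromstring(live)
    return [dict(c.attrib) for c in root.iter("Connector")]

def check_ssl_config(xml_text, example_password="change"):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    findings = []
    connectors = active_connectors(xml_text)
    https = [c for c in connectors
             if c.get("scheme") == "https" and c.get("secure") == "true"]
    plain = [c for c in connectors if c not in https]
    if plain:
        ports = ", ".join(c.get("port", "?") for c in plain)
        findings.append(f"plain HTTP connector still active on port(s) {ports}")
    if not https:
        findings.append("no active HTTPS connector (port 8443 block still commented out?)")
    for c in https:
        if not c.get("keystoreFile"):
            findings.append("HTTPS connector has no keystoreFile")
        if c.get("keystorePass") == example_password:
            findings.append("keystorePass is still the documentation example value")
    return findings

if __name__ == "__main__":
    for finding in check_ssl_config(SAMPLE_SERVER_XML):
        print("WARN:", finding)
```

To check a real installation, read <Firewall Analyzer Home>/server/default/deploy/jbossweb-tomcat50.sar/server.xml into a string and pass it to check_ssl_config.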

Configuring HTTPS Configuration Parameters for 64 bit/128 bit encryption

If you want to configure the HTTPS connection parameters for 64 bit/128 bit encryption, add the following parameter at the end of the SSL/TLS Connector tag:

SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="change" sslProtocol = "TLS"
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

Verifying SSL Setup

  1. Restart the Firewall Analyzer server.
  2. Verify that the following message appears in the command window after the Firewall Analyzer application has started:

    Server started.

    Please connect your client at https://localhost:8500

  3. Connect to the server from a web browser by typing https://<hostname>:8500, where <hostname> is the machine on which the server is running.

Copyright © 2011, ZOHO Corp. All Rights Reserved.
ManageEngine