Configuring Secure Communication - SSL
Procedure for Firewall Analyzer version 7.5 (Build 7500) onwards
Procedure for Firewall Analyzer version 7.4 (Build 7400) or earlier
How to find build number?
In the Firewall Analyzer web client, click the About link in the top pane. The build number is shown below the build version; this is the build number of the currently installed Firewall Analyzer.
The SSL protocol provides several features that enable secure transmission of Web traffic. These features include data encryption, server authentication, and message integrity.
You can enable secure communication from web clients to the Firewall Analyzer server using SSL.
The steps provided describe how to enable SSL functionality and generate certificates only. Depending on your network configuration and security needs, you may need to consult outside documentation. For advanced configuration concerns, please refer to the SSL resources at http://www.apache.org and http://www.modssl.org
Procedure for Firewall Analyzer version 7.5 (Build 7500) onwards
Generating a valid certificate
Stop the server, if it is running.
Follow the instructions given below for SSL Installation:
If you already have a keystore file to use for HTTPS, place it in the <Firewall Analyzer Home>/conf directory and rename it to "chap8.keystore".
Disabling HTTP
When you have enabled SSL, HTTP will continue to be enabled on the web server port (default 8080). To disable HTTP, follow the steps below:
- Edit the server.xml file present in <Firewall Analyzer Home>/conf directory.
- Comment out the HTTP connection parameters, by placing the <!-- tag before, and the --> tag after the following lines:
<Connector port="8080"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
debug="3" connectionTimeout="20000"
disableUploadTimeout="true" />
Enabling HTTPS (SSL)
- In the same file, enable the HTTPS connection parameters, by removing the <!-- tag before, and the --> tag after the following lines:
<!--
<Connector port="8443" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/test.keystore" keystorePass="firewall" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" URIEncoding="UTF-8"/>
-->
When you create the keystore file you can choose any password, but make sure the same password is configured in the server.xml file. In the example above the password is 'firewall'.
Verifying SSL Setup
- Restart the Firewall Analyzer server.
- Verify that the following message appears in the command window after the Firewall Analyzer application is started:
Server started.
Please connect your client at https://localhost:8500
- Connect to the server from a web browser by typing https://<hostname>:8500, where <hostname> is the machine on which the server is running.
Configuring HTTPS Configuration Parameters for 64 bit/128 bit encryption
If you want to configure the HTTPS connection parameters for 64 bit/128 bit encryption, add the following parameter at the end of the SSL/TLS Connector tag:
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/test.keystore" keystorePass="firewall" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" URIEncoding="UTF-8" SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
Using the existing SSL certificate
- You can export the wildcard certificate to a .pfx file and then follow the instructions below to configure it in Firewall Analyzer.
- Stop the ManageEngine Firewall Analyzer service.
- Copy the .pfx file to the location <Firewall Analyzer Home>\conf
- Go to the location <Firewall Analyzer Home>\conf, open the file server.xml in WordPad, and locate the following entries in the file:
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/test.keystore" keystorePass="firewall" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" URIEncoding="UTF-8"
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
- Replace the file name chap8.keystore with the .pfx file name (<pfx file name>.pfx), add keystoreType="pkcs12" after the file name, and replace the keystorePass value 'rmi+ssl' with the password for the .pfx file.
- The entries should be as given below:
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/<pfx file name>.pfx" keystoreType="pkcs12" keystorePass="<password for the .pfx file>" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" URIEncoding="UTF-8"
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
- Restart Firewall Analyzer service.
Follow the instructions given below for SSL Installation:
Step 1: Create a new Keystore
- You will be using the keytool command to create and manage your new keystore file. When you are ready to create your keystore, go to the directory where you plan to manage your keystore and certificates (<Firewall Analyzer Home>\jre\bin\) and enter the following command:
keytool -genkey -alias <your_alias_name> or [Domain Name] -keyalg RSA -keystore chap8.keystore
(For example: keytool -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore)
- You will be prompted to choose a password for your keystore, and then to enter your organization information. When it asks for your first and last name, do NOT enter your personal name; enter the Fully Qualified Domain Name of the site you are securing, for example helpdesk.yourdomain.com. If you are ordering a wildcard certificate this must begin with the * character, for example *.yourdomain.com.
- After you have completed the required information confirm that the information is correct by entering 'y' or 'yes' when prompted. Next, you will be asked for your password to confirm. Make sure to remember the password you choose. Your keystore file named chap8.keystore is now created in your current working directory.
Step 2: Generate a CSR from your new keystore
- Next, you will use keytool to create the Certificate Signing Request (CSR) from your keystore. Enter the following command:
keytool -certreq -alias <your_alias_name> or [Domain Name] -file csr.txt -keystore chap8.keystore
(For example: keytool -certreq -alias tomcat -file csr.txt -keystore chap8.keystore)
- Type the keystore password that you chose earlier and hit Enter.
- Your CSR file named csr.txt is now created in your current directory. Open the CSR with a text editor and copy and paste the text (including the BEGIN and END tags) into the CA web order form. Keep the keystore file (chap8.keystore) safe, as your certificates will be installed into it later.
Step 3: How to install your SSL Certificate
- Download the certificate files from the CA's email into the directory where your keystore (chap8.keystore) was saved during the CSR creation process. The certificate must be installed into this exact keystore; installing it into a different keystore will not work. The certificates you downloaded must be installed into your keystore in the correct order for your certificate to be trusted; if they are not installed in the correct order, the certificate will not authenticate properly.
- Install the Root Certificate file:
- Each time you install a certificate to your keystore you will be prompted for the keystore password, which you chose when generating your CSR.
- Type the following command to install the Root certificate file:
keytool -import -trustcacerts -alias root -file TrustedRoot.crt -keystore chap8.keystore
NOTE: Choose 'Yes' if you get prompted with a message that says "Certificate already exists in system-wide CA keystore under alias <entrustsslca> Do you still want to add it to your own keystore? [no]:" You will get a confirmation stating that the "Certificate was added to keystore".
- Install the intermediate certificates if any. (Follow the instructions provided by the CA)
- Install the Primary Certificate file:
- Type the following command to install the Primary certificate file:
keytool -import -trustcacerts -alias tomcat -file <your_domain_name>.crt -keystore chap8.keystore
This time you should get a slightly different confirmation stating that the "Certificate reply was installed in keystore". If it asks whether you want to trust the certificate, choose y or yes. Your certificates are now installed in your keystore file (chap8.keystore) and you just need to configure your server to use it.
Procedure for Firewall Analyzer version 7.4 (Build 7400) or earlier
Generating a valid certificate
Stop the server, if it is running.
Follow the instructions given below for SSL Installation:
If you already have a keystore file to use for HTTPS, place it in the <Firewall Analyzer Home>\server\default\conf directory and rename it to "chap8.keystore".
Disabling HTTP
When you have enabled SSL, HTTP will continue to be enabled on the web server port (default 8080). To disable HTTP, follow the steps below:
- Edit the server.xml file present in <Firewall Analyzer Home>/server/default/deploy/jbossweb-tomcat50.sar directory.
- Comment out the HTTP connection parameters, by placing the <!-- tag before, and the --> tag after the following lines:
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>
Enabling HTTPS (SSL)
- In the same file, enable the HTTPS connection parameters, by removing the <!-- tag before, and the --> tag after the following lines:
<!--
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
-->
When you create the keystore file you can choose any password, but make sure the same password is configured in the server.xml file. In the example above the password is 'rmi+ssl'.
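As an added check that the server.xml edits described above actually took effect, for either the 7.5 conf/server.xml or the 7.4 jbossweb-tomcat50.sar/server.xml (this script is not part of the product or this guide): it parses the file with comments preserved and reports if the 8080 connector is still live, if no HTTPS connector is enabled, if keystoreFile/keystorePass are missing, if a .pfx keystore lacks keystoreType="pkcs12", or if the password is still one of the example values printed on this page. The BEFORE and AFTER fragments are constructed for the demonstration; run audit_connectors(open(path).read()) against the real file.

```python
import xml.etree.ElementTree as ET

# Constructed fragments (not real Firewall Analyzer files): the connectors before the
# edit (HTTP live, HTTPS still commented out) and after it.
BEFORE = """<Service>
  <Connector port="8080" maxThreads="150" enableLookups="false" redirectPort="8443" />
  <!--
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="./conf/chap8.keystore" keystorePass="firewall" sslProtocol="TLS" />
  -->
</Service>"""
AFTER = """<Service>
  <!--
  <Connector port="8080" maxThreads="150" enableLookups="false" redirectPort="8443" />
  -->
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
             keystoreFile="./conf/chap8.keystore" keystorePass="a-locally-chosen-secret"
             sslProtocol="TLS" />
</Service>"""
EXAMPLE_PASSWORDS = {"firewall", "rmi+ssl"}  # the passwords printed in this guide

def audit_connectors(xml_text):
    """Return findings for a server.xml (fragment); an empty list means HTTP is off,
    an HTTPS connector is live, and its keystore attributes are complete."""
    # insert_comments=True keeps <!-- --> nodes, so commented-out connectors stay visible
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    active = list(root.iter("Connector"))
    commented = [e.text or "" for e in root.iter() if e.tag is ET.Comment]
    findings = []
    for c in active:  # any live connector that is not HTTPS is a plain-text listener
        if c.get("SSLEnabled") != "true" and c.get("scheme") != "https":
            findings.append(f"plain HTTP connector on port {c.get('port')} is still active")
    https = [c for c in active if c.get("SSLEnabled") == "true" or c.get("scheme") == "https"]
    if not https:
        findings.append("no HTTPS connector is enabled (still inside <!-- -->?)")
    for c in https:
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append('HTTPS connector needs scheme="https" secure="true"')
        ks, pw = c.get("keystoreFile", ""), c.get("keystorePass", "")
        if not ks or not pw:
            findings.append("HTTPS connector is missing keystoreFile or keystorePass")
        if ks.lower().endswith(".pfx") and c.get("keystoreType") != "pkcs12":
            findings.append('.pfx keystore needs keystoreType="pkcs12"')
        if pw in EXAMPLE_PASSWORDS:
            findings.append("keystorePass is an example value from the guide; use your own")
    if not any('port="8080"' in text for text in commented):
        findings.append("no commented-out 8080 connector found; was HTTP actually disabled?")
    return findings
```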
Verifying SSL Setup
- Restart the Firewall Analyzer server.
- Verify that the following message appears in the command window after the Firewall Analyzer application is started:
Server started.
Please connect your client at https://localhost:8500
- Connect to the server from a web browser by typing https://<hostname>:8500, where <hostname> is the machine on which the server is running.
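As an added verification step for the browser check above, in either version (this script is not part of the product or this guide): it connects to the port 8500 endpoint quoted in the startup message, validates the chain, and reports whether the certificate covers the host name (wildcard certificates included), whether it has expired, and whether a weak suite such as the 3DES cipher configured later on this page was negotiated. The cafile parameter and the SAMPLE_CERT dictionary are assumptions constructed for offline use; 3DES suites are flagged because they are treated as weak today (RFC 7525 recommends against them).

```python
import socket
import ssl
import time

# 3DES suites such as the SSL_RSA_WITH_3DES_EDE_CBC_SHA value used in this guide are
# treated as weak today (64-bit block cipher; RFC 7525 recommends against them).
WEAK_MARKERS = ("3DES", "DES-CBC3", "RC4", "NULL", "EXPORT")

def hostname_matches(cert, hostname):
    """Match hostname against the SAN DNS names (CN as fallback); one-label wildcards only."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def evaluate(cert, cipher_name, hostname, now=None):
    """Findings for a cert dict (ssl.getpeercert() shape) and the negotiated cipher name."""
    now = time.time() if now is None else now
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append(f"certificate does not cover {hostname}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parsed as UTC
    if not_after <= now:
        findings.append("certificate expired on " + time.strftime("%Y-%m-%d", time.gmtime(not_after)))
    if any(m in cipher_name.upper() for m in WEAK_MARKERS):
        findings.append(f"weak cipher suite negotiated: {cipher_name}")
    return findings

def check_endpoint(hostname, port=8500, cafile=None):
    """Connect to the Firewall Analyzer HTTPS port, verify the chain (cafile or system
    roots) and evaluate the presented certificate and cipher."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return evaluate(tls.getpeercert(), tls.cipher()[0], hostname)

# Constructed dictionary in the shape ssl.getpeercert() returns (not a real certificate)
SAMPLE_CERT = {
    "subject": ((("commonName", "*.yourdomain.com"),),),
    "subjectAltName": (("DNS", "*.yourdomain.com"),),
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}
```

Against a server restricted to the 3DES suite alone, current Python/OpenSSL builds may refuse the handshake outright; that refusal is itself the finding.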
Configuring HTTPS Configuration Parameters for 64 bit/128 bit encryption
If you want to configure the HTTPS connection parameters for 64 bit/128 bit encryption, add the following parameter at the end of the SSL/TLS Connector tag:
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS"
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
Using the existing SSL certificate
- You can export the wildcard certificate to a .pfx file and then follow the instructions below to configure it in Firewall Analyzer.
- Stop the ManageEngine Firewall Analyzer service.
- Copy the .pfx file to the location <Firewall Analyzer Home>\server\default\conf
- Go to the location <Firewall Analyzer Home>\server\default\deploy\jbossweb-tomcat50.sar, open the file server.xml in WordPad, and locate the following entries in the file:
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS"
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
- Replace the file name chap8.keystore with the .pfx file name (<pfx file name>.pfx), add keystoreType="pkcs12" after the file name, and replace the keystorePass value 'rmi+ssl' with the password for the .pfx file.
- The entries should be as given below:
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/<pfx file name>.pfx" keystoreType="pkcs12"
keystorePass="<password for the .pfx file>" sslProtocol = "TLS"
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
- Restart Firewall Analyzer service.