3 Replies Latest reply on Feb 13, 2015 5:20 PM by f3ttt

    How I installed a custom CA signed SSL certificate

    m-milligan

      Several users, myself included, have asked if it's possible to replace the self-signed certificate delivered with Alert Central. Here's how I did this:

       

      First, I had to log in as root. Since the built-in "admin" user isn't in sudoers, it's not possible to use "sudo su -" to become root. The admin user also can't edit the sudoers file. I used these instructions as a starting point to boot the VM into single-user mode and change the password for root:

       

      1. Restart the Alert Central VM guest OS.
      2. Press the spacebar to interrupt the boot process (I'm using VMware. You may have to experiment to find the key or keys to do this in your virtualization environment).
      3. In the GRUB menu, select the default boot option, e.g. CentOS (2.6.32-358.e16.x86_64) and press 'a'. This will bring up the command line used to boot the guest OS.
      4. At the end of the command line, backspace over "rhgb quiet" and append "1" (numeral one) at the end.
      5. Press enter to continue the boot process. The guest OS will boot to a command prompt and you'll be root.
      6. If you're so inclined, you can use passwd at this point to change the root password.

       

      Use keytool to create a new keystore and CSR, then use keytool again later to install the new certificate. In the example below, the new keystore file is /opt/apache-tomcat/conf/newKeystore.

       

      Edit /opt/apache-tomcat/conf/server.xml to use the new certificate. Find the section starting with "<Service name="Catalina">" and edit the Connector that listens on port 8443:


          <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS"
                     keystoreFile="/opt/apache-tomcat/conf/newKeystore"
                     keystorePass="************" />

       

      If you also want to have the Alert Central web site listening on port 443, you'll need to make two more changes.

       

      In /opt/apache-tomcat/conf/server.xml, under "<Service name="Catalina">", edit the connector that listens on port 8080:

       

          <Connector port="8080" protocol="HTTP/1.1"
                     connectionTimeout="20000"
                     redirectPort="443" />

       

      In /opt/apache-tomcat/conf/web.xml, add the text below before the closing </web-app> tag:

       

          <security-constraint>
              <web-resource-collection>
                  <url-pattern>/*</url-pattern>
                  <http-method>GET</http-method><http-method>POST</http-method>
              </web-resource-collection>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>

       

      Save your changes and restart the VM.
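
A check that can be run over the two edited files before restarting, as an added example that is not part of the original post or of Alert Central. The embedded XML is constructed to mirror the snippets above (the keystore password is a placeholder), and the function names `audit`, `_named` and `_texts` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed inputs mirroring the post's edits; keystorePass is a placeholder.
SERVER_XML = """<Server><Service name="Catalina">
 <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
   scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
   keystoreFile="/opt/apache-tomcat/conf/newKeystore" keystorePass="placeholder" />
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
 <web-resource-collection><url-pattern>/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
 <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint></security-constraint></web-app>"""

def _named(root, name):
    """Descendants called `name`, ignoring any '{namespace}' prefix on the tag."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(root, name):
    return [(e.text or "").strip() for e in _named(root, name)]

def audit(server_xml, web_xml):
    """Return finding strings for the edited server.xml and web.xml contents."""
    findings = []
    conns = [e.attrib for e in _named(ET.fromstring(server_xml), "Connector")]
    tls = [c for c in conns if c.get("SSLEnabled", "").lower() == "true"]
    tls_ports = {c.get("port") for c in tls}
    if not tls:
        findings.append("no connector has SSLEnabled=true")
    for c in tls:
        if not c.get("keystoreFile"):
            findings.append(f"port {c.get('port')}: keystoreFile not set")
        if c.get("keystorePass"):
            findings.append(f"port {c.get('port')}: keystorePass is cleartext; limit who can read server.xml")
    for c in conns:
        rp = c.get("redirectPort")
        if c not in tls and rp and rp not in tls_ports:
            findings.append(f"port {c.get('port')}: redirectPort {rp} matches no TLS connector in this file")
    forced = False
    for sc in _named(ET.fromstring(web_xml), "security-constraint"):
        if "CONFIDENTIAL" in _texts(sc, "transport-guarantee") and "/*" in _texts(sc, "url-pattern"):
            forced = True
            methods = _texts(sc, "http-method")
            if methods:  # a constraint that names methods applies only to those methods
                findings.append("HTTPS required only for " + ",".join(methods))
    if not forced:
        findings.append("no CONFIDENTIAL constraint covers /*")
    return findings
```

To use it on the appliance, pass the contents of /opt/apache-tomcat/conf/server.xml and /opt/apache-tomcat/conf/web.xml to `audit` and review each returned line; a redirectPort finding is expected when something outside server.xml maps that port to the TLS connector.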