https://documentation.commvault.com/commvault/v11/article?p=50497.htm
Creating a CA-Signed Certificate for the Tomcat Server
Before You Begin
- Install the Java keytool (Key and Certificate Management Tool). For more information, see keytool - Key and Certificate Management Tool.
- For the Web Console, perform this task on the Web Console computer.
- For Compliance Search, perform this task on the Compliance Search computer.
- If you need to replace an expired CA-signed certificate, back up the existing keystore and server.xml files, and then delete the existing keystore file before creating the new CA-signed certificate.
Procedure
- From the command prompt, go to the folder that contains the keytool.exe file:
- For Windows systems, go to C:\Program Files\Commvault\ContentStore\jre\bin.
- For Linux systems, go to /usr/lib/jvm/jdkx/bin.
- To create the keystore file containing the key-pair/certificate to be signed, run the following command:
For Windows:
keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\mykeystore.jks" -ext SAN=dns:<domainname>
For Linux:
keytool -genkey -alias tomcat -keyalg RSA -keystore "/mykeystore.jks" -ext SAN=dns:<domainname>
Optionally, you can use an IP address in the SAN using SAN=dns:(domainname),ip:(Tomcat server IP address) instead of SAN=dns:(domainname). However, this is not recommended because if the address changes, you must obtain a new certificate and include the new IP address again.
Note:
- This keystore file must be used throughout this procedure.
- Depending on your browser, you might need to perform additional configurations to complete the creation of a CA-Signed Certificate. For example, for Google Chrome version 58 and later, you must specify the Subject Alternative Name (SAN), while running the keytool command.
During the command execution, you are prompted to provide information about your organization:
- Alias: The alias that Tomcat uses to refer to the key pair when the certificate is imported or installed. The alias can be any simple name used for cross reference. After the certificate authority signs the certificate and returns it, you must use the same alias to import the signed certificate.
- Password: The keystore password. Use a strong password.
Note: Do not use special characters.
- First and Last name: The fully qualified domain name of the site that must be served over HTTPS, such as www.someserver.someportal.com. If you want to protect several hostnames on the same domain, you must obtain a wildcard certificate and enter the site name in the form *.someportal.com.
If you enter a value that does not match the hostname in the website URL for which you are requesting the certificate, the browser might treat the website as untrusted. In these cases, an error message such as the following is shown:
The security certificate presented by this website was issued for a different website's address.
Note:
- Always use a fully qualified hostname, for example, www.someserver.someportal.com.
- If you want to protect more than one host, list all the hostnames. This is useful when you have a single server that is accessed using two different names, depending on where the connection is coming from. The resulting certificate is valid for any of the hostnames.
- Organizational Unit: Optional. If applicable, specify the DBA (Doing Business As) name.
- Organization Name: The full legal name of your organization. The organization name must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, enter the certificate requester's name.
- City / Locality: The city (without abbreviation) where your organization is located.
- State / Province: The state or province (without abbreviation) where your organization is located.
- Country Code: The two-letter country code (ISO, International Organization for Standardization, format) of the country where your organization is legally registered.
- To generate a CSR, run the following command:
keytool -certreq -keyalg RSA -alias tomcat -file C:\somename.csr -keystore C:\mykeystore.jks -validity <daysValid> -ext SAN=dns:<domainname>
- certreq: Do not remove or change this parameter.
- keyalg: Do not remove or change this parameter. The valid value is RSA.
- alias: The same alias name that was used for generating the keystore.
- file: The path to the file in which the CSR is written.
- keystore: The path to the keystore that you created in the previous step. You must use the same keystore file throughout this procedure.
- validity: The number of days the keystore file is valid, starting from the day the keystore file is created. Enter a value less than or equal to 397 days.
Optionally, you can include an IP address in the SAN using SAN=dns:(domainname),ip:(Tomcat server IP address) instead of SAN=dns:(domainname). However, this is not recommended because if the address changes, you must obtain a new certificate and include the new IP address again.
- Upload the CSR to the CA website, indicate the type of Tomcat server, and submit for signing.
- Download the root, intermediate, and issued server/domain certificates.
Important: This step might be different based on the CA. Follow the guidelines provided by your CA.
- Import each signed certificate that is issued by the CA using the following commands:
- Root certificate:
keytool -import -alias root -keystore C:\mykeystore.jks -trustcacerts -file C:\valicert_class2_root.crt
- Intermediate certificate:
keytool -import -alias intermed -keystore C:\mykeystore.jks -trustcacerts -file C:\gd_intermediate.crt
- Issued server/domain certificate:
keytool -import -alias tomcat -keystore C:\mykeystore.jks -trustcacerts -file C:\server_certificate_whatevername.crt
Important: The keystore parameter must be the path to the keystore file that was used to generate the CSR. You must use the same keystore file throughout this procedure.
- Close the command line.
Configuring the SSL Certificate for Tomcat Server
Procedure
- Stop the Tomcat Server.
- Go to software_installation_path/Apache/Conf, and then back up the server.xml file that is part of the Apache configuration.
- Copy the generated keystore file to software_installation_path/Apache.
- For new installations of Version 11 SP9 or higher, in the server.xml file, modify the path to the generated keystore file and the keystore password values:
<Certificate certificateKeystoreFile="software_installation_path/Apache/your_file" certificateKeystorePassword="password" certificateKeystoreType="JKS"/>
where:
- software_installation_path/Apache/your_file is the path to your keystore file. You can use the .jks keystore file and set certificateKeystoreType to JKS. You can also use the .pfx, .p12 or .p7b keystore files and set certificateKeystoreType to PKCS12.
- password is the password that you used to create the keystore or certificate.
For configuration on SP8 or earlier installations, refer to the corresponding service pack version documentation.
- In the server.xml file Connector element associated with port 443, keep the following up to date:
- SSL protocols: Update the protocols attribute of the SSLHostConfig element (enable TLSv1.2+TLSv1.3 or a more recent version).
- Ciphers: Update the ciphers attribute of the SSLHostConfig element according to your corporate security policy. For a list of ciphers that are considered reasonably secure at this time, see Ciphers for the SSL Connector for Tomcat Server.
<SSLHostConfig certificateVerification="none" honorCipherOrder="true" protocols="TLSv1.2+TLSv1.3" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256">
- Start the Tomcat Server and access the resource on your server using HTTPS.
For instructions about restarting the Tomcat service, see Restarting a Service.
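The server.xml edits in the steps above (pointing the Certificate element at the new keystore, and keeping the SSLHostConfig protocols and ciphers current) can be audited and applied programmatically rather than by hand. The following Python script is an added example, not Commvault's code and not part of this page. It assumes the Connector/SSLHostConfig/Certificate layout shown above, the approved cipher list is the one from the SSLHostConfig example above, and the keystore-type mapping follows the page's extension rule (.jks to JKS; .pfx, .p12 or .p7b to PKCS12). The server.xml it parses is constructed here with deliberately weak settings so the audit has something to flag; the function names audit_ssl_connector, harden_ssl_connector and keystore_type_for are the example's own.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat server.xml with deliberately weak HTTPS settings
# (not a real Commvault file): old protocols, a CBC cipher, no cipher ordering.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig certificateVerification="none"
                     protocols="TLSv1+TLSv1.1+TLSv1.2"
                     ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
        <Certificate certificateKeystoreFile="/opt/commvault/Apache/oldstore.jks"
                     certificateKeystorePassword="OldKeystorePassword"
                     certificateKeystoreType="JKS"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Cipher suites from the page's SSLHostConfig example; order is the preference order.
APPROVED_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
)
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Keystore type per file extension, as the page describes (assumption: the page's rule is followed as stated).
KEYSTORE_TYPES = {".jks": "JKS", ".pfx": "PKCS12", ".p12": "PKCS12", ".p7b": "PKCS12"}


def keystore_type_for(path: str) -> str:
    """Map a keystore file name to the certificateKeystoreType value the page prescribes."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in KEYSTORE_TYPES:
        raise ValueError(f"unsupported keystore extension: {ext!r}")
    return KEYSTORE_TYPES[ext]


def find_https_connector(root: ET.Element, port: str = "443") -> ET.Element:
    """Locate the Connector element bound to the HTTPS port."""
    for connector in root.iter("Connector"):
        if connector.get("port") == port:
            return connector
    raise ValueError(f"no Connector with port={port}")


def audit_ssl_connector(xml_text: str, port: str = "443") -> list:
    """Return findings for the HTTPS connector; an empty list means it matches the page's guidance."""
    findings = []
    host = find_https_connector(ET.fromstring(xml_text), port).find("SSLHostConfig")
    if host is None:
        return [f"Connector {port}: no SSLHostConfig element"]
    protocols = host.get("protocols", "")
    rejected = [p for p in protocols.split("+") if p not in ALLOWED_PROTOCOLS]
    if not protocols or rejected:
        findings.append(f"protocols={protocols!r}: expected only TLSv1.2+TLSv1.3")
    for cipher in filter(None, (c.strip() for c in host.get("ciphers", "").split(","))):
        if cipher not in APPROVED_CIPHERS:
            findings.append(f"cipher {cipher} is not in the approved list")
    if host.get("honorCipherOrder") != "true":
        findings.append("honorCipherOrder is not 'true'; the server should pick from its own preference order")
    cert = host.find("Certificate")
    if cert is None:
        findings.append("no Certificate element under SSLHostConfig")
        return findings
    path = cert.get("certificateKeystoreFile", "")
    expected = KEYSTORE_TYPES.get(os.path.splitext(path)[1].lower())
    if cert.get("certificateKeystoreType") != expected:
        findings.append(f"certificateKeystoreType does not match keystore file {path!r} (expected {expected})")
    if not cert.get("certificateKeystorePassword"):
        findings.append("certificateKeystorePassword is empty")
    return findings


def harden_ssl_connector(xml_text: str, keystore_path: str, keystore_password: str, port: str = "443") -> str:
    """Rewrite the HTTPS connector to the page's SSLHostConfig settings and the new keystore; return the new XML."""
    root = ET.fromstring(xml_text)
    connector = find_https_connector(root, port)
    host = connector.find("SSLHostConfig")
    if host is None:
        host = ET.SubElement(connector, "SSLHostConfig")
    host.set("protocols", "TLSv1.2+TLSv1.3")
    host.set("ciphers", ",".join(APPROVED_CIPHERS))
    host.set("honorCipherOrder", "true")
    cert = host.find("Certificate")
    if cert is None:
        cert = ET.SubElement(host, "Certificate")
    cert.set("certificateKeystoreFile", keystore_path)
    cert.set("certificateKeystorePassword", keystore_password)
    cert.set("certificateKeystoreType", keystore_type_for(keystore_path))
    # ElementTree drops the XML declaration when serialising to str, so it is re-added here.
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_ssl_connector(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
    hardened = harden_ssl_connector(SAMPLE_SERVER_XML, "/opt/commvault/Apache/mykeystore.p12", "NewKeystorePassword")
    print(hardened)
    print("findings after hardening:", audit_ssl_connector(hardened))
```

Run the audit against a backup copy of server.xml before and after the edit: it reports the legacy protocols, the CBC cipher and the missing honorCipherOrder on the constructed sample, and nothing on the hardened output. The script leaves attributes it does not know about (such as certificateVerification) untouched, so it can be applied to an existing file without losing other configuration.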
Restarting a Service on Windows Clients
When services are running, you can manually restart a service.
Important: When you restart a service, the dependent services are also restarted. For more information on dependent services, see Service Dependencies.
Procedure
- Click Start and point to All Programs.
- Click Commvault > Process Manager.
- Under the Services tab, right-click a running service and then click Restart.
Configuring Services to Start Automatically After a Client Restarts
You can configure services to start automatically after a client restarts.
Procedure
- On the client, go to Start > All Programs > Commvault > Process Manager.
The Process Manager dialog box appears.
- Click the Services tab, and then select the Auto-start when OS starts check box.