Self-signed certificate for the AMC Web Console.

Version 1

    Problem: Trying to use a self-signed certificate for the AMC Web Console fails with either a "bad certificate" or a "bad password" error.


    Solution:
    -----------
    Self-Signed Certificate Instructions (modified for clarifications)

    These instructions explain how to generate a self-signed certificate in the Apache Tomcat environment. The keytool.exe utility referenced in this document is located in the [Avalanche MC/SE Install directory]\JRE\Bin folder.


    1. Use the keytool.exe utility that comes with the Java Run-time Environment (JRE) to create a keystore for the SSL certificate. Identify your alias and keystore names. These names can be arbitrary, but should be noted for future reference. Upon completing the keytool command to generate the keystore, you will be prompted to enter a keystore password. Please note the keystore password and do not lose it.


    2. After you generate the keystore, you will be prompted to enter the X.509 attributes for the certificate. These attributes are:
       - First and last name (Common Name (CN)) - use your computer name or fully qualified domain name here, not your actual name
       - Organizational Unit
       - Organization
       - City
       - State
       - Country Code
       The Common Name (domain name) you enter should be one that your company owns. Add a DNS entry if needed to resolve this computer to the Common Name.


    3. You will be prompted to add a password for the alias. This password will also go in the server.xml file when you modify it. To simplify things, you can press the Return key to keep the keystore password and the password for the new alias the same.

       C:\Program Files\Wavelink\AvalancheMC\JRE\bin>keytool -genkey -alias amcselfcert -keyalg RSA -keystore selfsignkeystore.keystore
       Enter keystore password: keypass (example)
       Re-enter new password: keypass (example)
       What is your first and last name?
         [Unknown]: Example:
       What is the name of your organizational unit?
         [Unknown]: Example: Engineering
       What is the name of your organization?
         [Unknown]: Example: Wavelink Corporation
       What is the name of your City or Locality?
         [Unknown]: Example: Midvale
       What is the name of your State or Province?
         [Unknown]: Example: Utah
       What is the two-letter country code for this unit?
         [Unknown]: Example: US
       Is, OU=Engineering, O=Wavelink Corporation, L=Midvale, ST=Utah, C=US correct?
         [no]: yes
       Enter key password for (RETURN if same as keystore password):

       C:\Program Files\Wavelink\AvalancheMC\JRE\bin>


    4. To activate SSL on the Apache Tomcat server, go to the C:\Program Files\Wavelink\AvalancheMC\WebUtilities\tomcat\conf folder and modify the server.xml file. Change the following section to reflect what is shown here and restart the Tomcat server. Make sure the section is uncommented.

       You can also change the connector port to the default HTTPS port of 443 if you are not using it for any other applications. Changing the port to 443 will allow you to access the AMC console without entering the port in the URL.

       Note: the keystorePass="keypass" is the same password used in the example above. This must be set to the password you have chosen.

       Note: These are the changes made to the default server.xml file for this connector port. This line was added:
       keystoreFile="C:\Program Files\Wavelink\AvalancheMC\JRE\bin\selfsignkeystore.keystore" keystorePass="keypass"
       We also needed to change the protocol from HTTP/1.1 to org.apache.coyote.http11.Http11NioProtocol.


    5. To verify your certificate is working properly, go to a command line and type:

       keytool -list -v -keystore selfsignkeystore.keystore
       Enter keystore password: keypass

       You should see your certificate listed on the screen, which indicates it was created properly and your password is correct. Now go to a browser and type:

       https://:8443/AvalancheWeb

       Example:

       If you changed the Java SSL connector port to 443, use:

       https:///AvalancheWeb
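    Step 4 refers to the HTTPS connector section without reproducing it, and step 5 derives the console URL from the connector port. The following script is an added example, not part of this article or of the Wavelink product: it embeds constructed copies of a Tomcat 6-style server.xml (the shipped default with the SSL connector still inside an XML comment, a half-edited copy with it uncommented but unchanged, and the connector edited as step 4 describes with keystoreFile, keystorePass and the org.apache.coyote.http11.Http11NioProtocol protocol) and checks each one for the mistakes that make Tomcat fail to serve HTTPS before the service is restarted. The standard connector attributes (SSLEnabled, scheme, secure, clientAuth, sslProtocol, maxThreads) come from the Tomcat 6 default template; the host name amc.example.com and the function names are assumptions.

```python
"""Pre-restart sanity check for the Tomcat HTTPS <Connector> in server.xml."""
import os
import xml.etree.ElementTree as ET

# Protocol the article says had to replace HTTP/1.1 on the SSL connector.
REQUIRED_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"

# Constructed sample: the Tomcat 6 default server.xml, where the SSL connector
# ships inside an XML comment (the "make sure the section is uncommented" case).
DEFAULT_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
  </Service>
</Server>
"""

# Constructed sample: connector uncommented, but protocol and keystore not set.
HALF_EDITED_XML = DEFAULT_SERVER_XML.replace("<!--", "").replace("-->", "")

# Constructed sample: the connector after the edits described in step 4.
EDITED_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:\Program Files\Wavelink\AvalancheMC\JRE\bin\selfsignkeystore.keystore"
               keystorePass="keypass" />
  </Service>
</Server>
"""


def _ssl_connectors(xml_text):
    """Return every <Connector> with SSLEnabled="true". ElementTree discards
    comments, so a connector still wrapped in <!-- --> is simply not seen."""
    root = ET.fromstring(xml_text)
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


def check_ssl_connector(xml_text, keystore_exists=os.path.isfile):
    """Return a list of problems with the HTTPS connector; [] means it looks right.
    keystore_exists is injectable so the check can run on a machine where the
    Windows path in the sample does not exist."""
    connectors = _ssl_connectors(xml_text)
    if len(connectors) != 1:
        return ["expected exactly one SSL-enabled <Connector>, found %d "
                "(is the section still commented out?)" % len(connectors)]
    c = connectors[0]
    problems = []
    if c.get("protocol") != REQUIRED_PROTOCOL:
        problems.append("protocol is %r, expected %r"
                        % (c.get("protocol"), REQUIRED_PROTOCOL))
    keystore = c.get("keystoreFile")
    if not keystore:
        problems.append("keystoreFile attribute is missing")
    elif not keystore_exists(keystore):
        problems.append("keystoreFile %r does not exist" % keystore)
    if not c.get("keystorePass"):
        problems.append("keystorePass is missing or empty; it must match the "
                        "keystore password given to keytool")
    if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
        problems.append('connector should carry scheme="https" secure="true"')
    return problems


def console_url(xml_text, host):
    """Build the console URL for the connector's port, as step 5 describes:
    the port is only omitted from the URL when the connector listens on 443."""
    port = _ssl_connectors(xml_text)[0].get("port")
    if port == "443":
        return "https://%s/AvalancheWeb" % host
    return "https://%s:%s/AvalancheWeb" % (host, port)


if __name__ == "__main__":
    samples = [("default", DEFAULT_SERVER_XML), ("half-edited", HALF_EDITED_XML),
               ("edited", EDITED_SERVER_XML)]
    for label, text in samples:
        # Treat the keystore path as present so the sample runs on any machine.
        print(label, check_ssl_connector(text, keystore_exists=lambda p: True) or "OK")
    print(console_url(EDITED_SERVER_XML, "amc.example.com"))  # placeholder host
```

    Run it against the real file with check_ssl_connector(open(path).read()) and the default keystore_exists. Because keystorePass sits in clear text in server.xml, restrict read access on server.xml, the keystore and the step 7 backups to the Tomcat service account and administrators.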


    6. To troubleshoot issues connecting to the Apache Tomcat web server using SSL after the changes are made, go to C:\Program Files\Wavelink\AvalancheMC\WebUtilities\Tomcat\logs to find the Catalina Tomcat logs. Note that you need to stop the Tomcat service to get all the log messages, as they are cached in memory. Example log file: catalina.2010-02-24.log


    7. Back up the keystore file and the server.xml document. The keystore contains the private and public keys. For this implementation, those files are:
       selfsignkeystore.keystore
       server.xml