Enabling SSL in OpManager
Steps to enable SSL for OpManager build 8050 and above
In build 8050 we have removed Apache from OpManager. Follow the
steps given below to enable SSL:
- Open a command prompt (Run-> cmd) and change directory to
/opmanager/bin.
- Execute the following command:
ssl_gen.bat -f Enable
This enables a self-signed SSL certificate for OpManager. You can now
access the OpManager web client on the same port number using https://.
Steps to disable SSL:
- Open a command prompt (Run-> cmd) and change directory to
/opmanager/bin.
- Execute the following command:
ssl_gen.bat Disable
This disables SSL for OpManager. The web client can then be accessed on
the same port number using http://.
Steps to enable SSL for OpManager builds older than 8050 (Apache has been removed in build 8050)
- Stop the OpManager service.
- Ensure that the service window is closed.
- Open a command prompt and change directory to \opmanager\bin.
- Execute the script OpManagerService.bat with the -r option as shown below:
OpManagerService.bat -r
This removes the Service entry.
- From the command prompt, with \opmanager\bin as the current
directory, execute the script ssl_gen.bat. This
creates the SSL Certificate.
- Now, execute the OpManagerService.bat script once again, but with
the argument -i as shown below. This recreates the OpManager Service.
OpManagerService.bat -i
- Restart the OpManager Service and connect as
https://<opmanager host name or IP address>:<port number>. For instance,
if the host name is OpM-Server and the port is 80, you will connect as
https://OpM-Server:80
The WebClient is now SSL-enabled.
Steps to enable SSL for NetFlow plug-in
If you have also installed the NetFlow plug-in, then follow the steps
given below.
- Ensure that SSL has already been enabled in OpManager.
- Stop the OpManager Service.
- Download NetFlow_ssl.zip and unzip it under the \opmanager folder.
- Run the ssl_gen.bat present under \opmanager\NetFlow\bin.
- This will create NetFlow.truststore and server.keystore under
\opmanager\NetFlow\server\default\conf\ssl folder.
- Start the OpManager service.
The NetFlow plug-in is also now SSL-enabled.
Steps to enable third-party SSL in OpManager
- Open a command prompt (Run-> cmd) and change directory to
/opmanager.
- Generate a Keystore file.
Execute the following command and provide the requested details to
create the OpManager.truststore file under the conf folder.
>jre\bin\keytool.exe -v -genkey -keyalg RSA -keystore conf\OpManager.truststore -alias opmanager (Press Enter)
Enter keystore password: (Enter a password for this keystore, at least 6 characters long. Press Enter)
What is your first and last name?
[Unknown]: (Enter the name of the server on which OpManager is running. It must be an FQDN [Fully Qualified Domain Name]. Ex.: opmserver.manageengine.com. Press Enter.)
What is the name of your organizational unit?
[Unknown]: (Name of your Organization Unit. Ex: SYSADMIN. Press Enter.)
What is the name of your organization?
[Unknown]: (Your Organization Name. Ex: Zoho Corp. Press Enter.)
What is the name of your City or Locality?
[Unknown]: (Your city name. Ex: Pleasanton. Press Enter.)
What is the name of your State or Province?
[Unknown]: (Your state name. Ex: California. Press Enter.)
What is the two-letter country code for this unit?
[Unknown]: (Your country's two-letter code. Ex: US. Press Enter.)
Is CN=opmserver.manageengine.com, OU=SYSADMIN, O=Zoho Corp, L=Pleasanton, ST=California, C=US correct?
[no]: (Check the details and, if they are correct, type yes and press Enter. Otherwise, just press Enter to modify them.)
Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)
for CN=opmserver.manageengine.com, OU=SYSADMIN, O=Zoho Corp, L=Pleasanton, ST=California, C=US
Enter key password for <opmanager>
(RETURN if same as keystore password): (Just press Enter. For Tomcat, both the keystore password and the key [alias] password must be the same.)
[Storing conf\OpManager.truststore]
- Generate a CSR (Certificate Signing Request) file. Execute the
following command to create the opmssl.csr file under the conf folder:
>jre\bin\keytool.exe -v -certreq -file conf\opmssl.csr -keystore conf\OpManager.truststore -alias opmanager
Enter keystore password: (Enter the password for the keystore file)
Certification request stored in file <conf\opmssl.csr>
Submit this to your CA
- Get certificates from the CA (Certification Authority):
Contact a CA such as Verisign or Equifax with the CSR file generated in
the previous step to get an SSL certificate. In most cases you have to
copy and paste the content of the CSR file into a text area on their
website. After verifying your request, they will usually send you the
certificate content by mail. Copy and paste the content into a text
editor and save it as "ServerCert.cer" under the OpManager_Home\conf
folder. While copying and pasting, take care that no extra space is
added at the end of lines.
- Import root and intermediate certificates:
Before importing our certificate, we have to import the CA's root and
intermediate certificates into the keystore file we generated at the
second step. When mailing you the certificate, CAs will mention the
link to their root and intermediate certificates. Save them under the
conf directory with the names "CARoot.cer" and "CAIntermediate.cer"
respectively. Some CAs may have two or more intermediate certificates.
Refer to their documentation carefully before importing.
To import root certificate:
>jre\bin\keytool.exe -import -trustcacerts -file conf\CARoot.cer -keystore conf\OpManager.truststore -alias CARootCert
Enter keystore password: (Enter the keystore password)
(Root Certificate's information will be printed)
Trust this certificate? [no]: (type yes and press enter if it is the certificate of your CA)
Certificate was added to keystore
To import intermediate certificate:
>jre\bin\keytool.exe -import -trustcacerts -file conf\CAIntermediate.cer -keystore conf\OpManager.truststore -alias CAInterCert
Enter keystore password: (Enter the keystore password)
Certificate was added to keystore
- Import the server's certificate. Execute the following command to add
the certificate received from the CA to the keystore file:
>jre\bin\keytool.exe -import -trustcacerts -file conf\ServerCert.cer -keystore conf\OpManager.truststore -alias opmanager
Enter keystore password: (Enter the keystore password)
Certificate reply was installed in keystore
- Configure Tomcat:
  - Open the "ssl_server.xml" file (under OpManager_Home\tomcat\conf\backup) in a text editor.
  - Search for the term "keystoreFile". It is an attribute of the connector tag. Set its value to "WEBNMS_ROOT_DIR/conf/OpManager.truststore".
  - Change the value of the "keystorePass" attribute to your keystore file password.
- Modify the conf file:
  - Open the "OpManagerStartUp.properties" file (under OpManager_Home\conf) in a text editor.
  - Set the value of the parameter "https" to "Enable".
- Start the OpManager server and connect the client with https.
Ex: https://opmserver.manageengine.com:80
Note:
If you already have a certificate for this server and that certificate
was requested using a keystore file generated with the Java keytool,
you may use it for the SSL configuration. Copy the keystore file to
OpManager_Home\conf, rename it to "OpManager.truststore" and follow the
steps from 5.
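To review what the keystore holds after the third-party SSL steps, list it with jre\bin\keytool.exe -list -v -keystore conf\OpManager.truststore and check each entry. The Python script below is an added example, not part of the original ManageEngine page: it parses that listing and flags weak signature algorithms, short keys and a server entry that is still self-signed, as in the "1,024 bit ... (MD5WithRSA)" output shown above. The sample listing is constructed, and the "Subject Public Key Algorithm" line is an assumption that holds only for newer JDK keytool versions (the key-size check is skipped when the line is absent).

```python
import re

# Constructed, trimmed "keytool -list -v" listing (not from a real keystore).
DN = "CN=opmserver.manageengine.com, OU=SYSADMIN, O=Zoho Corp, L=Pleasanton, ST=California, C=US"
SAMPLE = f"""\
Alias name: opmanager
Entry type: PrivateKeyEntry
Owner: {DN}
Issuer: {DN}
Signature algorithm name: MD5withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Alias name: carootcert
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
"""
WEAK_SIG = re.compile(r"(md2|md5|sha1)with", re.I)

def parse_entries(text):
    """One dict per alias; setdefault keeps the first (leaf) certificate's fields."""
    entries = []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and key.lower() == "alias name":
            entries.append({"alias": value})
        elif sep and entries:
            entries[-1].setdefault(key.lower(), value)
    return entries

def audit(text, min_bits=2048):
    """Return (alias, finding) pairs; a root's own signature is not checked."""
    findings = []
    for e in parse_entries(text):
        is_key = e.get("entry type") == "PrivateKeyEntry"
        self_signed = e.get("owner") == e.get("issuer")
        sig = e.get("signature algorithm name", "")
        if WEAK_SIG.match(sig) and (is_key or not self_signed):
            findings.append((e["alias"], f"weak signature algorithm {sig}"))
        bits = re.match(r"(\d+)-bit", e.get("subject public key algorithm", ""))
        if bits and int(bits.group(1)) < min_bits:  # line absent on older JDKs
            findings.append((e["alias"], f"{bits.group(1)}-bit key is below {min_bits}"))
        if is_key and self_signed:
            findings.append((e["alias"], "self-signed: CA reply not imported yet"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{a}: {f}" for a, f in audit(SAMPLE)))
```

keytool accepts -keysize and -sigalg on -genkey, so a finding on the opmanager entry can be corrected when the key pair is generated, before the CSR is sent to the CA.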
Copyright © 2012,
ZOHO Corp. All Rights Reserved.