ADSelfService Plus runs as an HTTPS service. It requires a valid CA-signed SSL certificate whose principal (subject) name is the host name under which the server is reached. On first startup it creates a self-signed certificate, which user browsers will not trust. Until that certificate is replaced, everyone connecting to ADSelfService Plus has to verify the certificate details and the server's host name by hand and force the browser to accept the certificate.
To make the ADSelfService Plus server identify itself correctly to the web browser and the user, use keytool (bundled with Java) to create a key pair, have the certificate signed by a CA, and install the result in ADSelfService Plus. Detailed instructions for using keytool follow.
Step 1: Initial Settings :
These settings must be made in ADSelfService Plus before applying for an SSL certificate.
Start ADSelfService Plus (Start --> All Programs --> ADSelfService Plus --> Start ADSelfService Plus).
Change the port settings from http to https ("Admin" tab --> "Connection" (left pane) --> check "Enable SSL Port [https]" --> Save).
Stop ADSelfService Plus (Start --> All Programs --> ADSelfService Plus --> Stop ADSelfService Plus).
Step 2: Certificate Request Process :
Before requesting a certificate from a certifying authority, create a Tomcat-specific keystore file and a certificate signing request (CSR) file, referred to below as <domainName>.keystore and <domainName>.csr.
Both files carry the identity information (host name, organization, location) entered by the person who creates them; the CSR is what the CA signs. When keytool asks for your "first and last name", answer with the server's fully qualified host name exactly as users will type it into the browser, since that is the name browsers check against the certificate.
To create the .keystore file, follow the steps below:
Open the Command Prompt.
From <installation directory> \ jre \ bin, run the following command.
keytool -genkey -alias tomcat -keypass <your key password> -keyalg RSA -keysize 2048 -validity 1000 -keystore <domainName>.keystore

Note: keytool will prompt you for the keystore password. Use the same value as the key password: Tomcat unlocks the private key with the keystore password unless a separate keyPass is configured in server.xml. The -keysize 2048 option is explicit because older JREs default to 1024-bit keys, which public CAs no longer sign. The -validity value only applies to the temporary self-signed certificate; the validity of the real certificate is set by the CA.
To create the .csr (Certificate Signing Request) file, follow the steps below:
Open the Command Prompt.
From <installation directory> \ jre \ bin, run the following command.
keytool -certreq -alias tomcat -keyalg RSA -keystore <domainName>.keystore -file <domainName>.csr
Step 3: Certificate Issuance Process :
The third step covers the certificate issuance process, in which the CSR created above is submitted to a certifying authority to obtain a CA-signed certificate.
Some of the prominent CAs are Verisign (http://verisign.com), GoDaddy (http://www.godaddy.com/) and Comodo (http://www.comodo.com). Check their documentation / website for details on submitting CSRs; the CA charges a fee for the certificate.
Submit the <domainName>.csr file to the Certificate Authority (CA). You will receive a <domainName>.crt or <domainName>.cer file along with the CA's other certificate files, usually in a zip archive.
This process usually takes a few days, after which you are sent your signed SSL certificate and the CA's root and intermediate certificates as .cer or .crt files.
Once the CA-signed certificate is received from the Certifying Authority (CA):
Unzip and extract the certificate files into the <installation directory> \ jre \ bin folder.
Install the root, intermediate and primary (server) certificate files in that order: root first, then each intermediate, then the server certificate last. The server certificate must be imported under the same alias as the key pair (tomcat) so that keytool treats it as a certificate reply and installs it with the chain; keytool confirms this with "Certificate reply was installed in keystore".
Note: Each time you install a certificate into your keystore you will be prompted for the keystore password you chose when generating your CSR. The certificate file names vary with your choice of CA.

For instance, if your CA is "GoDaddy", run the following commands from <installation directory> \ jre \ bin:
keytool -import -alias root -keystore <domainName>.keystore -trustcacerts -file gd_bundle.crt
keytool -import -alias cross -keystore <domainName>.keystore -trustcacerts -file gd_cross_intermediate.crt
keytool -import -alias intermed -keystore <domainName>.keystore -trustcacerts -file gd_intermediate.crt
keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts -file <domainName>.crt
For instance, if your CA is "Verisign", run the following commands from <installation directory> \ jre \ bin:
keytool -import -alias intermediateCA -keystore <domainName>.keystore -trustcacerts -file <your_intermediate_certificate>.cer
keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts -file <domainName>.cer
For instance, if your CA is "Comodo", run the following commands from <installation directory> \ jre \ bin:
keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore <domainName>.keystore
keytool -import -trustcacerts -alias addtrust -file UTNAddTrustServerCA.crt -keystore <domainName>.keystore
keytool -import -trustcacerts -alias ComodoUTNServer -file ComodoUTNServerCA.crt -keystore <domainName>.keystore
keytool -import -trustcacerts -alias essentialSSL -file essentialSSLCA.crt -keystore <domainName>.keystore
keytool -import -trustcacerts -alias tomcat -file <domainName>.crt -keystore <domainName>.keystore

Copy <domainName>.keystore into the <installation directory> \ conf folder.
Step 4: Associating the Certificate with ADSelfService Plus :
This step configures the ADSelfService Plus server to use the keystore that holds your SSL certificate.
Edit server.xml in the <installation directory> \ conf folder.
In the last Connector element (at the end of the file), set the value of "keystoreFile" to "./conf/<domainName>.keystore".
Set "keystorePass" to the keystore password you chose. The password is stored in clear text, so restrict the permissions on the conf folder to administrators and the account that runs the ADSelfService Plus service.
Save the server.xml file and close it.
Start ADSelfService Plus and open it in a browser using the same host name that is in the certificate (connecting by IP address or by a short name will still produce a warning).
If you can view the ADSelfService Plus login console without any warning from the browser, you have successfully installed your SSL certificate in ADSelfService Plus!
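The following PowerShell script is an added example that is not part of the ADSelfService Plus documentation. It runs Steps 2 to 4 above as functions (key pair and CSR, chain import, a keystore check, and the server.xml edit) so that the result can be verified before the service is started. The install path, host name, subject fields and chain file names are assumptions to be replaced with your own values; the CA's files are assumed to have been extracted into jre\bin as the text instructs.

```powershell
# Added example (not from the ADSelfService Plus docs). Run in an elevated PowerShell on the
# ADSelfService Plus server with the service stopped. Every value below is an assumption.
$InstallDir = 'C:\ManageEngine\ADSelfService Plus'    # assumed install path
$Fqdn       = 'selfservice.example.com'               # assumed: host name users type into the browser
$CertDir    = Join-Path $InstallDir 'jre\bin'         # where the CA's zip was extracted (as in the doc)
$Keytool    = Join-Path $InstallDir 'jre\bin\keytool.exe'
$Keystore   = Join-Path $InstallDir "conf\$Fqdn.keystore"   # created directly in conf, no copy step needed
$Csr        = Join-Path $CertDir "$Fqdn.csr"
$ServerXml  = Join-Path $InstallDir 'conf\server.xml'

# One password for keystore and key: Tomcat unlocks the key with keystorePass unless keyPass is set.
# Note that -storepass on the command line is visible to other local administrators while keytool runs.
$Secure = Read-Host -Prompt 'Keystore/key password' -AsSecureString
$Pass   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

function Invoke-Keytool([string[]]$KeytoolArgs) {
    # PowerShell does not throw when a native command fails, so check the exit code ourselves.
    $out = & $Keytool $KeytoolArgs | Out-String
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KeytoolArgs[0]) failed, see output above" }
    return $out
}

function New-CsrForCa {
    # Step 2: key pair plus CSR. The FQDN goes into CN and SAN; modern browsers match on the SAN.
    # -validity covers only the placeholder self-signed cert; the CA decides the real validity.
    Invoke-Keytool @('-genkeypair', '-alias', 'tomcat', '-keyalg', 'RSA', '-keysize', '2048',
                     '-validity', '1000', '-dname', "CN=$Fqdn, OU=IT, O=Example Corp, L=Springfield, ST=IL, C=US",
                     '-ext', "SAN=dns:$Fqdn", '-keystore', $Keystore, '-storepass', $Pass, '-keypass', $Pass) | Out-Null
    Invoke-Keytool @('-certreq', '-alias', 'tomcat', '-ext', "SAN=dns:$Fqdn",
                     '-keystore', $Keystore, '-storepass', $Pass, '-file', $Csr) | Out-Null
    # Inspect the request before sending it: the subject and SAN must name the host users will type.
    Invoke-Keytool @('-printcertreq', '-file', $Csr)
}

function Install-CaReply {
    # Step 3: root first, then intermediates, then the server cert under the SAME alias as the key,
    # so keytool treats it as a certificate reply and validates it against the chain just imported.
    $chain = @(   # assumed file names; use the ones your CA ships, in root -> intermediate order
        @{ Alias = 'root';     File = 'ca_root.crt' },
        @{ Alias = 'intermed'; File = 'ca_intermediate.crt' }
    )
    foreach ($c in $chain) {
        Invoke-Keytool @('-importcert', '-noprompt', '-trustcacerts', '-alias', $c.Alias,
                         '-file', (Join-Path $CertDir $c.File), '-keystore', $Keystore, '-storepass', $Pass) | Out-Null
    }
    $out = Invoke-Keytool @('-importcert', '-trustcacerts', '-alias', 'tomcat',
                            '-file', (Join-Path $CertDir "$Fqdn.crt"), '-keystore', $Keystore, '-storepass', $Pass)
    if ($out -notmatch 'Certificate reply was installed') { throw "unexpected keytool output:`n$out" }
}

function Test-KeystoreChain {
    # Confirm the reply replaced the self-signed cert and that the chain names the host users type.
    $listing = Invoke-Keytool @('-list', '-v', '-alias', 'tomcat', '-keystore', $Keystore, '-storepass', $Pass)
    if (-not ($listing -match 'Entry type: PrivateKeyEntry')) { throw 'tomcat is not a private-key entry' }
    if (-not ($listing -match 'Certificate chain length: (\d+)')) { throw 'no chain length reported' }
    $len = [int]$Matches[1]
    if ($len -lt 2) { throw "chain length $len`: the CA reply was not installed, the entry is still self-signed" }
    if (-not ($listing -match "DNSName: $([regex]::Escape($Fqdn))")) {
        Write-Warning "certificate carries no SAN for $Fqdn; browsers will still warn"
    }
    Write-Host "keystore OK: private key with a chain of $len certificates"
}

function Set-ServerXmlKeystore {
    # Step 4: point the last Connector (the HTTPS one, per the doc) at the keystore. Keep a backup.
    Copy-Item $ServerXml "$ServerXml.bak" -Force
    $xml  = [xml](Get-Content $ServerXml -Raw)
    $conn = @($xml.SelectNodes('//Connector'))[-1]
    $conn.SetAttribute('keystoreFile', "./conf/$Fqdn.keystore")
    $conn.SetAttribute('keystorePass', $Pass)   # clear text: restrict ACLs on conf\ to admins and the service account
    $xml.Save($ServerXml)
}

# Day 1:  New-CsrForCa            then submit $Csr to the CA.
# Later:  Install-CaReply; Test-KeystoreChain; Set-ServerXmlKeystore   then start ADSelfService Plus.
```

The keytool flags are the same on any operating system; only the paths and the shell wrapper are Windows-specific. Test-KeystoreChain is the check worth keeping even if you type the commands by hand: a chain length of 1 under the tomcat alias means the CA reply never replaced the self-signed certificate, which is the usual cause of a browser warning that persists after server.xml has been edited.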