# Enabling SSL in OpManager

An SSL (Secure Sockets Layer) certificate is a digital certificate that ensures the authenticity, integrity, and encryption of the data shared between the client system and the corresponding server. To improve network security and stay compliant with government-mandated frameworks, users must enable their SSL certificate. Enabling SSL is considered one of the best security practices, since it leaves your network less prone to cyberattacks. To enable SSL in OpManager, follow the steps below.

- [For OpManager versions 8050 to 123180](https://www.manageengine.com/network-monitoring/help/enabling-ssl-in-opmanager.html#ssl-steps)
- [For OpManager versions 123181 and above](https://www.manageengine.com/network-monitoring/help/enabling-https-configuration.html)

## For OpManager versions 8050 to 123180

Given below is a list of SSL configuration operations in OpManager:

- [Enabling SSL in OpManager](https://www.manageengine.com/network-monitoring/help/enabling-ssl-in-opmanager.html#enableSSLOpManager)
- [Disabling SSL in OpManager](https://www.manageengine.com/network-monitoring/help/enabling-ssl-in-opmanager.html#disableSSLOpManager)
- [Enabling SSL for NetFlow Plug-in](https://www.manageengine.com/network-monitoring/help/enabling-ssl-in-opmanager.html#enableSSLNetFlow)
- [Disabling SSL for NetFlow Plug-in](https://www.manageengine.com/network-monitoring/help/enabling-ssl-in-opmanager.html#disableSSLNetFlow)
- [Enabling Third-Party SSL in OpManager](https://www.manageengine.com/network-monitoring/help/enabling-ssl-in-opmanager.html#enableThirdPartySSLOpManager)

### Steps to enable SSL in OpManager

In build 8050 we have removed Apache from OpManager. Follow the steps given below to enable SSL:

1. Open a command prompt (Run > cmd) and change directory to `/OpManager/bin`.
2. Execute the following command:

   ```
   ssl_gen.bat -f Enable
   ```

You have successfully enabled a self-signed SSL certificate for OpManager.
Now you can access the OpManager web client on the same port number with **https://**.

### Steps to disable SSL in OpManager

1. Open a command prompt (Run > cmd) and change directory to `/OpManager/bin`.
2. Execute the following command:

   ```
   ssl_gen.bat Disable
   ```

This will disable SSL for OpManager. The web client can be accessed on the same port number with **http://**.

### Steps to enable SSL for NetFlow plug-in

1. Open a command prompt (Run > cmd) and change directory to `/OpManager/NetFlow/bin`.
2. Execute the following command:

   ```
   ssl_gen.bat -f Enable
   ```

### Steps to disable SSL for NetFlow plug-in

1. Open a command prompt (Run > cmd) and change directory to `/OpManager/NetFlow/bin`.
2. Execute the following command:

   ```
   ssl_gen.bat Disable
   ```

### Steps to enable third-party SSL in OpManager

1. Open a command prompt (Run > cmd) and change directory to `/OpManager`.
2. **Generate a Keystore file.** Execute the following command and provide the requested details to create the `OpManager.truststore` file under the `conf` folder.

   ```
   >jre\bin\keytool.exe -v -genkey -keyalg RSA -keystore conf\OpManager.truststore -alias OpManager
   ```

   (Press Enter)

   (OR)

   ```
   >jre\bin\keytool.exe -v -genkey -keyalg RSA -keystore conf\OpManager.truststore -alias OpManager -keysize 2048
   ```

   (for 2048 bit key)

   - **Enter keystore password:** (Enter a password for this keystore, at least 6 characters long. Press Enter.)
   - **What is your first and last name?** **[Unknown]:** (Enter the name of the server on which OpManager is running. It must be an FQDN [Fully Qualified Domain Name]. Ex.: opmserver.manageengine.com. Press Enter.)
   - **What is the name of your organizational unit?** **[Unknown]:** (Name of your organizational unit. Ex: SYSADMIN. Press Enter.)
   - **What is the name of your organization?** **[Unknown]:** (Your organization name. Ex: Zoho Corp. Press Enter.)
   - **What is the name of your City or Locality?** **[Unknown]:** (Your city name. Ex: Pleasanton. Press Enter.)
   - **What is the name of your State or Province?** **[Unknown]:** (Your state name. Ex: California. Press Enter.)
   - **What is the two-letter country code for this unit?** **[Unknown]:** (Your country's two-letter code. Ex: US. Press Enter.)
   - **Is CN=opmserver.manageengine.com, OU=SYSADMIN, O=Zoho Corp, L=Pleasanton, ST=California, C=US correct?** **[no]:** (Check the details. If they are correct, type yes and press Enter. Otherwise, just press Enter to modify them.)
   - **Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)** **for CN=opmserver.manageengine.com, OU=SYSADMIN, O=Zoho Corp, L=Pleasanton, ST=California, C=US**
   - **Enter key password for** **(RETURN if same as keystore password):** (Just press Enter. For Tomcat, the keystore password and the key [alias] password must be the same.)
   - **[Storing conf\OpManager.truststore]**

3. **Generating CSR File** (Certificate Signing Request). Execute the following command to create the `opmssl.csr` file under the `conf` folder:

   ```
   >jre\bin\keytool.exe -v -certreq -file conf\opmssl.csr -keystore conf\OpManager.truststore -alias OpManager
   ```

   - **Enter keystore password:** (Enter the password for the keystore file)
   - **Certification request stored in file**
   - Submit this to your CA.

4. **Get certificates from CA** (Certification Authority): Contact a CA like Verisign, Equifax, with the CSR file generated in the previous step to get an SSL certificate. In most cases you have to copy and paste the content of the CSR file into a text area on their website. After verifying your request, they will usually send you the certificate content by mail. Copy and paste the content into a text editor and save it as "ServerCert.cer" under the `OpManager_Home\conf` folder. When copying and pasting, make sure no extra spaces are added at the end of lines.

5. **Import root and intermediate certificates:** Before importing our certificate, we have to import the CA's root and intermediate certificates into the keystore file we generated in the second step.
   When mailing you the certificate, CAs will mention the link to their root and intermediate certificates. Save them under the `conf` directory with the names "CARoot.cer" and "CAIntermediate.cer" respectively. Some CAs may have two or more intermediate certificates. Read their documentation carefully before importing.

   *To import root certificate*

   ```
   >jre\bin\keytool.exe -import -trustcacerts -file conf\CARoot.cer -keystore conf\OpManager.truststore -alias CARootCert
   ```

   - **Enter keystore password:** (Enter the keystore password)
   - (The root certificate's information will be printed)
   - **Trust this certificate? [no]:** (Type yes and press Enter if it is the certificate of your CA)
   - **Certificate was added to keystore**

   *To import intermediate certificate*

   ```
   >jre\bin\keytool.exe -import -trustcacerts -file conf\CAIntermediate.cer -keystore conf\OpManager.truststore -alias CAInterCert
   ```

   - **Enter keystore password:** (Enter the keystore password)
   - **Certificate was added to keystore**

6. **Import Server's Certificate.** Execute the following command to add the certificate received from the CA to the keystore file:

   ```
   >jre\bin\keytool.exe -import -trustcacerts -file conf\ServerCert.cer -keystore conf\OpManager.truststore -alias OpManager
   ```

   - **Enter keystore password:** (Enter the keystore password)
   - Certificate reply was installed in keystore

7. **Configure Tomcat**
   1. Open the **ssl_server.xml** file (under `OpManager_Home\tomcat\conf\backup`) in a text editor.
   2. Search for the term **keystoreFile**. It is an attribute of the connector tag. Set the value to "**WEBNMS_ROOT_DIR/conf/OpManager.truststore**".
   3. Change the value of the "**keystorePass**" attribute to your keystore file password.

8. **Modify conf file**
   1. Open the "**OpManagerStartUp.properties**" file (under `OpManager_Home\conf`) in a text editor.
   2. Set the value of the parameter "**https**" to "**Enable**".

9. Start the OpManager server. Connect the client with https.
   Ex: https://opmserver:80

**Note:** If you already have a certificate for this server and that certificate was requested using a keystore file generated with Java keytool, you may use it for SSL configuration. Copy the keystore file to `OpManager_Home\conf`, rename it to "OpManager.truststore", and follow the steps from 5. (Provide the full path of `conf\OpManager.truststore`, e.g. `c:\ProgramFiles\Manageengine\OpManager\conf\OpManager.truststore`, instead of `conf\OpManager.truststore` in all locations above.)
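
After step 6, running `keytool -list -v -keystore conf\OpManager.truststore` shows whether the CA reply really replaced the self-signed certificate generated in step 2. The following is an added example, not part of the original page or of ManageEngine's tooling: it parses that listing and flags a server entry that is still self-signed, MD5/SHA1-signed, below 2048 bits, or issued for the wrong name. The sample listing is constructed and the function names are hypothetical.

```python
import re
WEAK_SIG = re.compile(r"(MD2|MD5|SHA1)with", re.I)

# Constructed sample: abridged `keytool -list -v` output as it would look after
# step 2 with the default key size and before the CA reply is imported.
SAMPLE = """\
Alias name: opmanager
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=opmserver.manageengine.com, OU=SYSADMIN, O=Zoho Corp, C=US
Issuer: CN=opmserver.manageengine.com, OU=SYSADMIN, O=Zoho Corp, C=US
Signature algorithm name: MD5withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""

def parse_listing(text):
    """Map each alias to the first value seen for every 'Key: value' line."""
    entries, cur = {}, None
    for line in text.splitlines():
        key, sep, val = line.strip().partition(": ")
        if sep and key == "Alias name":
            cur = entries.setdefault(val.lower(), {})  # keytool lowercases JKS aliases
        elif sep and cur is not None:
            cur.setdefault(key, val)  # first hit is the leaf, Certificate[1]
    return entries

def audit_server_entry(text, alias, fqdn):
    """Return findings for the server key entry; an empty list means it passed."""
    e = parse_listing(text).get(alias.lower())
    if e is None:
        return [f"alias {alias} not found"]
    out = []
    if e.get("Entry type") != "PrivateKeyEntry":
        out.append("entry has no private key")
    if e.get("Owner") and e.get("Owner") == e.get("Issuer"):
        out.append("self-signed: CA reply not imported (step 6)")
    cn = re.match(r"CN=([^,]+)", e.get("Owner", ""))
    if not cn or cn.group(1).lower() != fqdn.lower():
        out.append("CN does not match server FQDN")
    sig = e.get("Signature algorithm name", "")
    if WEAK_SIG.match(sig):
        out.append("weak signature algorithm " + sig)
    bits = re.match(r"(\d+)-bit RSA", e.get("Subject Public Key Algorithm", ""))
    if bits and int(bits.group(1)) < 2048:  # line is absent on older JREs
        out.append("RSA key below 2048 bits: " + bits.group(1))
    return out

if __name__ == "__main__":
    print("\n".join(audit_server_entry(SAMPLE, "OpManager", "opmserver.manageengine.com")))
```

Feed it the real listing by redirecting the keytool output to a file and passing the file's text as the first argument.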